โพสต์ถูกสร้างโดย NCSA_THAICERT

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยเกี่ยวกับแรนซัมแวร์สายพันธุ์ใหม่ที่ใช้วิธีการโจมตี Bring Your Own Vulnerable Driver (BYOVD) เพื่อปิดการทำงานของซอฟต์แวร์รักษาความปลอกภัย

1.นักวิจัยจากทีม Threat Hunter ของ Symantec และ Carbon Black ตรวจพบแรนซัมแวร์สายพันธุ์ใหม่ชื่อ Osiris ที่มีการยกระดับเทคนิคการโจมตี โดยใช้วิธี Bring Your Own Vulnerable Driver (BYOVD) ผ่านไดรเวอร์ที่เป็นอันตรายชื่อ POORTRY เพื่อปิดการทำงานของซอฟต์แวร์รักษาความปลอดภัยบนระบบปฏิบัติการ Windows ก่อนดำเนินการโจมตีหลัก รูปแบบการโจมตีดังกล่าวช่วยให้มัลแวร์สามารถหลีกเลี่ยงการตรวจจับและควบคุมระบบเป้าหมาย โดยผลิตภัณฑ์ที่ได้รับผลกระทบ ได้แก่ อุปกรณ์ที่ใช้ระบบปฏิบัติการ Windows 11

Osiris มีพฤติกรรมโหลดและติดตั้งไดรเวอร์ POORTRY เพื่อเพิ่มสิทธิ์การทำงานและยุติการทำงานของโปรเซสด้านความปลอดภัย จากนั้นใช้เครื่องมือมาตรฐานที่มีอยู่ในระบบ เพื่อสำรวจระบบและเตรียมระบบของเครื่องที่ถูกโจมตีก่อนการเข้ารหัสไฟล์ นอกจากนี้ยังพบการใช้เครื่องมือขโมยข้อมูลยืนยันตัวตน เช่น Mimikatz ซึ่งถูกปรับเปลี่ยนชื่อโปรแกรมเพื่อหลีกเลี่ยงการตรวจจับ เพื่อขโมยรหัสผ่านและข้อมูลลับ รวมถึงการส่งข้อมูลออกไปยังบริการจัดเก็บข้อมูลบนคลาวด์ ก่อนเริ่มกระบวนการเข้ารหัสข้อมูลและแสดงข้อความเรียกค่าไถ่ แม้ Osiris จะมีเป้าหมายหลักเพื่อเรียกค่าไถ่จากเหยื่อ แต่ผลกระทบที่เกิดขึ้นอาจทำให้ระบบไม่สามารถใช้งานได้ ข้อมูลสำคัญถูกเข้ารหัสหรือรั่วไหล และกระทบต่อการดำเนินงานขององค์กร แนะนำให้ผู้ดูแลระบบอัปเดตระบบปฏิบัติการและซอฟต์แวร์ด้านความปลอดภัยให้เป็นเวอร์ชันล่าสุด จำกัดสิทธิ์การติดตั้งไดรเวอร์และการเข้าถึงระดับผู้ดูแลระบบ ตรวจสอบพฤติกรรมผิดปกติในระบบอย่างสม่ำเสมอ และสำรองข้อมูลแยกออกจากระบบหลักเพื่อช่วยลดความเสี่ยงจากการโจมตีลักษณะดังกล่าว

2แนวทางการป้องกัน
2.1 ไม่ดาวน์โหลดหรือติดตั้งซอฟต์แวร์น่าสงสัย หรือซอฟต์แวร์ที่ไม่ได้มาจากผู้พัฒนา/ผู้ให้บริการโดยตรง
2.2 อัปเดตระบบปฏิบัติการและโปรแกรมต่าง ๆ ให้เป็นเวอร์ชันล่าสุดอยู่เสมอ
2.3 ใช้งานโปรแกรมป้องกันไวรัสที่เชื่อถือได้ และไม่ปิดการทำงานโดยไม่จำเป็น
2.4 ไม่ติดตั้งไดรเวอร์หรือโปรแกรมแปลก ๆ หากไม่แน่ใจควรหลีกเลี่ยงหรือสอบถามผู้เชี่ยวชาญก่อน

3 อ้างอิง
3.1 https://dg.th/v3nc5lmuj7
3.2 https://dg.th/xkyb374e9f
3.3 https://dg.th/ij5adxwzml

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความมั่นคงปลอดภัยของผู้เชี่ยวชาญด้านความปลอดภัยไซเบอร์จาก JFrog Security Research ได้เปิดเผยช่องโหว่ 2 รายการ ในแพลตฟอร์ม workflow automation ของ n8n ซึ่งสามารถเปิดทางให้ผู้โจมตีที่ผ่านการยืนยันตัวตนแล้ว (authenticated user) ทำการ รันโค้ดจากระยะไกล (Remote Code Execution – RCE) ได้

1. รายละเอียดช่องโหว่:
   1.1 CVE-2026-1470 — Eval Injection (CVSS V3.1 : 9.9) เป็นช่องโหว่ประเภท eval injection ซึ่งเปิดโอกาสให้ผู้โจมตีที่ผ่านการยืนยันตัวตนแล้วสามารถ Bypass กลไก Expression sandbox และสามารถรันโค้ดจากระยะไกลได้อย่างสมบูรณ์ (achieve full remote code execution) บนโหนดหลัก (main node) ของ n8n โดยการส่งโค้ด JavaScript ที่ถูกออกแบบมาเป็นพิเศษ
   1.2 CVE-2026-0863 — Python Task Executor Injection (CVSS V3.1: 8.5) ช่องโหว่นี้เกี่ยวข้องกับการ Bypass sandbox ของส่วน python-task-executor ให้ผู้โจมตีที่ผ่านการยืนยันตัวตนสามารถ รันโค้ด Python ได้บนระบบปฏิบัติการของระบบได้
   ทั้งสองช่องโหว่เป็นประเภท sandbox escape / code injection ซึ่งหมายความว่าผู้โจมตีสามารถ Bypass ความปลอดภัยของ sandbox แล้วเข้าควบคุมกระบวนการรันโค้ดของระบบหลักได้

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ:
   2.1 CVE-2026-1470 1.123.17, 2.0.0, 2.4.5, 2.5.0 และ 2.5.1
   2.2 CVE-2026-0863 1.123.14, 2.0.0, 2.3.5, 2.4.0 และ 2.4.2

3. แนวทางการแก้ไข:

• อัปเดต n8n เป็นเวอร์ชันล่าสุด [email protected] หรือใหม่กว่า

4. หากยังไม่สามารถอัพเดตได้ ควรดำเนินการดังนี้

• ไม่มีมาตรการบรรเทาผลกระทบใด ๆ สำหรับช่องโหว่นี้

5. แหล่งอ้างอิง:
   5.1 https://dg.th/ykopsd7u0e
   5.2 https://dg.th/pzbwex8dnh
   5.3 https://dg.th/mrsk7p1lo2
   5.4 https://dg.th/1tj0bhyg72
   5.5 https://dg.th/v3ycrietpl

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยเกี่ยวกับช่องโหว่ของโปรแกรม WinRAR (CVE-2025-8088) ยังคงถูกกลุ่มแฮกเกอร์จำนวนมากนำไปใช้โจมตี เพื่อเข้าถึงระบบและติดตั้งซอฟต์แวร์อันตรายต่างๆ บนเครื่องคอมพิวเตอร์ของเหยื่อ

1. รายละเอียดช่องโหว่
   ช่องโหว่นี้เป็นช่องโหว่ path traversal (การเดินทางของเส้นทางไฟล์) ที่เกี่ยวข้องกับฟีเจอร์ Alternate Data Streams (ADS) บน Windows CVE-2025-8088 คะแนน CVSS v3.1: 8.8 ซึ่งช่วยให้แฮกเกอร์สามารถแอบแทรกไฟล์อันตรายไว้ภายในไฟล์ปลอมที่ดูเหมือนปลอดภัยได้ เมื่อผู้ใช้เปิดไฟล์ RAR ที่ถูกดัดแปลง โปรแกรม WinRAR จะดึงไฟล์ที่ซ่อนอยู่จาก ADS ออกมาที่ตำแหน่งต่างๆ ในระบบ เช่น โฟลเดอร์เริ่มต้นระบบ (Startup) ซึ่งจะทำให้โค้ดอันตรายถูกเรียกใช้เมื่อเปิดคอมพิวเตอร์ แฮกเกอร์อาจซ่อนไฟล์อันตราย เช่น ไฟล์สคริปต์หรือไฟล์ปฏิบัติการ (.LNK, .BAT, .CMD ฯลฯ) ไว้ในไฟล์ ADS ของเอกสารปลอม เช่น PDF ที่ดูเหมือนปลอดภัย พอเหยื่อแตกไฟล์ ก็จะเกิดการรันไฟล์อันตรายโดยไม่รู้ตัว

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ

• WinRAR สำหรับ Windows เวอร์ชัน 7.12 ลงมา

3. แนวทางการแก้ไข

• อัปเดตซอฟต์แวร์ WinRAR เป็นเวอร์ชัน 7.13 หรือใหม่กว่า

4. หากยังไม่สามารถอัปเดตได้ ควรดำเนินการดังนี้
   4.1 พิจารณาปิดการใช้งาน WinRAR ชั่วคราว
   4.1 หลีกเลี่ยงการเปิดหรือแตกไฟล์ RAR จากแหล่งที่ไม่น่าเชื่อถือ

5. อ้างอิง
   5.1 https://dg.th/jt0koy54ux
   5.2 https://dg.th/0819you34j
   5.3 https://dg.th/wk7qumix43
   5.4 https://dg.th/f359hikvtj

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 6 รายการ เมื่อวันที่ 29 มกราคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-26-029-01 KiloView Encoder Series
• ICSA-26-029-02 Rockwell Automation ArmorStart LT
• ICSA-26-029-03 Rockwell Automation ControlLogix
• ICSA-25-126-03 BrightSign Players (Update A)
• ICSA-25-140-04 Mitsubishi Electric Iconics Digital Solutions / Mitsubishi Electric GENESIS64 (Update D)
• ICSA-25-205-01 Mitsubishi Electric CNC Series (Update B)

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 29 มกราคม 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

• CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Vulnerabilities

• Ivanti Warns Of Two EPMM Flaws Exploited In Zero-Day Attacks
  "Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were exploited in zero-day attacks. The flaws are code-injection vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Both vulnerabilities have a CVSS score of 9.8 and are rated as critical. "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," warns Ivanti."
  https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
  https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
• GnuPG And Gpg4win Security Advisory (T8044)
  "We are pleased to announce the availability of a new GnuPG release: version 2.5.17. This version fixes a critical security bug in versions 2.5.13 to 2.5.16. We also released a new Gpg4win version and updated Debian packages."
  https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html
• Semantic Chaining: A New Image Jailbreak Attack
  "Following the discovery of the Echo Chamber Multi-Turn Jailbreak attack, NeuralTrust researchers have identified a critical vulnerability in the safety architecture of leading multimodal models, including Grok 4, Gemini Nano Banana Pro and Seedance 4.5. This novel technique, which we have named Semantic Chaining, allows users to bypass core safety filters and generate prohibited content, both visual and text-in-image, by exploiting the models' ability to perform complex, multi-stage image modifications."
  https://neuraltrust.ai/blog/semantic-chaining
  https://www.darkreading.com/vulnerabilities-threats/semantic-chaining-jailbreak-gemini-nano-banana-grok-4
• Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails
  "Ollama is an open-source framework that enables users to run large language models locally on their own hardware. By design, the service binds to localhost at 127.0.0.1:11434, making instances accessible only from the host machine. However, exposing Ollama to the public internet requires only a single configuration change: setting the service to bind to 0.0.0.0 or a public interface. At scale, these individual deployment decisions aggregate into a measurable public surface."
  https://www.sentinelone.com/labs/silent-brothers-ollama-hosts-form-anonymous-ai-network-beyond-platform-guardrails/
  https://thehackernews.com/2026/01/researchers-find-175000-publicly.html

Malware

• Android Trojan Campaign Uses Hugging Face Hosting For RAT Payload Delivery
  "Bitdefender researchers have discovered an Android RAT (remote access trojan) campaign that combines social engineering, the resources of the Hugging Face online platform as staging, and extensive use of Accessibility Services to compromise devices. What makes this campaign particularly interesting is the attackers’ use of Hugging Face to host malicious payloads, and the scale at which new samples are deployed. Hugging Face is a widely used online hosting service that provides a home to machine learning models and gives users a place to host their open-source models, datasets, and other development tools that researchers and developers usually need."
  https://www.bitdefender.com/en-us/blog/labs/android-trojan-campaign-hugging-face-hosting-rat-payload
  https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/
• Aisuru Botnet Sets New Record With 31.4 Tbps DDoS Attack
  "The Aisuru/Kimwolf botnet launched a new massive distributed denial of service (DDoS) attack that peaked at 31.4 Tbps and 200 million requests per second, setting a new record. The attack was part of a campaign targeting multiple companies, most of them in the telecommunications sector, and was detected and mitigated by Cloudflare last year on December 19. Aisuru is responsible for the previous DDoS record that reached 29.7 Tbps. Another attack that Microsoft attributed to the botnet peaked at 15.72 Tbps and originated from 500,000 IP addresses."
  https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/
• Dissecting UAT-8099: New Persistence Mechanisms And Regional Focus
  "Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco's file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites."
  https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/
• LABYRINTH CHOLLIMA Evolves Into Three Adversaries
  "LABYRINTH CHOLLIMA has evolved into three distinct adversaries with specialized malware, objectives, and tradecraft: GOLDEN CHOLLIMA and PRESSURE CHOLLIMA now likely operate separately from the core LABYRINTH CHOLLIMA group. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA target cryptocurrency entities and are distinguished by the scale and scope of their operations; core LABYRINTH CHOLLIMA operations continue to focus on espionage, targeting industrial, logistics, and defense companies. Despite operating independently, these three adversaries share tools and infrastructure, indicating centralized coordination and resource allocation within the DPRK cyber ecosystem."
  https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
  https://cyberscoop.com/north-korea-labyrinth-chollima-splits-crowdstrike/
• Interlock Ransomware: New Techniques, Same Old Tricks
  "The Interlock ransomware group continues to compromise organizations worldwide, with a focus on UK- and US-based organizations, particularly in the education sector. The FortiGuard Incident Response team continues to track the fallout of previous campaigns related to this group. Unlike other current key ransomware threats, the Interlock group is unique in that it does not operate under the RaaS model. Instead, they appear to be a smaller, dedicated group of operators who develop and operate their own malware to support most of their kill chain. The Interlock ransomware group has demonstrated the ability to adapt its techniques and tooling over time as mitigations evolve."
  https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks
• Malicious Google Ads Target Mac Users With Fake Mac Cleaner Pages
  "Researchers at MacKeeper have found malicious Google Ads for “Mac cleaner” tools that trick users into running dangerous Terminal commands. Stay safe by learning how to spot these fake Apple sites. Researchers at MacKeeper have identified malicious Google Ads promoting fake “Mac cleaner” tools that trick users into running dangerous Terminal commands. The campaign directs victims to Apple-lookalike pages designed to gain full control of macOS systems."
  https://hackread.com/malicious-google-ads-mac-fake-mac-cleaner/
• Clawdbot’s Rename To Moltbot Sparks Impersonation Campaign
  "After the viral AI assistant Clawdbot was forced to rename to Moltbot due to a trademark dispute, opportunists moved quickly. Within days, typosquat domains and a cloned GitHub repository appeared—impersonating the project’s creator and positioning infrastructure for a potential supply-chain attack. The code is clean. The infrastructure is not. With the GitHub downloads and star rating rapidly rising, we took a deep dive into how fake domains target viral open source projects."
  https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign
• Supply Chain Attack On eScan Antivirus: Detecting And Remediating Malicious Updates
  "On January 20, a supply chain attack has occurred, with the infected software being the eScan antivirus developed by an Indian company MicroWorld Technologies. The previously unknown malware was distributed through the eScan update server. The same day, our security solutions detected and prevented cyberattacks involving this malware. On January 21, having been informed by Morphisec, the developers of eScan contained the security incident related to the attack."
  https://securelist.com/escan-supply-chain-attack/118688/
• Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
  "On January 27, 2026, our malware detection system flagged a new VS Code extension called "ClawdBot Agent" that immediately set off alarm bells. We confirmed the extension is a fully functional trojan: a working AI coding assistant on the surface, while silently dropping malware onto Windows machines the moment VS Code starts. Here's the kicker: the real Clawdbot team never published an official VS Code extension. The attackers just claimed the name first. We immediately reported it to Microsoft, who were very quick to removing the extension. This post documents our investigation into the extension."
  https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware

Breaches/Hacks/Leaks

• Marquis Blames Ransomware Breach On SonicWall Cloud Backup Hack
  "Marquis Software Solutions, a Texas-based financial services provider, is blaming a ransomware attack that impacted its systems and affected dozens of U.S. banks and credit unions in August 2025 on a security breach reported by SonicWall a month later. The software company provides data analytics, compliance reporting, CRM tools, and digital marketing services to more than 700 banks, credit unions, and mortgage lenders across the United States."
  https://www.bleepingcomputer.com/news/security/marquis-blames-ransomware-breach-on-sonicwall-cloud-backup-hack/
• Match Group Breach Exposes Data From Hinge, Tinder, OkCupid, And Match
  "Match Group, the owner of multiple popular online dating services, Tinder, Match.com, Meetic, OkCupid, and Hinge, confirmed a cybersecurity incident that compromised user data. The company stated that hackers stole a "limited amount of user data" after the ShinyHunters threat group leaked 1.7 GB of compressed files allegedly containing 10 million records of Hinge, Match, and OkCupid user information, as well as internal documents. In a statement to BleepingComputer, a spokesperson for Match Group confirmed the incident."
  https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/
  https://www.theregister.com/2026/01/29/shinyhunters_match_group/
• Cyberattack On Large Russian Bread Factory Disrupts Supply Deliveries
  "A cyberattack on a major bread producer in Russia’s Vladimir region has disrupted food deliveries, local media reported. The Vladimir Bread Factory — one of the largest bakery producers in the region — said in a statement that its internal digital systems were hit overnight on Sunday, knocking out office computers, servers, electronic document management tools and the widely used 1C enterprise accounting system."
  https://therecord.media/cyberattack-russian-bread-factory-supply-disruptions

General News

• What Motivates Hackers And What Makes Them Walk Away
  "Most hackers spend more time learning, testing, and comparing notes than breaking into systems. The work often happens alone or in small groups, shaped by curiosity, persistence, and a habit of examining how systems behave. Bugcrowd examined who these security researchers are, how they build skills, and what their work looks like behind the scenes as they look for flaws and decide what to report."
  https://www.helpnetsecurity.com/2026/01/29/bugcrowd-hacker-community-research/
• 2026 Security Operations Insights
  "Security is only becoming more complicated for enterprise organizations. Application environments are changing rapidly as DevOps teams dial up velocity and data volumes scale. Hype around AI has created a rush to develop and adopt AI tools while broadening the attack surface and forcing defenders to reconsider the viability of their solutions. At the same time, attackers are escalating their tactics: stealing credentials at scale, disrupting operations through advanced ransomware, and exploiting gaps across supply chains. These types of breaches affect millions of users, illustrating how quickly an exposure can spread across cloud ecosystems."
  https://www.sumologic.com/guides/2026-security-operations-insights
  https://www.infosecurity-magazine.com/news/cybersecurity-teams-embrace-ai/
• No Place Like Home Network: Disrupting The World's Largest Residential Proxy Network
  "This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors. This disruption, led by Google Threat Intelligence Group (GTIG) in partnership with other teams, included three main actions:"
  https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
  https://thehackernews.com/2026/01/google-disrupts-ipidea-one-of-worlds.html
  https://www.bleepingcomputer.com/news/security/google-disrupts-ipidea-residential-proxy-networks-fueled-by-malware/
  https://www.infosecurity-magazine.com/news/google-disrupts-proxy-networks/
  https://www.securityweek.com/google-disrupts-ipidea-proxy-network/
  https://securityaffairs.com/187463/security/google-targets-ipidea-in-crackdown-on-global-residential-proxy-networks.html
  https://www.helpnetsecurity.com/2026/01/29/ipidea-proxy-network-disrupted/
  https://www.theregister.com/2026/01/29/google_ipidea_crime_network/
• Identity Theft Resource Center 2025 Annual Data Breach Report: Record Number Of Data Compromises In 2025; 79 Percent Jump Over Five Years
  "Today, the Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization that supports victims of identity theft, fraud and scams, released its 2025 Annual Data Breach Report, its 20th edition, at today’s Identity, Authentication and the Road Ahead Identity Policy Forum hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC. According to the 2025 Annual Data Breach Report, the number of data compromises in 2025 (3,322) increased by five percent compared to 2024 (3,152). The ITRC set a new record for the number of data compromises tracked in a year, up four percent from the previous all-time high in 2023 (3,202). It is also a 79 percent jump over five years."
  https://www.idtheftcenter.org/post/2025-annual-data-breach-report-record-number-compromises/
  https://www.idtheftcenter.org/publication/2025-data-breach-report/
  https://www.bankinfosecurity.com/data-breaches-in-america-hit-all-time-record-high-in-2025-a-30624
  https://www.infosecurity-magazine.com/news/us-data-breaches-record-high/
• IR Trends Q4 2025: Exploitation Remains Dominant, Phishing Campaign Targets Native American Tribal Organizations
  "Threat actors predominately exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements — a notable decrease from over 60 percent last quarter, when engagements involving ToolShell surged. This quarter included exploitation of Oracle E-Business Suite (EBS) and React2Shell, as well as the deployment of malware implants previously associated with advanced persistent threat (APT) groups. Phishing was the second-most common tactic for initial access, and this quarter included a campaign specifically targeting Native American tribal organizations for credential harvesting. Once the adversaries compromised a legitimate account, they leverage it to send out further internal phishes and gain more credentials."
  https://blog.talosintelligence.com/ir-trends-q4-2025/
  https://www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/
• The ‘staggering’ Cybersecurity Weakness That Isn’t Getting Enough Focus, According To a Top Secret Service Official
  "The internet domain registration system is a major weakness that malicious hackers can exploit, but is often being overlooked, a senior Secret Service official said Thursday. “It is staggering to me that we live in a world where domain registrars and registrars will do bulk registration of various spellings of a major institution’s brand name to create URLs to then use in phishing campaigns or in fraudulent advertising,” the official, Matt Noyes, said at a conference in Washington, D.C."
  https://cyberscoop.com/secret-service-iana-domain-security-weakness/
• From Quantum To AI Risks: Preparing For Cybersecurity's Future
  "As 2026 begins, the cybersecurity industry faces a pivotal moment, grappling with persistent threats and emerging challenges. The year brings renewed focus on critical goals as discussed in the latest edition of Reporter's Notebook, with Alex Culafi, senior news writer at Dark Reading, joined by Phil Sweeney of TechTarget Search Security and Eric Geller of Cybersecurity Dive. As seasoned reporters immersed in the field, the trio offers unique insights into what cybersecurity professionals should start doing, stop doing, and focus on as 2026 begins. Their conversation highlights pressing issues, emerging trends, and actionable advice for those in the industry."
  https://www.darkreading.com/cybersecurity-operations/quantum-ai-risks-cybersecuritys-future
• How Can CISOs Respond To Ransomware Getting More Violent?
  "QUESTION: Ransomware attack groups are getting more violent. How should CISOs respond to this change in tactics? Jim Doggett, CISO, Semperis: At the start of 2025, it seemed like the world may have turned a corner in the fight against ransomware. Blockchain analysis revealed a major drop in ransom crypto-payments, with revenue declining for the first time since 2022. Sadly, our optimism was short-lived. Threat actors are an adaptable bunch. When cornered, they can also be dangerous."
  https://www.darkreading.com/cyber-risk/how-cisos-respond-ransomware-getting-more-violent
• CISA Urges Critical Infrastructure Organizations To Take Action Against Insider Threats
  "The Cybersecurity and Infrastructure Security Agency (CISA) is calling on critical infrastructure organizations to take decisive action against insider threats. To support this effort, CISA has released today a powerful new resource—Assembling a Multi-Disciplinary Insider Threat Management Team. Designed for critical infrastructure entities and state, local, tribal, and territorial (SLTT) governments, this comprehensive infographic provides actionable strategies guidance to proactively prevent, detect and mitigate insider threats-helping organizations stay ahead of evolving organizational vulnerabilities."
  https://www.cisa.gov/news-events/news/cisa-urges-critical-infrastructure-organizations-take-action-against-insider-threats
  https://www.cisa.gov/resources-tools/resources/assembling-multi-disciplinary-insider-threat-management-team
  https://www.cisa.gov/sites/default/files/2026-01/Assembling a Multidisciplinary Insider Threat Management Team_508.pdf
  https://www.infosecurity-magazine.com/news/cisa-targets-insider-threat-risks/
  https://www.theregister.com/2026/01/29/cisa_insider_threat_guidance/
• Ransomware And Cyber Extortion In Q4 2025
  "In the final quarter of 2025 (Q4 2025), established groups like “Qilin” and “Akira” maintained their leadership positions, while newer operators like “Sinobi” gained traction. In addition, the number of data-leak site posts increased by 50% between Q3 and Q4 2025, and was up 40% from Q4 2024, despite fewer active groups this quarter. We assess with moderate confidence that this reflects short-term consolidation, where higher-output groups attacked more organizations as weaker operators lost momentum."
  https://reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q4-2025/
  https://www.infosecurity-magazine.com/news/ransomware-numbers-rise-despite/
• Number Of Cybersecurity Pros Surges 194% In Four Years
  "Cybersecurity remains the fastest-growing IT occupation in the UK, having seen its ranks expand by 194% since 2021, according to a new Socura report. The managed detection and response (MDR) specialist used Office of National Statistics (ONS) data to compile its latest report out today: A wave in cyber. Specifically, it cited the ONS Annual Population Survey, which tracks employment figures across 400+ Standard Occupational Classification codes, including 13 IT-related roles."
  https://www.infosecurity-magazine.com/news/number-cybersecurity-pros-surges/
  https://socura.co.uk/reports-and-whitepapers/a-wave-in-cyber
• Cyber Insights 2026: Zero Trust And Following The Path
  "Ask ten experts to describe the current state of zero trust and you will get ten different answers. We asked dozens of experts. Zero trust is not a thing; it is an idea. It is not a product; it is a concept – it is a destination that has no precise route and may never be reached. But it is described very succinctly: trust nothing until the trust is justified. Justification starts with verifying every subject’s identity and authority. This is the single constant in all zero trust journeys: they start with the subject’s identity."
  https://www.securityweek.com/cyber-insights-2026-zero-trust-and-following-the-path/
• Latvia Says Russia Remains Its Top Cyber Threat As Attacks Hit Record High
  "Latvia’s security agency has warned that Russia’s cyberattacks and sabotage campaigns against the country show no sign of slowing, even though most incidents so far have failed to cause serious disruption. In its annual report released this week, Latvia’s national security service, SAB, said 2025 marked an all-time high in registered cyber threats targeting the country, with activity surging significantly past levels seen before Russia’s invasion of Ukraine in 2022."
  https://therecord.media/latvia-says-russia-remains-top-cyber-threat-record-attacks
  https://www.sab.gov.lv/files/uploads/2026/01/SABs-annual-report_2025_ENG.pdf
• Understanding The Russian Cyber Threat To The 2026 Winter Olympics
  "The 2026 Winter Games in Milano Cortina extend beyond sport. Tensions between the Russian Federation and the International Olympic Committee (IOC), stemming from disputes over compliance and governance, lie within a broader geopolitical context. In this environment, the Games may face increased cyber risk, as major international events increasingly intersect with geopolitical competition. The exclusion of Russia from a global stage of historic national importance removes a critical geopolitical guardrail protecting the 2026 Winter Olympic Games."
  https://unit42.paloaltonetworks.com/russian-cyberthreat-2026-winter-olympics/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Energy Sector

• Cyberattack On Polish Energy Grid Impacted Around 30 Facilities
  "The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems damaging "key equipment beyond repair," they failed to disrupt power, totalling 1.2 GW or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, a critical industrial infrastructure (OT) and control systems (ICS) security company say that the number is approximately 30."
  https://www.bleepingcomputer.com/news/security/cyberattack-on-polish-energy-grid-impacted-around-30-facilities/
  https://hub.dragos.com/report/electrum-targeting-polands-electric-sector
  https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf
  https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html
  https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

Vulnerabilities

• Achieving Remote Code Execution On n8n Via Sandbox Escape - CVE-2026-1470 & CVE-2026-0863
  "The JFrog Security Research team recently discovered and disclosed two vulnerabilities in n8n’s sandbox mechanism: CVE-2026-1470, rated 9.9 Critical, impacting the expression evaluation engine, and CVE-2026-0863, rated 8.5 High, affecting Python execution in the Code node (“Internal” mode). n8n is a popular AI workflow automation platform that combines AI capabilities with business process automation."
  https://research.jfrog.com/post/achieving-remote-code-execution-on-n8n-via-sandbox-escape/
  https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html
  https://www.bleepingcomputer.com/news/security/new-sandbox-escape-flaw-exposes-n8n-instances-to-rce-attacks/
  https://www.infosecurity-magazine.com/news/n8n-sandbox-flaws-allow-rce/
• SolarWinds Warns Of Critical Web Help Desk RCE, Auth Bypass Flaws
  "SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks. Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts."
  https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
• New Architecture, New Risks: One-Click To Pwn IDIS IP Cameras
  "Modern capabilities, such as cloud-powered management, analytics, and detection, have introduced a new architectural era to IP-based video surveillance, which remains a prominent safety feature across enterprises, manufacturing facilities, military installations, and even apartments and small businesses. What was once a world of on-premesis network video recorders (NVRs), local storage arrays, and LAN-based management systems is now a connected environment largely operating in the cloud."
  https://claroty.com/team82/research/new-architecture-new-risks-one-click-to-pwn-idis-ip-cameras
  https://www.bankinfosecurity.com/idis-surveillance-management-software-vulnerable-to-hacking-a-30616
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2026-24858 Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog
  https://securityaffairs.com/187435/security/u-s-cisa-adds-a-flaw-in-multiple-fortinet-products-to-its-known-exploited-vulnerabilities-catalog-2.html
• Bypassing Windows Administrator Protection
  "A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the insider preview builds on Windows 11."
  https://projectzero.google/2026/26/windows-administrator-protection.html
  https://www.theregister.com/2026/01/28/google_windows_admin_exploit/

Malware

• Viral Moltbot AI Assistant Raises Concerns Over Data Security
  "Security researchers are warning of insecure deployments in enterprise environments of the Moltbot (formerly Clawdbot) AI assistant, which can lead to leaking API keys, OAuth tokens, conversation history, and credentials. Moltbot is an open-source personal AI assistant with deep system integration created by Peter Steinberger that can be hosted locally on user devices and integrated directly with the user’s apps, including messengers and email clients, as well as the filesystem. Unlike cloud-based chatbots, Moltbot can run 24/7 locally, maintaining a persistent memory, proactively reaching out to the user for alerts/reminders, executing scheduled tasks, and more."
  https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/
  https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html
• Operation Bizarre Bazaar: First Attributed LLMjacking Campaign With Commercial Marketplace Monetization
  "Between December 2025 and January 2026, Pillar Security Research team uncovered a disturbing evolution in AI-focused cyber threats. Our honeypots captured 35,000 attack sessions targeting exposed AI infrastructure. We have named this campaign Operation Bizarre Bazaar. It represents the first public documentation of a systematic campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints at scale, featuring complete commercial monetization. The investigation reveals how cybercriminals discover, validate, and monetize unauthorized access to AI infrastructure through a coordinated supply chain spanning reconnaissance, validation, and commercial resale."
  https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization
  https://www.pillar.security/resources/operation-bizarre-bazaar
  https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/
• Can’t Stop, Won’t Stop: TA584 Innovates Initial Access
  "Proofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most frequently active with high volume campaigns is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. In the second half of 2025, TA584 demonstrated multiple attack chain changes including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot. TA584 overlaps with a group tracked as Storm-0900."
  https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access
  https://www.bleepingcomputer.com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/
• Trusted, Signed, Still Malicious. Exploiting Custom Email Text To Bypass Security Controls
  "A recent series of phone scam emails has been able to bypass traditional email security measures by placing malicious messages within document names, online meeting descriptions, or account name fields. These emails redirect otherwise legitimate business emails to potential victims, and are particularly notable for embedding phone scams and other malicious content while still retaining the legitimate business’s From address. This makes the email appear to originate from a trusted sender, even though it actually contains a malicious message written by the threat actor. While spoofing the From address would typically trigger failures from Sender Policy Framework (SPF) headers and editing an email would typically trigger failures from DomainKeys Identified Mail (DKIM) headers, these sample emails pass both these security checks because the email was technically sent from a legitimate and trusted source."
  https://cofense.com/blog/trusted,-signed,-still-malicious-exploiting-custom-email-text-to-bypass-security-controls
• Phishing At Cloud Scale: How AWS Is Abused For Credential Theft
  "Threat actors are abusing web services from Amazon like Simple Storage Service (S3) buckets, Amazon Simple Email Service (SES), and Amazon Web Service (AWS) Amplify to launch credential phishing attacks due to their trusted infrastructure, scalability, and ease of abuse. AWS offers threat actors a cloak of legitimacy, bypassing many traditional email based security controls like Secure Email Gateways (SEGs) and other email security technologies, amplifying the risk in today’s connected digital landscape. This report outlines how AWS is abused, supported by examples and phishing trends from June 2021 to December 2025."
  https://cofense.com/blog/phishing-at-cloud-scale-how-aws-is-abused-for-credential-theft
• Unveiling The Weaponized Web Shell EncystPHP
  "FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328. Its malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which targeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3."
  https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
  Android.Phantom Trojans Are Bundled With Modded Games And Popular Apps To Infiltrate Smartphones. They * Use Machine Learning And Video Broadcasts To Engage In Click Fraud
  "Experts at the Doctor Web antivirus laboratory have discovered and investigated a new trojan clicker malware family. All of these trojans either are administered via the hxxps[:]//dllpgd[.]click server or get downloaded and launched after the corresponding instruction is received from the remote host. Malware belonging to this family infects Android smartphones. Xiaomi’s GetApps software catalogue is one of its principal distribution channels.
  https://news.drweb.com/show/?i=15110&lng=en
  https://hackread.com/phantom-malware-android-game-mods-ad-fraud/
• PureRAT: Attacker Now Using AI To Build Toolset
  "A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. The phishing emails masquerade as job opportunities and the attacker may be using them as a lure in the hope that recipients open the emails using work computers. The attacker’s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks."
  https://www.security.com/threat-intelligence/ai-purerat-phishing
  https://www.infosecurity-magazine.com/news/emojis-in-purerats-code/
• Malicious PyPI Packages Spellcheckpy And Spellcheckerpy Deliver Python RAT
  "On January 20th and 21st, 2026, our malware detection pipeline flagged two new PyPI packages: spellcheckerpy and spellcheckpy. Both claimed to be the legitimate author of pyspellchecker library. Both are linked to his real GitHub repo. They weren't his. Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT. The attacker published three "dormant" versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker."
  https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat
  https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html
• Love? Actually: Fake Dating App Used As Lure In Targeted Spyware Campaign In Pakistan
  "ESET researchers have uncovered an Android spyware campaign leveraging romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp. Underneath the romance charade, the real purpose of the malicious app, which we named GhostChat, is exfiltration of the victim’s data – both upon first execution and continually while the app is installed on the device. The campaign employs a layer of deception that we have not previously seen in similar schemes – the fake female profiles in GhostChat are presented to potential victims as locked, with passcodes required to access them."
  https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
  https://www.helpnetsecurity.com/2026/01/29/ghostchat-android-romance-spyware/

General News

• Audits For AI Systems That Keep Changing
  "Security and risk teams often rely on documentation and audit artifacts that reflect how an AI system worked months ago. ETSI’s continuous auditing based conformity assessment specification (ETSI TS 104 008) describes a different approach, where conformity is evaluated through recurring measurement and automated evidence collection tied to live system behavior."
  https://www.helpnetsecurity.com/2026/01/28/etsi-ts-104-008-ai-continuous-auditing/
  https://www.etsi.org/deliver/etsi_ts/104000_104099/104008/01.01.01_60/ts_104008v010101p.pdf
• FBI Seizes RAMP Cybercrime Forum Used By Ransomware Gangs
  "The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations. Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP.""
  https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/
  https://hackread.com/russian-cybercrime-ramp-forum-seized-fbi/
  https://www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/
• Empire Cybercrime Market Owner Pleads Guilty To Drug Conspiracy
  "A Virginia man who co-created Empire Market, one of the largest dark web marketplaces at the time, pleaded guilty to federal drug conspiracy charges for facilitating $430 million in illegal transactions from 2018 to 2020. The marketplace operated as a hidden service accessible only via TOR browsers and was advertised as an AlphaBay "clone," modeled after the notorious dark web marketplace shut down by authorities in 2017."
  https://www.bleepingcomputer.com/news/security/empire-cybercrime-market-owner-pleads-guilty-to-drug-conspiracy/
• Slovakian Man Pleads Guilty To Operating Darknet Marketplace
  "A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years. 33-year-old Alan Bill (also known online as "Vend0r" or "KingdomOfficial") pleaded guilty to conspiracy to distribute controlled substances for his role in running Kingdom Market, which operated from March 2021 through December 2023."
  https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-to-operating-kingdown-market-cybercrime-marketplace/
• The Trends Defining Cyber Security In 2026: Cyber Security Report 2026
  "Security programs are being asked to defend increasingly complex environments against cyber attacks that are faster, more automated, and harder to isolate. The past year of attacks reveals a measurable shift in how adversaries operate, coordinate, and scale across enterprise environments. The Cyber Security Report 2026 is based on direct analysis of global attack activity spanning AI driven attacks, ransomware operations, hybrid environments, and multi channel social engineering. It documents how these techniques are being executed in practice, at scale, across industries and regions."
  https://blog.checkpoint.com/research/the-trends-defining-cyber-security-in-2026-cyber-security-report-2026/
• Consumers Reluctant To Shop At Stores That Don't Take Security Seriously
  "While it's nearly impossible for retail organizations to avoid incidents these days, implementing effective security protocols should be a top priority, as consumers become more security-savvy. Threat actors target the retail sector because shops hold highly coveted information, like financial and purchasing history, that can be further abused in fraud scams. And unlike more regulated sectors such as energy or financial services, that information may not be as tightly protected, especially among small mom-and-pops with fewer resources."
  https://www.darkreading.com/cyber-risk/consumers-reluctant-to-shop-at-stores-hit-by-cyberattacks
• Surging Cyberattacks Boost Latin America To Riskiest Region
  "Latin America and the Caribbean can now lay claim to an unenviable status: cyberattackers' favorite region to target with cyberattacks. Organizations in Latin America saw an average of 3,065 attacks per week last year, a year-over-year surge of 26%, leapfrogging Africa as the top geographic region for cyber-risk, according to the latest data from Check Point Research. About three-quarters (76%) of organizations suffered information disclosure attacks, while a majority also encountered attempts at remote code execution and authentication bypass. In all, Latin American organizations see about 40% more attacks than the global average."
  https://www.darkreading.com/cyber-risk/surging-cyberattacks-latin-america-riskiest-region
• Grammarly And QuillBot Are Among Widely Used Chrome Extensions Facing Serious Privacy Questions
  "A new study shows that some of the most widely used AI-powered browser extensions are a privacy risk. They collect lots of data and require a high level of browser access. The research was conducted by Incogni, which analyzed 442 AI-powered Google Chrome extensions for its 2026 privacy risk report. The study reviewed extensions across eight categories and assessed their permissions, declared data collection practices, and security risk scores."
  https://www.helpnetsecurity.com/2026/01/28/incogni-chrome-extensions-privacy-risks-report/
• Zscaler 2026 AI Threat Report: 91% Year-Over-Year Surge In AI Activity Creates Growing Oversight Gap For Global Enterprises
  "Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of the ThreatLabz 2026 AI Security Report, warning that enterprises are unprepared for the next wave of AI‑driven cyber risk, even as AI becomes embedded in business operations. Based on an analysis of nearly one trillion AI/ML transactions across the Zscaler Zero Trust Exchange platform between January and December of 2025, the research shows that enterprises are reaching a tipping point where AI has transitioned from a productivity tool to a primary vector for autonomous, machine-speed conflict."
  https://www.zscaler.com/press/zscaler-2026-ai-threat-report-91-year-over-year-surge-ai-activity-creates-growing-oversight
  https://www.infosecurity-magazine.com/news/ai-security-threats-loom-zscaler/
• Researchers Uncover 454,000+ Malicious Open Source Packages
  "Security researchers have warned that the open source ecosystem has become a “structural risk,” after revealing another surge in malicious packages last year. Sonatype said in its 2026 State of the Software Supply Chain report that developers downloaded components 9.8 trillion times last year across Maven Central, PyPl, npm and NuGet. The challenge is that many of these contained malware or vulnerabilities. The security vendor said it discovered 454,648 new malicious packages last year, warning that threats had evolved from “spam and stunts” into “sustained, industrialized campaigns” – many of which are state sponsored."
  https://www.infosecurity-magazine.com/news/454000-malicious-open-source/
• Chinese Language Money Laundering Networks Emerge As Major Facilitators Of The Illicit Crypto Economy, Now Driving 20% Of Laundering Activity
  "After emerging at the start of the pandemic, Chinese-language money laundering networks (CMLNs) now dominate known crypto money laundering activity, processing an estimated 20% of illicit crypto funds over the past five years. This growth is 7,325 times faster than growth of illicit inflows to centralized exchanges since 2020. CMLNs processed $16.1 billion in 2025 — approximately $44 million per day across 1,799+ active wallets. Chainalysis has identified on-chain behavioral fingerprints of six distinct service types within the CMLN ecosystem. Black U and gambling services fragment large transactions into small amounts to evade detection, while over-the-counter (OTC) services consolidate small transactions into large amounts for integration."
  https://www.chainalysis.com/blog/2026-crypto-money-laundering/
  https://www.infosecurity-magazine.com/news/chinese-money-launderers-global/
• 2026 Public Sector Cyber Outlook: Identity, AI And The Fight For Trust
  "The early weeks of 2026 have already made one thing clear: Government cybersecurity is in a new phase, shaped not by incremental change, but by the rapid integration of AI into core public-sector missions. AI systems are now embedded in critical infrastructure, federal service delivery, research environments, as well as state and local operations. At the same time, nation-state adversaries are leveraging AI to accelerate intrusion, scale deception and manipulate trusted systems in ways not possible even a year ago."
  https://www.paloaltonetworks.com/blog/2026/01/public-sector-cyber-outlook/
• 7 Predictions For The 2026 Threat Landscape: Navigating The Year Ahead
  "As we navigate 2026, the pace of technological change continues to accelerate — and with it, the cyber threat landscape. Over the past year, our ThreatLabz research team has analyzed countless threats, uncovering trends that give us a clear view of the challenges and opportunities that lie ahead. The rise of artificial intelligence, the dissolution of the traditional perimeter into a hyper-distributed attack surface of users, devices, and applications, and the industrialization of cybercrime demand a new level of vigilance and a modern, AI-powered defensive strategy."
  https://www.zscaler.com/blogs/security-research/7-predictions-2026-threat-landscape-navigating-year-ahead
• Cyber Insights 2026: Offensive Security; Where It Is And Where It’s Going
  "Cyber red teaming will change more in the next 24 months than it has in the past ten years. Malicious attacks are increasing in frequency, sophistication and damage. Defenders need to find and harden system weaknesses before attackers can attack them. That requires red teams to do more, faster."
  https://www.securityweek.com/cyber-insights-2026-offensive-security-where-it-is-and-where-its-going/
• Why We Can’t Let AI Take The Wheel Of Cyber Defense
  "If you want to waste the incredible potential of artificial intelligence, there is a quick way to do it: confuse automation with actual safety or mistake a shiny new tech feature for true resilience. We are currently living through a strange and intense moment in the security world. AI development is moving at a speed that most companies honestly can’t handle, yet the market is flooded with sales pitches promising “autonomous” cyber defenses. The narrative is always the same: install this system, and it will clean up your security mess while you go grab a coffee."
  https://www.securityweek.com/why-we-cant-let-ai-take-the-wheel-of-cyber-defense/
• From Concept To Practice: How SSVC Has Evolved To Make Adoption Possible
  "It’s Patch Tuesday. Your software scanners light up with almost 70 percent more vulnerabilities than last month, and by Friday you’re expected to explain, clearly and defensibly, which ones matter, which ones wait, and which ones could put the organization at real risk if ignored. Your teams are already stretched, new AI-enabled software is landing faster than it can be inventoried, and every dashboard insists its prioritization should come first."
  https://www.sei.cmu.edu/blog/from-concept-to-practice-how-ssvc-has-evolved-to-make-adoption-possible/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศแจ้งเตือนด้านความปลอดภัยจาก Fortinet เกี่ยวกับช่องโหว่การข้ามการยืนยันตัวตน (Authentication Bypass) ในการทำงานของ FortiCloud Single Sign-On (SSO) ซึ่งอาจเปิดโอกาสให้ผู้โจมตีเข้าควบคุมอุปกรณ์ของบัญชีผู้ใช้รายอื่นได้ หากมีการเปิดใช้งาน FortiCloud SSO

1. รายละเอียดช่องโหว่
   Fortinet ได้เปิดเผยช่องโหว่ด้านความปลอดภัยประเภท Authentication Bypass Using an Alternate Path or Channel (CWE-288) หมายเลข CVE-2026-24858 ซึ่งมีคะแนนความรุนแรง CVSS 9.8 (Critical)ช่องโหว่นี้อาจทำให้ผู้โจมตีที่มีบัญชี FortiCloud และมีอุปกรณ์ที่ลงทะเบียนไว้ สามารถใช้กลไก FortiCloud SSO เพื่อเข้าสู่ระบบของอุปกรณ์ Fortinet ที่ลงทะเบียนอยู่กับบัญชี FortiCloud ของบัญชีผู้ใช้รายอื่นได้ หากอุปกรณ์ดังกล่าวเปิดใช้งานการยืนยันตัวตนผ่าน FortiCloud SSO

2. ภาพรวมของช่องโหว่
   ฟีเจอร์ FortiCloud SSO ไม่ได้เปิดใช้งานโดยค่าเริ่มต้นจากโรงงาน อย่างไรก็ตาม เมื่อผู้ดูแลระบบทำการลงทะเบียนอุปกรณ์กับ FortiCare ผ่านหน้า GUI ของอุปกรณ์ หากไม่ได้ปิดตัวเลือก “Allow administrative login using FortiCloud SSO” ฟีเจอร์ดังกล่าวจะถูกเปิดใช้งานโดยอัตโนมัติ Fortinet ยืนยันว่าช่องโหว่นี้ถูกนำไปใช้โจมตีจริง โดยผู้โจมตีสามารถเข้าสู่ระบบอุปกรณ์ผ่าน FortiCloud SSO จากนั้นดาวน์โหลดไฟล์การตั้งค่าของอุปกรณ์ (configuration file) และสร้างบัญชีผู้ดูแลระบบภายในเพิ่มเติมเพื่อคงการเข้าถึงระบบ (persistence)

3. ผลิตภัณฑ์ที่ได้รับผลกระทบและการอัปเกรด

3.1 FortiAnalyzer

• เวอร์ชัน 7.6.0 – 7.6.5 → ควรอัปเกรดเป็น 7.6.6 ขึ้นไป
• เวอร์ชัน 7.4.0 – 7.4.9 → ควรอัปเกรดเป็น 7.4.10 ขึ้นไป
• เวอร์ชัน 7.2.0 – 7.2.11 → ควรอัปเกรดเป็น 7.2.12 ขึ้นไป
• เวอร์ชัน 7.0.0 – 7.0.15 → ควรอัปเกรดเป็น 7.0.16 ขึ้นไป
• เวอร์ชัน 6.4 → ไม่ได้รับผลกระทบ

3.2 FortiManager

• เวอร์ชัน 7.6.0 – 7.6.5 → ควรอัปเกรดเป็น 7.6.6 ขึ้นไป
• เวอร์ชัน 7.4.0 – 7.4.9 → ควรอัปเกรดเป็น 7.4.10 ขึ้นไป
• เวอร์ชัน 7.2.0 – 7.2.11 → ควรอัปเกรดเป็น 7.2.12 ขึ้นไป
• เวอร์ชัน 7.0.0 – 7.0.15 → ควรอัปเกรดเป็น 7.0.16 ขึ้นไป
• เวอร์ชัน 6.4 → ไม่ได้รับผลกระทบ

3.3 FortiOS

• เวอร์ชัน 7.6.0 – 7.6.5 → ควรอัปเกรดเป็น 7.6.6 ขึ้นไป
• เวอร์ชัน 7.4.0 – 7.4.10 → ควรอัปเกรดเป็น 7.4.11 ขึ้นไป
• เวอร์ชัน 7.2.0 – 7.2.12 → ควรอัปเกรดเป็น 7.2.13 ขึ้นไป
• เวอร์ชัน 7.0.0 – 7.0.18 → ควรอัปเกรดเป็น 7.0.19 ขึ้นไป
• เวอร์ชัน 6.4 → ไม่ได้รับผลกระทบ

3.4 FortiProxy

• เวอร์ชัน 7.6.0 – 7.6.4 → ควรอัปเกรดเป็น 7.6.6 ขึ้นไป
• เวอร์ชัน 7.4.0 – 7.4.12 → ควรอัปเกรดเป็น 7.4.13 ขึ้นไป
• เวอร์ชัน 7.2 ทุกเวอร์ชัน → ควรย้ายไปใช้เวอร์ชันที่ได้รับการแก้ไขแล้ว
• เวอร์ชัน 7.0 ทุกเวอร์ชัน → ควรย้ายไปใช้เวอร์ชันที่ได้รับการแก้ไขแล้ว

4. แนวทางการแก้ไข

4.1 แนะนำให้ผู้ดูแลระบบดำเนินการอัปเกรดผลิตภัณฑ์ Fortinet ให้เป็นเวอร์ชันล่าสุดที่มีการแก้ไขช่องโหว่โดยเร็วที่สุด
4.2 ปัจจุบัน Fortinet ได้ยุติการรองรับการเข้าสู่ระบบผ่าน FortiCloud SSO จากอุปกรณ์ที่ใช้งานซอฟต์แวร์เวอร์ชันที่มีช่องโหว่แล้ว ดังนั้น หากอุปกรณ์ได้รับการอัปเกรดเรียบร้อย ไม่จำเป็นต้องปิดการใช้งาน FortiCloud SSO จากฝั่งไคลเอนต์
4.3 ผู้ดูแลระบบสามารถเลือกปิดการใช้งาน FortiCloud SSO เพิ่มเติมได้ตามความเหมาะสม ดังนี้

• FortiOS / FortiProxy: System → Settings → ปิด “Allow administrative login using FortiCloud SSO”
• FortiManager / FortiAnalyzer: System Settings → SAML SSO → ปิด “Allow admins to login with FortiCloud” หรือดำเนินการผ่าน CLI

5. คำแนะนำด้านความปลอดภัยเพิ่มเติม

5.1 ตรวจสอบบัญชีผู้ดูแลระบบทั้งหมดบนอุปกรณ์ Fortinet เพื่อค้นหาบัญชีที่ไม่คาดหมาย
5.2 ตรวจสอบบันทึกการใช้งาน (logs) ที่เกี่ยวข้องกับ FortiCloud SSO
5.3 พิจารณาจำกัดหรือปิดการใช้งาน FortiCloud SSO หากไม่มีความจำเป็นในการใช้งาน
5.4 สามารถตรวจสอบตัวบ่งชี้การถูกโจมตี (Indicators of Compromise: IoCs) และติดตามประกาศด้านความปลอดภัยเพิ่มเติมจาก Fortinet

6.แหล่งอ้างอิง
6.1 https://dg.th/gnw4s89iz5
6.2 https://dg.th/jks3l40y1m

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ พบการเปิดเผยช่องโหว่ความรุนแรงระดับวิกฤติในไลบรารี vm2 ซึ่งใช้เพื่อรัน JavaScript ที่ไม่น่าเชื่อถือในสภาพแวดล้อมแบบ Sandbox มีความรุนแรงระดับ Critical เปิดโอกาสให้ผู้โจมตีสามารถรันโค้ดบนโฮสต์หรือเซิร์ฟเวอร์จริงได้

1. รายละเอียดช่องโหว่:

ช่องโหว่ CVE-2026-22709 เป็นช่องโหว่ระดับวิกฤติ (CVSS 9.8) ในไลบรารี vm2 ซึ่งมีหน้าที่สร้างพื้นที่แยกสำหรับรันโค้ด JavaScript ให้ทำงานอยู่ภายในกรอบที่กำหนด ช่องโหว่นี้อาจทำให้โค้ดที่ควรถูกจำกัดอยู่ภายใน sandbox สามารถข้ามข้อจำกัด และทำงานบนโฮสต์ได้ หากระบบนำ vm2 ไปใช้เพื่อรันโค้ดที่ผู้ใช้ที่ส่งเข้ามาหรือโค้ดจากแหล่งที่ไม่น่าเชื่อถือ ผู้โจมตีอาจใช้ช่องโหว่เพื่อสั่งให้ระบบดำเนินการด้วยสิทธิ์ของโปรแกรมที่ให้บริการอยู่ ส่งผลให้เกิดความเสี่ยงต่อการเข้าถึงข้อมูลสำคัญ การแก้ไขไฟล์หรือการตั้งค่า การติดตั้งมัลแวร์ และอาจนำไปสู่การเข้าควบคุมระบบได้

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ:

vm2 (npm package) เวอร์ชันที่ต่ำกว่า 3.10.2

3. แนวทางการแก้ไข:

อัปเดต vm2 เป็นเวอร์ชัน 3.10.2 หรือใหม่กว่า (แนะนำให้อัปเดตเป็นรุ่นล่าสุดที่ผู้พัฒนาเผยแพร่)

4. คำแนะนำด้านความปลอดภัยเพิ่มเติม

   4.1 ระงับหรือจำกัดฟังก์ชัน ที่เปิดให้รันโค้ดจากผู้ใช้หรือแหล่งที่ไม่น่าเชื่อถือผ่าน vm2 ชั่วคราว เพื่อลดโอกาสถูกโจมตี
   4.2 แยกส่วนการรันโค้ด ไปอยู่ในสภาพแวดล้อมที่จำกัดสิทธิ์มากขึ้น เช่น แยกโปรเซสหรือแยกเครื่อง จำกัดสิทธิ์ของระบบปฏิบัติการ เพื่อลดผลกระทบหากเกิด Sandbox Escape
   4.3 เฝ้าระวังพฤติกรรมผิดปกติบนโฮสต์ เช่น การเรียกใช้คำสั่งระบบ การเขียนไฟล์ผิดปกติ สำหรับบริการที่มีการใช้งาน vm2

5. แหล่งอ้างอิง (References)
   5.1 https://dg.th/h5je0gi79k
   5.2 https://dg.th/xf0hizpl5n

ด่วน Microsoft ประกาศออกแพตช์แก้ไขช่องโหว่ Zero-Day หมายเลข CVE-2026-21509 ซึ่งเป็นช่องโหว่ที่ถูกนำไปใช้โจมตีจริงแล้ว ขอให้ผู้ใช้งาน Microsoft Office ทำการตรวจสอบและดำเนินการอัปเดตโดยด่วน!!

รายละเอียดช่องโหว่
• CVE-2026-21509 เป็นช่องโหว่ประเภท Security Feature Bypass ในผลิตภัณฑ์ Microsoft Office มีคะแนน CVSS Score 7.8 ซึ่งเปิดโอกาสให้ผู้โจมตีสามารถข้ามกลไกป้องกันด้านความปลอดภัยของระบบ โดยอาศัยการหลอกให้ผู้ใช้เปิดไฟล์ Office ที่ถูกจัดเตรียมขึ้นเป็นพิเศษ อันอาจเอื้อต่อการทำงานของโค้ดหรือกระบวนการที่เป็นอันตรายบนเครื่องของผู้ใช้ ทั้งนี้ Microsoft ยืนยันว่าช่องโหว่นี้ถูกนำไปใช้โจมตีจริงในลักษณะ Zero-day แล้ว โดยระบบที่มีความเสี่ยงที่จะถูกโจมตีสำเร็จมีเงื่อนไขดังนี้
• ใช้งาน Microsoft Office เวอร์ชันที่ยังไม่ได้รับการอัปเดตแพตช์ความปลอดภัย
• ผู้ใช้งานที่เปิดไฟล์เอกสาร Office จากแหล่งที่ไม่น่าเชื่อถือ
• ระบบไม่มีการบังคับใช้นโยบายความปลอดภัยเพิ่มเติม เช่น Protected View หรือ Macro Protection

ผลิตภัณฑ์ที่ได้รับผลกระทบ (ในกรณียังไม่ได้อัปเดตแพตช์หรือยังไม่ได้รีสตาร์ตระบบ)
• Microsoft Office 2016
• Microsoft Office 2019
• Microsoft Office LTSC 2021
• Microsoft Office LTSC 2024
• Microsoft 365 Apps for Enterprise

🧩 เวอร์ชันที่ได้รับการแก้ไขแล้ว
• Microsoft Office 2019 (32-bit edition) - 16.0.10417.20095
• Microsoft Office 2019 (64-bit edition) - 16.0.10417.20095
• Microsoft Office 2016 (32-bit edition) - 16.0.5539.1001
• Microsoft Office 2016 (64-bit edition) - 16.0.5539.1001
สำหรับผู้ใช้งานและผู้ดูแลระบบที่ใช้งาน Microsoft Office 2021 และเวอร์ชันที่ใหม่กว่า Microsoft ได้ดำเนินการแก้ไขผ่านการอัปเดตฝั่งบริการ (service-side) แล้ว โดยผู้ใช้จำเป็นต้องรีสตาร์ตโปรแกรม Office เพื่อให้การป้องกันมีผลสมบูรณ์ ได้แก่เวอร์ชัน
• Microsoft Office 2021 ทุกเวอร์ชัน และรุ่นที่ใหม่กว่า
• Microsoft Office LTSC 2024
• Microsoft 365 Apps for Enterprise

1. แนวทางการตรวจสอบ
   • ตรวจสอบเวอร์ชันของ Microsoft Office ว่าอยู่ในกลุ่มที่ได้รับผลกระทบหรือไม่
   • ตรวจสอบสถานะการติดตั้งแพตช์ความปลอดภัยล่าสุดจาก Microsoft
   • ตรวจสอบ Log การเปิดไฟล์ Office และพฤติกรรมการทำงานของแอปพลิเคชัน เพื่อค้นหากิจกรรมที่ผิดปกติ
   • ตรวจสอบการใช้งานทรัพยากรระบบ เช่น CPU, Memory และ Network Traffic ที่มีลักษณะผิดปกติ

2. แนวทางการป้องกัน
   สำหรับผู้ใช้งานและผู้ดูแลระบบที่ใช้งาน Microsoft Office 2016 และ Microsoft Office 2019 จำเป็นต้องดำเนินการติดตั้งอัปเดตความปลอดภัยตามเวอร์ชันที่ Microsoft กำหนด ดังต่อไปนี้
   • Microsoft Office 2019 (32-bit edition) - 16.0.10417.20095
   • Microsoft Office 2019 (64-bit edition) - 16.0.10417.20095
   • Microsoft Office 2016 (32-bit edition) - 16.0.5539.1001
   • Microsoft Office 2016 (64-bit edition) - 16.0.5539.1001
   ทั้งนี้ ผู้ใช้งานสามารถตรวจสอบรายละเอียดและดาวน์โหลดแพตช์อัปเดตความปลอดภัยได้จากเว็บไซต์ Microsoft Security Response Center (MSRC) ที่ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

สำหรับผู้ใช้งานและผู้ดูแลระบบที่ใช้งาน Microsoft Office 2021 และเวอร์ชันที่ใหม่กว่า
Microsoft ได้ดำเนินการแก้ไขช่องโหว่ผ่านการปรับปรุงระบบฝั่งบริการ (service-side) เรียบร้อยแล้ว โดยขอแนะนำให้ดำเนินการ รีสตาร์ตโปรแกรม Microsoft Office เพื่อให้การตั้งค่าความปลอดภัยมีผลบังคับใช้อย่างสมบูรณ์ ครอบคลุมผลิตภัณฑ์ดังต่อไปนี้
• Microsoft Office 2021 ทุกเวอร์ชัน และรุ่นที่ใหม่กว่า
• Microsoft Office LTSC 2024
• Microsoft 365 Apps for Enterprise

3. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตแพตช์ได้ทันที)
   • หลีกเลี่ยงการเปิดไฟล์ Office จากแหล่งที่ไม่ทราบที่มา
   • เปิดใช้งานฟีเจอร์ Protected View และ Macro Protection เพื่อป้องกันไฟล์จากแหล่งที่ไม่น่าเชื่อถือ
   • จำกัดสิทธิ์ผู้ใช้งานไม่ให้สามารถติดตั้งซอฟต์แวร์หรือรันไฟล์ที่ไม่ได้รับอนุญาต
   • ใช้มาตรการ Endpoint Protection เพื่อตรวจจับพฤติกรรมผิดปกติ
   • เพิ่มการเฝ้าระวัง Log และเหตุการณ์ผิดปกติแบบ Real-time

อ้างอิง
https://dg.th/8vhm95tnqb
https://dg.th/lh6w4r0muz
https://dg.th/fv8srq16la
https://dg.th/9gj4es1fvo

ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยจาก OpenSSL เกี่ยวกับช่องโหว่ในกระบวนการแยกวิเคราะห์ (parsing) ไฟล์ PKCS#12 ซึ่งเกิดจากการตรวจสอบข้อมูลอินพุตที่ไม่เพียงพอ หากแอปพลิเคชันมีการประมวลผลไฟล์ PKCS#12 ที่ถูกสร้างขึ้นอย่างผิดรูปแบบ อาจส่งผลให้แอปพลิเคชันเกิดการทำงานล้มเหลว และนำไปสู่การโจมตีแบบปฏิเสธการให้บริการ (Denial of Service: DoS)

1. รายละเอียดช่องโหว่ OpenSSL ได้เปิดเผยช่องโหว่ด้านความปลอดภัยจำนวน 2 รายการ ที่เกี่ยวข้องกับกระบวนการประมวลผลไฟล์ PKCS#12 ซึ่งเกิดขึ้นในขั้นตอนการทำงานคนละส่วน แต่ส่งผลกระทบในลักษณะเดียวกัน คือทำให้แอปพลิเคชันที่ประมวลผลไฟล์ดังกล่าวเกิดการทำงานล้มเหลว

1.1 ช่องโหว่ประเภท NULL Pointer Dereference หมายเลข CVE-2026-22795 มีคะแนน CVSS: N/A เกิดจากฟังก์ชัน PKCS12_item_decrypt_d2i_ex() ไม่มีการตรวจสอบค่าพารามิเตอร์ oct ว่าเป็นค่า NULL ก่อนนำไปใช้งาน เมื่อถูกเรียกจาก PKCS12_unpack_p7encdata() พร้อมกับไฟล์ PKCS#12 ที่ผิดรูปแบบ อาจทำให้แอปพลิเคชันเกิดการทำงานล้มเหลว

1.2 ช่องโหว่ประเภท Missing ASN1_TYPE Validation หมายเลข CVE-2026-22796 มีคะแนน CVSS: 5.3 ช่องโหว่ประเภท Missing ASN1_TYPE Validation เกิดจากการไม่ตรวจสอบชนิดข้อมูลของ ASN1_TYPE ก่อนนำไปใช้งาน ส่งผลให้เกิดปัญหา type confusion และอาจนำไปสู่การอ้างอิง pointer ที่ไม่ถูกต้องหรือเป็นค่า NULL ระหว่างการอ่านข้อมูลจากหน่วยความจำ

2. ภาพรวมของช่องโหว่ ช่องโหว่ทั้งสองรายการสามารถถูกโจมตีได้เมื่อผู้ใช้หรือแอปพลิเคชันมีการเปิดหรือประมวลผลไฟล์ PKCS#12 ที่ถูกสร้างขึ้นอย่างประสงค์ร้าย โดยผลกระทบจำกัดอยู่ในลักษณะ การปฏิเสธการให้บริการ (DoS) เท่านั้น ไม่พบการยกระดับสิทธิ์ การรันโค้ดจากระยะไกล (Remote Code Execution) หรือการรั่วไหลของข้อมูลในหน่วยความจำ ทั้งนี้ลักษณะการโจมตีดังกล่าวพบได้ไม่บ่อย เนื่องจากไฟล์ PKCS#12 มักใช้จัดเก็บกุญแจส่วนตัวและใบรับรองดิจิทัล ซึ่งโดยทั่วไปเป็นไฟล์ที่เชื่อถือได้

3. ผลิตภัณฑ์ที่ได้รับผลกระทบ

3.1 OpenSSL 3.6 ควรอัปเกรดเป็น OpenSSL 3.6.1
3.2 OpenSSL 3.5 ควรอัปเกรดเป็น OpenSSL 3.5.5
3.3 OpenSSL 3.4 ควรอัปเกรดเป็น OpenSSL 3.4.4
3.4 OpenSSL 3.3 ควรอัปเกรดเป็น OpenSSL 3.3.6
3.5 OpenSSL 3.0 ควรอัปเกรดเป็น OpenSSL 3.0.19
3.6 OpenSSL 1.1.1 ควรอัปเกรดเป็น OpenSSL 1.1.1ze (สำหรับลูกค้า premium support เท่านั้น)
3.7 OpenSSL 1.0.2 ควรอัปเกรดเป็น OpenSSL 1.0.2zn (สำหรับลูกค้า premium support เท่านั้น)

4. แนวทางการแก้ไข

4.1 แนะนำให้ผู้ดูแลระบบและผู้ใช้งานดำเนินการอัปเกรด OpenSSL เป็นเวอร์ชันที่ได้รับการแก้ไขแล้วโดยเร็ว
4.2 ตรวจสอบระบบและแอปพลิเคชันที่มีการใช้งาน OpenSSL และมีการประมวลผลไฟล์ PKCS#12 ว่าอยู่ในขอบเขตที่ได้รับผลกระทบหรือไม่

5. คำแนะนำด้านความปลอดภัยเพิ่มเติม

5.1 หลีกเลี่ยงหรือจำกัดการรับและประมวลผลไฟล์ PKCS#12 จากแหล่งที่ไม่น่าเชื่อถือ
5.2 กำหนดนโยบายการจัดการกุญแจดิจิทัลและไฟล์ PKCS#12 ให้เหมาะสม
5.3 OpenSSL FIPS Module ในเวอร์ชัน 3.5, 3.4, 3.3 และ 3.0 ไม่อยู่ในขอบเขตที่ได้รับผลกระทบ จากช่องโหว่นี้
5.4 ติดตามประกาศด้านความปลอดภัยจาก OpenSSL และ ThaiCERT อย่างต่อเนื่อง

6.แหล่งอ้างอิง
6.1 https://dg.th/3mn4itf9bz
6.2 https://dg.th/kunq3awt2r
6.3 https://dg.th/pyc3klo17s

Financial Sector

• Investigation Into International “ATM Jackpotting” Scheme And Tren De Aragua Results In Additional Indictment And 87 Total Charged Defendants
  "A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as “ATM jackpotting.” Fifty-six others have already been charged. Many of the defendants charged in this Homeland Security Task Force operation are Venezuelan and Colombian nationals including illegal alien Tren de Aragua (TdA) members. This indictment alleges 32 counts including conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, bank fraud, bank burglary, and damage to computers."
  https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional
  https://therecord.media/dozens-more-charged-ploutus-jackpotting-atm
  https://www.bleepingcomputer.com/news/security/us-charges-31-more-suspects-linked-to-atm-malware-attacks/
  https://hackread.com/us-charges-atm-jackpotting-scam-suspects/

Healthcare Sector

• Report: Attacks 'Cascade' From IT, OT To Patient Care
  "Of the millions of threats detected in healthcare IT environments last year, email phishing, identity failures and device vulnerabilities were among the dominant vectors for non-clinical IT compromises - often "cascading" into patient care workflows and causing nearly $2 million a day in losses, said a new report from security firm Trellix. Of 54.7 million threats detected by Trellix last year across its healthcare customers worldwide, 75% originated at U.S.-based organizations, with email incidents - including phishing - accounting for at least 85% of the detections, Trellix said."
  https://www.bankinfosecurity.com/report-attacks-cascade-from-it-ot-to-patient-care-a-30608
  https://www.trellix.com/assets/reports/trellix-healthcare-cybersecurity-threat-intelligence-report.pdf

Vulnerabilities

• Critical Sandbox Escape Flaw Found In Popular Vm2 NodeJS Library
  "A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem. vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code."
  https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/
• Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
  "Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability."
  https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/
  https://fortiguard.fortinet.com/psirt/FG-IR-26-060
  https://www.helpnetsecurity.com/2026/01/28/fortinet-forticloud-sso-zero-day-vulnerability-cve-2026-24858/
• Cellbreak: Grist’s Pyodide Sandbox Escape And The Data-At-Risk Blast Radius
  "One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead. This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between “cell logic” and host execution. Grist‑Core is a modern relational spreadsheet and programmable alternative to Excel and Google Sheets. Teams use it to model business data, build lightweight apps, and automate workflows with Python formulas across tables and integrations."
  https://www.cyera.com/research-labs/cellbreak-grists-pyodide-sandbox-escape-and-the-data-at-risk-blast-radius
  https://www.infosecurity-magazine.com/news/pyodide-sandbox-escape-rce-grist/
• CISA Adds Five Known Exploited Vulnerabilities To Catalog
  "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2018-14634 Linux Kernel Integer Overflow Vulnerability
  CVE-2025-52691 SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
  CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability
  CVE-2026-23760 SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
  CVE-2026-24061 GNU InetUtils Argument Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog
  https://securityaffairs.com/187375/security/u-s-cisa-adds-microsoft-office-gnu-inetutils-smartertools-smartermail-and-linux-kernel-flaws-to-its-known-exploited-vulnerabilities-catalog.html
  https://www.securityweek.com/organizations-warned-of-exploited-linux-vulnerabilities/
• Over 6,000 SmarterMail Servers Exposed To Automated Hijacking Attacks
  "Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability. Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier. The vulnerability was later assigned CVE-2026-23760 and rated critical severity, as it allows unauthenticated attackers to hijack admin accounts and gain remote code execution on the host, enabling them to take control of vulnerable servers."
  https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/
  https://securityaffairs.com/187394/hacking/shadowserver-finds-6000-likely-vulnerable-smartermail-servers-exposed-online.html
• OpenSSL Security Advisory (corrected - Added CVE-2026-22795 And CVE-2026-22796)
  "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs."
  https://groups.google.com/a/openssl.org/g/openssl-project/c/pwBoo9Tac6M

Malware

• Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
  "The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness."
  https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
  https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
  https://cyberscoop.com/winrar-defect-active-exploits-google-threat-intel/
• HoneyMyte Updates CoolClient And Deploys Multiple Stealers In Recent Campaigns
  "Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities. As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance."
  https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/
  https://www.bleepingcomputer.com/news/security/chinese-mustang-panda-hackers-deploy-infostealers-via-coolclient-backdoor/
• Alert: Sicarii Ransomware Encryption Key Handling Defect
  "Sicarii ransomware operations have been observed using an encryption process that can render post-payment data recovery impossible, even if a decryptor is provided. Halcyon malware analysts were the first to observe that the Sicarii binary includes a functional RSA implementation, but it is used in a way that undermines recoverability. During execution, the malware regenerates a new RSA key pair locally, uses the newly generated key material for encryption, and then discards the private key. This per-execution key generation means encryption is not tied to a recoverable master key, leaving victims without a viable decryption path and making attacker-provided decryptors ineffective for affected systems. Halcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error. Organizations impacted by Sicarii ransomware should assume that ransom payment will not result in successful data restoration unless there is independent confirmation that this defect has been corrected."
  https://www.halcyon.ai/ransomware-alerts/alert-sicarii-ransomware-encryption-key-handling-defect
  https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted
• How We Discovered A Campaign Of 16 Malicious Extensions Built To Steal ChatGPT Accounts
  "LayerX Research identified a coordinated set of Chrome browser extensions marketed as ChatGPT enhancement and productivity tools. In practice, however, these extensions are meant to steal users’ ChatGPT identities. The campaign consists of at least 16 distinct extensions developed by the same threat actor, in order to reach as wide a distribution as possible. This campaign coincides with a broader trend: the rapid growth in adoption of AI-powered browser extensions, aimed at helping users with their everyday productivity needs."
  https://layerxsecurity.com/blog/how-we-discovered-a-campaign-of-16-malicious-extensions-chatgpt/
  https://hackread.com/fake-chatgpt-extensions-hijack-user-accounts/
  https://www.securityweek.com/chrome-edge-extensions-caught-stealing-chatgpt-sessions/
• APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, And MAILCREEP | Part 2
  "In September 2025, Zscaler ThreatLabz uncovered three additional backdoors, SHEETCREEP, FIREPOWER, and MAILCREEP, used to power the Sheet Attack campaign. In Part 2 of this series, ThreatLabz will delve into these backdoors and analyze how threat actors are leveraging generative AI in their malware development processes. The Sheet Attack campaign stands out for its use of Google Sheets as a command-and-control (C2) channel, an uncommon tactic in this region. Between November 2025 and January 2026, ThreatLabz observed the deployment of new tools, including SHEETCREEP and FIREPOWER, along with MAILCREEP, which is used to manipulate emails, and a PowerShell-based document stealer to exfiltrate files."
  https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and
• Dark Web Profile: BravoX Ransomware
  "BravoX is an emerging Ransomware-as-a-Service (RaaS) operation that surfaced after the publication of a new TOR-based data leak site (DLS) following a forum post on the RAMP underground forum. First observed in January 2026, the group currently operates at low volume, listing a limited number of victims while actively advertising an affiliate-driven model aimed at scaling its operations."
  https://socradar.io/blog/dark-web-profile-bravox-ransomware/

Breaches/Hacks/Leaks

• SoundCloud Data Breach
  "In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month."
  https://haveibeenpwned.com/Breach/SoundCloud
  https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
• Russian Security Systems Firm Delta Hit By Cyberattack, Services Disrupted
  "A cyberattack has disrupted operations at Delta, a Russian provider of alarm and security systems for homes, businesses and vehicles, causing widespread service outages and a wave of customer complaints. Delta said on Monday that it had been hit by a “large-scale, coordinated and well-organized” cyberattack that originated from an unspecified “hostile foreign state.” The company acknowledged temporary disruptions to some services but said there was no evidence that customers’ personal data had been compromised."
  https://therecord.media/russia-delta-security-alarm-company-cyberattack
• Nova Ransomware Claims Breach Of KPMG Netherlands
  "KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated. The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day. Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations."
  https://dig.watch/updates/nova-ransomware-claims-breach-of-kpmg-netherlands

General News

• When Open Science Meets Real-World Cybersecurity
  "Scientific research environments are built for openness and collaboration, often prioritizing long-term discovery over traditional enterprise security. In this Help Net Security interview, Matthew Kwiatkowski, CISO at Fermilab, America’s particle physics and accelerator laboratory, discusses where cybersecurity blind spots emerge, why availability can outweigh confidentiality, and how security teams protect complex, legacy-driven research infrastructure while supporting scientific progress."
  https://www.helpnetsecurity.com/2026/01/27/matthew-kwiatkowski-fermilab-research-cybersecurity-challenges/
• Waiting For AI Superintelligence? Don’t Hold Your Breath
  "AI’s impact on systems, security, and decision-making is already permanent. Superintelligence, often referred to as artificial superintelligence (ASI), describes a theoretical stage in which AI capability exceeds human cognitive performance across domains. Whether current systems are progressing toward cybersecurity superintelligence remains uncertain."
  https://www.helpnetsecurity.com/2026/01/27/cybersecurity-superintelligence-ai-future/
• AI’s Appetite For Data Is Testing Enterprise Guardrails
  "Privacy programs are taking on more operational responsibility across the enterprise. A new Cisco global benchmark study shows expanding mandates, rising investment, and sustained pressure around data quality, accountability, and cross-border data management tied to AI systems. AI projects expanded the scope of privacy work across most enterprises over the past year. Budgets followed that shift, with additional spending planned as AI moves from pilots into production systems."
  https://www.helpnetsecurity.com/2026/01/27/cisco-ai-expands-privacy-programs/
• AI & The Death Of Accuracy: What It Means For Zero-Trust
  "The glut of AI-generated content could introduce risks to large language models (LLMs) as AI tools begin to train on themselves. Gartner on Jan. 21 predicted that, by 2028, 50% of organizations will implement a zero-trust data governance posture due to an increase in what the analyst firm calls "unverified AI-generated data." Gartner dubbed the idea "model collapse," where machine-learning models could degrade based on errors introduced when they train on AI-generated content. That, in turn, could prompt a new security practice area related to zero-trust: continuous model behavior evaluation."
  https://www.darkreading.com/application-security/ai-death-accuracy-zero-trust
• Beauty In Destruction: Exploring Malware's Impact Through Art
  "An eye-catching giant heart dangles from the ceiling in the lobby of Finnish security company WithSecure. The heart is crafted from 728 computer mice, crowdsourced from around the world, and each one is painted pink. The "Click for Love" art installation is the work of two artists, Hugo Lankinen and Kasper Hildén, who conceived of a pixelated heart in which each mouse acted as a 3D pixel."
  https://www.darkreading.com/vulnerabilities-threats/beauty-in-destruction-exploring-malware-impact-through-art
• Hand CVE Over To The Private Sector
  "The Common Vulnerability Enumeration (CVE), now dubbed Common Vulnerabilities and Exposures, was created in 1999 to fill a void that never really existed to begin with. The CVE initiative was born out of a white paper titled "Towards a Common Enumeration of Vulnerabilities," written by David Mann and Steve Christey-Coley. The gist of the paper described the need for a "common enumeration" of vulnerabilities. However, it overlooks that there was already a broad coverage public vulnerability database (VDB) that had existed for more than a year."
  https://www.darkreading.com/cybersecurity-operations/hand-cve-over-to-private-sector
• Over 80% Of Ethical Hackers Now Use AI
  "The vast majority (82%) of ethical hackers now use AI in their workflows, enabling companies to benefit from faster findings, more assessments, broader security coverage and higher quality reporting, according to Bugcrowd. The bug bounty specialist polled 2000 security researchers worldwide to compile its Inside the Mind of a Hacker report. It revealed a sharp jump in the share of respondents using AI, up from 64% in 2023. Three-quarters (74%) now believe AI increases the value of their work, virtually unchanged from last year."
  https://www.infosecurity-magazine.com/news/over-80-of-ethical-hackers-now-use/
• Cyber Insights 2026: Quantum Computing And The Potential Synergy With Advanced AI
  "It’s hard not to have a dystopian view on the long term future effect of powerful quantum computers wedded to advanced artificial intelligence. But at least we have a few years to prepare. Quantum computers are coming, with a potential computing power almost beyond comprehension. That’s a given. The known threat is to current public key encryption methods, such as RSA and ECC, which will both be crackable through Shor’s algorithm in short timeframes. It is believed that nation states and advanced criminal gangs are engaged in a widespread harvest now, decrypt later (HNDL) campaign – steal and store data and secrets today, even if they are encrypted, because they can be decrypted later with quantum computers."
  https://www.securityweek.com/cyber-insights-2026-quantum-computing-and-the-potential-synergy-with-advanced-ai/
• China Hacked Downing Street Phones For Years
  "China hacked the mobile phones of senior officials in Downing Street for several years, The Telegraph can disclose. The spying operation is understood to have compromised senior members of the government, exposing their private communications to Beijing. State-sponsored hackers are known to have targeted the phones of some of the closest aides to Boris Johnson, Liz Truss and Rishi Sunak between 2021 and 2024."
  https://www.telegraph.co.uk/news/2026/01/26/china-hacked-downing-street-phones-for-years/
  https://www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/
• Why Has Microsoft Been Routing Example.com Traffic To a Company In Japan?
  "From the Department of Bizarre Anomalies: Microsoft has suppressed an unexplained anomaly on its network that was routing traffic destined to example.com—a domain reserved for testing purposes—to a maker of electronics cables located in Japan. Under the RFC2606—an official standard maintained by the Internet Engineering Task Force—example.com isn’t obtainable by any party. Instead it resolves to IP addresses assigned to Internet Assiged Names Authority. The designation is intended to prevent third parties from being bombarded with traffic when developers, penetration testers, and others need a domain for testing or discussing technical issues. Instead of naming an Internet-routable domain, they are to choose example.com or two others, example.net and example.org."
  https://arstechnica.com/information-technology/2026/01/odd-anomaly-caused-microsofts-network-to-mishandle-example-com-traffic/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

New Tooling

• Brakeman: Open-Source Vulnerability Scanner For Ruby On Rails Applications
  "Brakeman is an open-source security scanner used by teams that build applications with Ruby on Rails. The tool focuses on application code and configuration, giving developers and security teams a way to identify common classes of web application risk during development and testing. Brakeman analyzes application source code directly, including controllers, models, views, and templates. The scanner builds an internal representation of how data moves through the application, which allows it to flag patterns associated with security issues."
  https://www.helpnetsecurity.com/2026/01/26/brakeman-open-source-vulnerability-scanner-ruby-on-rails/
  https://github.com/presidentbeef/brakeman

Vulnerabilities

• Microsoft Patches Actively Exploited Office Zero-Day Vulnerability
  "Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company's cloud-based subscription service). However, as noted in today's advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible."
  https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
  https://securityaffairs.com/187349/hacking/emergency-microsoft-update-fixes-in-the-wild-office-zero-day.html
• Nearly 800,000 Telnet Servers Exposed To Remote Attacks
  "Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server. The security flaw (CVE-2026-24061) impacts GNU InetUtils versions 1.9.3 (released 11 years ago in 2015) through 2.7 and was patched in version 2.8 (released on January 20). "The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," explained open-source contributor Simon Josefsson, who reported it."
  https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/
• Hands-Free Lockpicking: Critical Vulnerabilities In Dormakaba’s Physical Access Control System
  "In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba’s physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators. It controls access to public and restricted areas, typically in combination with key cards (RFID) or fingerprint readers. According to the manufacturer, several thousand customers were affected, a small proportion of whom operate in environments with high security requirements."
  https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/
  https://www.securityweek.com/access-system-flaws-enabled-hackers-to-unlock-doors-at-major-european-firms/

Malware

• Novel Fake CAPTCHA Chain Delivering Amatera Stealer
  "The Blackpoint SOC has identified a new Fake CAPTCHA campaign that leverages a signed Microsoft Application Virtualization (App-V)1 script, SyncAppvPublishingServer.vbs, as a LOLBIN to proxy execution through a legitimate Windows component. Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths. Early stages are designed to validate execution order and user behavior rather than exploit a vulnerability. Progression is gated on conditions established during the initial interaction, and when those expectations are not met, execution quietly stalls. This reinforces that the delivery flow itself is a core part of the attack, not just a means to reach the final payload."
  https://blackpointcyber.com/blog/novel-fake-captcha-chain-delivering-amatera-stealer/
  https://www.bleepingcomputer.com/news/security/new-clickfix-attacks-abuse-windows-app-v-scripts-to-push-malware/
  https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/
• Stanley — A $6,000 Russian Malware Toolkit With Chrome Web Store Guarantee
  "Browser-based attacks have entered a new phase, one that's more aggressive, more coordinated, and more dangerous than what we saw a few months ago. An attack vector once considered low-impact has become a huge threat targeting millions of online users. In December 2025, DarkSpectre exposed gaps in browser security by compromising 8.8 million Chrome, Edge, and Firefox users through three linked campaigns. January 2026 brought another concern: two extensions with a combined 900,000 installations were caught quietly siphoning ChatGPT and DeepSeek conversations, one of which carried Google's "Featured" badge. Around the same time, the CrashFix campaign manipulated users into installing a remote access trojan by intentionally crashing their browsers and posing as the solution."
  https://www.varonis.com/blog/stanley-malware-kit
  https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/
  https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/
  https://www.securityweek.com/stanley-malware-toolkit-enables-phishing-via-website-spoofing/
• PackageGate: 6 Zero-Days In JS Package Managers But NPM Won't Act
  "After Shai-Hulud ripped through npm last November (700+ packages compromised, 25,000 repos exposed) the ecosystem settled on a defense playbook: disable lifecycle scripts, and commit your lockfiles. It became the standard advice everywhere from GitHub security guides to corporate policy docs. Makes sense. If malicious code can't run on install, and your dependency tree is pinned, you're covered. Right?"
  https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
  https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/
• APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, And GOSHELL | Part 1
  "In September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel."
  https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell
• Weaponized In China, Deployed In India: The SyncFuture Espionage Targeted Campaign
  "In early December 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive. The threat actor's primary objective is to gain persistent, elevated access to the victim's machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information."
  https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign
  https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html
• Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations Via Live Phishing Panels
  "A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises. Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH—a predatory alliance between Scattered Spider, LAPSUS$, and ShinyHunters. This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (“vishing”) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups."
  https://www.silentpush.com/blog/slsh-alert/
  https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
• PeckBirdy: A Versatile Script Framework For LOLBins Exploitation Used By China-Aligned Threat Groups
  "Since 2023, we have been observing threat campaigns employing a previously unseen script-based command-and-control (C&C) framework which we named PeckBirdy, being used against Chinese gambling industries, as well as malicious activities targeting Asian government entities and private organizations. While tracking this framework, we identified at least two campaigns using PeckBirdy, which we were able to link to several China-aligned advanced persistent threat (APT) actors. Note that we’ve previously discussed these campaigns during the HitCon conference last August 2025, and are now publishing this entry to share our findings to a wider audience."
  https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html
• eScan Antivirus Supply Chain Breach Delivers Signed Malware
  "A critical supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was identified on January 20 2026, after malicious updates were reportedly delivered through the vendor’s legitimate update infrastructure. The incident led to the global distribution of multi-stage malware to enterprise and consumer endpoints, according to findings published today from Morphisec Threat Labs. The malicious packages were allegedly digitally signed using a compromised eScan certificate, allowing them to appear legitimate and bypass standard trust mechanisms. Once deployed, the malware established persistence, enabled remote access capabilities and actively prevented affected systems from receiving further updates."
  https://www.infosecurity-magazine.com/news/escan-antivirus-breach-delivers/
• SEO Poisoning Marketplace Topping Search Results, Impersonating Top Financial Institutions
  "Fortra Intelligence and Research Experts (FIRE) have uncovered a group of active malicious threat actors operating since 2020. The group refers to themselves as Haxor, a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO. HxSEO has established its primary base of operations and marketplace on Telegram and WhatsApp. HxSEO stands out for their emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages. Their optimization is impressively successful, with FIRE identifying fraudulent login pages that rank higher than the legitimate pages of global financial institutions."
  https://www.fortra.com/blog/seo-poisoning-marketplace-topping-search-results-impersonating-top-financial-institutions
  https://www.infosecurity-magazine.com/news/researchers-haxor-seo-poisoning/
• Detection Of Recent RMM Distribution Cases Using AhnLab EDR
  "AhnLab SEcurity intelligence Center (ASEC) has recently observed an increase in attack cases exploiting Remote Monitoring and Management (RMM) tools. Whereas attackers previously exploited remote control tools during the process of seizing control after initial penetration, they now increasingly leverage RMM tools even during the initial distribution phase across diverse attack scenarios. This article covers recently identified RMM exploitation cases and detection methods using AhnLab EDR."
  https://asec.ahnlab.com/en/92319/

Breaches/Hacks/Leaks

• FRESH BREACH — LENA HEALTH BREACH PREVIEW — FULL LEAK COMING SOON
  "Lena Health is a company the world will be better off without. To this end, we are working with a plaintiff attorney to contact the true victims of this breach, mostly patients of Lena’s main client, Houston Methodist Hospital, to 1) coördinate a class action against the company, and 2) pressure Houston Methodist to cease their usage of this terrible “digital helper” system."
  https://databreaches.net/2026/01/26/125824/?pk_campaign=feed&pk_kwd=125824

General News

• Rethinking Cybersecurity In a Platform World
  "For more than a decade, enterprise cybersecurity has relied on point solutions. Companies invested in separate tools - endpoint detection, firewalls, cloud security, and identity and access management - each designed to address a specific threat or compliance requirement. But that approach is starting to break down. One big reason? Scale. Most large enterprises juggle 40 to 70 different security tools. In a fast-moving business environment, that's not just overwhelming - it's becoming a real barrier to effective risk management."
  https://www.bankinfosecurity.com/blogs/rethinking-cybersecurity-in-platform-world-p-4035
• Cyber Insights 2026: Threat Hunting In An Age Of Automation And AI
  "Threat hunting is the practice of finding threats within the system. It sits between external attack surface management (EASM), and the security operations center (SOC). EASM seeks to thwart attacks by protecting the interface between the network and the internet. If it fails, and an attacker gets into the system, threat hunting seeks to find and monitor the traces left by the adversary so the attack can be neutralized before damage can be done. SOC engineers take new threat hunter data and build new detection rules for the SIEM. That’s a theoretical representation – precise details vary between different organizations."
  https://www.securityweek.com/cyber-insights-2026-threat-hunting-in-an-age-of-automation-and-ai/
• BreachForums Disclosure Surfaces Falling Out Among ShinyHunters Thieves
  "Sunlight is said to be the best disinfectant, so now that the real identities of hundreds of thousands of alleged cybercriminals have been revealed, it will be interesting to see how many wind up in prison. Earlier this month a disgruntled member of the cybercrime syndicate known as ShinyHunters decided to disclose detailed information on 323,986 users of an online BreachForums site where cybercriminals acquire tools and share tactics and techniques. Apparently upset about cyberattacks targeting organizations in France, a cybercriminal only identified as “James” decided the time had come to show his former compatriots that they are no longer able to anonymously launch cyberattacks."
  https://blog.barracuda.com/2026/01/26/breachforums-disclosure-shinyhunters

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand