NCSA Webboard
    Posts created by NCSA_THAICERT

    • INTERPOL launches Operation Ramz, dismantling phishing and malware infrastructure in 13 countries

      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • 7-Eleven confirms data breach after the ShinyHunters group claims to have stolen more than 600,000 Salesforce records

      Posted in Cyber Security News
    • New Reaper malware variant found on macOS uses spoofed domains to steal passwords and plant a backdoor

      Posted in Cyber Security News
    • CISA adds 1 exploited vulnerability to its catalog

      On 16 May B.E. 2569 (2026), the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation, as follows:

      • CVE-2026-42897 Microsoft Exchange Server Cross-Site Scripting Vulnerability

      References
      https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • CISA publishes 7 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published 7 advisories on industrial control systems (ICS) on 19 May B.E. 2569 (2026) to provide timely information on security issues, vulnerabilities and attacks related to ICS, as follows:

      • ICSA-26-139-01 ABB CoreSense HM and CoreSense M10
      • ICSA-26-139-02 Siemens RUGGEDCOM APE1808 Devices
      • ICSA-26-139-03 ScadaBR
      • ICSA-26-139-04 ZKTeco CCTV Cameras
      • ICSA-26-139-05 Kieback & Peter DDC Building Controllers
      • ICSA-24-177-01 ABB 800xA Base (Update A)
      • ICSA-25-196-02 ABB RMC-100 (Update A)

      CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • CISA publishes 18 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published 18 advisories on industrial control systems (ICS) on 14 May B.E. 2569 (2026) to provide timely information on security issues, vulnerabilities and attacks related to ICS, as follows:

      • ICSA-26-134-01 Siemens gWAP
      • ICSA-26-134-02 Siemens Ruggedcom Rox
      • ICSA-26-134-03 Siemens Solid Edge
      • ICSA-26-134-04 Siemens Teamcenter
      • ICSA-26-134-05 Siemens Simcenter Femap
      • ICSA-26-134-06 Siemens Industrial Devices
      • ICSA-26-134-07 Siemens SIMATIC
      • ICSA-26-134-08 Siemens ROS#
      • ICSA-26-134-09 Siemens Opcenter RDnL
      • ICSA-26-134-10 Siemens SIMATIC CN 4100
      • ICSA-26-134-11 Siemens Ruggedcom Rox
      • ICSA-26-134-12 Siemens Ruggedcom Rox
      • ICSA-26-134-13 Siemens SIPROTEC 5
      • ICSA-26-134-14 Siemens SENTRON 7KT PAC1261 Data Manager
      • ICSA-26-134-15 Siemens SIMATIC S7 PLC Web Server
      • ICSA-26-134-16 Siemens Ruggedcom Rox
      • ICSA-26-134-17 Universal Robots Polyscope 5
      • ICSA-26-057-06 SWTCH EV swtchenergy.com (Update A)

      CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 19 May 2026

      Industrial Sector

      • Fuel Tank Breaches Expand Scope Of Iran's Cyber Offensive
        "Iranian hackers reportedly breached systems that monitor fuel levels in storage tanks serving gas stations around the US, demonstrating yet again the changing nature of modern warfare and Iran's cyber reach beyond its active military engagement with the US and Israel. Threat actors from Iran allegedly exploited automatic tank gauge (ATG) systems that were exposed online and lacked password protections, according to a report published by CNN Friday that cited sources familiar with the incident. Attackers managed to change display readings on the tanks but not the actual levels of fuel in them, according to the report."
        https://www.darkreading.com/cyberattacks-data-breaches/fuel-tank-breaches-expand-scope-irans-cyber-offensive

      New Tooling

      • Lyrie: Open-Source Autonomous Pentesting Agent
        "Penetration testing has usually required weeks of manual work, specialized tooling, and teams with narrow skill sets. Lyrie, an open-source autonomous security agent built by OTT Cybersecurity, compresses that process into a command line tool and publishes the entire codebase. The project reached version 3.1.0 this month. The release adds XChaCha20-Poly1305 memory encryption for sensitive threat data, seven new proof-of-concept generators covering prompt injection, auth bypass, CSRF, open redirect, race conditions, secret exposure, and cross-site execution, and three new deep scanners for Rust analysis, taint engine processing, and AI-driven code review. The repository now ships 25 tested commands spanning core security operations, binary analysis, governance, and self-improvement workflows."
        https://www.helpnetsecurity.com/2026/05/18/lyrie-ai-autonomous-pentesting-agent/
        https://github.com/OTT-Cybersecurity-LLC/lyrie-ai

      Vulnerabilities

      • Exploit Available For New DirtyDecrypt Linux Root Escalation Flaw
        "A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by the V12 security team earlier this month, when the maintainers informed them that it was a duplicate that had already been patched in the mainline. "We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.""
        https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
      • Linux Kernel Flaw Opens Root-Only Files To Unprivileged Users
        "Another Linux kernel flaw has handed local unprivileged users a way to peek at files they should never be able to read, including root-only secrets such as SSH keys. The bug affects multiple LTS kernel lines from 5.10 upward, although a fix has already landed – and there is now a proposal for reducing the odds of similar surprises in future. What FOSS analytics vendor Metabase memorably dubbed the strip-mining era of open source security continues. This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials, as the KnightLi blog explains."
        https://www.theregister.com/security/2026/05/18/linux-kernel-flaw-opens-root-only-files-to-unprivileged-users/5241950
        https://www.knightli.com/en/2026/05/17/ssh-keysign-pwn-cve-2026-46333/

      Malware

      • SHub Reaper | MacOS Stealer Spoofs Apple, Google, And Microsoft In a Single Attack Chain
        "Infostealers targeting macOS have continued to proliferate over the last two years, with threat actors iterating on successful techniques across related malware families. Researchers at Moonlock, Jamf, and Malwarebytes have previously documented the rise of SHub Stealer, including its use of fake application installers and “ClickFix” social engineering. This week, SentinelOne observed a new SHub variant using the build tag “Reaper”. Reaper uses fake WeChat and Miro installers as lures, but what stands out is the way the infection chain shifts its disguise at each stage. The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory. Alongside the previously documented SHub feature set, the build also adds an AMOS-style document theft module with chunked uploads."
        https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/
        https://www.bleepingcomputer.com/news/security/shub-macos-infostealer-variant-spoofs-apple-security-updates/
        https://hackread.com/reaper-malware-fake-microsoft-domain-macos-passwords/
        https://www.theregister.com/security/2026/05/19/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them/5242258
      • New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here
        "Four new malicious npm packages were detected and reported by OX Security in the last 24h, containing infostealer code. One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after. One piece of incriminating evidence that this is a different actor from TeamPCP is that the Shai-Hulud malware code is an almost exact copy of the leaked source code, with no obfuscation techniques, which makes the final version visually different from the original. In our breakdown we show the side by side comparison of the chalk-template Shai-Hulud version with the original source code leak, showing that they are the same."
        https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
        https://www.bleepingcomputer.com/news/security/leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign/
        https://www.securityweek.com/first-shai-hulud-worm-clones-emerge/
        https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180
      • Click, Install, Compromised: The New Wave Of Zoom-Themed Attacks
        "As with most things, change is inevitable - especially for threat actors operating in a rapidly evolving threat landscape. What starts as a familiar Zoom invite can quickly escalate into a full-blown compromise. Recently, the Cofense Phishing Defense Center (PDC) has observed a shift in which traditional credential-harvesting phishing campaigns and familiar social engineering tactics are increasingly being repurposed to deliver more significant threats, including malware and unauthorized remote access."
        https://cofense.com/blog/click-install-compromised-the-new-wave-of-zoom-themed-attacks
      • When Worm Source Code Goes Open Source: The Shai-Hulud Clones Arrive
        "Last week the TeamPCP group did something the open source security community has been quietly dreading: they published the source code for the Shai-Hulud worm on GitHub and ran what amounted to a public attack challenge on BreachForums, inviting other actors to take the code and run with it. Days later, the first clones appeared on npm. A single threat actor uploaded four malicious packages from one account: a near-verbatim copy of Shai-Hulud with its own command-and-control infrastructure, three Axios typosquats, and a DDoS botnet payload that conscripts infected machines into a flooding network. All of them are aimed at developers who happen to fat-finger a dependency name."
        https://mondoo.com/blog/shai-hulud-clones-arrive-when-worm-source-code-goes-open-source
        https://www.darkreading.com/application-security/shai-hulud-worm-clones-spread-code-release
      • Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
        "Oasis Security identified attacker-controlled infrastructure hosted on Microsoft Azure infrastructure in the Malaysia West region, used to conduct a targeted intrusion campaign against multiple Malaysian organizations. The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration."
        https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure
        https://hackread.com/government-backed-hackers-cloudflare-malaysia-espionage/
      • Fast16: Pre-Stuxnet Sabotage Tool Was Built To Subvert Nuclear Weapons Simulations
        "In April 2026, our peers in SentinelOne published the first public analysis of fast16, a previously undiscovered sabotage framework whose oldest components appear to date from around 2005, approximately two years before Stuxnet first became active. The framework consists of a service binary that embeds an early Lua 5.0 virtual machine, a boot-start filesystem driver that intercepts and patches executable code as it is read from disk, and a rule-driven hook engine that rewrites very specific instruction sequences inside a single, narrowly defined target application."
        https://www.security.com/threat-intelligence/fast16-nuclear-sabotage
        https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html
      • NATS-As-C2: Inside a New Technique Attackers Are Using To Harvest Cloud Credentials And AI API Keys
        "On May 5, 2026, the Sysdig Threat Research Team (TRT) identified a novel command-and-control (C2) technique in which a threat actor used a NATS server as C2 infrastructure. The Sysdig TRT has dubbed this technique “NATS-as-C2.” Rather than relying on traditional HTTP-based panels or chat platforms, the attacker leveraged infrastructure more commonly associated with modern distributed systems. The Sysdig TRT traced the activity to an extended exploitation attempt involving CVE-2026-33017, an unauthenticated remote code execution (RCE) vulnerability in Langflow that was added to the CISA KEV catalog on March 25, 2026. Over roughly 30 minutes of hands-on activity, the operator at 159.89.205.184 (DigitalOcean) downloaded a Python worker and a Go binary. During this time, the Sysdig TRT captured the threat actor’s payload, exposing their coordination plane: a NATS server at 45.192.109.25:14222 running an authenticated, ACL-enforced instance. The attacker subsequently attempted to escape the container using DirtyPipe and DirtyCreds exploits."
        https://webflow.sysdig.com/blog/nats-as-c2-inside-a-new-technique-attackers-are-using-to-harvest-cloud-credentials-and-ai-api-keys
      • Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop And GammaLoad
        "Investigating Gamaredon’s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system. In the absence of public analysis of these malware, this report documents Gamaredon’s GammaDrop and GammaLoad downloader variants, the infrastructure behind them, and the methods used to deliver the spearphishing emails."
        https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/

      Breaches/Hacks/Leaks

      • 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand
        "7-Eleven, the world’s largest convenience store chain, has confirmed suffering a data breach after the notorious ShinyHunters hacker group claimed to have stolen information from its systems. The company has started sending out security incident notices revealing that an intrusion into 7-Eleven systems used to store franchisee documents was detected on April 8. According to a notification submitted to the Maine Attorney General’s Office, unspecified personal information has been compromised. The exposed information was provided to the company during franchise applications."
        https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/
        https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html
      • A Hotel Check-In System Left a Million Passports And Driver’s Licenses Open For Anyone To See
        "A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible. The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in."
        https://techcrunch.com/2026/05/15/a-hotel-check-in-system-left-a-million-passports-and-drivers-licenses-open-for-anyone-to-see/
        https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html
      • Millions Impacted Across Several US Healthcare Data Breaches
        "Several major data breaches were added to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS) in recent days. All of the breaches were disclosed in recent months, but the number of affected individuals has only been made public now on the HHS breach tracker. The largest incident affects the New York City Health and Hospitals Corporation, which in March disclosed a data breach detected on February 2, 2026. An investigation found that threat actors had access to its systems between November 2025 and February 2026 via a third-party vendor. Exposed information includes personal, health insurance, medical, biometric, and financial information."
        https://www.securityweek.com/millions-impacted-across-several-us-healthcare-data-breaches/

      General News

      • April 2026 Threat Trend Report On APT Groups
        "This report covers cyber espionage and covert sabotage activities by Region-led threat groups believed to be supported by the Region. It excludes cybercrime groups that operate for financial gain. Based on publicly available analysis over the past month, we categorized threat actors according to the names of their representatives in the ATIP."
        https://asec.ahnlab.com/en/93744/
      • 201 Arrests In First-Of-Its-Kind Cybercrime Operation In MENA Region
        "A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified. Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026) which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region. In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized."
        https://www.interpol.int/en/News-and-Events/News/2026/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region
        https://www.bleepingcomputer.com/news/security/interpol-operation-ramz-seizes-53-malware-phishing-servers/
        https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html
        https://therecord.media/more-than-200-arrested-interpol-middle-east-scams
        https://cyberscoop.com/interpol-operation-ramz-middle-east-north-africa/
        https://www.infosecurity-magazine.com/news/interpol-cybercrime-crackdown-mena/
        https://www.helpnetsecurity.com/2026/05/18/interpol-mena-cybercrime-operation-ramz-201-arrests/
      • Hacktivists, Ransomware, And a 124% Surge Across DACH
        "Hacktivism and ransomware targeting organizations across Germany, Austria, and Switzerland increased 124% in 2025, according to Check Point Exposure Management (based on published attacks on the web and dark web). Three distinct dynamics drove the surge, each with its own logic and its own implications for security teams in 2026."
        https://blog.checkpoint.com/exposure-management/hacktivists-ransomware-and-a-124-surge-the-dach-threat-picture/
      • The Canvas Breach Proved That Prevention Is No Longer Enough
        "Earlier this month, ShinyHunters breached Instructure’s Canvas platform twice within a single week — stealing 3.65 terabytes of data from approximately 275 million users across more than 8,000 institutions. The group defaced login pages at hundreds of schools during final exam periods, forced Canvas offline, and extracted a ransom payment before Congress opened a formal investigation. The attack did not require exotic malware or zero-day exploits. Attackers entered through compromised “Free-For-Teacher” accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them."
        https://cyberscoop.com/canvas-breach-saas-security-identity-governance-op-ed/
      • AI Is Drowning Software Maintainers In Junk Security Reports
        "AI-assisted vulnerability research has exploded, unleashing a firehose of low-quality reports on overworked software maintainers who are wasting hours sifting through noise instead of fixing real problems. Linus Torvalds, the Linux kernel’s creator, says the flood has made the project’s security mailing list “almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”"
        https://www.helpnetsecurity.com/2026/05/18/problems-with-ai-assisted-vulnerability-research/
        https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
      • The AI Backdoor Your Security Stack Is Not Built To See
        "Enterprises deploying LLMs have spent the past two years building defenses around a reasonable assumption: malicious behavior leaves a trace in the input. Scan for suspicious tokens, filter unusual characters, watch for prompt injection patterns. New research from Microsoft and the Institute of Science Tokyo demonstrates that this defensive posture has a blind spot, and the cost of that blind spot could be measured in leaked proprietary data and regulatory exposure."
        https://www.helpnetsecurity.com/2026/05/18/metabackdoor-llm-backdoor-attack/
        https://arxiv.org/pdf/2605.15172
      • AI Shrinks Vulnerability Exploitation Window To Hours
        "Time has become organizations’ biggest vulnerability because the gap between vulnerability discovery and exploitation has narrowed to hours, according to Synack’s 2026 State of Vulnerabilities Report. Agentic AI systems that act autonomously across systems introduce new risks that require human expertise to identify and understand. Automated scanning detects known signatures but can miss logic flaws, misconfigurations, and unexpected behavior."
        https://www.helpnetsecurity.com/2026/05/18/synack-2025-ai-driven-vulnerability-trends-report/
      • When Ransomware Hits, Confidence Doesn’t Restore Endpoints
        "Ransomware, supply chain vulnerabilities, insider threats, compliance failures, and software disruptions remain major concerns for security leaders, according to The Ransomware Reality: Zero Days to Recover report by Absolute Security. A survey of 750 CISOs from enterprise organizations with more than 5,000 employees in the United States and the United Kingdom revealed gaps between ransomware frequency, confidence in recovery capabilities, and remediation timelines."
        https://www.helpnetsecurity.com/2026/05/18/absolute-security-cisos-ransomware-pressure-report/
      • IT Threat Evolution In Q1 2026. Mobile Statistics
        "In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged. To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post."
        https://securelist.com/malware-report-q1-2026-mobile-statistics/119819/
        https://securelist.com/malware-report-q1-2026-pc-iot-statistics/119828/
      • Developer Workstations Are Now Part Of The Software Supply Chain
        "Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is an ongoing concern and is self-propagating, as seen in attacks like the "mini Shai Hulud" campaigns. That pattern should change how security teams think about the software supply chain."
        https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • May security update fails to install on some Windows 11 machines; administrators urged to check

      Posted in Cyber Security News
    • Grafana discloses data breach after attacker used a GitHub token to access source code and attempted extortion

      Posted in Cyber Security News
    • Zero-day "MiniPlasma" found on Windows, allowing privilege escalation to SYSTEM even with the latest updates installed

      Posted in Cyber Security News
    • 🛑 Urgent! Vulnerability alert for Microsoft Exchange Server On-Premises 🛑

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring the cyber threat situation and found a security advisory on vulnerability CVE-2026-42897, which affects on-premises Microsoft Exchange Server. Microsoft states that this vulnerability has already been exploited in the wild and can be exploited via a specially crafted email: if a user opens that email through Outlook Web Access / Outlook on the web (OWA) and certain interaction conditions are met, an attacker could cause unwanted JavaScript to run in the context of the web browser.[1]

      1. Vulnerability details
        CVE-2026-42897 - Microsoft Exchange Server Spoofing / Cross-Site Scripting (XSS) Vulnerability (CVSS v3.1: 8.1). The vulnerability results from improper handling of input during web page generation, causing Cross-Site Scripting (XSS) that can lead to spoofing over the network. An unauthorized attacker can send a specially crafted email to a user; when the user opens that email through OWA (Outlook Web Access) under certain conditions, JavaScript may be executed in the context of the user's browser.[2]

      2. Affected products
        The vulnerability affects the following on-premises Microsoft Exchange Server versions:
        2.1 Microsoft Exchange Server 2016, all updates
        2.2 Microsoft Exchange Server 2019, all updates
        2.3 Microsoft Exchange Server Subscription Edition (SE), all updates

      3. Remediation[3]
        3.1 No permanent patch is available yet. Microsoft states that the Exchange Emergency Mitigation Service (EEMS) will automatically deploy mitigations to on-premises Exchange Server 2016, 2019 and SE.
        3.2 Microsoft is preparing patches for Exchange SE RTM, Exchange 2016 CU23 and Exchange Server 2019 CU14/CU15; for Exchange 2016 and 2019, the patch will be available only to customers in the Extended Security Update (ESU) Period 2 programme.
        3.3 Administrators should closely follow Microsoft's announcements and updates, and install the patch immediately once it becomes available.

      4. Risk reduction
        4.1 Check immediately whether the Exchange Emergency Mitigation Service (EEMS) is enabled.
        4.2 If EEMS is disabled, enable it as soon as possible, since it is the approach Microsoft recommends for immediate risk reduction.
        4.3 Check that the Exchange servers are not running a version older than March 2023, since the EM Service may otherwise be unable to check for new mitigations.
        4.4 For air-gapped environments, or where EEMS cannot be used, download the latest version of the Exchange On-premises Mitigation Tool (EOMT) and run it from an Exchange Management Shell with administrator privileges.
        4.5 Restrict internet access to Exchange Server to what is strictly necessary, and consider adding detection/filtering of emails with suspicious content.
        4.6 Warn users to be careful when opening unusual emails, especially when using Outlook Web Access / Outlook on the web.
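      As an added example (not part of the ThaiCERT advisory or of Microsoft's tooling), the following PowerShell audits items 4.1 to 4.3 above from an elevated Exchange Management Shell: it reports the organisation-wide EEMS switch, each mailbox server's mitigation state and build, and whether the Mitigation service is running. The cmdlets and properties used are standard Exchange Management Shell members; the `$MinimumBuild` threshold is a placeholder you must fill in from Microsoft's Exchange build-number table.

```powershell
# Added example (not from the ThaiCERT advisory): read-only EEMS audit for items 4.1-4.3.
# Run from an elevated Exchange Management Shell on a domain-joined admin host.
# Cmdlets/properties used (Get-OrganizationConfig, Get-ExchangeServer with
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked / AdminDisplayVersion,
# Get-Service) are standard Exchange Management Shell / Windows PowerShell members.
# $MinimumBuild is a PLACEHOLDER: set it to the March 2023 SU build for your CU
# (from Microsoft's Exchange build-number table) before relying on the version check.

function Get-EemsAuditReport {
    param(
        [version]$MinimumBuild = [version]'0.0.0.0'   # PLACEHOLDER threshold, see comment above
    )

    # 4.1: the organisation-wide switch. If this is $false, no server receives mitigations.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($server in Get-ExchangeServer) {
        # Edge Transport servers do not run EEMS, so they are excluded from the audit.
        if ($server.ServerRole -match 'Edge') { continue }

        # AdminDisplayVersion looks like "Version 15.2 (Build 1258.12)"; turn it into a [version]
        # so it can be compared numerically against the threshold (4.3).
        $build = $null
        if ($server.AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $build = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
        }

        # EEMS runs as the MSExchangeMitigation Windows service on each mailbox server.
        $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        $serviceStatus = if ($svc) { [string]$svc.Status } else { 'Unknown' }

        # Collect findings; an empty list means the server passes items 4.1-4.3.
        $findings = @()
        if (-not $orgEnabled)                { $findings += 'EEMS disabled at organisation level (4.2)' }
        if (-not $server.MitigationsEnabled) { $findings += 'EEMS disabled on this server (4.2)' }
        if ($server.MitigationsBlocked)      { $findings += ('Blocked mitigations: ' + ($server.MitigationsBlocked -join ',')) }
        if ($serviceStatus -ne 'Running')    { $findings += 'Mitigation service not running' }
        if ($build -and $build -lt $MinimumBuild) { $findings += 'Build older than the March 2023 SU threshold (4.3)' }

        [pscustomobject]@{
            Server             = $server.Name
            Build              = $server.AdminDisplayVersion
            OrgEnabled         = $orgEnabled
            ServerEnabled      = $server.MitigationsEnabled
            MitigationsApplied = ($server.MitigationsApplied -join ',')
            ServiceStatus      = $serviceStatus
            Findings           = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Print one row per mailbox server; any row whose Findings column is not 'OK' needs attention.
Get-EemsAuditReport | Format-Table -AutoSize
```

      The report is read-only; enabling EEMS (item 4.2) or running EOMT (item 4.4) remain separate, deliberate administrator actions.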

      References
      [1] https://dg.th/pmdqus9801
      [2] https://dg.th/lpestq91o6
      [3] https://dg.th/7ojxn95rga

      🛑 Note - CVSS scores referenced from https://www.cve.org/ 🛑

      Posted in Cyber Security News
    • 🛑 ด่วน!Google Chrome ออกอัปเดตแก้ไขช่องโหว่หลายรายการ 🛑

      ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยเกี่ยวกับการอัปเดต Google Chrome 148 ซึ่งแก้ไขช่องโหว่ด้านความปลอดภัยรวม 79 รายการ โดยมีช่องโหว่ระดับ Critical จำนวน 14 รายการ และระดับ High จำนวน 37 รายการ กระทบต่อหลายส่วนประกอบของเบราว์เซอร์ เช่น WebML, Skia, UI, FileSystem, Input, Aura, HID, Blink, Tab Groups, Downloads, ANGLE และ Payments [1]

      1. รายละเอียดช่องโหว่
        ช่องโหว่ระดับ Critical ที่ได้รับการแก้ไขในรอบนี้ประกอบด้วยหลายประเภท เช่น Heap Buffer Overflow, Integer Overflow, Use-After-Free, Insufficient Validation of Untrusted Input, Object Lifecycle Issue และ Race Condition ซึ่งเป็นกลุ่มช่องโหว่ที่อาจนำไปสู่การทำงานผิดพลาดของเบราว์เซอร์ การรันโค้ดจากระยะไกล หรือการหลีกเลี่ยงกลไกความปลอดภัยได้ในบางเงื่อนไข

      Notable Critical vulnerabilities include [2]

      • CVE-2026-8509 - Heap buffer overflow in WebML
      • CVE-2026-8510 - Integer overflow in Skia
      • CVE-2026-8511 - Use after free in UI
      • CVE-2026-8512 - Use after free in FileSystem
      • CVE-2026-8513 - Use after free in Input
      • CVE-2026-8514 - Use after free in Aura
      • CVE-2026-8515 - Use after free in HID
      • CVE-2026-8516 - Insufficient validation of untrusted input in DataTransfer
      • CVE-2026-8517 - Object lifecycle issue in WebShare
      • CVE-2026-8518 - Use after free in Blink
      • CVE-2026-8519 - Integer overflow in ANGLE
      • CVE-2026-8520 - Race condition in Payments
      • CVE-2026-8521 - Use after free in Tab Groups
      • CVE-2026-8522 - Use after free in Downloads
      2. Affected products
      • Google Chrome for Windows
      • Google Chrome for macOS
      • Google Chrome for Linux
      3. Remediation
        Update Google Chrome to the latest version immediately:
      • Windows / macOS: 148.0.7778.167/168
      • Linux: 148.0.7778.167
      4. Risk reduction
      • Avoid visiting untrusted websites or opening links from emails/messages of unknown origin
      • Limit extension installation to those that are necessary and trusted
      • Enable Chrome automatic updates


      References
      [1] https://dg.th/l9grebqvsf
      [2] https://dg.th/f0vyaghbdl

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 18 May 2026

      Financial Sector

      • GCC Cyber 2026: How Digital Banking Expansion Is Creating a New Attack Surface Attackers Are Already Exploiting
        "The Gulf Cooperation Council (GCC) region has spent the last several years building one of the world’s most ambitious digital economies. Across Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the UAE, governments and enterprises have accelerated investments in cloud infrastructure, AI-driven services, smart cities, and digital banking technology at a pace rarely seen elsewhere. Banks are rolling out instant payments, embedded finance services, mobile-first platforms, and API-driven ecosystems designed to support a rapidly expanding fintech economy."
        https://cyble.com/blog/gcc-digital-banking-attack-surface-risks-2026/

      Vulnerabilities

      • Claw Chain: Cyera Research Unveil Four Chainable Vulnerabilities In OpenClaw
        "Cyera's research team identified four previously undisclosed vulnerabilities in OpenClaw, one of the most rapidly adopted open-source platforms for autonomous AI agents. Originally launched as “Clawdbot” in late 2025, OpenClaw connects LLMs directly to filesystems, SaaS applications, credentials, and execution environments - and is increasingly deployed across enterprise workflows for IT automation, customer service, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365. The four findings - spanning sandbox isolation, identity, and execution validation - were disclosed to the OpenClaw maintainers in April 2026 and have all been patched."
        https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
        https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
        https://hackread.com/claw-chain-vulnerabilities-openclaw-ai-servers-risk/
      • Microsoft Silently Patched a CVSS 9.9 Privilege Escalation In Azure Backup For AKS
        "In March 2026, I discovered a privilege escalation vulnerability in Azure Backup for AKS that allowed a user with only the “Backup Contributor” Azure role (zero Kubernetes permissions) to gain cluster-admin on any AKS cluster. CERT/CC validated this finding as VU#284781 on April 16, 2026. Microsoft rejected it, claiming the “attacker already held administrator access.” This was factually incorrect — the vulnerability grants cluster-admin, it does not require it. On May 12, 2026, I confirmed Microsoft has silently patched the behavior without:"
        https://olearysec.com/research/azure-backup-aks-silent-patch/
        https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-azure-vulnerability-report-no-cve-issued/
      • Microsoft Warns Of Exchange Zero-Day Flaw Exploited In Attack
        "On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/
        https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
        https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
        https://www.infosecurity-magazine.com/news/microsoft-zeroday-exchange-servers/
        https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/
        https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html
        https://securityaffairs.com/192240/hacking/u-s-cisa-adds-a-flaw-in-microsoft-exchange-server-to-its-known-exploited-vulnerabilities-catalog.html
      • Critical FunnelKit Vulnerability Threatens 40,000+ WooCommerce Checkouts
        "Sansec is tracking active attacks against Funnel Builder by FunnelKit, a checkout and upsell plugin used on 40,000+ WooCommerce stores. All versions before 3.15.0.3 let unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store. Attackers are planting fake Google Tag Manager scripts into the plugin's "External Scripts" setting. The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout. FunnelKit has shipped a patched version and is asking all customers to update."
        https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited
        https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/
        https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
        https://securityaffairs.com/192260/cyber-crime/attackers-exploit-funnel-builder-bug-to-inject-e-skimmers-into-e-stores.html
      • Chrome 148 Update Patches Critical Vulnerabilities
        "Google this week released a Chrome 148 update that resolves 79 vulnerabilities, including 14 critical-severity bugs across multiple components. The first critical issue is a heap buffer overflow in WebML tracked as CVE-2026-8509, for which the internet giant paid a $43,000 bug bounty. Google has not shared details on the flaw, but its severity rating and the paid amount suggest that it could be exploited for remote code execution. The second critical issue is CVE-2026-8510, an integer overflow weakness in Skia that earned the reporting researcher a $25,000 reward."
        https://www.securityweek.com/chrome-148-update-patches-critical-vulnerabilities/
      • New Windows 'MiniPlasma' Zero-Day Exploit Gives SYSTEM Access, PoC Released
        "A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems. The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability. According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020."
        https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/

      Malware

      • Inside The REMUS Infostealer: Session Theft, MaaS, And Rapid Evolution
        "In recent months, a new infostealer malware known as REMUS has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts. Several technical analyses published in recent months focused on the malware’s capabilities, infrastructure, and similarities to Lumma Stealer, including browser targeting mechanisms, and credential theft functionality and more. However, far less attention has been given to the underground operation behind the malware itself."
        https://www.bleepingcomputer.com/news/security/inside-the-remus-infostealer-session-theft-maas-and-rapid-evolution/
      • PureLogs: Delivery Via PawsRunner Steganography
        "The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a 'legitimate-file-plus-hidden-data' model, effectively masking their next-stage payloads within everyday media. FortiGuard Labs recently uncovered a phishing campaign that abuses environment variables to hide malicious commands and uses PawsRunner as a Steganography Loader to deploy the .NET infostealer PureLogs."
        https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
      • From PyInstaller To XWorm V7.4: Infection Chain Analysis
        "Point Wild conducted an in-depth analysis of a suspicious PyInstaller-packed Python sample and identified it as a multi-stage malware loader designed to deploy the XWorm Remote Access Trojan (RAT), specifically associated with the XWorm V7.4 campaign. The sample leveraged multiple layers of obfuscation, staged execution and anti-analysis techniques to conceal its true functionality and evade detection by traditional security controls."
        https://www.pointwild.com/threat-intelligence/from-pyinstaller-to-xworm-v7-4-infection-chain-analysis/
        https://hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/
      • New Calendar Invite Phishing Campaign: ICS Abuse And Post-Delivery Persistence
        "Fortra Intelligence and Research Experts (FIRE) have identified an ongoing campaign combining ConsentFix (also known as device code phishing) to harvest Microsoft account credentials and calendar phishing (or CalPhishing) to bypass security controls and push users closer to the 'trusted' workflow. This activity is likely linked to the EvilTokens AI-enabled phishing kit, which has been known to include calendar phishing as an option. However, CalPhishing appears to be the increasingly preferable method of delivery thanks to its ability to bypass defences."
        https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence
        https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/
      • Gremlin Stealer's Evolved Tactics: Hiding In Plain Sight With Resource Files
        "This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker‑controlled servers for potential publication or sale. It targets web browsers, system clipboard and local storage to exfiltrate sensitive information like:"
        https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
        https://www.infosecurity-magazine.com/news/gremlin-stealer-evolves-into/
      • Cato CTRL Threat Research: Suspected China-Linked Threat Actor Targets Global Manufacturer With Undocumented TencShell Malware
        "In April 2026, Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework. The activity appeared in traffic associated with a third-party user connected to the customer environment. The attack chain used a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication. We assess the activity as suspected China-linked based on the apparent Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns, While this pattern is relevant to our suspected China-linked assessment, it is not sufficient on its own for attribution."
        https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
        https://www.infosecurity-magazine.com/news/china-hackers-tencshell-malware/
      • Kazuar: Anatomy Of a Nation-State Botnet
        "Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments. This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection. The threat actor has historically targeted organizations in the government and diplomatic sector in Europe and Central Asia, as well as systems in Ukraine previously compromised by Aqua Blizzard, very likely for the purpose of obtaining information supporting Russia’s foreign policy and military objectives."
        https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
        https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
        https://www.bleepingcomputer.com/news/security/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet/
        https://securityaffairs.com/192231/apt/russian-apt-turla-builds-long-term-access-tool-with-kazuar-botnet-evolution.html
      • Tinker Tailor Soldier: Paper Werewolf’s Latest Toolkit
        "In March—April 2026, we uncovered a new campaign by Paper Werewolf targeting Russian industrial, financial, and transport organizations. The analysis revealed several previously undescribed malware instances, including a custom‑built stealer we dubbed PaperGrabber, loaders and downloaders written in C++, C#, Python, and JavaScript, and a novel shellcode‑based implant for the Mythic post‑exploitation framework."
        https://bi.zone/eng/expertise/blog/kamen-nozhnitsy-bumaga-novyy-instrumentariy-v-atakakh-klastera-paper-werewolf/
      • Tycoon 2FA Operators Adopt OAuth Device Code Phishing
        "In late April 2026, the eSentire Threat Response Unit (TRU) analyzed a phishing campaign that combines two trends TRU has tracked over the past year. The first is the continued operation of the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit despite the March 2026 coalition takedown led by Microsoft and Europol in collaboration with eSentire and other industry partners; the second is the broader shift toward abusing OAuth Device Authorization Grant flows to compromise Microsoft 365 accounts."
        https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing
        https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
      • Scammers Send Physical Phishing Letters To Steal Ledger Wallet Seed Phrases
        "Crypto wallet owners using Ledger hardware wallets are being targeted through physical mail, with scammers impersonating the company in a campaign designed to steal recovery seed phrases. The operation uses printed letters that look official, complete with Ledger branding, a reference number, and a fake security notice warning recipients about an urgent “Quantum Resistance” update. One example of the scam circulating online shows an Italian language version addressed to a customer in Italy, suggesting the attackers are tailoring the campaign based on regional customer data. The letter claims users must complete a mandatory security upgrade for their Ledger device before a deadline or risk losing wallet functionality."
        https://hackread.com/scammers-physical-phishing-letters-ledger-wallet-seed/

      Breaches/Hacks/Leaks

      • American Lending Center Data Breach Affects 123,000 Individuals
        "American Lending Center this week revealed that a data breach discovered last year has impacted more than 123,000 individuals. American Lending Center (ALC) is a California-based non-bank lender that manages a $3 billion portfolio specializing in government-guaranteed small business loans. The organization is notifying individuals affected by the data breach that information such as names, dates of birth, and SSNs may have been stolen in a ransomware attack detected in July 2025."
        https://www.securityweek.com/american-lending-center-data-breach-affects-123000-individuals/
      • More Than $10 Million Stolen From Crypto Platform THORChain
        "Cryptocurrency platform THORChain said more than $10 million was stolen during a security incident on Friday morning. The cyberattack was first identified by blockchain security firm Peckshield and cryptocurrency investigator Zachary Wolk, who goes by the online alias ZachXBT. Around 6 am EST, both reported that more than 36 Bitcoin, worth about $3 million, and another $7 million in other coins was siphoned from THORChain. THORChain published its own statement shortly after confirming the incident."
        https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain
      • Grafana GitHub Token Breach Led To Codebase Download And Extortion Attempt
        "Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of posts on X. The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding the compromised credentials have since been invalidated, and extra security measures have been implemented to secure against unauthorized access."
        https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
        https://hackread.com/grafana-source-code-theft-rejected-ransom-demand/

      General News

      • Pwn2Own Berlin 2026, Day One: $523,000 Paid Out, AI Products Fall
        "Day one of Pwn2Own Berlin 2026 featured 22 entries targeting widely used technologies, including browsers, operating systems, AI platforms, and NVIDIA infrastructure. By the end of the day, researchers demonstrated 24 unique zero-day vulnerabilities and earned a total of $523,000 in rewards, highlighting ongoing security risks across major enterprise and consumer software ecosystems. Orange Tsai of the DEVCORE Research Team made the headlines; he chained four separate logic bugs to escape the Microsoft Edge sandbox, a technically demanding achievement that earned him $175,000 and 17.5 Master of Pwn points in a single attempt. It was the kind of result that reminds you why this competition exists: not to embarrass vendors, but to surface flaws in controlled conditions before someone with worse intentions finds them first."
        https://securityaffairs.com/192183/hacking/pwn2own-berlin-2026-day-one-523000-paid-out-ai-products-fall.html
      • Microsoft Exchange, Windows 11 Hacked On Second Day Of Pwn2Own
        "During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. The Pwn2Own Berlin 2026 hacking competition takes place at the OffensiveCon conference from May 14 to May 16 and focuses on enterprise technologies and artificial intelligence. Security researchers can earn over $1,000,000 in cash and prizes by hacking fully patched products in the web browser, enterprise applications, cloud-native/container environments, virtualization, local privilege escalation, servers, local inference, and LLM categories."
        https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/
        https://securityaffairs.com/192209/security/pwn2own-berlin-2026-day-two-385750-more-microsoft-exchange-falls-and-the-running-total-crosses-900k.html
      • Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master Of Pwn, $1.298 Million Total
        "Pwn2Own Berlin 2026 ended after three intense days, with participants discovering 47 unique zero-days, and earning $1,298,250 in total payouts. Pwn2Own Berlin 2026 wrapped up at OffensiveCon on Saturday with a final day that sealed DEVCORE’s dominance across every metric that matters. That's a wrap on Pwn2Own Berlin 2026! 🏆 $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy – congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 – they never slowed down. See you next year! #Pwn2Own… pic.twitter.com/ZcWN8VPLDS — TrendAI Zero Day Initiative (@thezdi) May 16, 2026"
        https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html
      • Microsoft Backpedals: Edge To Stop Loading Passwords Into Memory
        "Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use. Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user)."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/
      • The Boring Stuff Is Dangerous Now
        "Are you freaking out? It feels like the entire industry is losing its head over the collision of two huge security pressures. First, every development team has suddenly been mandated to use AI coding tools, resulting in thousands of new bugs and misconfigurations. This has coincided with the announcement that, if Claude Mythos was unleashed, it would exploit every unknown vulnerability out there. It’s enough to make everyone from triagers and CISOs want to give up. Let’s consider how both scenarios play out, and what it means for vulnerability discovery, vulnerability management, and actual risk reduction."
        https://www.darkreading.com/cyber-risk/ai-code-and-agents-forces-defenders-adapt
      • The Next Cybersecurity Challenge May Be Verifying AI Agents
        "For the past two decades, cybersecurity has largely been a story about protecting humans from machines blocking malware, filtering phishing emails, companies mitigating DDoS attacks, and patching software vulnerabilities before attackers exploit them. The adversary was clear. The surface was known. The playbook, while imperfect, was at least legible, but that story is now changing. The next major frontier in cybersecurity is not defending against AI. It is figuring out how to trust it."
        https://hackread.com/next-cybersecurity-challenge-verifying-ai-agents/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Claw Chain vulnerabilities found in OpenClaw, with risk of data theft and privilege escalation


      Posted in Cyber Security News
      NCSA_THAICERT
    • OpenAI affected by a supply chain attack through malicious TanStack packages


      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical vulnerability in the Funnel Builder WordPress plugin exploited to inject credit-card-stealing code into online stores


      Posted in Cyber Security News
      NCSA_THAICERT
    • Urgent! Vulnerability alert for NGINX: may cause denial of service or code execution under certain conditions

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring cyber threat news and found reports of security vulnerabilities in NGINX Web Server, a widely used web server and reverse proxy. Depth First disclosed multiple vulnerabilities affecting NGINX Open Source, most notably CVE-2026-42945 in ngx_http_rewrite_module, which may cause an NGINX worker process to crash or, under certain conditions, lead to code execution. Administrators are therefore urged to check their versions and configurations promptly and apply patches as recommended by the vendor [1]

      1. Vulnerability details [2]
        1.1 CVE-2026-42945 (CVSS v3.1: 8.1) [3]
        A Heap Buffer Overflow in ngx_http_rewrite_module related to the handling of the rewrite and set directives, including the use of variables from unnamed captures such as $1 or $2 in certain configurations. An unauthenticated attacker could send a specially crafted HTTP request to crash an NGINX worker process and, under some conditions, achieve code execution on the system.
        1.2 CVE-2026-42946 (CVSS v3.1: 6.5) [4]
        A vulnerability in ngx_http_scgi_module and ngx_http_uwsgi_module caused by improper handling of upstream responses. It may lead to abnormal memory usage or an out-of-bounds read of the NGINX worker process's memory, causing the worker process to crash or disclosing part of its memory, in configurations that use scgi_pass or uwsgi_pass.
        1.3 CVE-2026-40701 (CVSS v3.1: 4.8) [5]
        A Use-After-Free in ngx_http_ssl_module related to TLS, OCSP and client certificate verification in certain configurations. If a TLS connection is closed before the asynchronous OCSP DNS resolution completes, the worker process may reference memory that has already been freed, resulting in a malfunction or a worker process restart.
        1.4 CVE-2026-42934 (CVSS v3.1: 4.8) [6]
        An Out-of-Bounds Read in ngx_http_charset_module caused by mishandling of incomplete UTF-8 sequences across proxy buffer boundaries. In certain configurations this may cause memory to be read beyond its bounds, leading to limited disclosure of memory contents or a worker process restart.

      2. Affected products [7]
        2.1 NGINX Open Source versions 0.6.27 – 1.30.0
        2.2 Systems using ngx_http_rewrite_module with rewrite rules matching the affected conditions
        2.3 Systems using scgi_pass or uwsgi_pass
        2.4 Systems with SSL/OCSP and client certificate verification enabled in the affected configurations
        2.5 Systems using charset conversion and proxy buffering in the affected configurations

      3. Remediation
        3.1 Update NGINX to a fixed version, such as NGINX Open Source 1.30.1 stable or 1.31.0 mainline, or later
        3.2 Review the ngx_http_rewrite_module configuration, especially rewrite rules that use unnamed captures such as $1 or $2
        3.3 If updating immediately is not possible, adjust rewrite rules to avoid the affected patterns and consider using named captures instead
        3.4 Check whether the use of scgi_pass, uwsgi_pass, SSL/OCSP, charset conversion and proxy buffering matches the vulnerable conditions
        3.5 Monitor for abnormal log entries, worker process restarts or crashes, and unusual HTTP requests related to the affected modules
        3.6 Enable memory protection mechanisms such as ASLR and restrict the privileges of the service process according to the principle of least privilege

      4. Temporary measures if updating immediately is not possible
        4.1 Restrict internet access to the NGINX service to what is necessary
        4.2 Review and reduce the use of rewrite rules matching the affected conditions, especially rules that use $1, $2 or a replacement string containing a ? character
        4.3 Consider disabling or restricting unnecessary use of scgi_pass, uwsgi_pass, SSL/OCSP or charset conversion, after assessing the impact on the system
        4.4 Enable ASLR and other operating system hardening measures
        4.5 Monitor for worker process restarts, abnormal memory usage and HTTP requests with unusual characteristics
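      As an added example (not part of the ThaiCERT post or the NGINX project), the following POSIX shell script audits an nginx configuration for the rewrite/set shapes singled out in 3.2 and 4.2 (unnamed captures $1..$9, and a ? in the replacement) and checks a version string against the fixed releases named in 3.1; all function names are the example's own, and the configuration it scans is constructed here.

```shell
#!/bin/sh
# Added example, not from the ThaiCERT post or the NGINX project.
# Audits an nginx config for the rewrite/set shapes the advisory flags
# and checks an nginx version string against the fixed releases.

# Print rewrite/set directives whose value uses an unnamed capture ($1..$9),
# tagging those whose replacement also contains '?' (the shape to avoid).
find_risky_rewrites() {
    # $1 = path to an nginx configuration file
    grep -nE '^[[:space:]]*(rewrite|set)[[:space:]]' "$1" \
      | grep -E '\$[1-9]' \
      | while IFS= read -r line; do
            case "$line" in
                *'?'*) printf '%s\t[unnamed capture, ? in replacement]\n' "$line" ;;
                *)     printf '%s\t[unnamed capture]\n' "$line" ;;
            esac
        done
}

# Number of flagged directives (0 when the config is clean).
count_risky_rewrites() {
    find_risky_rewrites "$1" | grep -c '' || true
}

# Exit 0 if VERSION is at or beyond the fixed releases named in the advisory
# (1.30.1 on the stable branch, 1.31.0 on mainline), 1 otherwise.
nginx_version_is_fixed() {
    version="$1"
    case "$version" in
        1.30.*) lowest=1.30.1 ;;
        *)      lowest=1.31.0 ;;
    esac
    # sort -V orders versions numerically; fixed if the threshold sorts first
    first=$(printf '%s\n%s\n' "$lowest" "$version" | sort -V | head -n 1)
    [ "$first" = "$lowest" ]
}

# Version of the locally installed nginx, parsed from "nginx version: nginx/X.Y.Z".
installed_nginx_version() {
    nginx -v 2>&1 | sed -n 's#^nginx version: nginx/##p'
}

# Constructed sample configuration: one rewrite and one set in the flagged
# shape, plus a named-capture location showing the alternative from 3.3.
sample_config() {
    cat <<'EOF'
server {
    listen 80;
    # unnamed capture with '?' in the replacement: the shape the advisory flags
    rewrite ^/old/(.*)$ /new?path=$1 permanent;
    # unnamed capture carried into a variable
    set $backend_path $2;
    # named captures: the alternative recommended in 3.3
    location ~ ^/api/(?<ver>v[0-9]+)/(?<rest>.*)$ {
        rewrite ^ /backend/$ver/$rest break;
    }
}
EOF
}

main() {
    cfg=$(mktemp)
    sample_config > "$cfg"
    echo "Flagged directives in sample config:"
    find_risky_rewrites "$cfg"
    rm -f "$cfg"
    for v in 1.30.0 1.30.1 1.31.0; do
        if nginx_version_is_fixed "$v"; then echo "$v: fixed"; else echo "$v: update"; fi
    done
}
main "$@"
```

To audit a real deployment, point find_risky_rewrites at each file included from nginx.conf and compare installed_nginx_version with nginx_version_is_fixed.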


      References
      [1] https://dg.th/evl9wbh1g0
      [2] https://dg.th/9fbo7qn4id
      [3] https://dg.th/cmtunbh2dy
      [4] https://dg.th/p4mxew3thg
      [5] https://dg.th/m74zfgc18u
      [6] https://dg.th/1kt5x3qzyl
      [7] https://dg.th/871rkqmdt0

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft fixes Windows Autopatch bug after restricted drivers were installed without approval

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring an anomaly in Microsoft's Windows Autopatch service, where a policy-handling error reportedly caused driver updates to be installed automatically on users' computers even though administrators had configured those drivers as restricted or requiring prior approval (Restricted Drivers). This anomaly may affect the stability of systems within organizations [1]

      1. Incident details
        Microsoft detected a service-side bug in Windows Autopatch that caused the driver-installation control mechanism to malfunction, so that drivers in the Recommended Drivers category were pushed to endpoints and installed automatically even when IT administrators had set administrative policies requiring manual approval first [2]

      2. Nature of the problem
        The problem originated in Microsoft's cloud machinery, the processing layer that decides which software each endpoint should receive, where the following anomalies were observed:
        2.1 The system skipped the administrator approval check
        2.2 Optional drivers or restricted drivers were installed on the targeted machines immediately
        2.3 The anomaly occurred on a limited scale, particularly on devices in the European Union (EU) region, but it affected confidence in automated update management

      3. ผลกระทบ
        3.1 ระบบอาจติดตั้งไดรเวอร์ที่ไม่เหมาะสมกับฮาร์ดแวร์ ส่งผลให้เครื่องเกิดอาการค้างหรือทำงานผิดปกติ
        3.2 อุปกรณ์อาจเกิดการรีสตาร์ท (Unexpected Reboots) โดยไม่คาดคิด
        3.3 ในบางกรณี อาจนำไปสู่ความล้มเหลวของระบบ (System Failures) จนไม่สามารถเข้าใช้งานได้
        3.4 ผู้ดูแลระบบสูญเสียการควบคุมในการทดสอบไดรเวอร์ก่อนการใช้งานจริงในหน่วยงาน

      4. ผลิตภัณฑ์และระบบที่ได้รับผลกระทบ
        4.1 ระบบปฏิบัติการ Windows 11 เวอร์ชัน 25H2, 24H2 และ 23H2
        4.2 อุปกรณ์ที่บริหารจัดการผ่านบริการ Windows Autopatch
        4.3 กลุ่มผู้ใช้งานและอุปกรณ์ที่ตั้งอยู่ในภูมิภาคสหภาพยุโรป (EU)

      5. แนวทางการแก้ไขและป้องกัน
        5.1 Microsoft ระบุว่าได้แก้ไขปัญหานี้แล้วผ่านการปรับปรุงฝั่งบริการ จึงไม่จำเป็นต้องติดตั้ง client-side update เพิ่มเติมเพื่อแก้ไขปัญหา
        5.2 ผู้ดูแลระบบควรตรวจสอบประวัติการติดตั้งไดรเวอร์บนอุปกรณ์ที่อยู่ภายใต้ Windows Autopatch โดยเฉพาะอุปกรณ์ในภูมิภาค EU หรืออุปกรณ์ที่พบอาการผิดปกติหลังได้รับการอัปเดต
        5.3 ตรวจสอบเหตุการณ์รีสตาร์ตผิดปกติ ระบบขัดข้อง หรือความไม่เสถียรของเครื่องหลังช่วงเวลาที่พบปัญหา
        5.4 หากพบว่าไดรเวอร์ที่ติดตั้งส่งผลกระทบต่อการทำงานของระบบ ควรพิจารณา rollback ไดรเวอร์ หรือปรึกษาผู้ผลิตฮาร์ดแวร์/ผู้ให้บริการที่เกี่ยวข้องก่อนดำเนินการเพิ่มเติม
        5.5 ทบทวนนโยบายการจัดการไดรเวอร์และเฟิร์มแวร์ใน Microsoft Intune/Windows Autopatch เพื่อให้มั่นใจว่ายังสอดคล้องกับแนวทาง Change Management ของหน่วยงาน
        5.6 ติดตามประกาศจาก Microsoft Release Health, Microsoft 365 admin center และ Windows Autopatch documentation อย่างต่อเนื่อง เพื่อรับทราบปัญหาที่เกี่ยวข้องกับการอัปเดตในอนาคต
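      As an added worked example for items 5.2 and 5.3 (this script is not part of the ThaiCERT advisory or of Microsoft's documentation), the following PowerShell audits a single endpoint for recently installed drivers and for unexpected restarts. It assumes it is run from an elevated PowerShell session on the device itself; the 14-day lookback window is an assumed default and should be widened to cover the incident period.

```powershell
# Added example: audit one Windows endpoint for recent driver installs and
# unexpected restarts. Not part of the advisory; assumes an elevated session.
param(
    [int]$LookbackDays = 14   # assumed default; widen to cover the incident window
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Driver installs recorded by Plug and Play: event 20001 in the DeviceInstall
#    log marks each completed driver installation (its first line names the driver).
function Get-RecentDriverInstalls {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-UserPnp/DeviceInstall'
        Id        = 20001
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

# 2. Driver updates delivered through Windows Update (the channel Autopatch uses),
#    read from the local update history via the Windows Update Agent COM API.
function Get-WindowsUpdateDriverHistory {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -ge $since -and $_.Title -match 'driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.Date
                Title  = $_.Title
                Result = switch ($_.ResultCode) {
                    2 { 'Succeeded' }
                    3 { 'SucceededWithErrors' }
                    4 { 'Failed' }
                    5 { 'Aborted' }
                    default { "Code $_" }
                }
            }
        }
}

# 3. Unexpected restarts: System log IDs 41 (Kernel-Power: reboot without a clean
#    shutdown), 6008 (EventLog: previous shutdown was unexpected) and 1001 (BugCheck).
function Get-UnexpectedRestarts {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 41, 6008, 1001
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 1001 -or $_.ProviderName -match 'BugCheck|SystemErrorReporting' } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

"== Drivers installed since $($since.ToShortDateString()) (Plug and Play log) =="
Get-RecentDriverInstalls | Sort-Object Time -Descending | Format-Table -AutoSize

"== Driver updates recorded in Windows Update history =="
Get-WindowsUpdateDriverHistory | Sort-Object Time -Descending | Format-Table -AutoSize

"== Unexpected restarts and bugchecks =="
Get-UnexpectedRestarts | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

      Correlating the first two tables with the third shows whether an unexpected restart followed a driver install in the incident window, which is the evidence item 5.4 asks for before deciding on a rollback. The script only reads logs; the rollback itself is a separate, deliberate step (Device Manager, or `pnputil /enum-drivers` to identify the staged third-party package first).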


      References
      [1] https://dg.th/thxzwm0y36
      [2] https://dg.th/i012xc96zt

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 15 May 2026

      Industrial Sector

      • Siemens SIMATIC
        "SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-10
      • Siemens Ruggedcom Rox
        "Ruggedcom Rox before v2.17.1 contain multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-16
      • Universal Robots Polyscope 5
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-17
      • Siemens ROS#
        "ROS# contains a ROS service file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts service. Siemens has released a new version for ROS# and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-08
      • Siemens Ruggedcom Rox
        "Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-12
      • Siemens SENTRON 7KT PAC1261 Data Manager
        "The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-14
      • Siemens SIMATIC S7 PLC Web Server
        "SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-15
      • Siemens gWAP
        "Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-01
      • Siemens Ruggedcom Rox
        "Ruggedcom Rox contains an improper access control vulnerability that could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-02
      • Siemens Solid Edge
        "Solid Edge SE2026 before Update 5 is affected by two file parsing vulnerabilities that could be triggered when the application reads specially crafted files in PAR format. This could allow an attacker to crash the application or execute arbitrary code. Siemens has released a new version for Solid Edge SE2026 and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-03
      • Siemens Teamcenter
        "Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-04
      • Siemens Simcenter Femap
        "Simcenter Femap is affected by heap based buffer overflow vulnerability in Datakit library that could be triggered when the application reads files in IPT format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released a new version for Simcenter Femap and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-05
      • Siemens Industrial Devices
        "Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-06
      • Siemens SIMATIC
        "SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. This vulnerability allows an attacker to access the web browser through the Control Panel if it is not protected by the corresponding security mechanisms. This opens the possibility for the attacker to find backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-07
      • Siemens Opcenter RDnL
        "Opcenter RDnL is affected by missing authentication in critical function in ‘ActiveMQ Artemis’. An unauthenticated attacker within the adjacent network could use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in availability impacts or message injection into any queue via the rogue broker. Breaking the integrity of a message has a low impact due to missing auto refresh functionality and it does not contain any confidential information. ActiveMQ Artemis has released a new version and Siemens recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-09
      • Siemens Ruggedcom Rox
        "Ruggedcom Rox contains an input validation vulnerability in the feature key installation process that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-11
      • Siemens SIPROTEC 5
        "The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-13

      Vulnerabilities

      • 200,000 WordPress Sites At Risk From Critical Authentication Bypass Vulnerability In Burst Statistics Plugin
        "On May 8, 2026, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations. The vulnerability was introduced in the code on April 23, 2026, discovered just 15 days later, and patched 19 days later, highlighting the positive impact that AI can have on reducing the window for attackers to find and target new vulnerabilities in WordPress. This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header. In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever."
        https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/
      • Ongoing Exploitation Of Cisco Catalyst SD-WAN Vulnerabilities
        "Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. The exploitation of CVE-2026-20182 appears to have been limited so far and Talos clusters this activity under UAT-8616 with high confidence."
        https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/
        https://www.darkreading.com/vulnerabilities-threats/maximum-severity-cisco-sd-wan-bug-exploited
        https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html
      • NGINX Rift: Achieving NGINX Remote Code Execution Via An 18-Year-Old Vulnerability
        "We used depthfirst’s system to analyze the NGINX source code, and it autonomously discovered 4 remote memory corruption issues, including a critical heap buffer overflow introduced in 2008. We further investigated the exploitability of the issues, and developed a working proof of concept demonstrating RCE with ASLR off. If you use rewrite and set directives in your NGINX configuration, you’re at risk. In mid-April, I was chatting with a colleague about the most vulnerable spot in our infrastructure. Since most of our services live entirely inside a private network, our app platform is the only exposed surface. He joked that achieving remote code execution on our web service would mean hacking into depthfirst completely. Hacking the web service itself is not my usual focus. However, the idea of hacking the underlying web server intrigued me, which directed my attention to NGINX."
        https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
        https://my.f5.com/manage/s/article/K000161019
        https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html
        https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/
        https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html
      • New Fragnesia Linux Flaw Lets Attackers Gain Root Privileges
        "Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root. Known as Fragnasia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files. Zellic's head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems."
        https://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/
        https://github.com/v12-security/pocs/tree/main/fragnesia
        https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html
        https://www.infosecurity-magazine.com/news/fragnesia-linux-kernel-lpe-root/
        https://www.securityweek.com/new-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation/
        https://securityaffairs.com/192145/uncategorized/linux-kernel-bug-fragnesia-allows-local-root-access-attacks.html
        https://www.theregister.com/security/2026/05/14/dirty-frag-gets-a-sequel-as-fragnesia-hands-linux-attackers-root-level-access/5240270
      • F5 Patches Over 50 Vulnerabilities
        "F5 on Wednesday announced fixes for over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX. Based on the CVSS score, the most severe of the resolved issues is CVE-2026-42945 (CVSS v4.0 score of 9.2), a denial-of-service (DoS) condition in NGINX’s ngx_http_rewrite_module module. The bug allows an unauthenticated attacker to send crafted HTTP requests that, combined with certain conditions beyond the attacker’s control, could trigger a heap buffer overflow and a restart. If Address Space Layout Randomization (ASLR) is disabled, the flaw can be exploited for code execution."
        https://www.securityweek.com/f5-patches-over-50-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/192157/hacking/u-s-cisa-adds-a-flaw-in-cisco-catalyst-sd-wan-to-its-known-exploited-vulnerabilities-catalog.html
      • CVE-2026-44338: PraisonAI Authentication Bypass In Under 4 Hours And The Growing Trend Of Rapid Exploitation
        "On May 11, 2026, GitHub published advisory GHSA-6rmh-7xcm-cpxj, tracked as CVE-2026-44338 for PraisonAI, an open-source multi-agent orchestration framework with ~7,100 GitHub stars. The legacy api_server.py entrypoint shipped with authentication disabled by default, exposing two endpoints, GET /agents and POST /chat, to any caller. Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances. The advisory was published at 13:56 UTC. The first targeted request landed at 17:40 UTC the same day."
        https://www.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation
        https://www.securityweek.com/hackers-targeted-praisonai-vulnerability-hours-after-disclosure/
      • High-Severity Vulnerability Patched In VMware Fusion
        "Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability. The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by Mathieu Farrell. An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary”. “A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains."
        https://www.securityweek.com/high-severity-vulnerability-patched-in-vmware-fusion/
        https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454
        https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
        https://securityaffairs.com/192136/security/broadcom-releases-vmware-fusion-security-update-for-root-access-bug.html

      Malware

      • Help-Desk Lures Drop KongTuke's Evolved ModeloRAT
        "Threat actors are impersonating help-desk staff over external Microsoft Teams chats to trick victims into deploying "ModeloRAT" on their own machines. ReliaQuest attributes the activity to financially motivated initial access broker (IAB) "KongTuke" based on reuse of the group's custom Python loader. Previously, KongTuke has compromised WordPress sites to host "ClickFix" and "CrashFix" lures and paste-and-run prompts on fake CAPTCHA or browser-crash pages for access that has historically fed ransomware affiliates. This Teams activity, which appears to add to, rather than replace, that web-based approach, marks the first time we’ve seen KongTuke use a collaboration platform for initial access. In the incidents we investigated, a single external Teams chat moved the operator from cold outreach to a persistent foothold in under five minutes."
        https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat
        https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/
      • Chinese APT Campaign Targets Entities With Updated FDMTP Backdoor
        "Darktrace have identified activity consistent with Chinese-nexus operations, a Twill Typhoon-linked campaign targeting customer environments, primarily within the Asia-Pacific & Japan (APJ) region. Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework."
        https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
        https://www.infosecurity-magazine.com/news/mustang-panda-fdmtp-backdoor-apj/
        https://www.bankinfosecurity.com/mustang-panda-linked-to-new-modular-fdmtp-backdoor-a-31696
        https://hackread.com/chinatwill-typhoon-fake-apple-yahoo-sites-espionage/
      • FrostyNeighbor: Fresh Mischief And Digital Shenanigans
        "This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe, according to our telemetry."
        https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
        https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html
        https://www.darkreading.com/cyberattacks-data-breaches/frostyneighbor-apt-govt-orgs-poland-ukraine
      • Instead Of A Job—Stolen Data And Money. Trojan Stealer Targeting MacOS And Windows Users Conceals Itself In Fake Online Interview Apps
        "Doctor Web’s experts are warning users about the spread of JobStealer, a trojan app that steals confidential information from macOS and Windows computer users. It primarily aims to hijack data from crypto wallets. Fraudsters, under the pretext of conducting online interviews, lure potential victims to malicious websites and ask them to download a video conferencing app. In reality, this software is the JobStealer trojan."
        https://news.drweb.com/show/?i=15253&lng=en
        https://hackread.com/fake-job-interview-jobstealer-malware-windows-macos/
      • OrBit (Re)turns: Tracking An Open-Source Linux Rootkit Across Four Years Of Forks And Deployments
        "In July 2022, we published the first analysis of OrBit, a then-undocumented Linux userland-rootkit that stood out for its comprehensive libc hooking, SSH backdoor access, and PAM-based credential harvesting. At the time, OrBit appeared as a single sample with a single operator fingerprint, and the codebase itself looked customized. It wasn’t. As we will show below, OrBit is a repackaged and selectively weaponized build of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022. The story of OrBit’s four-year evolution is not one of novel development; it’s the story of how a publicly available rootkit was forked, configured, and redeployed."
        https://intezer.com/blog/orbit-returns/
      • Device Code Phishing Is An Evolution In Identity Takeover
        "Credential phishing remains an effective technique enabling everything from account takeover and fraud to ransomware and espionage. However, as organizations become better at defending against common phishing techniques such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their capabilities to techniques like device code and OAuth phishing. When combined with LLM-generated tools and social engineering, criminals can use such techniques to target more people with new social engineering tricks at scale."
        https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
      • Kimsuky Targets Organizations With PebbleDash-Based Tools
        "Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns. Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021. Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language. This expanding set of tools underscores the group’s ongoing adaptation and evolution."
        https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
      • Popular Node-Ipc Npm Package Infected With Credential Stealer
        "Socket’s threat feed has detected malicious activity in newly published versions of node-ipc, a long-running npm package previously associated with one of the most widely discussed supply chain incidents in the JavaScript ecosystem."
        https://socket.dev/blog/node-ipc-package-compromised
        https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack
        https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html
      • Operation SilentCanvas: JPEG Based Multistage PowerShell Intrusion
        "At CYFIRMA, we identified a highly sophisticated multi-stage intrusion campaign leveraging a weaponized PowerShell payload disguised as a legitimate JPEG image file to deploy a trojanized instance of ConnectWise ScreenConnect for covert and persistent remote access. The intrusion likely originated through social engineering techniques such as phishing emails, malicious attachments, deceptive file-sharing interactions, or fake update lures involving a malicious file named sysupdate.jpeg. The payload was specifically crafted to exploit user trust and bypass conventional file-extension validation mechanisms while blending malicious activity with legitimate enterprise software."
        https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/

      Source
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 14 May 2026

      Financial Sector

      • Financial Stability Risks Mount As Artificial Intelligence Fuels Cyberattacks
        "Artificial intelligence is transforming how the financial system copes with vulnerabilities and reacts to incidents. Yet it is also amplifying cyber threats that can undermine financial stability when the offensive capabilities of intruders outpace defenses. IMF analysis suggests that extreme cyber‑incident losses could trigger funding strains, raise solvency concerns, and disrupt broader markets. The financial system relies on shared digital infrastructure that’s highly interconnected, including software, cloud services, and networks for payments and other data. Advanced AI models can dramatically reduce the time and cost needed to identify and exploit vulnerabilities, raising the likelihood of simultaneously discovering and targeting weaknesses in widely used systems. As a result, cyber risk is increasingly about correlated failures that could disrupt financial intermediation, payments, and confidence at the systemic level."
        https://www.imf.org/en/blogs/articles/2026/05/07/financial-stability-risks-mount-as-artificial-intelligence-fuels-cyberattacks
        https://www.bankinfosecurity.com/imf-warns-ai-has-made-cyber-risk-financial-stability-threat-a-31679

      Industrial Sector

      • ABB AC500 V3 Stack Buffer Overflow In Cryptographic Message Syntax
        "ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves publicly reported vulnerability. An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service (DoS), or potentially remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-05
      • ABB AC500 V3 Multiple Vulnerabilities
        "ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. An update is available that resolves these vulnerabilities. An attacker who successfully exploited these vulnerabilities could bypass the user management and read visualization files (CVE-2025-2595), read and write certificates and keys (CVE-2025-41659) or cause a denial-of-service (DoS) (CVE-2025-41691)."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-03
      • ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities
        "ABB became aware of multiple internally discovered vulnerabilities in the WebPro SNMP card PowerValue for the product versions listed as affected in the advisory. Depending upon the vulnerability, an attacker with access to local network who successfully exploited this vulnerability could have: Unauthorized access; Insufficient Session Expiration leading to resource unavailability; Uncontrolled Resource Consumption leading to DOS attack. ABB strongly advises customers to update the latest firmware of affected products."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-06
      • Fuji Electric Tellus
        "Successful exploitation of this vulnerability could allow an attacker to elevate privileges from user to system, which may then enable the attacker to cause a temporary denial of service, open files, or delete files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-01
      • Subnet Solutions PowerSYSTEM Center
        "Successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or cause a CRLF injection."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02
      • ABB Automation Builder Gateway For Windows
        "ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. The Windows gateway is accessible remotely by default. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled"
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-04
      • ICS Patch Tuesday: New Security Advisories From Siemens, Schneider, CISA
        "Only Siemens, Schneider Electric, CISA, and CERT@VDE have published new ICS security advisories for the May 2026 Patch Tuesday. Siemens has published 18 new security advisories, and several of them describe critical vulnerabilities. The company has addressed critical issues in Sentron 7KT PAC1261 Data Manager (device takeover), Simatic S7 PLC web server (XSS), Ruggedcom Rox (command execution as root, old vulnerabilities in third-party components), ROS# (arbitrary file access), Simatic CN4100 (over 300 third-party component flaws), and Opcenter RDnL (missing authentication)."
        https://www.securityweek.com/ics-patch-tuesday-new-security-advisories-from-siemens-schneider-cisa/

      Vulnerabilities

      • CVE-2025-32975: The Open Directory Behind The KACE SMA Breach And 60+ Downstream Victims
        "Quest KACE Systems Management Appliance (SMA) is a widely deployed on-premises platform that enterprises use for endpoint management, handling software deployment, patch distribution, inventory, and scripted administrative control across managed devices. That privileged position makes it an exceptionally high-value target for an attacker who controls a KACE SMA appliance, which, in many environments, can reach every managed endpoint from a single trusted management plane. CVE-2025-32975 is a critical authentication bypass vulnerability in KACE SMA's SSO authentication handling mechanism with a CVSS score of 10.0. The flaw allows an unauthenticated, network-reachable attacker to impersonate legitimate users, including administrators, without supplying any credentials."
        https://hunt.io/blog/cve-2025-32975-quest-kace-sma-open-directory-60-victims
        https://securityaffairs.com/192067/security/quest-kace-sma-flaw-cve-2025-32975-when-one-unpatched-tool-opens-the-door-to-60-organizations.html
      • Fortinet, Ivanti Patch Critical Vulnerabilities
        "Fortinet and Ivanti on Tuesday announced patches for 18 vulnerabilities across their product portfolios, including three critical-severity bugs. Fortinet published 11 advisories describing as many bugs, including two dealing with critical-severity code execution security defects. Tracked as CVE-2026-44277 (CVSS score of 9.1), the first of them is an improper access control issue in FortiAuthenticator that could be exploited remotely, without authentication, via crafted requests. “FortiAuthenticator Cloud is not impacted by the issue, and hence customers do not need to perform any action,” the company says."
        https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/
      • Chipmaker Patch Tuesday: Intel And AMD Patch 70 Vulnerabilities
        "Intel and AMD have released over two dozen advisories on May 2026 Patch Tuesday, addressing 70 vulnerabilities across their product portfolios. Intel published 13 advisories describing 24 security defects, including one critical and eight high-severity flaws. The critical bug, tracked as CVE-2026-20794 (CVSS score of 9.3), is described as a buffer overflow issue in the Data Center Graphics Driver for VMware ESXi software that could be exploited for privilege escalation and potentially for code execution. Intel’s update for the product also resolves two high-severity out-of-bounds write and read weaknesses that could lead to denial-of-service (DoS) conditions and potentially to data corruption or disclosure."
        https://www.securityweek.com/chipmaker-patch-tuesday-intel-and-amd-patch-70-vulnerabilities/
      • Windows BitLocker Zero-Day Gives Access To Protected Drives, PoC Released
        "A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. The researcher, known as Chaotic Eclipse or Nightmare Eclipse, describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows."
        https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
        https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758
      • 1,000,000 WordPress Sites Affected By Arbitrary File Read And SQL Injection Vulnerabilities In Avada Builder WordPress Plugin
        "On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an estimated 1,000,000 active installations. The arbitrary file read vulnerability can be used by authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, which may contain sensitive information. The SQL injection vulnerability can be used by unauthenticated attackers to extract sensitive data from the database, such as password hashes. Props to Rafie Muhammad who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned bounties of $3,386.00 and $1,067.00 for these discoveries."
        https://www.wordfence.com/blog/2026/05/1000000-wordpress-sites-affected-by-arbitrary-file-read-and-sql-injection-vulnerabilities-in-avada-builder-wordpress-plugin/
        https://www.infosecurity-magazine.com/news/avada-builder-flaws-one-million/
      • Microsoft, Palo Alto Networks Find Many Vulnerabilities By Using AI On Their Own Code
        "Microsoft and Palo Alto Networks have separately reported this week that they have seen significant results after turning AI on their own code to find vulnerabilities. Advanced AI models such as Claude Mythos have sparked debate in the cybersecurity industry about what the vulnerability discovery landscape will look like going forward. While some organizations have confirmed that these AI models are a game-changer, others are skeptical of their actual performance. Microsoft said on Tuesday that more than a dozen of the 137 vulnerabilities fixed with its latest Patch Tuesday updates were found by a new AI system called MDASH (multi-model agentic scanning harness) built by its Autonomous Code Security team."
        https://www.securityweek.com/microsoft-palo-alto-networks-find-many-vulnerabilities-by-using-ai-on-their-own-code/
        https://www.theregister.com/patches/2026/05/14/welcome-to-the-vulnpocalypse-as-vendors-use-ai-to-find-bugs-and-patches-multiply-like-rabbits/5240027
        https://thehackernews.com/2026/05/microsofts-mdash-ai-system-finds-16.html
      • One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities
        "Model Context Protocol (MCP) servers entered our lives recently but drastically improved the capabilities of AI models. (For an examination of the inner workings of MCP, read our previous blog post.) If you've been paying attention, you know the security issues involved with giving AI models access to external applications. MCP servers sit at the center of that approach, and researchers quickly found ways to exploit those servers: tool description poisoning, cross-server context injection, and supply chain attacks on platforms that host them."
        https://www.akamai.com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities
        https://www.theregister.com/security/2026/05/13/bug-hunter-tracks-down-three-serious-mcp-database-flaws-one-left-unpatched/5238916

      Malware

      • Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker In Global Spying Campaign
        "Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. Other targets included government agencies and an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial-services provider, and educational institutions in multiple countries."
        https://www.security.com/threat-intelligence/iran-seedworm-electronics
        https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-major-south-korean-electronics-maker/

      • Sandworm Activity In Industrial Environments: What The Data Reveals
        "“Without rapid containment, Sandworm does not disengage. It accelerates.” Recent geopolitical events involving publicly disclosed attacks against national critical infrastructure across Europe and the U.S., have once again drawn attention to a highly disruptive threat actor known as Sandworm, the Russian state-sponsored group also tracked as APT44, Seashell Blizzard, and Voodoo Bear. By studying environments where Sandworm activity has been positively identified, we can extract lessons that help future victims detect intrusions earlier, recover more effectively, and — most importantly — prevent Sandworm-related incidents altogether."
        https://www.nozominetworks.com/blog/sandworm-activity-in-industrial-environments-what-the-data-reveals
        https://www.bankinfosecurity.com/russian-attacks-on-polish-water-utilities-use-fear-as-weapon-a-31681
      • FamousSparrow APT Targets Azerbaijani Oil And Gas Industry
        "Bitdefender Labs tracked a multi-wave intrusion targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026. This research documents expansion of Chinese APT activity against South Caucasus energy infrastructure, attributed with moderate-to-high confidence to FamousSparrow (overlapping with the Earth Estries threat ecosystem). The operation demonstrates several notable technical and strategic characteristics, most notably an evolved DLL sideloading technique. Unlike standard DLL sideloading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library. This creates a two-stage trigger that gates the Deed RAT loader’s execution through the host application’s natural control flow, further evolving the defense evasion capabilities of traditional DLL sideloading."
        https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
        https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html
        https://www.darkreading.com/cyberattacks-data-breaches/china-famoussparrow-apt-south-caucasus-energy-firm
      • The French 2-Step: Exposing a Multi-Stage Scam Targeting The National Railway Company In France
        "While online scams are becoming more advanced, this particular multi-stage scam stands out for its advanced social engineering. These days, it’s not uncommon to receive fake phishing emails. Generally, they are easy to spot because of the ridiculous way they try to make us believe in offers that are too good to be true. However, Group-IB’s current research indicates that fraudsters can be very persuasive and meticulous both in the way they carry out their scam and their choice of victims. This blog focuses on one highly-targeted scheme to deceive customers of the French national railway company (SNCF), which is used on a daily basis by 5 million travelers through 15 thousand trains."
        https://www.group-ib.com/blog/french-railway-two-step-scam/
      • Sinkholing CountLoader: Insights Into Its Recent Campaign
        "McAfee Labs has recently uncovered a large-scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in-memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers. By registering a backup domain used by the malware, we were able to sinkhole the traffic and observe thousands of infected machines connecting to the C2 infrastructure. The final payload deployed in this campaign is a cryptocurrency clipper, which monitors clipboard activity and replaces copied wallet addresses with attacker-controlled ones to redirect cryptocurrency transactions."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/
      • GemStuffer Campaign Abuses RubyGems As Exfiltration Channel Targeting UK Local Government
        "Socket's threat research team is tracking a suspicious RubyGems campaign we’re calling GemStuffer, involving more than 100 gems that appear to use the RubyGems registry as a data transport mechanism rather than a conventional malware distribution channel. The packages do not appear designed for mass developer compromise. Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained. Instead, the scripts fetch pages from UK local government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hardcoded API keys. In some samples, the payload creates a temporary RubyGems credential environment under /tmp, overrides HOME, builds a gem locally, and pushes it to rubygems.org. Other variants skip the gem CLI entirely and POST the archive directly to the RubyGems API."
        https://socket.dev/blog/gemstuffer
        https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html
      • Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code To GitHub
        "Breaking News: TeamPCP has gone open source — and the copycats are already here. The group behind Shai-Hulud has leaked their own malware code to GitHub, and independent threat actors have already begun modifying it and expanding its reach. OX Security is actively tracking this as it unfolds. TeamPCP has escalated. The group behind Shai-Hulud is now spreading not just their malware, but their own source code, using what appear to be compromised GitHub accounts. Currently 2 repositories are active, but that number is growing as infections spread. New repositories can be monitored in real time using this link. Search GitHub for “A Gift From TeamPCP.”"
        https://www.ox.security/blog/shai-hulud-open-source-malware-github/
        https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319
      • Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS And Elementary-Data In CI/CD Credential Theft
        "TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, with at least seven distinct waves identified. It finds trusted artifacts in developer tool chains, poisons the distribution channel using that project’s own infrastructure, and harvests credentials before the project’s maintainers or security monitoring catches the substitution. The targets span five programming ecosystems and three registry types. What distinguishes the two most recent operations is how the actor reached the same outcome, despite using different methods to get there. The KICS attack was operationally complex, with simultaneous poisoning across three distribution channels, an obfuscated payload executed via a downloaded runtime, and a downstream npm hijack executed within 24 hours using stolen credentials."
        https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html
      • Undermining The Trust Boundary: Investigating a Stealthy Intrusion Through Third-Party Compromise
        "In recent years, many sophisticated intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. By operating through legitimate and trusted administrative mechanisms, threat actors could more easily blend seamlessly into routine operations and remain undetected. Microsoft Incident Response investigated an intrusion that followed this pattern. What initially appeared as routine administrative activity was instead found to be a coordinated campaign abusing trusted operational relationships and authentication processes to establish durable access. The threat actor in this incident leveraged a compromised third-party IT services provider and legitimate IT management tools to conduct a stealthy campaign focusing on long-term access, credential theft, and establishing a persistent foothold."
        https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/

      Breaches/Hacks/Leaks

      • When The Ransomware Gang Gets Hacked: What The Gentlemen Leak Reveals About Modern Ransomware Risk
        "On May 4, 2026, The Gentlemen’s administrator acknowledged on underground forums that their internal backend database had been compromised and leaked, likely connected to a breach of 4VPS, a hosting provider the group used to run their infrastructure. Check Point Research obtained a portion of that data before it was removed: internal chat logs, organizational rosters, ransom negotiation transcripts, and tooling discussions. It is the kind of inside view of a ransomware operation that almost never becomes available to defenders. This blog distills what CPR found, building on our initial analysis published in April 2026. For the full technical breakdown, read the complete CPR research report."
        https://blog.checkpoint.com/research/when-the-ransomware-gang-gets-hacked-what-the-gentlemen-leak-reveals-about-modern-ransomware-risk/
        https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
        https://www.darkreading.com/threat-intelligence/gentlemen-raas-gang-data-leak
      • 716,000 Impacted By OpenLoop Health Data Breach
        "Hackers stole the personal information of 716,000 individuals during a January 2026 intrusion at telehealth platform OpenLoop Health. The incident was initially disclosed to the relevant authorities in March, but the number of impacted individuals was added to the US Department of Health and Human Services’ breach portal only this week. According to notification letters OpenLoop Health filed with the Attorney General’s Offices in California and Texas, the intrusion was discovered on January 7. “An unauthorized third party had gained access to certain OpenLoop systems and removed certain information,” the notification reads."
        https://www.securityweek.com/716000-impacted-by-openloop-health-data-breach/
        https://securityaffairs.com/192066/uncategorized/openloop-health-confirms-january-2026-data-breach-affecting-716000.html
      • TeamPCP Claims Sale Of Mistral AI Repositories Amid Mini Shai-Hulud Attack
        "Only days after the Mini Shai-Hulud supply chain attack targeted npm and PyPI packages associated with French artificial intelligence company Mistral AI, a threat actor using the TeamPCP identity is now claiming to sell what appear to be internal company repositories and source code on a hacking forum. The forum post, published a few hours ago under the TeamPCP name, advertises roughly 5GB of alleged internal repositories connected to both “mistralai” and “mistral-solutions.” The actor claims the archive contains around 450 repositories covering training systems, fine-tuning projects, benchmarking tools, dashboards, inference infrastructure, experiments, and future AI projects."
        https://hackread.com/teampcp-mistral-ai-repositories-mini-shai-hulud-attack/

      General News

      • April 2026 Phishing Email Trends Report
        "In April 2026, the most common threat in phishing email attachments was Trojan (47%). This type was distributed by disguising itself with a double extension or a legitimate file name to trick the user into executing it and installing malware on the system. They continued to spread through multiple variants and social engineering techniques."
        https://asec.ahnlab.com/en/93706/
      • Checkbox Assessments Aren't Fit To Measure To Risk
        "A rapidly evolving threat landscape with highly adaptable and increasingly sophisticated threat actors is no place for checkbox compliance assessments that merely audit organizations' security postures once a year. That's why security professionals and industry experts are calling for compliance models that take a more continuous approach, and more companies continue to emerge in the space. Industry leaders and CISOs continually poke holes in the way governance, risk management, and compliance (GRC) and third-party risk management (TPRM) assessments are conducted – and the holes are only growing bigger. Yearly assessments, with their static questionnaires to determine an organization's risk level, are stagnant, the polar opposite of how attackers behave. Threat actors can now find and exploit vulnerabilities faster and discover new vectors to conduct supply-chain attacks."
        https://www.darkreading.com/cyber-risk/checkbox-assessments-aren-t-fit-to-measure-to-risk
      • Ransomware: Over Half Of CISOs Would Consider Paying Ransom To Hackers
        "In the event of being hit by a ransomware attack, over half of cybersecurity leaders would consider paying the ransom demand to cybercriminals to end the incident and restore systems faster, according to newly released figures. Published on May 13, the report by Absolute Security suggested that 58% of CISOs would realistically think about paying the ransom, if that is what it took to help restore systems encrypted in a ransomware attack. The research suggested that CISOs in the US are more likely to consider paying a ransom demand, at 63%, than their counterparts in the UK, at just 47%."
        https://www.infosecurity-magazine.com/news/ransomware-over-half-cisos-would/
      • Global Cyber Agencies Issue New SBOMs For AI Guidance To Tackle AI Supply Chain Risks
        "Multiple government cyber agencies have a new resource defining the minimum elements for software bills of materials (SBOMs) for AI to strengthen the AI supply chain. The aim is to help public and private sector stakeholders improve transparency in their artificial intelligence (AI) systems and supply chains. The paper, Software Bill of Materials (SBOM) for Artificial Intelligence - Minimum Elements, was published on 12 May and was written by the G7 Cybersecurity Working Group."
        https://www.infosecurity-magazine.com/news/new-sboms-for-ai-guidance-2026/
        https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4
      • Alleged Dream Market Admin Arrested In Germany After US Indictment
        "German and U.S. authorities arrested the alleged administrator behind Dream Market, a popular dark web forum that shut down in 2019. During a May 7 raid on three locations, German and U.S. law enforcement arrested Owe Martin Andresen, 49, on multiple charges of money laundering. An indictment unsealed this week by the DOJ accused Andresen of being the main administrator of Dream Market. The Justice Department did not respond to requests for comment about whether they will ask for him to be extradited from Germany, where he also faces charges. U.S. Attorney Theodore Hertzberg said Andresen “will be prosecuted in both Germany and the United States as a result of his actions.”"
        https://therecord.media/dream-market-admin-arrested-in-germany
      • Operating Inside The Lethal Trifecta: Blast Radius Reduction In AI Agent Deployments
        "AI agents that can read files, call APIs, and perform actions are already being deployed in enterprises. These agents often operate in the center of what Simon Willison terms ‘the lethal trifecta’: they can access private data, process untrusted content, and communicate externally, making them susceptible to data theft via indirect prompt injection – where an attacker plants instructions in content that the agent reads on behalf of a trusted user, such as an email, a web page, or a document. The agent follows the injected instructions with the user's privileges, and the user never sees the attack. The Agents Rule of Two generalizes the concept: an agent should satisfy at most two of a) processing untrusted inputs, b) accessing sensitive systems, and c) changing state externally."
        https://www.sophos.com/en-us/blog/inside-the-lethal-trifecta-blast-radius-reduction-in-ai-agent-deployments

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT