โพสต์ถูกสร้างโดย NCSA_THAICERT

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 2 รายการ เมื่อวันที่ 30 ธันวาคม 2025 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-25-364-01: WHILL C2 Wheelchairs
• ICSA-25-345-03: AzeoTech DAQFactory (Update A)

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/12/30/cisa-releases-two-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Malware

• GlassWorm Goes Mac: Fresh Infrastructure, New Tricks
  "Two and a half months ago, we exposed GlassWorm, the first self-propagating worm targeting VS Code extensions, using invisible Unicode characters to hide malicious code. We've tracked this threat actor through three waves: invisible Unicode payloads, a return strike that exposed real victims including a Middle Eastern government entity, and a pivot to compiled Rust binaries. Now they're back. With 50,000 downloads, a platform switch from Windows to macOS, and the infrastructure is fully operational as you read this."
  https://www.koi.ai/blog/glassworm-goes-mac-fresh-infrastructure-new-tricks
  https://www.bleepingcomputer.com/news/security/new-glassworm-malware-wave-targets-macs-with-trojanized-crypto-wallets/

General News

• The Biggest Cybersecurity And Cyberattack Stories Of 2025
  "2025 was a big year for cybersecurity, with major cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day vulnerabilities exploited in incidents. Some stories, though, were more impactful or popular with our readers than others. Below are fifteen of what BleepingComputer believes are the most impactful cybersecurity topics of 2025, with a summary of each. These stories are in no particular order."
  https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2025/
• Infosecurity's Top 10 Cybersecurity Stories Of 2025
  "Cybersecurity dominated headlines throughout 2025, with a year marked by high-profile breaches, evolving attack techniques and major shifts in industry practices. From critical zero-day vulnerabilities and supply chain threats to AI-driven risks and vendor shake-ups, the security landscape has been anything but static. In this roundup, we’ll dive into some of Infosecurity Magazine’s most-read stories of the year, covering the incidents, innovations and trends that shaped the conversation in cybersecurity."
  https://www.infosecurity-magazine.com/news/infosecurity-top-10-stories-2025/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

New Tooling

• Duplicati: Free, Open-Source Backup Client
  "Duplicati is an open source backup client that creates encrypted, incremental, compressed backup sets and sends them to cloud storage services or remote file servers. Duplicati operates as a client side application designed to back up files and folders from endpoints and servers. It runs locally, collects selected data, packages it into backup volumes, and transfers those volumes to a configured destination. Restore operations support individual files, folders, and point in time recovery based on stored versions."
  https://www.helpnetsecurity.com/2025/12/31/duplicati-free-open-source-backup-client/
  https://github.com/duplicati/duplicati

Vulnerabilities

• IBM Warns Of Critical API Connect Auth Bypass Vulnerability
  "IBM urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow attackers to access apps remotely. API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers. Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors."
  https://www.bleepingcomputer.com/news/security/ibm-warns-of-critical-api-connect-auth-bypass-vulnerability/
  https://www.ibm.com/support/pages/node/7255149
  https://thehackernews.com/2025/12/ibm-warns-of-critical-api-connect-bug.html

Malware

• RondoDoX Botnet Weaponizes React2Shell
  "CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the threat actors have shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like "React2Shell" and cryptominers. This analysis offers crucial insights into their evolving infrastructure and provides defensive recommendations to mitigate these sophisticated attacks."
  https://www.cloudsek.com/blog/rondodox-botnet-weaponizes-react2shell
  https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/

Breaches/Hacks/Leaks

• Hackers Drain $3.9M From Unleash Protocol After Multisig Hijack
  "The decentralized intellectual property platform Unleash Protocol has lost around $3.9 million worth of cryptocurrency after someone executed an unauthorized contract upgrade that allowed asset withdrawals. According to the team behind the blockchain project, the attacker obtained enough signing power to act as an administrator of Unleash’s multisig governance system. "Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade," the company says in a public announcement."
  https://www.bleepingcomputer.com/news/security/hackers-drain-39m-from-unleash-protocol-after-multisig-hijack/
• Everest Ransomware Leaks 1TB Of Stolen ASUS Data
  "On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of sensitive ASUS data, including information related to the company’s AI models, memory dumps, and calibration files. ASUS later confirmed the report and acknowledged the breach, attributing it to a third-party vendor. Everest has now leaked the entire dataset online. The release followed the group’s claim that ASUS failed to meet the deadline to initiate contact. Notably, the ransomware gang had given the tech giant 24 hours to respond, following its usual approach of demanding a ransom."
  https://hackread.com/everest-ransomware-asus-data-leak/
• Trust Wallet Chrome Extension Hack Drains $8.5M Via Shai-Hulud Supply Chain Attack
  "Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. "Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key," the company said in a post-mortem published Tuesday. "The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet's standard release process, which requires internal approval/manual review.""
  https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html
  https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/

General News

• What Consumers Expect From Data Security
  "Security teams spend years building controls around data protection, then a survey asks consumers a simple question about responsibility and the answer lands close to home. Most people believe they are in charge of their own data privacy, and they want systems that support that belief, according to the 2025 Data Privacy Research from the Software & Information Industry Association. The study examines how people view responsibility, cost, and acceptable data use."
  https://www.helpnetsecurity.com/2025/12/31/siia-consumer-data-security-report/
• Security Coverage Is Falling Behind The Way Attackers Behave
  "Cybercriminals keep tweaking their procedures, trying out new techniques, and shifting tactics across campaigns. Coverage that worked yesterday may miss how those behaviors appear today. The 2025 Threat-Led Defense Report from Tidal Cyber draws on tens of thousands of observed techniques and procedures collected through its threat intelligence platform. The study tracks adversary activity across campaigns, sectors, and regions, then maps that activity to MITRE ATT&CK behaviors."
  https://www.helpnetsecurity.com/2025/12/31/cybercriminals-activity-behavior/
• Sunken Ships: Will Orgs Learn From Ivanti EPMM Attacks?
  "The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues."
  https://www.darkreading.com/cyber-risk/sunken-ships-ivanti-epmm-attacks
• Identity Security 2026: Four Predictions & Recommendations
  "Agentic AI adoption and identity security risks, IGA expands in mid-market, SOC-identity team collaboration, and identity platform consolidation—this 2026 predictions post previews identity trends. As an Omdia analyst looking at identity security and data security, I have the privilege of interacting with the enterprise practitioner community as well as talking to the vendor community about what they see over the horizon. Here are my predictions for what we’ll see in identity in 2026."
  https://www.darkreading.com/identity-access-management-security/identity-security-2026-predictions-and-recommendations
• Contrarians No More: AI Skepticism Is On The Rise
  "As 2025 comes to a close, some of the artificial intelligence industry's biggest skeptics may be poised for a victory lap. In recent months, AI has taken some hits on several fronts. First and foremost, there are increasing fears about an AI bubble potentially popping as major stocks have dipped. Additionally, several studies have shown many companies have yet to achieve the return on investment they'd hoped for with their generative AI (GenAI) pilots."
  https://www.darkreading.com/cybersecurity-operations/contrarians-no-more-ai-skepticism
• Cybersecurity Predictions 2026: An AI Arms Race And Malware Autonomy
  "The year ahead will see an intensified AI-driven cybersecurity arms race, with attackers leveraging autonomous malware and advanced AI technologies to outpace defenders, while security teams adopt increasingly sophisticated AI tools to combat evolving threats amidst growing vendor consolidation and platformization in the industry."
  https://www.darkreading.com/cyber-risk/cybersecurity-predictions-2026-an-ai-arms-race-and-malware-autonomy

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Vulnerabilities

• CSA Issues Alert On Critical SmarterMail Bug Allowing Remote Code Execution
  "The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication. "Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution," CSA said."
  https://thehackernews.com/2025/12/csa-issues-alert-on-critical.html
  https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-14847 MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/29/cisa-adds-one-known-exploited-vulnerability-catalog
  https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-mongobleed-flaw-actively-exploited-in-attacks/
  https://securityaffairs.com/186297/hacking/u-s-cisa-adds-a-flaw-in-mongodb-server-to-its-known-exploited-vulnerabilities-catalog.html

Malware

• Spearphishing Campaign Abuses Npm Registry To Target U.S. And Allied Manufacturing And Healthcare Organizations
  "The Socket Threat Research Team uncovered a sustained and targeted phishing (spearphishing) operation that has abused the npm registry as a hosting and distribution layer for at least five months. We identified 27 malicious npm packages published under six different npm aliases, all designed to deliver browser-executed phishing components that impersonate secure document-sharing workflows and Microsoft sign-in pages. The campaign is highly-targeted, focusing on sales and commercial personnel at critical infrastructure-adjacent organizations in the United States and allied nations. Across this cluster, we identified 25 distinct targeted individuals in manufacturing, industrial automation, plastics, and healthcare sectors, consistent with victim-specific preparation rather than broad, opportunistic distribution."
  https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry
  https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html
• The Industrialization Of “ClickFix”: Inside ErrTraffic
  "The landscape of cybercrime is undergoing a profound structural shift. We are witnessing the transition from bespoke, high-skill intrusion methods to commoditized, service-based social engineering. At the center of this transformation is the rapid proliferation of “ClickFix” tools – deceptive overlays that trick users into manually executing malicious scripts. Hudson Rock researchers have identified and analyzed a new, highly sophisticated ClickFix service currently being promoted on top-tier Russian-language cybercrime forums. Dubbed “ErrTraffic” (or ErrTraffic v2), this comprehensive software suite industrializes the deployment of ClickFix lures."
  https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
  https://www.bleepingcomputer.com/news/security/new-errtraffic-service-enables-clickfix-attacks-via-fake-browser-glitches/
• DarkSpectre: Unmasking The Threat Actor Behind 8.8 Million Infected Browsers
  "Over the past year, we've encountered hundreds, if not thousands, of malicious items across numerous marketplaces. But this is the first time we've found a well-funded criminal organization responsible for several of the largest and most sophisticated campaigns we’ve ever uncovered. We're calling them DarkSpectre - a Chinese threat actor behind at least three major malware campaigns infecting over 8.8 million users in over 7 years of operation. And today, we are telling their story, along with uncovering another DarkSpectre campaign affecting 2.2M users, and a new Opera browser extension with nearly 1 million installs tied to GhostPoster.."
  https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers
  https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/
• Silver Fox Targeting India Using Tax Themed Phishing Lures
  "CloudSEK's TRIAD reveals a critical campaign by the Chinese "Silver Fox" APT targeting Indian entities with authentic-looking Income Tax phishing lures. While previously misattributed to SideWinder, this sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. Discover the full technical breakdown and why accurate attribution is essential for effective defense."
  https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures
  https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with.html

Breaches/Hacks/Leaks

• European Space Agency Confirms Breach Of "external Servers"
  "The European Space Agency (ESA) confirmed that attackers recently breached servers outside its corporate network, which contained what it described as "unclassified" information on collaborative engineering activities. Founded 50 years ago and headquartered in Paris, ESA is an intergovernmental organization that coordinates the space activities of 23 member states. ESA has around 3000 staff and had a budget of €7.68 billion ($9 billion) in 2025. Today, the space agency issued a statement confirming a breach, following claims by a threat actor on the BreachForums hacking forum that they had breached some of ESA's servers."
  https://www.bleepingcomputer.com/news/security/european-space-agency-confirms-breach-of-external-servers/

General News

• Executives Say Cybersecurity Has Outgrown The IT Department
  "Cybersecurity has moved from a technical problem to a boardroom concern tied to survival. A global Rimini Street study of senior executives shows security risk shaping decisions on technology, talent, and long term planning across industries that keep economies running. Security threats rank as the most pressing external risk facing organizations. 54% of respondents list cybersecurity threats as their top concern, ahead of supply chain disruption, regulatory shifts, and economic downturns. This view holds steady across regions and industries, indicating that security exposure is treated as a shared business condition."
  https://www.helpnetsecurity.com/2025/12/30/rimini-street-security-leadership-strategy-report/
• Non-Human Identities Push Identity Security Into Uncharted Territory
  "Enterprises are grappling with an identity attack surface that keeps expanding and slipping out of reach, according to Veza. Permissions now grow faster than teams can track them. Enterprises often operate with hundreds of millions of active entitlements, each defining what an identity can do in a system. Veza measured more than 230 billion permissions across its dataset."
  https://www.helpnetsecurity.com/2025/12/30/identity-security-permissions-sprawl/
• Two Americans Plead Guilty To Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware
  "Yesterday a federal district court in the Southern District of Florida accepted the guilty pleas of two men to conspiring to obstruct, delay or affect commerce through extortion in connection with ransomware attacks occurring in 2023. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets. The Department of Justice is committed to using all tools available to identify and arrest perpetrators of ransomware attacks wherever we have jurisdiction.”"
  https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware
  https://therecord.media/ransomware-responders-guilty-plea-using-alphv-blackcat-us-attacks
  https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-plead-guilty-to-blackcat-alphv-ransomware-attacks/
  https://www.bankinfosecurity.com/2-cyber-pros-admit-to-being-blackcat-ransomware-affiliates-a-30415
• Fraudsters Stick To What Works Even In The Age Of AI
  "Fraudsters stick to the basics, because the basics work. Synthetic identities, fake accounts and tried-and-tested account takeovers still work, even in an age of artificial intelligence-related threats. Deepfakes and other AI threats may dominate the discourse, but scammers are happy to keep on stealing the old-fashioned way."
  https://www.bankinfosecurity.com/blogs/fraudsters-stick-to-what-works-even-in-age-ai-p-4013
• Going Off Message: CISA Warns Of Sophisticated Spyware Attacks
  "Encrypted mobile messaging tools enable secure data sharing for government agencies and private enterprises. Instead of attempting to break through these digital defenses, however, attackers have found a way around: Targeted social engineering paired with commercial spyware. According to a recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals are using malicious QR codes, zero-click exploits and application impersonation to access secure messaging platforms and steal protected data."
  https://blog.barracuda.com/2025/12/30/going-off-message--cisa-warns-of-sophisticated-spyware-attacks
• Zoom Logs Are a Goldmine (if You Know Where To Look)
  "In February 2024, a finance employee wired $25 million after a video call with what appeared to be their CFO. It was a deepfake. That same year, organized groups disrupted dozens of California city council meetings, forcing several cities to reconsider how they run public sessions on Zoom. These incidents point to a blind spot in many security programs: the meeting itself is an attack surface. Zoom is where social engineering happens in real time. Meeting links behave like long-lived access tokens. External participants interact directly with your employees, often outside the controls you rely on elsewhere. And critically, Zoom records all of this activity – in a structured way – if you’re actually collecting it."
  https://beacon.security/resources/zoom-logs-are-a-goldmine

อ้างอิง
Electronic Transactions Development Agency (ETDA)

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบข้อมูลการเปิดเผยช่องโหว่ด้านความมั่นคงปลอดภัยระดับร้ายแรงในแพลตฟอร์ม IBM API Connect หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถข้ามกระบวนการยืนยันตัวตนและเข้าถึงระบบหรือแอปพลิเคชันได้โดยไม่ได้รับอนุญาต ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่
• ช่องโหว่หมายเลข CVE-2025-13915 จัดอยู่ในประเภท Authentication Vulnerability
• ช่องโหว่นี้เกิดจากกลไกการยืนยันตัวตนของแพลตฟอร์ม IBM API Connect ที่ไม่เหมาะสม
• ผู้ไม่หวังดีอาจสามารถข้ามกระบวนการยืนยันตัวตน และเข้าถึงระบบหรือฟังก์ชันของแอปพลิเคชันได้โดยไม่ได้รับอนุญาต
• ส่งผลให้มีความเสี่ยงต่อการเข้าควบคุมระบบ การเข้าถึงข้อมูลสำคัญ หรือการดำเนินการที่เป็นอันตรายต่อระบบงานขององค์กร

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• IBM API Connect เวอร์ชัน 10.0.8.0 – 10.0.8.5
• IBM API Connect เวอร์ชัน 10.0.11.0

️ ThaiCERT แนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบเร่งดำเนินการตรวจสอบและแก้ไขโดยเร็ว

แนวทางการตรวจสอบและการป้องกัน

1. แนวทางการตรวจสอบ
   • ตรวจสอบเวอร์ชันของ IBM API Connect ที่ใช้งานอยู่ ว่าอยู่ในช่วงเวอร์ชันที่ได้รับผลกระทบหรือไม่
   • ตรวจสอบการตั้งค่าการยืนยันตัวตนและการเข้าถึงระบบ
   • ตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับการเข้าถึงระบบและการใช้งาน API

2. แนวทางการป้องกัน
   • ดำเนินการอัปเดต IBM API Connect เป็นเวอร์ชันที่มีการติดตั้ง iFix ล่าสุด ตามคำแนะนำของ IBM
   • จำกัดสิทธิ์การเข้าถึงระบบและฟังก์ชันที่เกี่ยวข้องให้เฉพาะผู้ใช้งานที่จำเป็น

3. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   • พิจารณา ปิดฟังก์ชัน self-service sign-up บน Developer Portal เป็นการชั่วคราว
   • เพิ่มมาตรการควบคุมการเข้าถึงระบบ และเฝ้าระวังการใช้งานที่ผิดปกติ

แหล่งอ้างอิง
• https://nvd.nist.gov/vuln/detail/CVE-2025-13915
• https://www.ibm.com/support/pages/node/7255149

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#IBMAPIConnect #CVE202513915 #ThaiCERT #ThaiCyberSecurity#ช่องโหว่รุนแรง #AuthenticationBypass #APISecurity #อัปเดตด่วน

New Tooling

• Superagent: Open-Source Framework For Guardrails Around Agentic AI
  "Superagent is an open-source framework for building, running, and controlling AI agents with safety built into the workflow. The project focuses on giving developers and security teams tools to manage what agents can do, what they can access, and how they behave during execution. Superagent targets environments where autonomous or semi autonomous agents interact with APIs, data sources, and external services."
  https://www.helpnetsecurity.com/2025/12/29/superagent-framework-guardrails-agentic-ai/
  https://github.com/superagent-ai/superagent

Malware

• Shai Hulud Strikes Again - The Golden Path
  "As of 30 minutes ago, we detected what we believe to be the first instance of a new strain of Shai Hulud, which was uploaded to npm in the package @vietmoney/react-big-calendar : https://www.npmjs.com/package/@vietmoney/react-big-calendar It contains a new and novel strain of Shai Hulud. At this time, there does NOT seem to be any major spread or infections. This suggests we may have caught the attackers testing their payload. The differences in the code suggests that this was obfuscated again from original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."
  https://www.aikido.dev/blog/shai-hulud-strikes-again---the-golden-path
  https://www.bankinfosecurity.com/researchers-spot-new-shai-hulud-variant-a-30409
• The HoneyMyte APT Evolves With a Kernel-Mode Rootkit And a ToneShell Backdoor
  "In mid-2025, we identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys. Our analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker’s servers and provides a reverse shell, along with other capabilities. The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia."
  https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
  https://www.bleepingcomputer.com/news/security/chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity/
• EmEditor Supply Chain Incident Details Disclosed: Distribution Of Information-Stealing Malware Sweeps Through Domestic Government And Enterprise Entities
  "On December 23, 2025, the renowned document editor EmEditor officially released an announcement stating that between December 19th and 22nd, its official website installation packages were subjected to a supply chain attack. The MSI installation packages were replaced with malicious ones signed with a non-official signature "WALSHAM INVESTMENTS LIMITED":"
  https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
  https://www.emeditor.com/general/important-security-incident-notice-regarding-the-emeditor-installer-download-link/
  https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/

Breaches/Hacks/Leaks

• Trust Wallet Says 2,596 Wallets Drained In $7 Million Crypto Theft Attack
  "Trust Wallet says attackers who compromised its browser extension right before Christmas have drained approximately $7 million from nearly 3,000 cryptocurrency wallet addresses. The cryptocurrency wallet (used by over 200 million people according to its official website) allows users to store, send, receive, and manage Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens using a browser extension and free iOS and Android mobile apps. Trust Wallet launched in 2017 and was acquired by Binance, one of the world's largest cryptocurrency exchanges, the following year. Despite this, it still operates as a separate, decentralized wallet application."
  https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/
• Romanian Energy Provider Hit By Gentlemen Ransomware Attack
  "A ransomware attack hit Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure. The 40-year-old Romanian energy provider employs over 19,000 people, operates four power plants with an installed production capacity of 3900 MWh, and provides about 30% of Romania's electricity. "As a result of the attack, some documents and files were encrypted, and several computer applications became temporarily unavailable, including ERP systems, document management applications, the company's email service, and website," it said over the weekend."
  https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit-by-gentlemen-ransomware-attack/
  https://securityaffairs.com/186290/cyber-crime/romanias-oltenia-energy-complex-suffers-major-ransomware-attack.html
• Korean Air Data Breach Exposes Data Of Thousands Of Employees
  "Korean Air experienced a data breach affecting thousands of employees after Korean Air Catering & Duty-Free (KC&D), its in-flight catering supplier and former subsidiary, was recently hacked. Korea's flag carrier has over 20,000 employees, a fleet of over 160 aircraft, and has reported over $11 billion in revenue after carrying more than 23 million passengers in 2024. The airline issued an internal notice on Monday, disclosing a data breach after KC&D (which spun off as a separate in-flight meals and retail company in 2020) notified it that it had been recently hacked."
  https://www.bleepingcomputer.com/news/security/korean-air-data-breach-exposes-data-of-thousands-of-employees/
  https://securityaffairs.com/186275/data-breach/korean-air-discloses-data-breach-after-the-hack-of-its-catering-and-duty-free-supplier.html
• Two More Banks Notifying Thousands Of Victims About Marquis Software Ransomware Attack
  "Two U.S. banks have come forward to warn customers they were impacted by an August ransomware attack on a popular financial software company. Artisans' Bank and VeraBank informed regulators in Maine last week that recent data breaches were sourced back to a cyberattack on Marquis Software. The software company previously said it suffered a ransomware attack around August 14 that affected dozens of its corporate customers and thousands of downstream users. VeraBank explained in letters to victims that Marquis Software is their “customer communication and data analysis vendor.”"
  https://therecord.media/banks-marquis-software-ransomware

General News

• Automation Forces a Reset In Security Strategy
  "Enterprise security teams are working under the assumption that disruption is constant. A global study by Trellix shows that resilience has moved from a long term goal to a structural requirement for CISOs. Infrastructure design, operational integration, and the use of AI shape how organizations prepare for ongoing pressure from threats and regulation."
  https://www.helpnetsecurity.com/2025/12/29/trellix-hybrid-security-infrastructure-report/
• Hacker Arrested For KMSAuto Malware Campaign With 2.8 Million Downloads
  "A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man was extradited from Georgia to South Korea following a related request under Interpol’s coordination. According to the Korean National Police Agency, the suspect used KMSAuto to lure victims into downloading a malicious executable that scanned the clipboard for cryptocurrency addresses and replaced them with ones controlled by the attacker - known as 'clipper malware'."
  https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/
• Former Coinbase Support Agent Arrested For Helping Hackers
  "A former Coinbase customer service agent was arrested in India for helping hackers earlier this year steal sensitive customer information from a company database. The arrest occurred in Hyderabad, the capital of India's Telangana state and a major technology center in the country, and it is expected that more individuals will be detained, according to Coinbase CEO Brian Armstrong."
  https://www.bleepingcomputer.com/news/security/former-coinbase-support-agent-arrested-for-helping-hackers/
  https://www.theregister.com/2025/12/29/indian_cops_cuff_coinbase_exrep/
• Cybersecurity Trends: What's In Store For Defenders In 2026?
  "As the year comes to a close, what's notable over the past 12 months is how much hasn't fundamentally changed on the cyberattack front. Nation-state and cybercrime hackers are exploiting edge devices at scale. Chinese nation-state and affiliated private hackers enjoy deep access to Western critical infrastructure through networks often poorly protected due to outdated or poorly configured equipment and inadequate visibility."
  https://www.bankinfosecurity.com/blogs/cybersecurity-trends-whats-in-store-for-defenders-in-2026-p-4009
• Dark Reading Confidential: Stop Secrets Creep Across Developer Platforms
  "And welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I'm Becky Bracken, your host. And today I am lucky to be joined by my colleague, Rob Wright, who has been Dark Reading's lead reporter on the topic we are taking on today, secrets creep. More particularly, sensitive enterprise information, which is being fed into software development platforms. Rob, is that a fair assessment?"
  https://www.darkreading.com/cybersecurity-operations/stop-secrets-creep-across-developer-platforms
• SBOMs In 2026: Some Love, Some Hate, Much Ambivalence
  "A software bill of materials (SBOMs) has been touted as a critical tool in solving software supply-chain security issues, but the rapid change of software ecosystems and the complexity of creating an end-to-end verified chain of code continue to foil widespread adoption. Docker, for example, has fully embraced the software ingredient lists in their Docker Hardened Images, the company's minimal, security-focused recipes for building secure software containers. The images are built from the ground up to minimize unnecessary software components — also known as artifacts — and sport complete SBOMs and proof of provenance using Level 3 of the Supply-chain Levels for Software Artifacts (SLSA), a way to digitally ensure build integrity and provide verification of software sources."
  https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence
• 5 Threats That Defined Security In 2025
  "2025 marked yet another busy year in security, between big attacks, government shakeups, and dangerous flaws that echo of the past. The moments that defined this year were impactful but felt evenly spread across the year. Early in 2025, we saw China-nexus advanced persistent threat (APT) Salt Typhoon continue its assault against telecom companies as part of its espionage operations. In the summer and into the fall, we saw the Cybersecurity and Infrastructure Security Agency (CISA) face budgetary cuts and layoffs, fallout from President Trump's commitment to slim the US government at any cost. And just this past month, React2Shell was disclosed to the public — a vulnerability in React with a CVSS score of 10 that echoed of the now-infamous Log4Shell."
  https://www.darkreading.com/vulnerabilities-threats/five-threats-that-defined-security-2025
• LLMs Are Automating The Human Part Of Romance Scams
  "Romance scams succeed because they feel human. New research shows that feeling no longer requires a person on the other side of the chat. Romance baiting scams build emotional bonds over weeks before steering victims toward fake cryptocurrency investments. A recent study shows that most of this work consists of repeatable text exchanges that are already being augmented with language models."
  https://www.helpnetsecurity.com/2025/12/29/llms-romance-baiting-scams-study/
  https://arxiv.org/pdf/2512.16280
• Malware In 2025 Spread Far Beyond Windows PCs
  "This blog is part of a series highlighting new and concerning trends we noticed over the last year. Trends matter because they almost always provide a good indication of what’s coming next. If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows alone. We’ve seen some major developments, especially in campaigns targeting Android and macOS. Unfortunately, many people still don’t realize that protecting smartphones, tablets, and other connected devices is just as essential as securing their laptops."
  https://www.malwarebytes.com/blog/news/2025/12/malware-in-2025-spread-beyond-windows-pcs
• Survey: Security Spending To Increase Sharply In 2026
  "The good news for cybersecurity teams heading into 2026 is that despite a lot of economic uncertainty, cybersecurity budgets are expected to rise. A survey of 310 C-suite security leaders at U.S. organizations with at least $1 billion in revenue finds nearly all (99%) lead organizations that plan to increase cybersecurity budgets in the next few years, with well over half (54%) planning for significant increases of 6% to 10% as they brace for future threats."
  https://blog.barracuda.com/2025/12/29/survey--security-spending-to-increase-sharply-in-2026
• Traditional Security Frameworks Leave Organizations Exposed To AI-Specific Attack Vectors
  "In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI systems in 2024 alone, a 25% increase from the previous year."
  https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบการอัปเดตด้านความปลอดภัยเพื่อแก้ไขช่องโหว์ในซอฟต์แวร์ SmarterMail
หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถเรียกใช้งานคำสั่งบนระบบจากระยะไกล ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่:
SmarterTools ตรวจพบช่องโหว่ความรุนแรงระดับ Critical ในซอฟต์แวร์ SmarterMail
ช่องโหว่นี้เปิดโอกาสให้ผู้โจมตีที่ ยังไม่ได้ยืนยันตัวตน (Unauthenticated) สามารถอัปโหลดไฟล์ไปยังตำแหน่งใดก็ได้บน Mail Server หากถูกโจมตีสำเร็จ อาจนำไปสู่ Remote Code Execution (RCE) และการควบคุมระบบ Mail Server ได้ทั้งหมด ระบบที่เปิด SmarterMail ให้เข้าถึงจาก Internet มีความเสี่ยงสูงมาก ต้องอัปเดตทันที

ภาพรวมของช่องโหว่ (Overview)

• ช่องโหว่ที่เกี่ยวข้อง: CVE-2025-52691 ระดับความรุนแรง: Critical (CVSS 3.1 = 10.0)
• ลักษณะช่องโหว่: ช่องโหว่ประเภท Unauthenticated Arbitrary File Upload ระบบไม่จำกัดตำแหน่งและชนิดของไฟล์ที่อัปโหลด ผู้โจมตีไม่จำเป็นต้องมีบัญชีผู้ใช้หรือรหัสผ่าน
• ผู้โจมตีสามารถอัปโหลดไฟล์อันตรายไปยัง Server ได้ อาจนำไปสู่การรันโค้ดจากระยะไกล (Remote Code Execution)
• ผลิตภัณฑ์ที่ได้รับผลกระทบ: SmarterTools SmarterMail

ผลกระทบ️ หากช่องโหว่นี้ถูกโจมตีสำเร็จ อาจส่งผลดังนี้:

1. อัปโหลดไฟล์อันตรายไปยัง Server ได้ทันที
2. รันโค้ดจากระยะไกล (Remote Code Execution)
3. เข้าควบคุม Mail Server โดยไม่ได้รับอนุญาต
4. เข้าถึงข้อมูลอีเมลภายในองค์กร
5. ใช้ Mail Server เป็นฐานโจมตีระบบอื่น (Pivot / Lateral Movement)

เวอร์ชันที่ได้รับผลกระทบ (Affected Versions): SmarterMail Build 9406 และเวอร์ชันก่อนหน้า

แนวทางแก้ไข (Mitigation – Recommended) SmarterTools แนะนำให้ผู้ดูแลระบบดำเนินการดังนี้:

1. อัปเกรด SmarterMail เป็น Build 9413 หรือใหม่กว่าทันที
2. ตรวจสอบว่าการอัปเดตเสร็จสมบูรณ์และรีสตาร์ทบริการเรียบร้อย
3. ตรวจสอบไฟล์ที่ถูกอัปโหลดผิดปกติก่อนหน้า (Retroactive Check)

แนวทางแก้ไขชั่วคราว: ไม่มี Workaround ที่ปลอดภัยเพียงพอ หากยังไม่สามารถอัปเดตได้ในทันที ควรดำเนินการเพื่อลดความเสี่ยงดังนี้

1. จำกัดการเข้าถึง SmarterMail จาก Internet
2. อนุญาตให้เข้าถึงเฉพาะ IP ที่จำเป็น
3. ปิดการเข้าถึงผ่าน Web Interface หากไม่จำเป็น
   หมายเหตุ: เป็นเพียงการลดความเสี่ยง ไม่ใช่การแก้ไขถาวร

คำแนะนำด้านความปลอดภัยเพิ่มเติม (Security Hardening)

• ตรวจสอบ Log: Web access logs, File upload activity, Error logs ที่ผิดปกติ
• ตรวจสอบไฟล์ใหม่ที่ถูกสร้างใน Directory ของ Web / Mail service
• สำรองข้อมูล (Backup) ก่อนและหลังการอัปเดต
• แยก SmarterMail ออกจากระบบ Critical อื่น (Network Segmentation)
• ใช้ Web Application Firewall (WAF) หากเป็นไปได้

แหล่งอ้างอิง (References)

1. https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124
2. https://nvd.nist.gov/vuln/detail/CVE-2025-52691

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#SmarterMail #CVE202552691 #ThaiCERT #ThaiCyberSecurity #ช่องโหว่รุนแรง #RCE #MailServerSecurity #อัปเดตด่วน

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Vulnerabilities

• All I Want For Christmas Is Your Secrets: LangGrinch Hits LangChain Core (CVE-2025-68664)
  "Earlier this year, my research focused on breaking secret managers in our “Vault Fault” work – systems that are explicitly designed to be the security boundary around your most sensitive credentials. One takeaway kept repeating: when a platform accidentally treats attacker-shaped data as trusted structure, that boundary collapses fast. This time, the system that “breaks” isn’t your secret manager. It’s the agent framework that may use them."
  https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/
  https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html
  https://securityaffairs.com/186185/hacking/langchain-core-vulnerability-allows-prompt-injection-and-data-exposure.html
• CVE-2025-54322 (ZERODAY) - Unauthenticated Root RCE Affecting ~70,000+ Hosts
  "Xspeeder is a Chinese networking vendor known for edge devices like routers, SD-WAN appliances, and smart TV controllers. Their core firmware, SXZOS, powers a line of SD-WAN devices that are especially prevalent across remote industrial and branch environments. According to Fofa and other more advanced fingerprinting services, there are tens of thousands of publicly accessible SXZOS-based systems globally in various geographic regions, making this firmware and any potential vulnerability it exposes, a widespread risk surface. This was one of the devices that made it into our office over a 8 month ago for research purposes."
  https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

Malware

• Exploited MongoBleed Flaw Leaks MongoDB Secrets, 87K Servers Exposed
  "A severe vulnerability affecting multiple MongoDB versions, dubbed MongoBleed (CVE-2025-14847), is being actively exploited in the wild, with over 80,000 potentially vulnerable servers exposed on the public web. A public exploit and accompanying technical details are available, showing how attackers can trigger the flaw to remotely extract secrets, credentials, and other sensitive data from an exposed MongoDB server. The vulnerability was assigned a severity score of 8.7 and has been handled as a “critical fix,” with a patch available for self-hosting instances since December 19."
  https://www.bleepingcomputer.com/news/security/exploited-mongobleed-flaw-leaks-mongodb-secrets-87k-servers-exposed/
• Fake GrubHub Emails Promise Tenfold Return On Sent Cryptocurrency
  "Grubhub users received fraudulent messages, apparently from a company email address, promising a tenfold bitcoin payout in return for a transfer to a specified wallet. The emails claimed to be part of a ‘Holiday Crypto Promotion’ and came from an email address on ‘b.grubhub.com’, which is a legitimate subdomain that Grubhub uses to communicate with its merchant partners and restaurants."
  https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/
• Trust Wallet Confirms Extension Hack Led To $7 Million Crypto Theft
  "Trust Wallet confirmed that a compromised Chrome extension update released on December 24 led to $7 million in stolen cryptocurrency after users reported their wallets drained. "So far, $7m affected by this hack. TrustWallet will cover. User funds are SAFU. Appreciate your understanding for any inconveniences caused," posted Binance founder Changpeng "CZ" Zhao on X. "The team is still investigating how hackers were able to submit a new version.""
  https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/
  https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html
  https://securityaffairs.com/186163/cyber-crime/trust-wallet-warns-users-to-update-chrome-extension-after-7m-security-loss.html

Breaches/Hacks/Leaks

• Everest Ransomware Group Claims Theft Of Over 1TB Of Chrysler Data
  "On December 25, while much of the world was observing Christmas, the Everest ransomware group published a new post on its dark web leak site claiming it had breached Chrysler systems, an American automaker. The group says it exfiltrated 1088 GB (over 1 TB) of data, describing it as a full database linked to Chrysler operations. According to the threat actors, the stolen data spans from 2021 through 2025 and includes more than 105 GB of Salesforce related information. Everest claims the data contains extensive personal and operational records tied to customers, dealers, and internal agents."
  https://hackread.com/everest-ransomware-group-chrysler-data-breach/
• Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach
  "A hacker using the alias “Lovely” has leaked what they claim is the personal data of over 2.3 million Wired.com users, a prominent American magazine and website. The leak was posted on December 20, 2025, on a newly launched hacking forum called Breach Stars. Along with a download link and file hash, the hacker issued a statement accusing Condé Nast, Wired’s parent company, of ignoring repeated warnings:"
  https://hackread.com/hacker-leak-wired-com-records-conde-nast-breach/
  https://databreaches.net/2025/12/25/conde-nast-gets-hacked-and-databreaches-gets-played-christmas-lump-of-coal-edition/
  https://www.bleepingcomputer.com/news/security/hacker-claims-to-leak-wired-database-with-23-million-records/
  https://securityaffairs.com/186224/data-breach/conde-nast-faces-major-data-breach-2-3m-wired-records-leaked-40m-more-at-risk.html
• Massive Rainbow Six Siege Breach Gives Players Billions Of Credits
  "Ubisoft's Rainbow Six Siege (R6) suffered a breach that allowed hackers to abuse internal systems to ban and unban players, manipulate in-game moderation feeds, and grant massive amounts of in-game currency and cosmetic items to accounts worldwide."
  https://www.bleepingcomputer.com/news/security/massive-rainbow-six-siege-breach-gives-players-billions-of-credits/

General News

• Mentorship And Diversity: Shaping The Next Generation Of Cyber Experts
  "Welcome to Dark Reading's Heard It From a CISO video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In this latest installment, Dark Reading associate editor Kristina Beek interviews Patricia Voight, CISO at Webster Bank."
  https://www.darkreading.com/cybersecurity-careers/mentorship-and-diversity-shaping-the-next-generation-of-cyber-experts
• As More Coders Adopt AI Agents, Security Pitfalls Lurk In 2026
  "Software may be eating the world — to paraphrase one tech luminary — but in 2025, AI ate software development. The vast majority of professional programmers now use large language models (LLMs) for code suggestions, debugging, and even vibe coding. Yet, challenges remain: Even as developers start to use AI agents to build applications and integrate AI services into the development and production pipeline, the quality of the code — especially the security of the code — varies significantly. Greenfield projects may see better productivity and security results than rewriting current code, especially if vulnerabilities in the older code are propagated. Some companies see few productivity gains, others see significant benefits."
  https://www.darkreading.com/application-security/coders-adopt-ai-agents-security-pitfalls-lurk-2026
• LLMs Can Assist With Vulnerability Scoring, But Context Still Matters
  "Every new vulnerability disclosure adds another decision point for already stretched security teams. A recent study explores whether LLMs can take on part of that burden by scoring vulnerabilities at scale. While the results show promise in specific areas, consistent weaknesses continue to hold back fully automated scoring. More than 40,000 CVEs were published in 2024, and the study notes that this surge has put strain on programs that score these entries. Without timely severity ratings, teams cannot tell which risks to handle first."
  https://www.helpnetsecurity.com/2025/12/26/llms-automated-vulnerability-assessment/
• From AI To Cyber Risk, Why IT Leaders Are Anxious Heading Into 2026
  "Cybersecurity threats are shaping IT planning for 2026, with AI maturity and regulation emerging as another major source of disruption, according to a global survey from Veeam. Veeam surveyed 250 senior IT and business decision-makers worldwide to understand how they view risks, readiness, and priorities. When respondents ranked expected disruptors for 2026, cybersecurity threats placed first. Nearly half selected security incidents as their top concern. AI maturity and regulation followed at just over 20%. Workforce shortages and cloud complexity ranked lower."
  https://www.helpnetsecurity.com/2025/12/26/it-planning-cybersecurity-threats-2026/
• The Next Big IT Security Battle Is All About Privileged Access
  "Leostream predicts changes in Identity and Access Management (IAM) and Privileged Access Management (PAM) in 2026 driven by new realities of cybersecurity, hybridization, AI, and more. In 2026, passwordless authentication will shift from isolated pilots to full-scale enterprise adoption within privileged environments. Hardware keys, passkeys, and biometric verification will replace traditional credentials, reducing reliance on shared passwords and vaults. This transition will be driven by compliance mandates and the operational cost of credential sprawl."
  https://www.helpnetsecurity.com/2025/12/26/it-privileged-access-security-trends/
• From AI To Analog, Cybersecurity Tabletop Exercises Look a Little Different This Year
  "It's the most wonderful time of the year … for corporate security bosses to run tabletop exercises, simulating a hypothetical cyberattack or other emergency, running through incident processes, and practicing responses to ensure preparedness if when a digital disaster occurs. "We're ultimately testing how resilient is the organization," said Palo Alto Networks Chief Security Intelligence Officer Wendi Whitmore in an interview with The Register. "It's not if we get attacked, it's: How quickly do we respond and contain these attacks.""
  https://www.theregister.com/2025/12/26/end_of_year_tabletop_exercises/
• From Video Games To Cyber Defense: If You Don't Think Like a Hacker, You Won't Win
  "According to Remedio CEO Tal Kollender, the only way to beat the bad guys hacking into corporate networks is to "think like a hacker," and because not everyone is a teenage hacker turned cybersecurity startup chief executive, she built an AI to do this. "My thought was: if I have a hacker mindset, why not adapt it into defense," Kollender told The Register. "Because if you don't think like a hacker, you won't be able to beat them, right?""
  https://www.theregister.com/2025/12/26/video_game_hacker_turned_ceo/
• Death, Torture, And Amputation: How Cybercrime Shook The World In 2025
  "The knock-on, and often unintentional, impacts of a cyberattack are so rarely discussed. As an industry, the focus is almost always placed on the economic damage: the ransom payment; the cost of business downtime; and goodness, don't forget those poor shareholders. But, in recent years, the toll on human life has become increasingly apparent."
  https://www.theregister.com/2025/12/28/death_torture_and_amputation_how/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Industrial Sector

• Threat Landscape For Industrial Automation Systems. Africa, Q3 2025
  "High threat detection rates point to low cybersecurity maturity across industrial companies on the continent: the availability of internet access on OT computers, weak phishing protection, large portions of unprotected infrastructure, and still relatively poor employee cyberhygiene. In Africa, the percentage of ICS computers on which all categories of threats were blocked is higher than the global average."
  https://ics-cert.kaspersky.com/publications/reports/2025/12/25/threat-landscape-for-industrial-automation-systems-africa-q3-2025/

General News

• TRM Traces Stolen Crypto From 2022 LastPass Breach — On-Chain Indicators Suggest Russian Cybercriminal Involvement
  "In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of roughly 30 million customer vaults — encrypted containers holding users’ most sensitive digital credentials, including crypto private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master passwords, attackers were able to download them in bulk. That created a long-tail risk for more than 25 million users globally: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time."
  https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement
  https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

รายละเอียดช่องโหว่:
• ช่องโหว่ CVE-2025-14847 เป็นช่องโหว่ความปลอดภัยใน MongoDB Server ซึ่งเป็นระบบฐานข้อมูลแบบ NoSQL Database (NoSQL) ช่องโหว่ดังกล่าวเกิดจากการจัดการฟิลด์ความยาวข้อมูลที่ไม่ถูกต้องในกระบวนการประมวลผลแพ็กเก็ตข้อมูลที่ถูกบีบอัดด้วย zlib ภายในโปรโตคอลเครือข่ายของ MongoDB ช่องโหว่นี้ผู้โจมตีสามารถส่งข้อมูลที่ถูกจัดรูปแบบผิดพลาด (malformed data) เข้ามายังระบบและทำให้เซิร์ฟเวอร์ตอบกลับด้วยข้อมูลจากหน่วยความจำแบบ heap ที่ยังไม่ได้ถูกกำหนดค่า (Uninitialized Memory) ซึ่งอาจนำไปสู่การรั่วไหลของข้อมูลภายในระบบได้ และผู้โจมตีสามารถโจมตีได้โดยไม่ผ่านการยืนยันตัวตน

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ:
• MongoDB 8.2.0 ถึง 8.2.2, 8.0.0 ถึง 8.0.16, 7.0.0 ถึง 7.0.27, 6.0.0 ถึง 6.0.26, 5.0.0 ถึง 5.0.31 และ 4.4.0 ถึง 4.4.29

แนวทางการตรวจสอบและการป้องกัน:

1. แนวทางการตรวจสอบ
   • สแกนหา MongoDB ที่เปิด port เครือข่าย เพื่อค้นหาว่ามีเซิร์ฟเวอร์ใดเปิด port มาตรฐานของ MongoDB หรือพอร์ตอื่น ๆ เพื่อยืนยันการมีอยู่ของ Instance MongoDB
   • ตรวจสอบว่าเซิร์ฟเวอร์ MongoDB มีการเปิดใช้งาน zlib compression อยู่หรือไม่ เพราะการเปิดใช้งานนี้เป็นปัจจัยให้ช่องโหว่สามารถถูกโจมตีได้ง่ายขึ้น
   • ตรวจสอบว่าเวอร์ชันของ MongoDB ที่รันอยู่เป็นเวอร์ชันที่ถูกระบุว่าได้รับผลกระทบหรือไม่ โดยสามารถดูได้จากคำสั่งหรือวิธีการตรวจสอบเวอร์ชันมาตรฐานของ MongoDB

2. แนวทางการป้องกัน
   • ดำเนินการอัปเดต MongoDB Server ให้เป็นเวอร์ชันล่าสุด
   • จัดทำ Patch Policy และรอบการอัปเดตระบบอย่างสม่ำเสมอ
   • ดำเนินการติดตั้งและตรวจสอบแพตช์ในลักษณะของการจำลองการทำงาน (Staging / UAT) ก่อนนำขึ้นใช้งานจริง (Production)

3. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   • ปิดใช้งาน zlib Compression ช่วยลดการโจมตีที่เกี่ยวข้องกับช่องโหว่นี้ โดยตั้งค่าเริ่มต้นของ MongoDB ให้ ยกเลิก zlib ผ่านการตั้งค่าขณะเริ่มต้นเซิร์ฟเวอร์
   • จำกัดการเข้าถึงบริการจากเครือข่ายภายนอก และอนุญาตให้เข้าถึงเฉพาะจาก IP Address หรือเครือข่ายที่เชื่อถือได้
   • ปิดพอร์ต MongoDB จากการเข้าถึงโดยตรงจากอินเทอร์เน็ต

อ้างอิง:

1. https://nvd.nist.gov/vuln/detail/CVE-2025-14847
2. https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/#technical_analysis

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#MongoBleed #ThaiCERT #CyberSecurity #CVE202514847 #สกมช

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบข้อมูลการเปิดเผยช่องโหว่ระดับร้ายแรงในแพลตฟอร์ม n8n

หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถเรียกใช้งานคำสั่งบนระบบจากระยะไกล ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่
• ช่องโหว่ CVE-2025-65964 จัดอยู่ในประเภท Inclusion of Functionality from Untrusted Control Sphere หรือการนำฟังก์ชันหรือกลไกจากแหล่งที่ไม่อยู่ภายใต้การควบคุมมาใช้งาน ซึ่งอาจถูกผู้ไม่หวังดีนำไปใช้เพื่อควบคุมการทำงานของระบบและเรียกใช้งานฟังก์ชันที่มีอยู่เดิมในลักษณะที่เป็นอันตราย ส่งผลให้สามารถเรียกใช้งานคำสั่งจากระยะไกลได้
• ช่องโหว่นี้เกิดจากการควบคุมการตั้งค่า Git configuration ภายในฟังก์ชัน Git Node ของแพลตฟอร์ม n8n ที่ไม่เหมาะสม ส่งผลให้ผู้ใช้งานที่มีสิทธิ์สร้างหรือแก้ไขกระบวนการทำงานอัตโนมัติ (Workflow) ที่มีการใช้งาน Git Node สามารถกำหนดค่าพารามิเตอร์ core.hooksPath ให้ชี้ไปยังตำแหน่งของ Git hook ที่ถูกปรับแต่งมาเป็นพิเศษได้ เมื่อมีการเรียกใช้งาน Git operation ภายใน Workflow ที่ผู้ไม่หวังดีจัดเตรียมไว้ ระบบจะเรียกใช้งาน Git hook ดังกล่าวโดยอัตโนมัติ ซึ่งเนื่องจาก Git hook เป็นสคริปต์ที่ถูกประมวลผลในระดับระบบปฏิบัติการ พฤติกรรมดังกล่าวจึงอาจถูกนำไปใช้เพื่อรันคำสั่งใด ๆ บนระบบที่ให้บริการ n8n ภายใต้สิทธิ์ของกระบวนการ n8n ได้

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• n8n เวอร์ชันก่อนหน้า 1.119.2

️ ThaiCERT ขอแนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบ เร่งดำเนินการตรวจสอบและแก้ไขโดยเร็ว

แนวทางการตรวจสอบและการป้องกัน

1. แนวทางการตรวจสอบ
   • ตรวจสอบแพลตฟอร์ม n8n ที่ใช้งานอยู่ ว่าเป็นเวอร์ชันที่ต่ำกว่า 1.119.2 หรือไม่
   • ตรวจสอบ Workflow ที่มีการใช้งาน Git Node ภายในระบบ
   • ตรวจสอบว่ามีการเชื่อมต่อหรือทำงานร่วมกับ Git Repository จากแหล่งภายนอกหรือแหล่งที่ไม่น่าเชื่อถือหรือไม่
   • ตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับการทำงานของ Git Node และ Git operation ภายใน Workflow

2. แนวทางการป้องกัน
   • ดำเนินการอัปเดตแพลตฟอร์ม n8n เป็นเวอร์ชัน 1.119.2 หรือใหม่กว่า
   • ใช้งานเฉพาะ Git Repository ที่มีความน่าเชื่อถือและผ่านการตรวจสอบแล้ว

3. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   • พิจารณา ยกเลิกหรือปิดการใช้งาน Git Node ภายในแพลตฟอร์ม n8n ชั่วคราว
   • หลีกเลี่ยงการ clone หรือใช้งาน Git Repository จากแหล่งที่ไม่น่าเชื่อถือผ่าน Git Node
   • จำกัดการใช้งาน Git Node ให้เฉพาะ Workflow ที่มีความจำเป็น และเฉพาะผู้ใช้งานที่ได้รับอนุญาตเท่านั้น
   ทั้งนี้ มาตรการดังกล่าวเป็นเพียงแนวทางชั่วคราวเพื่อบรรเทาความเสี่ยง ผู้ดูแลระบบควรดำเนินการอัปเดตแพลตฟอร์มเป็นเวอร์ชันที่ปลอดภัยโดยเร็วที่สุด

อ้างอิง
https://nvd.nist.gov/vuln/detail/CVE-2025-65964
https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq
https://cwe.mitre.org/data/definitions/829.html

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT