
Post created by NCSA_THAICERT
-
Urgent! Ubiquiti warns of vulnerabilities in UniFi Network Application; administrators are urged to check and remediate immediately (Posted in Cyber Security News)
The Thailand Computer Emergency Response Team (ThaiCERT) has been monitoring reports of cyber threats involving Ubiquiti UniFi Network Application, which could be used as a path to attack systems or to escalate an attacker's privileges. ThaiCERT is therefore alerting the responsible administrators to check and remediate as soon as possible.
-
Vulnerability details
Ubiquiti has published a security advisory (Security Advisory Bulletin 062) [1] on vulnerabilities in Ubiquiti UniFi Network Application, with the following details:
1.1 A Path Traversal vulnerability, CVE-2026-22557 (CVSSv3.1 score: 10.0) [2]. An attacker can use this vulnerability to access files on the system without authorization, which may lead to disclosure of sensitive data or be used to take over user accounts and the system.
1.2 An Authenticated NoSQL Injection vulnerability, CVE-2026-22558 (CVSSv3.1 score: 7.7) [3]. An attacker who already has access to the system can use this vulnerability to send malicious commands through the database in order to escalate privileges (Privilege Escalation) and access unauthorized resources.
Affected products
2.1 Official Release: UniFi Network Application version 10.1.85 and earlier
2.2 Release Candidate: UniFi Network Application version 10.2.93 and earlier
2.3 UniFi Express (UX): UniFi Network Application version 9.0.114 and earlier
Remediation
There is currently no effective workaround. Administrators should therefore immediately update UniFi Network Application to a version in which the vulnerabilities are fixed, as follows:
3.1 Official Release: update UniFi Network Application to version 10.1.89 or later
3.2 Release Candidate: update UniFi Network Application to version 10.2.97 or later
3.3 UniFi Express (UX): update the UniFi Express firmware to version 4.0.13 or later, which updates UniFi Network Application to version 9.0.118 or later
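The following script is an added example, not part of the ThaiCERT post or Ubiquiti's advisory: it triages an inventory of UniFi Network Application installs against the per-channel fixed versions listed above, using numeric (not string) version comparison. It assumes the operator records which release channel each controller runs, since the channel cannot be derived from the version string alone, and the inventory it uses is constructed sample data.

```python
"""Triage UniFi Network Application versions against Bulletin 062 thresholds.

Added example (not Ubiquiti's or ThaiCERT's code). The version numbers below are
copied from the advisory; the host inventory is constructed sample data.
"""
import re
from dataclasses import dataclass

# Minimum fixed version per release channel, from the advisory. Anything below
# the fixed build is flagged: the advisory names "10.1.85 and earlier" as
# affected but instructs operators to install 10.1.89 or later, so the
# conservative reading is that every build short of the fixed one gets updated.
FIXED_VERSIONS = {
    "official": "10.1.89",  # affected: 10.1.85 and earlier
    "rc": "10.2.97",        # affected: 10.2.93 and earlier
    "ux": "9.0.118",        # UniFi Express app; affected: 9.0.114 and earlier
}

# On UniFi Express the Network Application is delivered with the device
# firmware: firmware 4.0.13 or later carries Network Application 9.0.118+.
UX_FIXED_FIRMWARE = "4.0.13"

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.1.85' into (10, 1, 85) so comparisons are numeric.

    Plain string comparison gets this wrong: '10.1.9' sorts after '10.1.85'
    as text but is the older build. Tuples of ints compare element-wise.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def needs_update(channel: str, version: str) -> bool:
    """True when `version` on `channel` is below that channel's fixed build."""
    key = channel.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown release channel: {channel!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def ux_firmware_needs_update(firmware: str) -> bool:
    """UniFi Express: the firmware build is what the operator actually installs."""
    return parse_version(firmware) < parse_version(UX_FIXED_FIRMWARE)


@dataclass
class Finding:
    host: str
    channel: str
    version: str
    needs_update: bool
    target: str  # build the controller should be on


def triage(inventory: list[dict]) -> list[Finding]:
    """Apply the advisory's per-channel thresholds to an inventory list.

    Each entry is a dict with keys host, channel, version. A malformed
    version or unknown channel is reported as needing attention rather than
    skipped, so a bad record never silently passes as patched.
    """
    findings = []
    for entry in inventory:
        channel = entry["channel"].lower()
        target = FIXED_VERSIONS.get(channel, "unknown channel")
        try:
            flagged = needs_update(channel, entry["version"])
        except ValueError:
            flagged = True  # cannot prove it is fixed, so treat as unpatched
        findings.append(Finding(entry["host"], channel, entry["version"], flagged, target))
    return findings


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY = [
    {"host": "unifi-hq", "channel": "official", "version": "10.1.85"},
    {"host": "unifi-lab", "channel": "rc", "version": "10.2.97"},
    {"host": "ux-branch-1", "channel": "ux", "version": "9.0.114"},
    {"host": "unifi-old", "channel": "official", "version": "9.3.45"},
    {"host": "unifi-bad", "channel": "official", "version": "n/a"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        state = f"UPDATE to >= {f.target}" if f.needs_update else "ok"
        print(f"{f.host:12} {f.channel:9} {f.version:8} {state}")
```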
Additional security recommendations
4.1 Review historical usage logs for abnormal behaviour or attempted attacks
4.2 Monitor for access to the system from untrusted sources
4.3 Restrict user permissions according to the principle of Least Privilege
4.4 Use Multi-Factor Authentication (MFA) where supported
4.5 Apply security patches for the system and related software regularly
4.6 Back up important data regularly so that it can be recovered in the event of an incident
References
[1] https://dg.th/adm6slfevx
[2] https://dg.th/e0lg7k23r1
[3] https://dg.th/fy23zu0q6p

-
Cyber Threat Intelligence 25 March 2026 (Posted in Cyber Security News)
Energy Sector
- DoE Publishes 5-Year Energy Security Plan
"Energy, especially electricity, could be described as the most critical industry – all other critical industries are fundamentally dependent on access to energy. It is essential for peoples’ daily lives (citizens), business operation (economy), and national security (the nation). As such, it is a primary target for criminals, hacktivists, and adversarial nation state actors. The office of Cybersecurity, Energy Security, and Emergency Response (CESER, part of the U.S. Department of Energy) has published a three-pronged 5-year security plan for the fiscal years 2026 to 2030. The three prongs (or goals of the plan) are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents."
https://www.securityweek.com/doe-publishes-5-year-energy-security-plan/
https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/ceser-strategic-plan2026-2030.pdf
Vulnerabilities
- PTC Warns Of Imminent Threat From Critical Windchill, FlexPLM RCE Bug
"PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution. The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data. Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk."
https://www.bleepingcomputer.com/news/security/ptc-warns-of-imminent-threat-from-critical-windchill-flexplm-rce-bug/
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
https://www.heise.de/en/news/WTF-Police-responded-on-Saturday-night-due-to-a-zero-day-11221590.html
- CVE-2026-3055: Citrix NetScaler ADC And NetScaler Gateway Out-Of-Bounds Read
"On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: add authentication samlIdPProfile .*"
https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/
https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
https://www.infosecurity-magazine.com/news/citrix-patch-netscaler/
https://www.securityweek.com/critical-citrix-netscaler-vulnerability-poised-for-exploitation-security-firms-warn/
https://securityaffairs.com/189908/security/citrix-netscaler-critical-flaw-could-leak-data-update-now.html
https://www.helpnetsecurity.com/2026/03/24/netscaler-adc-gateway-cve-2026-3055/
- Chrome 146 Update Patches High-Severity Vulnerabilities
"Google on Monday announced a fresh Chrome 146 update that resolves eight high-severity memory safety vulnerabilities. First on the list is CVE-2026-4673, a heap buffer overflow issue in WebAudio that earned the reporting researcher a $7,000 bug bounty reward. The same researcher discovered and reported CVE-2026-4677, an out-of-bounds read bug in WebAudio, but Google says it has yet to determine the bounty amount to be awarded for it. In fact, the internet giant has disclosed only the amount paid for the first WebAudio flaw, but not the amounts to be handed out for the remaining vulnerabilities."
https://www.securityweek.com/chrome-146-update-patches-high-severity-vulnerabilities/
Malware
- Checkmarx KICS Code Scanner Targeted In Widening Supply Chain Hit
"Hard on the heels of a broad supply chain attack that impacted the Aqua Security-maintained Trivy open source security-scanner project, Checkmarx on Tuesday disclosed that attackers had compromised a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains. Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. Any organization that had its automated CI/CD pipelines configured to run the KICS GitHub Action during a four-hour window on the morning of March 23 could potentially be impacted, Checkmarx said."
https://www.darkreading.com/application-security/checkmarx-kics-code-scanner-widening-supply-chain
https://checkmarx.com/blog/checkmarx-security-update/
https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
- TeamPCP Isn't Done: Threat Actor Behind Trivy And KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads On PyPI
"On March 24, 2026, Endor Labs identified that litellm versions 1.82.7 and 1.82.8 on PyPI contain malicious code not present in the upstream GitHub repository. litellm is a widely used open source library with over 95 million monthly downloads. It lets developers route requests across LLM providers through a single API. Both compromised versions include a backdoored file that decodes and executes a hidden payload the moment the file is imported. Version 1.82.8 goes further: it installs a .pth file that runs the payload on any Python invocation, even if litellm is never imported. Version 1.82.6 is the last known-clean release."
https://www.endorlabs.com/learn/teampcp-isnt-done
https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
https://www.theregister.com/2026/03/24/trivy_compromise_litellm/
- Someone Has Publicly Leaked An Exploit Kit That Can Hack Millions Of iPhones
"Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and published it on the code-sharing site GitHub. Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. This likely affects hundreds of millions of actively used iPhones and iPads, according to Apple’s own data on out-of-date devices."
https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
https://cyberscoop.com/darksword-iphone-spyware-leak-ios-18-exploit-threat/
https://hackread.com/darksword-iphone-exploit-leaked-online/
- OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
"Netskope Threat Labs identified a link to a malware campaign operating across multiple GitHub repositories, spanning over 300 delivery packages, including an OpenClaw deployment, an AI developer tool lure, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers—all distributing LuaJIT payloads. The lure names suggest AI-assisted generation: obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale. Each victim is geolocated, and their desktop screenshot is sent to a server in Frankfurt. We are tracking this cluster as the TroyDen’s Lure Factory."
https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
https://www.darkreading.com/application-security/github-openclaw-deployer-repo-delivers-trojan
https://www.helpnetsecurity.com/2026/03/24/github-malware-split-payload/
- Silver Fox: The Only Tax Audit Where The Fine Print Installs Malware
"Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader trend observed throughout 2025, which is the increasingly blurred lines between financially motivated cybercrime operators and state-sponsored espionage. Silver Fox relies on ValleyRAT (aka Winos), which can be considered as its primary modular backdoor. Despite the leak of ValleyRAT builder in March 2025, the intrusion set continued to use it, exploiting zero-day driver plugin and using kernel-mode rootkit likely for intelligence collection. In addition, Silver Fox relies on other malicious payloads like HoldingHands, which is a variant of Gh0st RAT. Rather than replacing ValleyRAT, it appears to be deployed alongside it to achieve specific operational goals."
https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
https://www.infosecurity-magazine.com/news/silver-fox-cyber-dual-espionage/
- Fake Install Logs In Npm Packages Load RAT
"When it comes to supply chain attacks, last year was a lot for software security teams to get their heads around. There were several large scale attacks that struck npm repositories, the most impactful being Shai-hulud — the first open source package repository worm. Then there were several smaller campaigns that didn’t have as big of an impact, but were very important nonetheless. In February 2026, for example, the ReversingLabs research team documented a North Korea connected campaign we dubbed “Graphalgo.” That campaign started in May 2025, and is part of a larger fake job recruiter scheme conducted by North Korea-backed hackers and targeting crypto developers. It is ongoing, phishing developers with fake job interviews and using “coding tests” as a pretext for pushing downloaders to developers’ systems that retrieve a custom remote access trojan (RAT) as the final stage."
https://www.reversinglabs.com/blog/npm-fake-install-logs-rat
https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
https://www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/
- From W-2 To BYOVD: How a Tax Search Leads To Kernel-Mode AV/EDR Kill
"As the saying goes, only two things are guaranteed in life: death and taxes. But, with the April 15 tax filing deadline quickly approaching, there's a third guarantee that threat actors have learned to count on: millions of users searching for the same tax forms, under time pressure, trusting the first Google result they see. During retrospective threat hunting, the Huntress Tactical Response team recently uncovered a large-scale malvertising campaign that has been active since at least January 2026, targeting U.S.-based individuals searching for tax-related documents. The lures are specifically U.S. tax forms (W-2, W-9), and the fake landing pages reference IRS compliance, casting a wide net across employees, freelancers, contractors, and small businesses during filing season. The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise. Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector."
https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill
https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
- Analyzing FAUX#ELEVATE: Threat Actors Target France With CV Lures To Deploy Crypto Miners And Infostealers Targeting Enterprise Environments
"Securonix threat researchers have been tracking an ongoing campaign targeting French-speaking corporate environments through fake resumes. The campaign uses a highly obfuscated VBScript file disguised as a resume/CV document, delivered through phishing emails. Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization. What makes this campaign notable is the dropper’s extreme approach to evasion. Of its 224,471 lines, only 266 lines (0.12%) are actual executable code; the remainder consists entirely of junk VBS comments sourced from real English sentences. The malware also uses a domain-join gate using WMI, ensuring that payloads are only delivered on enterprise machines, and standalone home systems are excluded entirely. The campaign uses Dropbox for payload hosting, compromised Moroccan WordPress sites for C2 configuration, and mail.ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files."
https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/
https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
- Stryker Says Malware Was Involved In Recent Cyberattack As Production Lines Reopen
"The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices. The company sought to reassure customers in a notice on Monday, sharing a letter from cybersecurity firm Palo Alto Networks confirming that the hackers behind the incident have been removed from Stryker systems. Stryker officials said they are in the process of rebuilding the wiped systems or restoring them from backups predating the known window of compromise to further prevent threat actors from reentering. The impacted systems that have not been restored yet are isolated from the network."
https://therecord.media/stryker-cyberattack-malware-iran
https://www.securityweek.com/stryker-says-malicious-file-found-during-probe-into-iran-linked-attack/
- Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
"Since August 2025, Unit 42 has tracked a series of sophisticated phishing campaigns where attackers impersonate Palo Alto Networks talent acquisition staff. These attacks specifically target senior-level professionals by leveraging scraped LinkedIn data to craft highly personalized lures. The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate’s curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee."
https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/
- Android Devices Ship With Firmware-Level Malware
"In late February 2026, SophosLabs analysts identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. According to Kaspersky, Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process. As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device. Keenadu acts as a downloader for second-stage malware modules that can be used to target the data in multiple applications. All Android apps rely on libandroid_runtime.so to run, so a copy of Keenadu is copied into the address space of every app installed on an infected device."
https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware
- OpenClaw Developers Targeted In Crypto-Wallet Phishing Attack
"OX Security has detected an active phishing campaign abusing the OpenClaw name and spreading through GitHub. The threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers. The posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet. The linked site is an almost identical clone of openclaw.ai, with one key difference: it adds a “Connect your wallet” button designed to initiate wallet theft."
https://www.ox.security/blog/openclaw-github-phishing-crypto-wallet-attack/
Breaches/Hacks/Leaks
- Dutch Ministry Of Finance Discloses Breach Affecting Employees
"The Dutch Ministry of Finance confirmed on Monday that some of its systems were breached in a cyberattack detected last week. Officials said the ministry was notified by a third party of the breach on March 19, and it's still investigating the cyberattack. An ongoing investigation found that the incident affects some employees. "The Ministry of Finance's ICT security detected unauthorized access to systems for a number of primary processes within the policy department on Thursday, March 19," an official statement revealed. "Following the alert, an immediate investigation was launched, and access to these systems has been blocked as of today. This affects the work of a portion of the employees.""
https://www.bleepingcomputer.com/news/security/dutch-ministry-of-finance-discloses-breach-affecting-employees/
https://therecord.media/netherlands-finance-ministry-cyberattack-breach
https://securityaffairs.com/189929/data-breach/data-breach-at-dutch-ministry-of-finance-impacts-staff-following-cyberattack.html
- HackerOne Discloses Employee Data Breach After Navia Hack
"Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators. HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense. Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States."
https://www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/
https://hackread.com/hackerone-mazda-infinite-campus-dutch-ministry-data-breaches/
https://www.theregister.com/2026/03/24/hackerone_supplier_breach/
- Infinite Campus Warns Of Breach After ShinyHunters Claims Data Theft
"Infinite Campus, a widely used K-12 student information system, is warning customers of a data breach following an extortion attempt by a threat actor. In the breach notification sent to customers, Infinite Campus states that hackers accessed an employee's Salesforce account, exposing information that was mostly publicly available. The company has not published an official statement, but customers reported the incident on various public platforms."
https://www.bleepingcomputer.com/news/security/infinite-campus-warns-of-breach-after-shinyhunters-claims-data-theft/
- OVHcloud Founder Denies Massive 590TB Data Breach Claims
"A major French tech firm, OVHcloud, has been forced to address claims of a massive data breach after a user on a dark web forum boasted about stealing nearly 600 terabytes of its private data. On 23 March 2026, a poster using the name Normal claimed on BreachForums that they had infiltrated the company’s server infrastructure, potentially affecting millions of websites and customers. The scale of the alleged theft is stunning. The hacker claimed to have snatched information belonging to 1.6 million OVH Fresh customers and nearly 6 million active websites. According to the post, this included everything from the internal source code and private databases of these sites to server settings for users in the EU and the US."
https://hackread.com/ovhcloud-founder-denies-590tb-data-breach-claims/
- 3.1 Million Impacted By QualDerm Data Breach
"Healthcare management services provider QualDerm Partners is notifying more than 3.1 million people that their personal, medical, and health insurance information was stolen in a December 2025 data breach. The incident, the company says, was discovered on December 24 and involved unauthorized access to its network for two days. During this window, the attackers exfiltrated certain information from the “limited number of systems” that they compromised, the company notes in an incident notification (PDF)."
https://www.securityweek.com/3-1-million-impacted-by-qualderm-data-breach/
https://securityaffairs.com/189917/data-breach/qualderm-partners-december-2025-data-breach-impacts-over-3-million-people.html
- Iran-Linked Ransomware Gang Targeted US Healthcare Org Amid Military Conflict
"A U.S. healthcare organization was targeted in late February by an Iranian ransomware gang with ties to the country’s government, according to a new report. Incident responders at Beazley Security helped the unnamed healthcare organization deal with an attack involving the Pay2Key ransomware — a strain used by Iranian actors for a variety of purposes since 2020. Halcyon Ransomware Research Center assisted in the investigation and found several improvements in the ransomware that made it tougher to detect and more damaging."
https://therecord.media/iran-linked-ransomware-gang-targeted-us-healthcare-org
General News
- India’s Evolving Cyber Threat Landscape: State-Sponsored Attacks, Hacktivism, And What’s Next In 2026
"The India cyber threat landscape 2026 is no longer defined by isolated incidents or opportunistic attacks. It has become a dynamic, constantly shifting battleground shaped by geopolitical tensions, rapid digitization, and highly advanced hackers. What once looked like sporadic cybercrime has matured into a layered ecosystem of state-sponsored cyber attacks, organized ransomware groups, and a growing wave of Hacktivism in India. Recent threat intelligence observations reveal a new pattern: attackers are not only becoming more capable, but also more strategic. They are targeting supply chains, exploiting systemic weaknesses, and adapting their methods faster than most organizations can respond."
https://cyble.com/blog/india-cyber-threat-landscape-2026-attacks-trends/
- Measuring Security Performance In Real-Time, Not Once a Quarter
"Most organizations have invested heavily in security products over the past decade. The assumption embedded in that spending is that more tools equal better protection. Tim Nan, CEO of digiDations, says that assumption is the most persistent misconception he encounters when working with security leaders across industries. “Adversaries don’t operate on averages,” Nan says. “They only need one path that works. The issue isn’t whether your defenses work most of the time. It’s whether they ever fail in a way that can be chained into a real attack.”"
https://www.helpnetsecurity.com/2026/03/24/tim-nan-digidations-continuous-security-validation/
- Russian Citizen Sentenced To Prison For Hacking Into U.S. Companies And Enabling Major Cybercrime Groups To Extort Tens Of Millions Of Dollars
"A court in the Southern District of Indiana today sentenced a Russian citizen, Aleksei Volkov, to 81 months in prison for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses. Volkov was indicted for this activity in both the Southern District of Indiana and Eastern District of Pennsylvania. Police in Rome, Italy, then arrested Volkov, and he was extradited to the United States. He pleaded guilty to charges from both indictments."
https://www.justice.gov/opa/pr/russian-citizen-sentenced-prison-hacking-us-companies-and-enabling-major-cybercrime-groups
https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html
https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-access-broker-gets-81-months-in-prison/
https://therecord.media/hacker-russian-ransomware-sentenced-doj
https://cyberscoop.com/aleksei-volkov-russian-initial-access-broker-sentenced-ransomware/
https://www.infosecurity-magazine.com/news/russian-initial-access-broker/
https://securityaffairs.com/189900/cyber-crime/81-month-sentence-for-russian-hacker-behind-major-ransomware-campaigns.html
https://www.theregister.com/2026/03/24/russian_iab_sentenced/
https://www.helpnetsecurity.com/2026/03/24/russian-initial-access-broker-sentenced-ransomware-attacks/
- Ransomware's New Era: Moving At AI Speed
"Ransomware is not only growing; threat actors are accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision. The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash."
https://www.darkreading.com/endpoint-security/ransomware-new-era-moving-ai-speed
https://www.halcyon.ai/lp/2026-security-leadership-survey-report
- Gcore Radar Report Reveals 150% Surge In DDoS Attacks Year-On-Year
"Gcore, the global infrastructure and software provider for AI, cloud, network, and security solutions, today announced the findings of its Q3-Q4 2025 Gcore Radar report DDoS attack trends. The report reveals growing attack volumes, increasingly sophisticated tactics, and changes in attack locations driven by evolving botnet infrastructure. The DDoS attack landscape is at a clear inflection point: threats are not just growing; they are accelerating and diversifying. To prevent disruption, businesses must act quickly and adopt integrated solutions capable of detecting intent, analysing behaviour, and responding to threats across multiple attack surfaces."
https://hackread.com/gcore-radar-report-reveals-150-surge-in-ddos-attacks-year-on-year/
- Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw
"OpenClaw is an open-source platform for autonomous AI agents that you can self-host and run locally on your machine for task automation. Taking this platform to task, AI agents are now interacting with one another via an experimental social network for AI agents called Moltbook. Even an experienced AI security researcher at Meta learned that OpenClaw is not without its wild-west frontier status. An AI agent accidentally deleted her emails. This news has again put the spotlight on the nature of authority and agency granted to agentic AI systems, as well as the need for better security and governance."
https://www.securityweek.com/why-agentic-ai-systems-need-better-governance-lessons-from-openclaw/
- Poland Faced a Surge In Cyberattacks In 2025, Including a Major Assault On The Energy Sector
"Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday. The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia. Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday. “We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”"
https://www.securityweek.com/poland-faced-a-surge-in-cyberattacks-in-2025-including-a-major-assault-on-the-energy-sector/
- Iran Built a Vast Camera Network To Control Dissent. Israel Turned It Into a Targeting Tool
"The role of Israel’s hijacking of Iran’s street cameras in the killing of the country’s supreme leader underscores how surveillance systems are increasingly being targeted by adversaries in wartime. Hundreds of millions of cameras have been installed above shops, in homes and on street corners across the world, many connected to the internet and poorly secured. Recent advances in artificial intelligence have enabled militaries and intelligence agencies to sift through vast amounts of surveillance footage and identify targets. On Feb. 28, Israel vividly demonstrated the potential of such systems to be hacked and used against adversaries when Israel tracked down Iranian leader Ayatollah Ali Khamenei with the help of Tehran’s own street cameras – despite repeated warnings that Iran’s surveillance systems had been compromised, according to interviews and an Associated Press review of leaked data, public statements and news reports."
https://www.securityweek.com/iran-built-a-vast-camera-network-to-control-dissent-israel-turned-it-into-a-targeting-tool/
- Enterprise Cybersecurity Software Fails 20% Of The Time, Warns Absolute Security
"Endpoint cybersecurity software fails to protect one in five enterprise devices, leaving organizations vulnerable to cyber threats, research by Absolute Security has warned. This protection gap means that organizations face the equivalent of 76 days a year in which they’re providing cybercriminals with increased access to their network, potentially leading to data breaches and downtime. The findings come from Absolute Security’s 2026 Resilience Risk Index. The report, published on March 23, is based on analysis of device-level telemetry across tens of millions of enterprise endpoints, which have been validated as using endpoint management and cybersecurity software."
https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
References
Electronic Transactions Development Agency (ETDA)
- DoE Publishes 5-Year Energy Security Plan
-
CISA Releases Four Industrial Control Systems (ICS) Advisories, posted in OT Cyber Security News
The Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories on 24 March 2026 (B.E. 2569) to provide timely information on security issues, vulnerabilities, and exploits related to ICS. The advisories are:
- ICSMA-26-083-01 Grassroots DICOM (GDCM)
- ICSA-26-083-01 Pharos Controls Mosaic Show Controller
- ICSA-26-083-03 Schneider Electric Plant iT/Brewmaxx
- ICSMA-25-364-01 WHILL Model C2 Electric Wheelchairs and Model F Power Chairs (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
-
Cyber Threat Intelligence 24 March 2026, posted in Cyber Security News
New Tooling
- Plumber: Open-Source Scanner Of GitLab CI/CD Pipelines For Compliance Gaps
"GitLab CI/CD pipelines often accumulate configuration decisions that drift from security baselines over time. Container images get pinned to mutable tags, branches lose protection settings, and required templates go missing. An open-source tool called Plumber automates the detection of those conditions by scanning pipeline configuration and repository settings directly."
https://www.helpnetsecurity.com/2026/03/23/plumber-open-source-gitlab-ci-cd-compliance-scanner/
https://github.com/getplumber/plumber
Vulnerabilities
- QNAP Patches Four Vulnerabilities Exploited At Pwn2Own
"QNAP on Friday announced patches for multiple vulnerabilities across its products, including four issues that were demonstrated at the Pwn2Own Ireland hacking contest in October 2025. The four security defects, tracked as CVE-2025-62843 to CVE-2025-62846, impact the company’s SD-WAN routers and were addressed in QuRouter version 2.6.3.009. According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain specific privileges, while the second flaw could be exploited over the local network to obtain sensitive information."
https://www.securityweek.com/qnap-patches-four-vulnerabilities-exploited-at-pwn2own/
https://securityaffairs.com/189871/security/qnap-fixed-four-vulnerabilities-demonstrated-at-pwn2own-ireland-2025.html
- We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do With Them
"AWS Bedrock is Amazon's platform for building AI-powered applications. It gives developers access to foundation models and the tools to connect those models directly to enterprise data and systems. That connectivity is what makes it powerful – but it’s also what makes Bedrock a target. When an AI agent can query your Salesforce instance, trigger a Lambda function, or pull from a SharePoint knowledge base, it becomes a node in your infrastructure - with permissions, with reachability, and with paths that lead to critical assets. The XM Cyber threat research team mapped exactly how attackers could exploit that connectivity inside Bedrock environments. The result: eight validated attack vectors spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning."
https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html
Malware
- CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
"We found a new payload in the TeamPCP arsenal, and this one doesn't just steal credentials or install backdoors. It wipes entire Kubernetes clusters. The script uses the exact same ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io) we documented in the CanisterWorm campaign. Same C2, same backdoor code, same /tmp/pglog drop path. The Kubernetes-native lateral movement via DaemonSets is consistent with TeamPCP's known playbook, but this variant adds something we haven't seen from them before: a geopolitically targeted destructive payload aimed specifically at Iranian systems."
https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
- Trivy Supply Chain Attack Expands To Compromised Docker Images
"Socket's threat research team has identified additional compromised Trivy artifacts published to Docker Hub, following the recently disclosed GitHub Actions compromise affecting the aquasecurity/trivy-action repository. New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign. The latest tag currently points to 0.69.6, which is also compromised. Analysis of the binaries confirms the presence of known IOCs, including the typosquatted C2 domain scan.aquasecurtiy.org, exfiltration artifacts (payload.enc, tpcp.tar.gz), and references to the fallback tpcp-docs GitHub repository."
https://socket.dev/blog/trivy-docker-images-compromised
https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise
https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html
https://www.bleepingcomputer.com/news/security/trivy-supply-chain-attack-spreads-to-docker-github-repos/
https://www.infosecurity-magazine.com/news/trivy-supply-chain-attack-expands/
https://securityaffairs.com/189856/uncategorized/44-aqua-security-repositories-defaced-after-trivy-supply-chain-breach.html
- Green Blood v2.0 Ransomware Analysis With Decryption
"The Green Blood ransomware group, which has been active since January 2026, has been targeting countries in South Asia, Africa, and parts of South America, and is characterized by its Golang-based ransomware payload. In this post, we will analyze the main characteristics of the Green Blood ransomware, its encryption method, and the technical reasons why it is decryptable, in order to provide insights to help you effectively respond to similar threats in the future. The Green Blood ransomware group, like other ransomware groups, uses file encryption on infected systems to steal sensitive data from victimized organizations, and pressures victims for ransom payments through threatening messages that promise to permanently destroy the encryption key if the ransom is not paid."
https://asec.ahnlab.com/en/92997/
- Tycoon2FA Phishing-As-a-Service Platform Persists Following Takedown
"On March 4, 2026, Europol announced the technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. Law enforcement authorities from six countries worked with industry partners to seize 330 domains that formed the platform’s core infrastructure. Infrastructure takedowns are a challenging and important aspect of adversary disruption and a centerpiece of law enforcement and private sector cooperation in cybersecurity. In situations where direct physical enforcement actions such as arrests are infeasible, disrupting bad actors' operational means can often be the most efficacious and direct way to impose costs on criminals who otherwise act with relative impunity."
https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/
https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/
https://www.infosecurity-magazine.com/news/tycoon2fa-phishing-service-resumes/
https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/
- FBI Warns Of Handala Hackers Using Telegram In Malware Attacks
"The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks. In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists criticizing the Iranian government, Iranian dissidents, and various other oppositional groups worldwide. "Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity," the bureau said."
https://www.bleepingcomputer.com/news/security/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/
https://www.ic3.gov/CSA/2026/260320.pdf
https://therecord.media/russia-iran-cyber-fbi-hacks
https://cyberscoop.com/fbi-iranian-hackers-targeting-opponents-with-telegram-malware/
https://securityaffairs.com/189820/malware/iran-linked-actors-use-telegram-as-c2-in-malware-attacks-on-dissidents.html
- Riding The Rails: Threat Actors Abuse Railway.com PaaS As Microsoft 365 Token Attack Infrastructure
"In partnership with our friends at Flare.io and other contacts across the community, Huntress has attributed the Railway attack to the EvilTokens Phishing as a Service (PhaaS) platform. First advertised on the NOIRLEGACY GROUP telegram channel, EvilTokens spun up its own Telegram channels and made a first public post on February 16th, 2026. This activity corresponds with the first handful of compromises Huntress saw from Railway infrastructure on February 19th and 24th, 2026."
https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign
https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/
- How LevelBlue OTX And Cybereason XDR Detected a North Korea-Linked Remote IT Worker
"Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korean attempt to infiltrate an organization by replying to a help wanted ad. Let’s take a look at how this organization, with LevelBlue’s help, was able to detect and block this sneaky infiltration attempt. It took just 10 days for a nation-state threat actor to go from new hire to terminated employee. What appeared to be routine onboarding quickly unraveled when behavioral analytics flagged suspicious login patterns, and threat intelligence confirmed the worst: the organization had unknowingly hired a suspected North Korea-linked operative."
https://www.levelblue.com/blogs/spiderlabs-blog/how-levelblue-otx-and-cybereason-xdr-detected-a-north-korea-linked-remote-it-worker
https://hackread.com/north-korean-hacker-remote-it-job-vpn-slip/
- FriendlyDealer Mimics Official App Stores To Push Unvetted Gambling Apps
"We’ve identified a huge social-engineering campaign designed to steer people into online gambling sites under the impression they’re installing a legitimate app. We’re calling it FriendlyDealer. It’s been observed across at least 1,500 domains, each hosting a website that impersonates the Google Play or Apple App Store. Users think they’re downloading a gambling app from a trusted source, with all the checks, reviews, and safeguards that implies. But they’re actually still on a website, installing a web app that then redirects them to casino offers through affiliate links."
https://www.malwarebytes.com/blog/scams/2026/03/friendlydealer-mimics-official-app-stores-to-push-unvetted-gambling-apps
- Pro-Iranian Nasir Security Is Targeting The Energy Sector In The Middle East
"Resecurity is tracking a relatively new cybercriminal group called Nasir Security, presumably associated with Iran, that is targeting energy organizations in the Middle East. The energy sector is one of the most impacted areas because of Iranian malicious activity in the region, including the lockdown of the Strait of Hormuz and drone/missile attacks against the energy infrastructure of neighboring countries in the GCC, allies of the US. Based on the artifacts collected by the threat intelligence team at Resecurity, the group is attacking supply chain vendors involved in engineering, safety, and construction. The data stolen as a result of such incidents is authentic but originates from a third party (of the target company), which may lead to incorrect assumptions about the origin of the breach. Notably, the focus of the attacks is centered on the energy sector, which has experienced significant financial and technological damage since the start of the war in Iran. Cyberspace is used to amplify it, following recent attacks against LNG and logistics providers."
https://www.resecurity.com/blog/article/pro-iranian-nasir-security-is-targeting-the-energy-sector-in-the-middle-east
- StoatWaffle, Malware Used By WaterPlum
"WaterPlum is regarded as an attack group related to North Korea. They are known to have been operating the Contagious Interview attack campaign. WaterPlum can be classified into multiple clusters (or teams), and among them, activity by Team 8 (also known as the Moralis or Modilus family) has been observed. In the Contagious Interview campaign, Team 8 has mainly been using OtterCookie. Starting around December 2025, Team 8 started using new malware. We named this malware StoatWaffle. In this article, we'll introduce the latest attack flow for WaterPlum Team 8 and an in-depth analysis of StoatWaffle, the new malware they started using just recently."
https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
- When Tax Season Becomes Cyberattack Season: Phishing And Malware Campaigns Using Tax-Related Lures
"During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different. In recent months, Microsoft Threat Intelligence identified email campaigns using lures around W-2, tax forms, or similar themes, or posing as government tax agencies, tax services firms, and relevant financial institutions. Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period."
https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/
https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
- Hacker Walks Away With $24.5 Million After Breaching Resolv DeFi Platform
"Decentralized finance platform Resolv said a recent cyberattack allowed a threat actor to compromise the company’s infrastructure and illicitly create $80 million worth of its USR stablecoin. USR is pegged to the U.S. dollar but plummeted in value on Saturday when the hacker created the uncollateralized coins and traded them for about 11,408 ETH, which is worth about $24.5 million. The company published a statement confirming the incident. USR was depegged from the U.S. dollar after the incident and is now worth about 26 cents."
https://therecord.media/hacker-breaches-resolv-defi-25-million
- Russia-Linked Malware Operation Collapses After Security Failures, Developer’s Arrest
"An Android spyware operation that briefly gained traction in Russia appears to have collapsed within months of its launch after security flaws exposed its infrastructure and authorities arrested its suspected developer, cybersecurity researchers said. The malware, known as ClayRat, was designed for espionage and remote control of infected Android devices. Once installed, it could intercept SMS messages and call logs, access contacts, take photos, record screens, and execute commands sent from a remote command-and-control server. Despite attracting attention shortly after emerging in October 2025, ClayRat’s infrastructure deteriorated rapidly. By December, all known command servers associated with the malware had gone offline, researchers at the Russian cybersecurity firm Solar said in a report released Friday. Solar is a subsidiary of Russian state-owned telecom giant Rostelecom."
https://therecord.media/russia-malware-arrest-clayrat
Breaches/Hacks/Leaks
- Mazda Discloses Security Breach Exposing Employee And Partner Data
"Mazda Motor Corporation (Mazda) announced that information belonging to its employees and business partners had been exposed in a security incident detected last December. Mazda is one of Japan’s largest automotive manufacturers, with an annual production of 1.2 million vehicles and revenue of nearly $24 billion. The company said the attackers exploited a vulnerability in a system related to warehouse management for parts procured from Thailand. The system did not contain any customer data. Also, the breach is limited to 692 records."
https://www.bleepingcomputer.com/news/security/mazda-discloses-security-breach-exposing-employee-and-partner-data/
- Crunchyroll Probes Breach After Hacker Claims To Steal 6.8M Users' Data
"Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people. "We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll initially told BleepingComputer. "Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor," Crunchyroll shared in a later statement."
https://www.bleepingcomputer.com/news/security/crunchyroll-probes-breach-after-hacker-claims-to-steal-68m-users-data/
- Chip Services Firm Trio-Tech Says Subsidiary Hit By Ransomware
"Semiconductor services firm Trio-Tech says one of its subsidiaries in Singapore fell victim to a ransomware attack. The incident, the company said in a filing with the Securities and Exchange Commission, occurred on March 11 and resulted in the encryption of certain files within its network. The subsidiary, it told the SEC, immediately activated response protocols, proactively taking its systems offline to contain the incident. Additionally, the subsidiary launched an investigation into the attack with help from third-party cybersecurity professionals and notified law enforcement."
https://www.securityweek.com/chip-services-firm-trio-tech-says-subsidiary-hit-by-ransomware/
https://therecord.media/ransomware-trio-tech-semiconductor-sec
https://www.theregister.com/2026/03/23/us_chip_testing_firm_shrugged/
- Education Company Kaplan Reports Data Breach Impacting More Than 230,000
"The educational services company Kaplan told state regulators last week that at least 230,000 people had Social Security and driver’s license numbers leaked following a cybersecurity incident in the fall of 2025. The Florida-based company filed breach notification letters in at least seven states but did not respond to requests for comment about the total number of people impacted by the security incident. The letters sent to victims say law enforcement was called after the incident was discovered and an investigation revealed the hackers had access to Kaplan servers from October 30 to November 18."
https://therecord.media/kaplan-data-breach-hack-notification
General News
- NIST Updates Its DNS Security Guidance For The First Time In Over a Decade
"DNS infrastructure underpins nearly every network connection an organization makes, yet security configurations for it have gone largely unrevised at the federal guidance level for more than twelve years. NIST published SP 800-81r3, the Secure Domain Name System Deployment Guide, superseding a version that dates to 2013. The document covers three main areas: using DNS as an active security control, securing the DNS protocol itself, and protecting the servers and infrastructure that run DNS services. It is directed at two groups: cybersecurity executives and decision-makers, and the operational networking and security teams who configure and maintain DNS environments."
https://www.helpnetsecurity.com/2026/03/23/nist-dns-security-guide-sp-800-81r3/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.pdf
- Your AI Agents Are Moving Sensitive Data. Do You Know Where?
"In this Help Net Security interview, Gidi Cohen, CEO at Bonfy.AI, addresses what he sees as the most pressing gap in AI agent security: data-layer risk. While the industry focuses on prompt injection and model behavior, Cohen argues the deeper threat is autonomous AI agents operating across systems with no visibility into what data they access, combine, or expose. He explains how Bonfy.AI approaches this through three areas: controlling what data agents can access for grounding, monitoring content as it moves through tool calls and MCP servers, and letting agents query Bonfy in real time to check whether an action is safe before they take it. The conversation covers threat modeling, anomaly detection, multi-agent delegation, model versioning, and practical advice for CISOs navigating pressure to deploy AI at scale."
https://www.helpnetsecurity.com/2026/03/23/gidi-cohen-bonfy-ai-agent-security/
- US Soldier Sentenced For Helping North Korean IT Workers
"A District Court judge sentenced three men for their involvement in a scheme that allowed several North Korean IT workers to use their identities and gain employment at U.S. companies. One of the men, 35-year-old Alexander Paul Travis, was an active duty member of the U.S. Army and was stationed at Fort Gordon in Georgia while participating in the scheme from September 2019, until November 2022. Travis pleaded guilty to accusations that he allowed North Korean IT workers to use his identity on resumes and during employer vetting processes that involved interviews, drug tests and fingerprints. The North Korean IT workers also opened bank accounts in his name to receive payment from employers."
https://therecord.media/us-soldier-sentencer-for-helping-nk-it-workers
https://www.bankinfosecurity.com/ex-us-soldier-among-3-sentenced-for-dprk-worker-scam-a-31125
- 2025 Talos Year In Review: Speed, Scale, And Staying Power
"The 2025 Talos Year in Review is now available to view online. The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses."
https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/
https://blog.talosintelligence.com/2025yearinreview
https://www.theregister.com/2026/03/23/cisco_talos_cybersecurity_report_patch_fast/
- AI In The SOC: What Could Go Wrong?
"External, internal, and operational pressures to deploy AI to unlock its promise of increased speed and efficiency have left enterprise cybersecurity professionals in a tough spot — finding they need to enable innovation, while trying to foresee the risks it might introduce. Two enterprise cybersecurity leaders decided to take on the AI challenge and share at this year's RSAC 2026 Conference what they determined it can do well, and what it isn’t ready to take on."
https://www.darkreading.com/cybersecurity-operations/ai-soc-go-wrong
- Quantum Threats Are Already Active And The Defense Response Remains Fragmented
"Enterprises are moving toward post-quantum security at uneven speeds, and the gap between organizations that have built crypto-agility into their infrastructure and those that have adopted the label without the underlying capability is widening. Dr. Tan Teik Guan, CEO of Singapore-based cybersecurity company pQCee, draws a sharp line between the two. Crypto-agility, in his view, requires more than support for multiple algorithms or protocol-level negotiation. It demands the ability to respond with appropriate cryptographic defenses in a cost-effective, timely, and non-disruptive way. That means intelligence, governance, and mitigation working together across a layered defense architecture to maintain a quantum-safe state."
https://www.helpnetsecurity.com/2026/03/23/ciso-post-quantum-crypto-agility/
- The Devices Winning The Race To Get Hacked In 2026
"Enterprise networks keep adding connected devices, expanding the attack surface as threat actors target a wider range of systems, many of which are difficult to inventory, secure, and patch consistently. Forescout’s 2026 Riskiest Devices research maps that shift in IT, IoT, OT, and IoMT environments, with 11 new riskiest asset types entering the list this year. That is the second-largest year-over-year increase on record, and two of the new entries moved straight into the top five riskiest IT assets: serial-to-IP-converters and workstations."
https://www.helpnetsecurity.com/2026/03/23/connected-devices-security-risk-2026-research/
https://www.forescout.com/resources/riskiest-devices-2026-report/
- AI Pulse Poll Reveals Rampant Uncertainty On Enterprise Landscape
"The artificial landscape remains murky when it comes to accountability, transparency and capabilities for many organizations, as shown in ISACA’s 2026 AI Pulse Poll. The global pulse poll, reflecting responses from more than 3,400 digital trust professionals across IT audit, governance, cybersecurity, privacy and emerging technology roles, finds that even as AI usage accelerates across the enterprise landscape, there appears to be limited human oversight over AI decision-making, little disclosure around AI use, and uncertainty around AI security incident response and accountability for AI system harm. Below are five sneak-peek findings from the 2026 AI Pulse Poll. The full 2026 AI Pulse Poll from ISACA will be released in early May."
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/ai-pulse-poll-reveals-rampant-uncertainty-on-enterprise-landscape
https://www.infosecurity-magazine.com/news/cyber-staff-unsure-on-preventing/
- M-Trends 2026: Data, Insights, And Strategies From The Frontlines
"Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection. Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today."
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
https://www.infosecurity-magazine.com/news/high-tech-top-target-cyberattacks/
https://cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends/
https://www.securityweek.com/m-trends-2026-initial-access-handoff-shrinks-from-hours-to-22-seconds/
https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
- Google Authenticator: The Hidden Mechanisms Of Passwordless Authentication
"Passwordless authentication is often presented as the end of account takeover. But to understand the real threat landscape, we need to examine how passwordless is actually deployed in the real world. Attackers do not break protocols in theory. They target the most common implementations, the places where usability, scale and architecture intersect. Focusing on one of those common implementations, we examine Google Authenticator. This discussion explores the hidden mechanisms behind synced passkeys and their implementation within the Google ecosystem. Our aim is to help defenders better understand the technology, to lay the groundwork to show how new attack vectors could emerge in a passwordless environment."
https://unit42.paloaltonetworks.com/passwordless-authentication/
References
Electronic Transactions Development Agency (ETDA)
- Plumber: Open-Source Scanner Of GitLab CI/CD Pipelines For Compliance Gaps
-
🛑 Urgent! Alert: Scammers Impersonating Microsoft Use Azure Monitor to Send Callback Phishing Emails, posted in Cyber Security News
The National Computer System Security Coordination Center (ThaiCERT) is alerting organizations and system administrators that the Microsoft Azure Monitor service is being abused to send callback phishing emails. The emails are disguised as notifications from Microsoft's security or billing team, claim that an unusual bill or charge has been found on the account, and urge the recipient to call the phone number included. Users are asked to be extra careful: do not call the number in the email, verify the facts through trusted channels, and never disclose sensitive information.
-
Incident details [1]
This is a callback phishing attack. The attacker uses the alert-creation feature in Azure Monitor to place the scam text in the alert's description field, then configures the system to send the alert email to the chosen targets. The email claims that a suspicious transaction, invoice, or unauthorized charge has been found and pressures the user to call the phone number given in the message.
A sample message seen in the scam is styled as a “billing and account security notice” reporting an unusual charge, such as a “Windows Defender” charge of USD 389.90, and warns that failure to act promptly may lead to account suspension or additional fees. The goal is to get the victim to call the scammer's phone number, where the next stage of the fraud takes place. -
Attack characteristics and impact
These emails do not spoof the sender domain in the usual way; they are sent from the genuine Microsoft Azure Monitor platform, so the email headers and authentication results look valid. The attackers also name the alert rules so that they resemble automated payment, invoice, or system-activity notifications, adding credibility and lowering the recipient's suspicion.
Although the report does not directly confirm the outcome of the calls in this case, similar callback phishing campaigns in the past have led to credential theft, fraudulent payments, or the installation of remote-control software on the victim's machine. Given the formal, business-oriented theme of the emails, it is likely that the attackers are seeking initial access to corporate networks for follow-on attacks. -
Products/services involved
This case involves the Microsoft Azure Monitor service and the Action Groups/Email Notifications of its alerting system. Microsoft states that system alert emails can be sent from the address [email protected], which may lead users to mistake them for legitimate security or billing notifications [2] -
แนวทางการป้องกันและลดความเสี่ยง
4.1 ผู้ใช้งานและเจ้าหน้าที่ Helpdesk ตรวจสอบอีเมลที่อ้างว่าเป็นการแจ้งเตือนจาก Microsoft หรือ Azure โดยเฉพาะกรณีที่แนบหมายเลขโทรศัพท์และเร่งให้ติดต่อเพื่อยืนยันบิล ยกเลิกรายการ หรือแก้ปัญหาบัญชีอย่างเร่งด่วน
4.2 กำหนดนโยบายภายในองค์กร ไม่ควรติดต่อตามหมายเลขโทรศัพท์ที่ระบุในอีเมลแจ้งเตือน แต่ให้ตรวจสอบผ่านพอร์ทัล Microsoft อย่างเป็นทางการ หรือใช้ช่องทางติดต่อที่องค์กรยืนยันแล้วเท่านั้น
4.3 ผู้ดูแลระบบอีเมลและ SOC ควรเพิ่มการเฝ้าระวังอีเมลจากผู้ส่งที่เป็นโดเมน Microsoft จริง แต่มีเนื้อหาเรียกเก็บเงินผิดปกติ การขอให้ติดต่อกลับ หรือการใช้ถ้อยคำเร่งด่วนผิดธรรมชาติ
4.4 หากองค์กรใช้งาน Azure Monitor ควรตรวจสอบการสร้าง Alert Rules และ Action Groups ที่ผิดปกติ รวมถึงรายการอีเมลปลายทางที่ใช้รับการแจ้งเตือน เพื่อค้นหาการใช้งานในทางที่ผิดหรือการตั้งค่าที่ไม่สอดคล้องกับวัตถุประสงค์ของระบบ
4.5 แจ้งเตือนผู้ใช้งาน “อีเมลจาก Microsoft จริง” ไม่ได้หมายความว่า “เนื้อหาภายในอีเมลนั้นปลอดภัยหรือเป็นของแท้ทั้งหมด” เพราะกรณีนี้อาศัยแพลตฟอร์มที่ถูกต้องในการส่งอีเมล -
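One way a SOC could implement the monitoring in 4.3, as an added example that is not from the advisory or from Microsoft: a Python heuristic that parses a raw email and flags the combination of a phone number, a request to call, billing wording and urgency, while treating a genuine Microsoft sender domain as a reason for analyst attention rather than as a pass. The sender address, keyword lists and both sample messages are constructed for illustration.

```python
"""Triage heuristic for callback-phishing emails that arrive through a
legitimate cloud alerting platform (the Azure Monitor case above).

Added example, not from the ThaiCERT advisory. Keyword lists, the trusted
domain list and the sample messages are constructed assumptions. The point:
sender domain and SPF/DKIM/DMARC results cannot clear the message, because the
attacker controls the alert rule text; the content itself must be scored."""
import re
from email import message_from_string
from email.message import Message

# Constructed keyword lists; tune to your own environment.
BILLING_TERMS = ("charge", "charged", "invoice", "billing", "refund", "payment")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspend", "suspended",
                 "additional fee", "urgent", "final notice")
CALLBACK_TERMS = ("call us", "call our", "contact us at", "call the number",
                  "toll-free", "helpline")

# Loose North-American style phone number; extend for your region.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Domains whose mail authenticates correctly but whose *content* can be
# attacker-controlled (alert rule names, action group text). Constructed list.
TRUSTED_SENDER_DOMAINS = ("microsoft.com",)


def _body_text(msg: Message) -> str:
    """Return the concatenated text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def sender_domain(msg: Message) -> str:
    """Extract the bare domain from the From: header, lowercased."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def score_callback_phish(raw_email: str) -> dict:
    """Score one raw RFC 822 message for callback-phishing traits.

    Returns the numeric score, the triggered reasons and any phone numbers
    found, so a SOC playbook can route the alert on them."""
    msg = message_from_string(raw_email)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    domain = sender_domain(msg)
    reasons, score = [], 0

    phones = sorted(set(PHONE_RE.findall(text)))
    if phones:
        score += 3
        reasons.append("phone number in body")
    if any(t in text for t in CALLBACK_TERMS):
        score += 2
        reasons.append("asks recipient to call")
    if any(t in text for t in BILLING_TERMS):
        score += 2
        reasons.append("billing/charge theme")
    if any(t in text for t in URGENCY_TERMS):
        score += 1
        reasons.append("urgency wording")
    # A trusted sender domain does NOT lower the score: this campaign rides on
    # genuinely authenticated mail. It is recorded so the analyst sees why the
    # header-based checks passed.
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS)
    if trusted and score >= 3:
        reasons.append(f"authenticated sender ({domain}) with attacker-controllable content")

    return {"score": score, "reasons": reasons, "phones": phones,
            "sender_domain": domain, "suspicious": score >= 5}


# Constructed sample resembling the lure described above; the address is a
# placeholder, not a real Microsoft sender, and the number is a test range.
SAMPLE_LURE = """\
From: Azure Monitor <azure-alerts@microsoft.com>
Subject: Billing and account security notice
Content-Type: text/plain; charset=utf-8

Alert rule: Windows Defender annual subscription charged $389.90.
If you did not authorize this, call us at +1 (800) 555-0199 within 24 hours
or your account will be suspended and additional fees applied.
"""

# Constructed benign metric alert from the same platform, for contrast.
SAMPLE_BENIGN = """\
From: Azure Monitor <azure-alerts@microsoft.com>
Subject: Fired: Sev3 Azure Monitor Alert cpu-high on vm-web-01
Content-Type: text/plain; charset=utf-8

Alert rule cpu-high fired at 2026-03-20T09:15:00Z.
Metric: Percentage CPU > 90 for 5 minutes.
Resource: vm-web-01
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(score_callback_phish(sample))
```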
If you suspect you have received such an email
5.1 Do not call the phone number in the email, click any link, or provide personal data, card data, or account credentials.
5.2 Check charges or account status directly through Microsoft/Azure.
5.3 If a user has already called back or provided information, change passwords, review the related accounts, and monitor for unauthorized access or software installation.
5.4 Forward the suspicious email to the organization's information security team for examination.
References
[1] https://dg.th/e4xncphqrd
[2] https://dg.th/5uroh2sw7b
-
-
Oracle warns of vulnerability CVE-2026-21992, raising the risk of attacks and system takeover over the network. Posted in Cyber Security News
The National Cyber Security Coordination Center (ThaiCERT) has been monitoring security vulnerabilities that may affect agency systems and has found a critical vulnerability in the Oracle Fusion Middleware product family, specifically its identity management and web services manager components, which can be attacked over the network and lead to system takeover or control. Administrators are advised to apply the patch that fixes this vulnerability immediately.
-
Vulnerability details
Oracle has published a security alert [1] for CVE-2026-21992 (CVSSv3.1 score: 9.8) [2], which affects Oracle Identity Manager in Oracle Fusion Middleware (REST WebServices component) and Oracle Web Services Manager in Oracle Fusion Middleware (Web Services Security component). The vulnerability can be exploited over HTTP without authentication (unauthenticated remote exploit) and may lead to remote code execution (RCE), allowing an attacker to take complete control of the affected Oracle Identity Manager and Oracle Web Services Manager systems.
Affected products
2.1 Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
2.2 Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
Remediation
Apply the Oracle patch immediately via the Fusion Middleware patch set [3], and verify that the deployed version is still within its support window (Premier / Extended Support). If patching cannot be done immediately, consider the following interim measures (workarounds):
- Restrict external access to the system over HTTP/HTTPS (for example, allowlist only the IP addresses that need it)
- Disable or restrict access to services that are not needed
- Use a Web Application Firewall (WAF) to help filter anomalous requests
- Segment the system to limit the impact if it is compromised
-
Additional security recommendations
4.1 Review historical logs for anomalous behaviour or attack attempts
4.2 Monitor system access from untrusted sources
4.3 Apply security patches to systems and software regularly
4.4 Define and review access control policies so that they remain appropriate
4.5 Maintain backups and test restoration regularly
References
[1] https://dg.th/gtrvcxjald
[2] https://dg.th/8uhowa7tmf
[3] https://dg.th/7dqh5rjcyf

-
-
WorldLeaks claims to have breached the City of Los Angeles and stolen over 160 GB of data, while Foster City declares a state of emergency after a ransomware attack. Posted in Cyber Security News

Follow the news on the webboard or the NCSA Thailand Facebook page

-
“PolyShell” vulnerability found affecting Magento and Adobe Commerce, risking unauthenticated upload of malicious files. Posted in Cyber Security News


-
Google adds an Advanced Flow for installing APKs from outside sources to raise security on Android. Posted in Cyber Security News



-
Cyber Threat Intelligence 23 March 2026. Posted in Cyber Security News
Vulnerabilities
- Oracle Pushes Emergency Fix For Critical Identity Manager RCE Flaw
"Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992. Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services. In an advisory released yesterday, Oracle is "strongly" recommending that customers apply the patches as soon as possible."
https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
https://www.darkreading.com/vulnerabilities-threats/patch-oracle-fusion-middleware-rce-flaw
https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html
https://securityaffairs.com/189796/security/oracle-fixes-critical-rce-flaw-cve-2026-21992-in-identity-manager.html
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability
CVE-2025-32432 Craft CMS Code Injection Vulnerability
CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability
CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability
CVE-2025-54068 Laravel Livewire Code Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2026/03/cisa-flags-apple-craft-cms-laravel-bugs.html
https://securityaffairs.com/189776/security/u-s-cisa-adds-apple-laravel-livewire-and-craft-cms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
"A new supply chain attack targeting Trivy has been disclosed today by Paul McCarty, marking the second distinct compromise affecting the Trivy ecosystem in March. This latest incident impacts GitHub Actions, and is separate from the earlier OpenVSX compromise involving the VS Code extension. Initial reports have focused on the compromise of Trivy v0.69.4, with downstream ecosystems such as Homebrew already rolling back affected versions. The first known detection of suspicious activity traces back to approximately 19:15 UTC."
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://github.com/aquasecurity/trivy/discussions/10425
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html
https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/
- Attack Case Against MS-SQL Server Installing ICE Cloud Scanner (Larva-26002)
"AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Larva-26002 threat actor continues to target improperly managed MS-SQL servers in 2026. The Larva-26002 threat actor has distributed Trigona and Mimic ransomware in the past, and has since seized control of infected systems and installed scanners. The latest confirmed attack utilizes the ICE Cloud Client, a scanner malware written in Go language. In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware [1]. The email address used in the Mimic ransomware is not known from other attack cases, but the email address used in the Trigona ransomware is the same as the email address used by Palo Alto [2] and Zscaler [3]."
https://asec.ahnlab.com/en/92988/
- Russian Intelligence Services Target Commercial Messaging Application Accounts
"CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise individual user accounts with targets including current and former U.S. government officials, military personnel, political figures, and journalists. Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not encryption of the applications themselves. The actors’ global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts."
https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts
https://www.ic3.gov/PSA/2026/PSA260320
https://www.bleepingcomputer.com/news/security/fbi-links-signal-phishing-attacks-to-russian-intelligence-services/
https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html
https://cyberscoop.com/fbi-cisa-issue-psa-on-russian-intelligence-campaign-to-target-messaging-apps/
https://securityaffairs.com/189808/intelligence/russia-linked-actors-target-whatsapp-and-signal-in-phishing-campaign.html
- Libyan Oil Refinery Among Targets In Long-Running Likely Espionage Campaign
"A series of attacks on Libyan organizations hit an oil refinery, a telecoms organization and a state institution between November 2025 and February 2026. These attacks delivered the AsyncRAT backdoor, which is a publicly available backdoor that has previously been used by state-sponsored groups. This, and the organizations targeted, point to the possibility that this activity could be state sponsored. While this activity dates from before U.S. and Israeli strikes on Iran led to conflict in the Gulf region and turmoil on the world’s oil markets, the targeting of an oil refinery is notable. Libyan oil production hit 1.37 million barrels a day last year, the highest in about 12 years. With so much disruption in the Middle East, it's possible that attacks against oil producers in other countries could ramp up as fears grow about global energy supplies."
https://www.security.com/threat-intelligence/asyncrat-libya-oil-cyberattack
https://www.bankinfosecurity.com/multi-month-cyberespionage-campaign-hits-libyan-oil-refinery-a-31091
- Advanced Fake Zoom Installer Used For Delivering Malware
"Zoom abuse and impersonation have become popular lure tactics for attackers. Over the past year, we’ve posted blogs about Zoom impersonation for delivering malware, Zoom impersonation to deliver phishing payloads, Zoom Docs abuse, and more. But recently, we observed an impersonation-based attack that stood out for the length it went to fool the target."
https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/
https://hackread.com/fake-zoom-meeting-invite-scam-windows-pc-malware/
- CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines In 20 Hours
"On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The vulnerability, CVE-2026-33017, is an unauthenticated remote code execution (RCE) in the public flow build endpoint that allows attackers to execute arbitrary Python code on any exposed Langflow instance, with no credentials required and only a single HTTP request to get moving. Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild. No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise."
https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
https://www.securityweek.com/critical-langflow-vulnerability-exploited-hours-after-public-disclosure/
https://www.infosecurity-magazine.com/news/hackers-exploit-critical-langflow/
- That “Job Brief” On Google Forms Could Infect Your Device
"We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT). It’s not the malware that’s new, but how the attack starts. Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system."
https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device
- Large-Scale Magento Defacement Campaign Impacts Global Brands And Government Domains
"Netcraft researchers have identified an ongoing campaign involving the compromise and defacement of thousands of Magento ecommerce sites across multiple sectors and geographies. Beginning 27 February 2026, attackers have deployed defacement txt files across approximately 15,000 hostnames spanning 7,500 domains, including infrastructure associated with prominent global brands, e-commerce platforms, and government services. While a small number of defacements included geopolitical messaging, the majority appear to be opportunistic compromises carried out for attribution and reputation within the defacement ecosystem, rather than targeted hacktivism."
https://www.netcraft.com/blog/large-scale-magento-defacement-campaign
https://www.securityweek.com/thousands-of-magento-sites-hit-in-ongoing-defacement-campaign/
https://securityaffairs.com/189734/hacking/7500-magento-sites-defaced-in-global-hacking-campaign.html
- Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack On Key Industries
"We identified a targeted malware campaign delivering PureLog Stealer, an information‑stealing malware that uses multi‑stage packed assemblies to harvest sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information, through a file disguised as a legal copyright violation notice. It’s considered a low‑cost, easy‑to‑use infostealer, making it accessible even to less‑skilled threat actors. The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim’s local language."
https://www.trendmicro.com/en_us/research/26/c/copyright-lures-mask-a-multistage-purelog-stealer-attack.html
- The Beast Returns: Analysis Of a Beast Ransomware Server
"Team Cymru analyzes and collects a wide variety of internet telemetry. This includes global NetFlow communications and open ports data, among other types of data such as X509 certificates, passive DNS, and WHOIS records. While other organisations attempt to scan the entire Internet or guess which ports are statistically likely to be listening, our Open Ports data collection leverages Team Cymru’s unique NetFlow visibility to prioritize and perform targeted scans of hosts that are actively communicating. By filling in the known gaps, Team Cymru's informed scanning enables faster discovery of live assets and operational infrastructure."
https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis
https://www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server
- Microsoft Azure Monitor Alerts Abused For Callback Phishing Attacks
"Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account. Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It enables users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions. Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number."
https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/
- CVE-2025-32975: Arctic Wolf Observes Exploitation Of Quest KACE Systems Management Appliance
"Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025. Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring capabilities. CVE-2025-32975 is a critical authentication bypass vulnerability that allows threat actors to impersonate legitimate users without valid credentials. The flaw exists in the SSO authentication handling mechanism and can result in complete administrative takeover."
https://arcticwolf.com/resources/blog/cve-2025-32975/
https://www.securityweek.com/critical-quest-kace-vulnerability-potentially-exploited-in-attacks/
- VoidStealer: Debugging Chrome To Steal Its Secrets
"When Google introduced Application-Bound Encryption (ABE) in July 2024 with Chrome 127, it didn't mark the end of infostealers – as expected, infostealers adopted quickly and came up with various methods to bypass it. Still, it undoubtedly raised the bar for accessing sensitive browser data, and, more importantly, significantly increased the visibility of such data theft attempts, as bypassing ABE now requires attackers to perform additional steps that are inherently more suspicious. Various bypass techniques have emerged since then, and since each comes with its own trade-offs, new approaches continue to appear as threat actors seek to minimize the footprint and evade detection."
https://www.gendigital.com/blog/insights/research/voidstealer-abe-bypass
https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-chrome-master-key-via-debugger-trick/
Breaches/Hacks/Leaks
- Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach
"A threat actor group identifying itself as “LAPSUS$” is claiming responsibility for an alleged data breach involving AstraZeneca, one of the world’s largest multinational pharmaceutical and biotechnology company. The group claims to have obtained approximately 3GB of internal data, including source code, cloud infrastructure configurations, and employee-related information."
https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/
- WorldLeaks Ransomware Group Breached The City Of Los Angeles
"WorldLeaks group hit Los Angeles and its Metro, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks. This week, local media reported that an unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays. “Unauthorized activity on internal administrative computer systems prompted Metro to limit access to those systems, resulting in station monitors not displaying arrival times, the transit agency announced Thursday.” reported NBC Los Angeles."
https://securityaffairs.com/189753/data-breach/worldleaks-group-breached-the-city-of-los-angels.html
General News
- Global Cybercrime Crackdown: Over 373 000 Dark Web Sites Shut Down
"On 9 March 2026, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform “Alice with Violence CP”. During the investigation, authorities discovered that the platform’s operator was running more than 373 000 fraudulent websites advertising child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings."
https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down
https://www.bleepingcomputer.com/news/security/police-take-down-373-000-fake-csam-sites-in-operation-alice/
https://therecord.media/police-dismantle-dark-web-network-exploiting-child-abuse-images
- Authorities Disrupt World’s Largest IoT DDoS Botnets Responsible For Record Breaking Attacks Targeting Victims Worldwide
"The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets. The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks."
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
https://www.bleepingcomputer.com/news/security/aisuru-kimwolf-jackskid-and-mossad-botnets-disrupted-in-joint-action/
https://thehackernews.com/2026/03/doj-disrupts-3-million-device-iot.html
https://therecord.media/us-seizes-botnet-infrastructure-four-large-networks
https://www.bankinfosecurity.com/aisuru-kimwolf-botnets-disrupted-in-international-operation-a-31105
https://cyberscoop.com/botnet-disruption-aisuru-kimwolf-jackskid-mossad/
https://www.securityweek.com/aisuru-and-kimwolf-ddos-botnets-disrupted-in-international-operation/
https://securityaffairs.com/189710/cyber-crime/global-law-enforcement-operation-targets-aisuru-kimwolf-jackskid-botnet-operators.html
https://www.theregister.com/2026/03/20/botnet_disruption/
https://www.helpnetsecurity.com/2026/03/20/us-disrupts-iot-botnets-ddos-attacks-aisuru-kimwolf/
- Three Men Sentenced For Facilitating Employment Of Foreign Workers In North Korean Sanctions Evasion Scheme
"Three men have been sentenced in federal court after pleading guilty to their roles in a nationwide scheme that enabled North Korean workers to access U.S.-based computer networks. Each defendant pleaded guilty to a criminal Information charging them with one count of Wire Fraud Conspiracy, said Margaret E. “Meg” Heap, U.S. Attorney for the Southern District of Georgia. The defendants were sentenced by U.S. District Court Judge J. Randal Hall."
https://www.justice.gov/usao-sdga/pr/three-men-sentenced-providing-computer-access-foreign-workers-potential-espionage-plot
https://cyberscoop.com/north-korea-it-worker-scheme-three-sentenced/
- Post-Quantum Web Could Be Safer, Faster
"With practical quantum computers predicted to arrive in the next decade or so, technologists worry about the risks to encrypted data traveling over current Web protocols, but a new infrastructure proposed by an Internet standards group could future-proof against quantum attacks. Cryptographically relevant quantum computers (CRQCs) could allow the decryption of secure traffic using HTTPS and the spoofing of secure servers. Shoring up the security of the Internet with the structures used today requires adopting post-quantum algorithms that come with significant trade-offs."
https://www.darkreading.com/cloud-security/post-quantum-web-could-be-safer-faster
- Field Workers Don’t Need More Access, They Need Better Security
"In this Help Net Security interview, Chris Thompson, CISO at West Shore Home, discusses least privilege and credential hygiene for a field-based workforce. He covers access management, authentication practices, and data risk processes that support employees in the field. Thompson also outlines security awareness efforts and how field teams are integrated into an organization’s security posture."
https://www.helpnetsecurity.com/2026/03/20/chris-thompson-west-shore-home-field-worker-cybersecurity/
- NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online
"The head of the UK’s National Crime Agency (NCA) has warned that the country’s teens are being “radicalized” into becoming cybercriminals by online platforms. The NCA was set up over a decade ago to tackle serious and organized crime. In a speech to launch the NCA's National Strategic Assessment this week, Graeme Biggar, NCA director general, argued that “the same toxic online spaces” and algorithms are turning teens into cybercriminals, sex offenders and terrorists."
https://www.infosecurity-magazine.com/news/nca-boss-warns-teens-radicalized/
- Who’s Really Shopping? Retail Fraud In The Age Of Agentic AI
"From targeting the “digital contract” with gift card theft to potentially liquidating the cash reserve of a retailer, this blog explores the potential for AI-enabled fraud that retailers could now face. We also explain how organizations can better defend themselves and their guests from AI-enabled fraud."
https://unit42.paloaltonetworks.com/retail-fraud-agentic-ai/
Reference
Electronic Transactions Development Agency (ETDA)
-
CISA urges organizations to accelerate the hardening of endpoint management systems after a cyberattack on a U.S. organization. Posted in Cyber Security News
On 18 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to accelerate the hardening of endpoint management systems following a cyberattack on a U.S. organization.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations to urgently harden their endpoint management systems after learning of malicious cyber activity targeting such systems in U.S. organizations.
CISA referred to the 11 March 2026 cyberattack on Stryker Corporation, a U.S. medical technology company, which affected the company's Microsoft environment. The incident shows that endpoint management systems can become a prime target for adversaries, because they can centrally control, configure and issue commands to large numbers of devices across an organization.
To prevent similar malicious activity, CISA asks organizations to urgently review and strengthen the configuration of their endpoint management systems using the guidance and resources referenced in the alert. CISA has also expanded its cooperation with relevant federal agencies, including the Federal Bureau of Investigation (FBI), to identify additional threats and to define measures that reduce the risk of adversaries abusing legitimate endpoint management software.
CISA further asks organizations to adopt Microsoft's new best-practice guidance for securing Microsoft Intune; the principles apply equally to Microsoft Intune and to other endpoint management software of the same kind.
Key recommendations from CISA and Microsoft
- Apply least privilege when designing administrator permissions
Organizations should grant administrators only the minimum permissions needed for their actual duties, using Microsoft Intune's Role-Based Access Control (RBAC) to limit the scope of each role, both in the types of actions permitted and in the set of users or devices that can be reached.
- Enforce phishing-resistant MFA and add protection for privileged access
Organizations should use Microsoft Entra ID capabilities such as Conditional Access, Multi-Factor Authentication (MFA), risk signals and privileged access controls to prevent unauthorized access, particularly for privileged operations in Microsoft Intune.
- Require sensitive operations to be approved by more than one administrator
Organizations should configure Multi Admin Approval policies so that high-impact changes, such as wiping devices, removing applications, running scripts, modifying RBAC or changing critical settings, must be approved by a second administrator account before they take effect.
In addition, CISA recommends that organizations review the related resources and best practices to strengthen their ability to prevent, detect and reduce the impact of similar malicious cyber activity.
References
https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization?utm_source=IranHardening202603&utm_medium=GovDelivery
-
DarkSword, a new iOS exploit kit, used in an iPhone data theft campaign. Posted in Cyber Security News


-
Intuitive discloses a data breach after a phishing attack compromised employee accounts. Posted in Cyber Security News


-
Digital security company Aura confirms a data breach of more than 900,000 records after an employee fell victim to voice phishing. Posted in Cyber Security News


-
CISA adds one exploited vulnerability to its catalog. Posted in Cyber Security News
On 19 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation:
- CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
CISA will continue to update the KEV catalog with newly observed vulnerabilities so that it covers the risks actually seen now and in the future.
References
https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog
-
CISA releases five Industrial Control Systems (ICS) advisories. Posted in OT Cyber Security News
On 19 March B.E. 2569 (2026), the Cybersecurity and Infrastructure Security Agency (CISA) released five advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities and exploits affecting ICS, as follows:
- ICSA-26-078-03 Schneider Electric EcoStruxure Automation Expert
- ICSA-26-078-04 Schneider Electric EcoStruxure Power
- ICSA-26-078-06 CTEK Chargeportal
- ICSA-26-078-07 IGL-Technologies eParking.fi
- ICSA-26-078-08 Automated Logic WebCTRL Premium Server
CISA advises users and administrators to review the newly released ICS advisories for technical details and mitigations.
-
Cyber Threat Intelligence 20 March 2026. Posted in Cyber Security News
Industrial Sector
- CTEK Chargeportal
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06
- IGL-Technologies eParking.fi
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-07
- Automated Logic WebCTRL Premium Server
"Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
- Schneider Electric Modicon M241, M251, And M262
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-01
- Schneider Electric Modicon Controllers M241, M251, M258, And LMC058
"Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-02
- Schneider Electric EcoStruxure Automation Expert
"Schneider Electric is aware of a vulnerability in its EcoStruxure Automation Expert product. The EcoStruxure Automation Expert product is plant automation software designed for digital control systems in discrete, hybrid and continuous industrial processes. A totally integrated automation solution designed to enhance your flexibility, efficiency and scalability. Failure to apply the remediation provided below may risk execution of arbitrary commands on the engineering workstation, which could result in a potential compromise of full system."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03
- Schneider Electric EcoStruxure PME And EPO
"Schneider Electric is aware of a vulnerability in its EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) products. EcoStruxure Power Monitoring Expert (PME) is an on-premises software used to help power critical and energy-intensive facilities maximize uptime and operational efficiency. EcoStruxure Power Operation (EPO) is an on-premises software offer that provides a single platform to monitor and control medium and lower power systems. Failure to apply the fix provided below may risk local arbitrary code execution, which could result in the local system being compromised, a disruption of operations, and/or unauthorized administrative control of the system."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-04
- Mitsubishi Electric CNC Series
"Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-05
- A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q4 2025
"In Q4 2025, 161 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. When evaluating the results of the quarter in terms of publicly confirmed cyberincidents at industrial enterprises, several observations can be made. First, attention is drawn to the disproportionately large number of incidents that have occurred in organizations from certain countries and territories, such as Japan and Taiwan. The number of incidents is particularly high when looking at estimates of the accessibility of computers related to industrial automation systems in these countries to cyberthreats."
https://ics-cert.kaspersky.com/publications/reports/2026/03/19/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q4-2025/
Vulnerabilities
- Max Severity Ubiquiti UniFi Flaw May Allow Account Takeover
"Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts. The UniFi Network app (also known as the UniFi Controller) is management software that helps configure, monitor, and optimize Ubiquiti UniFi networking hardware, such as access points, switches, and gateways. "Combines powerful internet gateways with scalable WiFi and switching. Provides real-time traffic dashboards, visual topology maps, and optimization tips," the networking device manufacturer says. "The preferred way to deploy UniFi Network is on a UniFi Cloud Gateway, rather than on a server, laptop, or other self-hosted environment.""
https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-unifi-flaw-that-may-enable-account-takeover/
https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b
https://securityaffairs.com/189689/security/critical-ubiquiti-unifi-unifi-security-flaw-allows-potential-account-hijacking.html
- Magento PolyShell: Unrestricted File Upload In Magento And Adobe Commerce
"A critical flaw in Magento's REST API lets unauthenticated attackers upload executable files to any store. We named the vulnerability "PolyShell" because the attack uses a polyglot (code disguised as image). Sansec has not observed active exploitation so far. However, the exploit method is circulating already and Sansec expects automated attacks to appear soon."
https://sansec.io/research/magento-polyshell
https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/189682/security/u-s-cisa-adds-a-flaw-in-cisco-fmc-and-cisco-scc-firewall-management-to-its-known-exploited-vulnerabilities-catalog.html
- RIP RegPwn
"As part of MDSec’s R&D work, we often discover vulnerabilities and develop exploits to support our red team engagements. When researching widely used software, it is often only a matter of time before the same vulnerability is discovered by other researchers and reported to the vendor. Two weeks ago we outlined an Elevation of Privilege vulnerability in Windows 11 that we had been leveraging in red teams but decided to report to the vendor ourselves. Ironically, today we’re documenting another Elevation Of Privilege vulnerability that was so elegant in its indicators, we kept it internal and used with great success across red team engagements since January 2025. For what will become obvious reasons, we named this vulnerability RegPwn and it affected Windows 10 and 11, as well as Windows Server 2012, 2016, 2019, 2022, and 2025. This vulnerability was fixed this Patch Tuesday and we believe is tracked as CVE-2026-24291."
https://www.mdsec.co.uk/2026/03/rip-regpwn/
Malware
- Winos4.0 Malware Disguised As KakaoTalk Installation File
"Typically, people perceive the sites that appear at the top of Google search results as the “most authoritative and official” sites. However, threat actors are playing on the psychology of such users, manipulating the search engine’s algorithms to place malicious sites at the top. SEO poisoning is an attack technique in which threat actors exploit search engine optimization (SEO) techniques to push malicious websites they control to the top of search results for specific keywords, often on pages one to three. The goal is to distribute malware or steal information by directing users to a carefully crafted fake site when they are trying to download official software or find information."
https://asec.ahnlab.com/en/92971/
- Perseus: DTO Malware That Takes Notes
"Most mobile malware must continuously evolve to remain effective in an environment shaped by improving security measures, platform restrictions, and user awareness. Rather than relying solely on traditional techniques, contemporary threats increasingly adapt by introducing new capabilities and leveraging legitimate system features in unintended ways. This ongoing evolution reflects a broader trend in which attackers refine their tooling to maintain persistence, evade detection, and maximize control over compromised devices, highlighting the importance of studying how such threats adapt over time."
https://www.threatfabric.com/blogs/perseus-dto-malware-that-takes-notes
https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-checks-user-notes-for-secrets/
https://thehackernews.com/2026/03/new-perseus-android-banking-malware.html
https://therecord.media/malware-streaming-apps-android
- Operation GhostMail: Russian APT Exploits Zimbra Webmail To Target Ukraine State Agency
"Seqrite Labs identified a targeted phishing campaign that exploits a cross-site scripting (XSS) vulnerability in Zimbra Collaboration (ZCS) to compromise a Ukrainian government entity. The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email, there are no malicious attachments. A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376 which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content."
https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/
https://www.bleepingcomputer.com/news/security/russian-apt28-military-hackers-exploit-zimbra-flaw-in-ukrainian-govt-attacks/
https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html
https://therecord.media/russia-hackers-ukraine-zimbra-breach
https://securityaffairs.com/189673/security/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html
https://www.securityweek.com/russian-apt-exploits-zimbra-vulnerability-against-ukraine/
- Everyday Tools, Extraordinary Crimes: The Ransomware Exfiltration Playbook
"As defenders have improved their ability to detect malicious code, attackers have adapted by reducing their reliance on bespoke implants. As a result, data exfiltration is no longer primarily driven by custom malware or specialized tooling. Instead, many modern exfiltration operations leverage legitimate, widely deployed utilities already present in enterprise environments, along with benign cloud storage locations as the destination of the exfiltration connections. This shift significantly complicates detection. Tools and services used for routine business operations can be repurposed to transfer stolen data outside the network without triggering traditional security controls. In many real-world incidents, exfiltration does not rely on novel protocols, custom command-and-control (C2) infrastructure, or overtly malicious binaries."
https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-ransomware-exfiltration-playbook/
- Hasta La Vista, Hastalamuerte: An Overview Of The Gentlemen's TTPs
"In face of so many new ransomware brands, and still remaining RaaS operations such as Medusa, Qilin, and DragonForce, prioritizing is not an easy task to accomplish. However, despite the amount of groups conducting attacks for extortion, the TTPs do not change that much; unless we are talking about Cl0p, Akira and other groups that pose a high risk. After all, why should they exploit complex and time-consuming vulnerabilities when there are so many low-hanging fruit out there such as vulnerable web-based remote services like RDWeb and SSL VPN devices and default or easy-to-guess passwords to brute force? Anyway, it is not up to us, but to the criminals, to decide what is the best (or the worst) strategy for a ransomware or extortion operation to conduct attacks."
https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
https://www.infosecurity-magazine.com/news/ransomware-affiliate-gentlemen/
- Windsurf IDE Extension Drops Malware Via Solana Blockchain
"Bitdefender researchers have discovered a malicious Windsurf IDE (integrated development environment) extension that deploys a multi-stage NodeJS stealer by using the Solana blockchain as the payload infrastructure. The extension, disguised as an R language support extension for Visual Studio Code, retrieves encrypted JavaScript from blockchain transactions, executes it using NodeJS runtime primitives, drops compiled add-ons to extract Chromium data, all the while establishing persistence with the help of a hidden PowerShell scheduled task. There’s an official, legitimate extension named REditorSupport, which is likely why the attacker used a very similar name to confuse potential victims."
https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana
https://hackread.com/windsurf-ide-extension-solana-blockchain-developer-data/
- Russia Turns Vienna Into West’s Biggest Spy Hub – Tracking NATO Communications
"Russia has turned Vienna into its largest electronic espionage hub in the West, using its diplomatic compounds to monitor sensitive communications across NATO, the Middle East, and Africa. From rooftops across the Austrian capital, clusters of satellite dishes are used for covert signals intelligence (SIGINT), reviving a major Cold War-era function, the Financial Times reported, citing sources familiar with the matter. “This is one of our main concerns,” a senior European diplomat in Vienna said. “They are targeting NATO government and military communications… Vienna is their hub in Europe.”"
https://www.kyivpost.com/post/72072
https://securityaffairs.com/189653/intelligence/russia-establishes-vienna-as-key-western-spy-hub-targeting-nato.html
- New Malware Targets Users Of Cobra DocGuard Software
"Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks the functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. Notably, Speagle appears to be capable of collecting information on highly targeted subjects, such as specifically seeking out documents related to Chinese ballistic missiles."
https://www.security.com/threat-intelligence/speagle-cobradocguard-infostealer
https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html
- EDR Killers Explained: Beyond The Drivers
"In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides the dominating Bring Your Own Vulnerable Driver (BYOVD) technique, we also see attackers frequently abusing legitimate anti-rootkit utilities or using driverless approaches to block the communication of endpoint detection and response (EDR) software or suspend it in place. These tools are not just plentiful, but also behave predictably and consistently, which is precisely why affiliates reach for them."
https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
https://www.helpnetsecurity.com/2026/03/19/edr-killer-ransomware-attacks/
- Analyzing The Current State Of AI Use In Malware
"Unit 42 researchers searched through open-source intelligence (OSINT) and our internal telemetry for potential signs of malware made to any degree with large language models (LLMs). This includes either using LLMs to create the malware entirely or to assist with their functionality. This article examines two samples, both of which originated from our OSINT hunts. The rise of AI has sparked considerable interest in its potential applications within cybersecurity, both from the defender and attacker perspectives. We currently consider three primary use cases for AI as applied by the creators of malware:"
https://unit42.paloaltonetworks.com/ai-use-in-malware/
Breaches/Hacks/Leaks
- Navia Discloses Data Breach Impacting 2.7 Million People
"Navia Benefit Solutions, Inc. (Navia) is informing nearly 2.7 million individuals of a data breach that exposed their sensitive information to attackers. An investigation into the incident revealed that the hackers had access to the organization's systems between December 22, 2025, and January 15, 2026. However, the company discovered the suspicious activity on January 23. Navia says that it responded immediately and launched an inquiry to determine the potential impact of the incident."
https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/
https://www.bankinfosecurity.com/worker-benefits-administrator-notifying-27m-hack-a-31085
- Bitrefill Blames North Korean Lazarus Group For Cyberattack
"Crypto-powered gift card store Bitrefill says that the attack it suffered at the beginning of the month was likely perpetrated by North Korean hackers of the Bluenoroff group. During the investigation, the platform observed indicators similar to previous attacks attributed to the North Korean threat actor, like tactics, malware, IP and email addresses. “Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries,” reads Bitrefill's statement."
https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/
General News
- CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization
"CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment. To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions."
https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization
https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117
https://www.bleepingcomputer.com/news/security/cisa-warns-businesses-to-secure-microsoft-intune-systems-after-stryker-breach/
https://therecord.media/fbi-cisa-warn-of-microsoft-intune-risks-stryker
https://www.bankinfosecurity.com/microsoft-intune-mdm-gains-notoriety-after-stryker-hack-a-31084
https://cyberscoop.com/feds-keep-eyes-peeled-for-iran-cyberattacks-respond-to-stryker-breach/
https://www.theregister.com/2026/03/19/microsoft_intune_lockdown_stryker/
https://www.helpnetsecurity.com/2026/03/19/cisa-endpoint-management-system-warning/
- February 2026 APT Attack Trends Report (South Korea)
"AhnLab utilizes its infrastructure to monitor for Advanced Persistent Threat (APT) attacks in South Korea. This report covers the classification and statistics on APT attacks on South Korea targets identified during the month of February 2026, and introduces the features of each type."
https://asec.ahnlab.com/en/92972/
- FBI Seizes Handala Data Leak Site After Stryker Cyberattack
"The FBI has seized two websites used by the Handala hacktivist group after the threat actors conducted a destructive cyberattack on medical technology giant Stryker that wiped approximately 80,000 devices. Both the hacktivist's handala-redwanted[.]to and handala-hack[.]to clearnet domains now display a seizure notice stating that the websites were seized under a seizure warrant issued by the District Court for the District of Maryland. "This domain has been seized by the Federal Bureau of Investigation ("FBI") pursuant to a seizure warrant issued by a United States District Court for the District of Maryland as a part of a law enforcement action by the FBI. Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor," reads the seizure message."
https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/
- Rethinking Cyber Preparedness In Age Of AI Cyberwarfare
"Artificial intelligence is fundamentally transforming the cyberwarfare landscape, and while they may think otherwise, most organizations aren't ready for an AI-driven attack. Nearly 80% of IT decision-makers say their organization is prepared to handle a cyberwarfare attack, and 76% say they're confident they could combat AI-based attacks. But 54% of organizations say they have been hit by an AI-generated or AI-led attack in the past 12 months, and half of those haven't adequately secured their environment in the aftermath, according to a report by security firm Armis."
https://www.bankinfosecurity.com/rethinking-cyber-preparedness-in-age-ai-cyberwarfare-a-31086
- The Agentic Era Arrives: How AI Is Transforming The Cyber Threat Landscape
"The cyber security landscape is undergoing a significant shift. Between January and February 2026, we observed a major evolution in how threat actors adopt, weaponize, and operationalize AI. What was once experimental is now mature. What once required coordinated teams can now be executed by a single experienced developer with an AI‑powered IDE. And what enterprises embraced for productivity has simultaneously become a rapidly expanding attack surface. This report highlights the most significant trends shaping today’s threat environment, and what defenders must prepare for next."
https://blog.checkpoint.com/research/the-agentic-era-arrives-how-ai-is-transforming-the-cyber-threat-landscape/
https://engage.checkpoint.com/cpr-ai-threat-landscape-digest
- Inside Russia’s Shift To Credential-Based Intrusions: What CISOs Need To Know In 2026
"Russia-linked hacktivist activity has entered a noticeably different phase. While earlier campaigns leaned heavily on disruption through denial-of-service and opportunistic scanning of exposed systems, the current trajectory shows a stronger dependence on credential-based intrusions and identity-based cyber attacks. For security leaders, this evolution matters because it lowers the technical barrier to entry while increasing the blast radius of compromise."
https://cyble.com/blog/russia-credential-based-intrusions-cisos/
- AI Conundrum: Why MCP Security Can't Be Patched Away
"Organizations rushing to connect their LLM-powered apps to external data sources and services using the Model Context Protocol (MCP) may be inadvertently creating attack surfaces that are fundamentally different from anything their existing security controls can handle. Making matters worse is that the risks are not the kind a security team can address via patching or configuration changes because they exist at the architectural level in both large language models (LLMs) and in MCP, says Gianpietro Cutolo, cloud threat researcher at Netskope, who is scheduled to highlight the issue at a session next week at the RSAC 2026 Conference in San Francisco."
https://www.darkreading.com/application-security/mcp-security-patched
- SpyCloud’s 2026 Identity Exposure Report Reveals Explosion Of Non-Human Identity Theft
"SpyCloud, the leader in identity threat protection, today released its annual 2026 Identity Exposure Report, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground and highlighting a sharp expansion in non-human identity (NHI) exposure. Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII)."
https://hackread.com/spyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft/
https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2026/
- AI Got It Wrong With High Confidence. Now What?
"In this Help Net Security interview, Christian Debes, Head of Data Analytics & AI at SPRYFOX, talks about the growing gap between what AI models do and what their operators can explain. He argues this gap is already a liability, particularly when decisions affect people or money and no one can say why a model produced a certain output. Debes walks through how responsible teams approach confident wrong answers, why procurement leaders bear accountability when AI systems fail, and what explainability means as a translation layer between technical teams and business operators. He also addresses the EU AI Act and its risk of producing compliance theater, and closes with a frank assessment of where AI infrastructure is headed if explainability does not keep pace with model complexity."
https://www.helpnetsecurity.com/2026/03/19/christian-debes-spryfox-ai-explainability-accountability/
- Iran Readied Cyberattack Capabilities For Response Prior To Epic Fury
"America, Israel and ‘facilitating’ Gulf states received malicious attacks from Iranian APTs within days of Epic Fury, and there are around 60 Iran-linked hacktivist groups currently operating. It is little surprise that malicious Iranian cyber activity increased immediately after the US/Israel strikes commenced at the end of February 2026. It is more surprising that MOIS (Iranian Ministry of Intelligence and Security) and IRGC linked cyber groups seemed to be preparing themselves for this event. A study by Augur Security, which uses AI and behavioral modeling to provide early identification and mapping of malicious infrastructure, demonstrates that numerous government-linked groups (either with MOIS or one of the Islamic Revolutionary Guard Corps – IRGC – cyber units) showed increased infrastructure activity in the six months prior to Epic Fury."
https://www.securityweek.com/iran-readied-cyberattack-capabilities-for-response-prior-to-epic-fury/
https://www.augursecurity.com/post/threat-research-iran-2026-threat-posture-assessment
- 2026 Mobile Security: How Regulation And AI Are Reshaping Risk
"Mobile security is entering its most transformative phase yet. Mobile is now the largest attack surface in the enterprise, and the least protected. In 2026, two forces will converge to redefine risk: regulatory shifts and the acceleration of AI-driven development. These changes will not only reshape how mobile apps are built, distributed, and secured but also challenge enterprises to rethink their governance, strategy, and resilience. The winners will be those who adapt quickly, leveraging AI responsibly while embedding mobile security into the foundations of development, not bolting it on after the fact."
https://zimperium.com/blog/2026-mobile-security-how-regulation-and-ai-are-reshaping-risk
https://www.infosecurity-magazine.com/news/financial-brands-mobile-banking/
- Federal Jury Convicts Charlotte Man For Cyber Extortion Scheme That Targeted International Technology Company
"A federal jury returned a guilty verdict yesterday against a Charlotte man for carrying out an extensive cyber extortion scheme against a D.C.-based international technology company, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina. Cameron Curry, 27, was convicted of six counts of transmitting or willfully causing interstate communications with the intent to extort a victim company. U.S. District Judge Kenneth D. Bell presided over the three-day trial."
https://www.justice.gov/usao-wdnc/pr/federal-jury-convicts-charlotte-man-cyber-extortion-scheme-targeted-international
https://cyberscoop.com/cameron-curry-insider-attack-washington-tech-company/
References
Electronic Transactions Development Agency (ETDA)