NCSA Webboard

    Posts created by NCSA_THAICERT

    • Urgent! Alert: DarkSpectre malware campaign hides in browser extensions, putting devices at risk of attack and takeover

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring the cyber threat situation and has found information on the DarkSpectre malware campaign, which hides inside browser extensions that appear legitimate.

      If users install or enable an affected extension, attackers may be able to plant malicious code, download additional payloads from a command and control (C2) server, and take remote control of the device, affecting the security of the information systems of agencies and organizations.

      1. Threat details

      1.1 Security researchers at Koi detected and disclosed the DarkSpectre malware campaign, a large-scale attack operation.
      1.2 DarkSpectre uses popular browser extensions as its channel for hiding and spreading, on Google Chrome, Microsoft Edge and Mozilla Firefox.
      1.3 The campaign was first detected during the investigation of the ShadyPanda campaign and has affected more than 4 million devices worldwide.
      1.4 The malware is designed to activate later, using hidden JavaScript code to fetch malicious payloads from the C2 server.

      2. Threat overview (Overview)

      2.1 Threat type: Malware Campaign via Malicious Browser Extensions
      2.2 Attack technique: uses extensions that appear legitimate and can embed JavaScript code that runs at a later time, then contacts the C2 server to receive further commands
      2.3 The attacker does not need direct access to the system; merely installing the extension can expose the user to attack
      2.4 Affected systems: user devices with the extensions installed on Chrome, Edge and Firefox

      3. Impact. If the DarkSpectre campaign succeeds against a device, the following may result:
        3.1 The user's device is implanted with malware without their knowledge
        3.2 Additional malicious code is downloaded and executed remotely
        3.3 The device is controlled through the C2 server
        3.4 Personal and organizational data is leaked
        3.5 The device is used as a base for attacking other systems in the network (Lateral Movement)

      4. List of browser extensions involved

      • Chrome Audio Capture
      • ZED: Zoom Easy Downloader
      • X (Twitter) Video Downloader
      • Google Meet Auto Admit
      • Zoom.us Always Show "Join From Web"
      • Timer for Google Meet
      • CVR: Chrome Video Recorder
      • GoToWebinar & GoToMeeting Download Recordings
      • Meet Auto Admit
      • Google Meet Tweak (Emojis, Text, Cam Effects)
      • Mute All on Meet
      • Google Meet Push-To-Talk
      • Photo Downloader for Facebook, Instagram
      • Zoomcoder Extension
      • Auto-join for Google Meet
      • Edge Audio Capture (Edge)
      • Twitter X Video Downloader (Firefox)
      • New Tab – Customized Dashboard (Edge)
      • "Google Translate" by charliesmithbons

      5. Prevention and risk reduction (Mitigation – Recommended)

      5.1 Review and remove unnecessary or risky browser extensions
      5.2 Allow only extensions approved by the organization to be installed (Extension Whitelisting)
      5.3 Update browsers and operating systems to the latest versions
      5.4 Scan devices with trusted anti-malware software

      6. Additional monitoring guidance

      6.1 Review browser usage logs and look for abnormal network traffic
      6.2 Watch for connections to unknown C2 servers
      6.3 Check for calls to external IP lookup services such as ipinfo.io, which may be an indicator of malware behaviour
      6.4 Warn users to avoid installing extensions from untrusted sources

      7. Additional security recommendations (Security Hardening)

      7.1 Define an organizational policy controlling the use of browser extensions
      7.2 Separate ordinary user privileges from administrator privileges
      7.3 Back up important data regularly
      7.4 Train users on the threats posed by browser extensions

      References
      https://www.techspot.com/news/110779-darkspectre-quietly-infected-millions-through-seemingly-legit-browser.html

      Posted in Cyber Security News by NCSA_THAICERT
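A small triage helper for two of the checks in the DarkSpectre post above: comparing an endpoint's extension inventory against the advisory's list of extension names (section 5.1), and scanning proxy logs for clients calling external IP-lookup services such as ipinfo.io (section 6.3). This is an added example, not ThaiCERT's or Koi's code. The inventory records, proxy log format, client addresses and workstation names are constructed for illustration, and the IP-lookup hosts other than ipinfo.io are an assumed extension of the advisory's indicator that you can tune to your environment.

```python
"""Triage helper for the DarkSpectre advisory (added example, not ThaiCERT's code).

Check 1: flag inventory records whose extension name is on the advisory's list.
Check 2: flag proxy log lines where a client contacts an external IP-lookup service.
All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Extension names as listed in the advisory (the "(Edge)"/"(Firefox)" tags are stripped).
ADVISORY_EXTENSIONS = [
    "Chrome Audio Capture",
    "ZED: Zoom Easy Downloader",
    "X (Twitter) Video Downloader",
    "Google Meet Auto Admit",
    'Zoom.us Always Show "Join From Web"',
    "Timer for Google Meet",
    "CVR: Chrome Video Recorder",
    "GoToWebinar & GoToMeeting Download Recordings",
    "Meet Auto Admit",
    "Google Meet Tweak (Emojis, Text, Cam Effects)",
    "Mute All on Meet",
    "Google Meet Push-To-Talk",
    "Photo Downloader for Facebook, Instagram",
    "Zoomcoder Extension",
    "Auto-join for Google Meet",
    "Edge Audio Capture",
    "Twitter X Video Downloader",
    "New Tab \u2013 Customized Dashboard",
    "Google Translate",  # lookalike listed "by charliesmithbons"; author is checked below
]

# ipinfo.io is named in the advisory; the others are an assumed extension of the same
# indicator (external IP-lookup services) and can be adjusted.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me", "icanhazip.com"}


def normalize(name: str) -> str:
    """Lower-case, collapse whitespace and unify quote/dash variants so store
    listings with minor punctuation differences still match the advisory list."""
    name = name.lower().replace("\u201c", '"').replace("\u201d", '"')
    name = name.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", name).strip()


NORMALIZED_ADVISORY = {normalize(n) for n in ADVISORY_EXTENSIONS}


def match_inventory(inventory):
    """inventory: iterable of dicts with 'host', 'name' and 'author' keys.
    Returns the records whose extension name is on the advisory list.
    The generic name "Google Translate" counts only when the author is the one
    the advisory names (charliesmithbons), so Google's own extension is not flagged."""
    hits = []
    for rec in inventory:
        n = normalize(rec["name"])
        if n not in NORMALIZED_ADVISORY:
            continue
        if n == "google translate" and rec.get("author", "").lower() != "charliesmithbons":
            continue
        hits.append(rec)
    return hits


# Constructed proxy log format: "<ts> client=<ip> method=<m> host=<host>:<port> status=<n>"
LOG_LINE = re.compile(r"client=(?P<client>\S+) .*?host=(?P<host>[^:\s]+)")


def flag_ip_lookups(log_lines):
    """Return {client_ip: [hosts]} for clients that contacted an IP-lookup service."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        host = m.group("host").lower()
        if host in IP_LOOKUP_HOSTS:
            seen[m.group("client")].append(host)
    return dict(seen)


# Constructed sample data (hostnames, authors and addresses are made up).
SAMPLE_INVENTORY = [
    {"host": "WS-014", "name": "uBlock Origin", "author": "Raymond Hill"},
    {"host": "WS-014", "name": "Chrome Audio Capture", "author": "unknown"},
    {"host": "WS-022", "name": "Google Translate", "author": "translate.google.com"},
    {"host": "WS-031", "name": "Google Translate", "author": "charliesmithbons"},
    {"host": "WS-031", "name": "new tab  -  customized dashboard", "author": "unknown"},
]

SAMPLE_PROXY_LOG = [
    "2026-01-09T10:15:02Z client=10.0.0.14 method=CONNECT host=ipinfo.io:443 status=200",
    "2026-01-09T10:15:03Z client=10.0.0.14 method=CONNECT host=meet.google.com:443 status=200",
    "2026-01-09T10:16:40Z client=10.0.0.31 method=CONNECT host=api.ipify.org:443 status=200",
    "2026-01-09T10:17:11Z client=10.0.0.22 method=GET host=www.example.com:80 status=200",
]


def triage(inventory=SAMPLE_INVENTORY, log_lines=SAMPLE_PROXY_LOG):
    """Run both checks and return the findings for further investigation."""
    return {
        "extension_hits": match_inventory(inventory),
        "ip_lookup_clients": flag_ip_lookups(log_lines),
    }


if __name__ == "__main__":
    result = triage()
    for rec in result["extension_hits"]:
        print(f"[extension] {rec['host']}: {rec['name']} ({rec['author']})")
    for client, hosts in result["ip_lookup_clients"].items():
        print(f"[ip-lookup] {client} contacted {', '.join(hosts)}")
```

Name matching alone is a weak signal, since the advisory gives extension names rather than store IDs; treat a hit as a lead to confirm against the browser's extension page or the store listing, and correlate it with the proxy findings for the same endpoint before removing anything.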
    • Cisco releases a patch for CVE-2026-20029 in ISE; risk of sensitive data leaking from the management web interface

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Veeam fixes an RCE vulnerability and other security issues

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Critical vulnerability in jsPDF: hackers could steal important files from the server

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Urgent! RCE vulnerability in Veeam Backup & Replication risks takeover of backup systems

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring the cyber threat situation and has found a security update that fixes a critical vulnerability in Veeam Backup & Replication, a backup system widely used in organizations.

      If it is not remediated, attackers may be able to execute commands remotely (Remote Code Execution: RCE) on the backup system, which could affect the security of backup data and the organization's information systems.

      1. Vulnerability details
      CVE-2025-59470 has a CVSS severity score of 9.0 and is rated critical. It may lead to remote code execution (RCE): a user in the Backup Operator or Tape Operator role can supply specially crafted parameters
      to run code with the privileges of the postgres system user, which could be used to take unauthorized control of the backup system.

      2. Risk and impact
        If the vulnerability is exploited, attackers may take control of the backup system, modify or delete backups, and use the backup system as a starting point for attacks on other systems in the organization, which could affect business continuity and the security of critical data.

      3. Affected products
        • Veeam Backup & Replication version 13.0.1.180 and all earlier version 13 builds

      4. Prevention and risk reduction
      4.1 Update to Veeam Backup & Replication version 13.0.1.1071 or later
      4.2 Review and appropriately restrict the accounts in the Backup Operator and Tape Operator roles

      ⚠️ ThaiCERT urges you to check your version now! Your backups may not be safe

      🔗 References
      • https://www.veeam.com/kb4792
      • https://www.cve.org/CVERecord?id=CVE-2025-59470
      • https://thehackernews.com/2026/01/veeam-patches-critical-rce.html

      With best regards, Office of the National Cyber Security Committee (NCSA) / ThaiCERT

      #Veeam #VeeamBackup #CVE202559470 #ThaiCERT #ThaiCyberSecurity #RCE #BackupSecurity #ช่องโหว่รุนแรง #อัปเดตด่วน

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 09 January 2026

      New Tooling

      • StackRox: Open-Source Kubernetes Security Platform
        "Security teams spend a lot of time stitching together checks across container images, running workloads, and deployment pipelines. The work often happens under time pressure, with engineers trying to keep clusters stable while meeting internal policy requirements. The StackRox open source project sits in that space, offering a Kubernetes security platform that teams can run and adapt on their own."
        https://www.helpnetsecurity.com/2026/01/08/stackrox-kubernetes-security-platform-open-source/
        https://github.com/stackrox/stackrox

      Vulnerabilities

      • Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise On Self-Hosted Instances
        "Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution."
        https://thehackernews.com/2026/01/coolify-discloses-11-critical-flaws.html
        https://censys.com/advisory/cve-2025-64424-cve-2025-64420-cve-2025-64419
      • PoC Released For Unauthenticated RCE In Trend Micro Apex Central (CVE-2025-69258)
        "Trend Micro has released a critical patch fixing several remotely exploitable vulnerabilities in Apex Central (on-premise), including a flaw (CVE-2025-69258) that may allow unauthenticated attackers to achieve code execution on affected installations. The three vulnerabilities were unearthed and privately reported by Tenable bug hunters last year, and they now published technical details and PoC exploits for each."
        https://www.helpnetsecurity.com/2026/01/08/trend-micro-apex-central-cve-2025-69258-rce-poc/
        https://www.tenable.com/security/research/tra-2026-01
        https://success.trendmicro.com/en-US/solution/KA-0022071
      • Cisco Warns Of Identity Service Engine Flaw With Exploit Code
        "Cisco has patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. Enterprise admins use Cisco ISE to manage endpoint, user, and device access to network resources while enforcing a zero-trust architecture. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices."
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
        https://thehackernews.com/2026/01/cisco-patches-ise-security.html
        https://securityaffairs.com/186682/security/public-poc-prompts-cisco-patch-for-ise-ise-pic-vulnerability.html
        https://www.theregister.com/2026/01/08/rcisco_ise_bug_poc/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2009-0556 Microsoft Office PowerPoint Code Injection Vulnerability
        CVE-2025-37164 HPE OneView Code Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
        https://www.bleepingcomputer.com/news/security/cisa-tags-max-severity-hpe-oneview-flaw-as-actively-exploited/
        https://www.darkreading.com/vulnerabilities-threats/maximum-severity-hpe-oneview-flaw-exploited
        https://www.securityweek.com/critical-hpe-oneview-vulnerability-exploited-in-attacks/
        https://securityaffairs.com/186672/security/u-s-cisa-adds-hpe-oneview-and-microsoft-office-powerpoint-flaws-to-its-known-exploited-vulnerabilities-catalog.html
        https://www.malwarebytes.com/blog/news/2026/01/cisa-warns-of-active-attacks-on-hpe-oneview-and-legacy-powerpoint
        https://www.theregister.com/2026/01/08/cisa_oneview_powerpoint_bugs/
        https://www.helpnetsecurity.com/2026/01/08/hpe-oneview-cve-2025-37164-exploited/
      • ZombieAgent: New ChatGPT Vulnerabilities Let Data Theft Continue (and Spread)
        "To improve user experience and expand ChatGPT’s capabilities, OpenAI has added a feature that allows ChatGPT to connect to external systems such as Gmail, Jira, GitHub, Teams, Outlook, Google Drive and more. The feature, called Connectors, lets users link to these systems in just a few clicks. ChatGPT also includes built-in tools that allow it to browse the internet, open links, analyze, generate images and more. For example, its Memory feature, enabled by default unless the user explicitly disables it, lets ChatGPT store conversations and sensitive information about the user. This allows it to learn about the user and provide better and more accurate responses. ChatGPT can read, create, delete and edit these stored memories."
        https://www.radware.com/blog/threat-intelligence/zombieagent/
        https://www.darkreading.com/endpoint-security/chatgpt-memory-feature-prompt-injection
        https://www.infosecurity-magazine.com/news/new-zeroclick-attack-chatgpt/
        https://www.theregister.com/2026/01/08/openai_chatgpt_prompt_injection/
      • Researchers Expose WHILL Wheelchair Safety Risks Via Remote Hacking
        "Security researchers have demonstrated a critical vulnerability in high-tech electric wheelchairs that allows for unauthorized remote control, highlighting new safety risks for connected mobility devices. On December 30, the US cybersecurity agency CISA published an advisory to inform the public about a serious vulnerability discovered by researchers in electric wheelchairs made by WHILL, a Japan-based company whose personal electric mobility devices are sold around the world. According to CISA’s advisory, WHILL Model C2 and Model F electric wheelchairs are affected by a missing authentication vulnerability. The issue is tracked as CVE-2025-14346 and it has been assigned a critical severity rating."
        https://www.securityweek.com/researchers-expose-whill-wheelchair-safety-risks-via-remote-hacking/
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01

      Malware

      • FBI Warns About Kimsuky Hackers Using QR Codes To Phish U.S. Orgs
        "The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert. The observed activity targets organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The use of QR codes in phishing, a technique also known as "quishing," isn’t new; the FBI warned about it when cybercriminals used it to steal money, but it remains an effective security bypass."
        https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hackers-using-qr-codes-to-phish-us-orgs/
        https://www.ic3.gov/CSA/2026/260108.pdf
      • UAT-7290 Targets High Value Telecommunications Infrastructure In South Asia
        "Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe. In addition to conducting espionage focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggests that this actor also establishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage motivated threat actor as well as an initial access group."
        https://blog.talosintelligence.com/uat-7290/
        https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/
        https://thehackernews.com/2026/01/china-linked-uat-7290-targets-telecoms.html
        https://www.infosecurity-magazine.com/news/china-uat-7290-targets-telecoms/
      • Guloader Malware Being Disguised As Employee Performance Reports
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered the Guloader malware being distributed via phishing emails disguised as an employee performance report. The email claims to be informing the recipient about the report for October 2025, and prompts the recipient to check the attachment by mentioning the plan to dismiss some employees."
        https://asec.ahnlab.com/en/91825/
      • In-Depth Analysis Report On LockBit 5.0: Operation And Countermeasures
        "Since its first appearance in September 2019, LockBit has been known as one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide. LockBit operates on the RaaS model and is characterized by sophisticated encryption technology and automated propagation capabilities. Initial access is typically gained through vulnerability exploits, brute force attacks, phishing, or leaked login credentials, and the attack follows a three-stage process: initial access, lateral movement and privilege escalation, and ransomware deployment."
        https://asec.ahnlab.com/en/91945/
      • xRAT (QuasarRAT) Malware Being Distributed Through Webhard (Adult Games)
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered that the xRAT (QuasarRAT) malware is being distributed through a webhard disguised as an adult game. In Korea, webhard services are one of the most commonly used platforms for distributing malware. Typically, threat actors use malware that are easily accessible, such as njRAT and XwormRAT. They disguise the malware as legitimate programs (e.g. games) or adult content to distribute them. Numerous cases have been introduced in the AhnLab SEcurity intelligence Center (ASEC) blog post below."
        https://asec.ahnlab.com/en/91930/
      • The Truman Show Scam: Trapped In An AI-Generated Reality
        "The OPCOPRO “Truman Show” operation is a fully synthetic, AI‑powered investment scam that uses legitimate Android and iOS apps from the official mobile app stores, and AI‑generated communities to steal money and identity data from victims. Instead of relying on malicious code, the attackers use social engineering. The attackers pull victims using phishing SMS/ads/Telegram into tightly-controlled WhatsApp and Telegram groups, where AI‑generated “experts” and synthetic peers simulate an institutional‑grade trading community for weeks before any money or personal details are requested."
        https://blog.checkpoint.com/mobile/the-truman-show-scam-trapped-in-an-ai-generated-reality/
      • Boto-Cor-De-Rosa Campaign Reveals Astaroth WhatsApp-Based Worm Activity In Brazil
        "Astaroth is a Brazilian banking malware previously covered in our analysis Astaroth Unleashed, where we detailed its evolution and capabilities. In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy. The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection."
        https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil/
        https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html
        https://hackread.com/astaroth-banking-trojan-brazil-whatsapp-messages/
        https://securityaffairs.com/186685/malware/astaroth-banking-trojan-spreads-in-brazil-via-whatsapp-worm.html
      • Fake WinRAR Downloads Hide Malware Behind a Real Installer
        "A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign. So, I downloaded the file and started an analysis, which turned out to be something of a Matryoshka doll. Layer after layer, after layer. WinRAR is a popular utility that’s often downloaded from “unofficial” sites, which gives campaigns offering fake downloads a bigger chance of being effective."
        https://www.malwarebytes.com/blog/threat-intel/2026/01/fake-winrar-downloads-hide-malware-behind-a-real-installer
      • The Great VM Escape: ESXi Exploitation In The Wild
        "In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Based on indicators we observed, including the workstation name the threat actor was operating from and other TTPs, the Huntress Tactical Response team assesses with high confidence that initial access occurred via SonicWall VPN. The toolkit analyzed in this report also includes simplified Chinese strings in its development paths, including a folder named “全版本逃逸--交付” (translated: “All version escape - delivery”), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region."
        https://www.huntress.com/blog/esxi-vm-escape-exploit
        https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/
        https://securityaffairs.com/186709/hacking/chinese-speaking-hackers-exploited-esxi-zero-days-long-before-disclosure.html
      • The Ghost In The Machine: Unmasking CrazyHunter's Stealth Tactics
        "CrazyHunter ransomware has emerged as a significant and concerning threat, highlighting the increasing sophistication of cybercriminal tactics. Trellix has been actively tracking this ransomware since its initial appearance, noting its rapid development and growing prevalence. The ransomware executable is a fork of the Prince ransomware, which surfaced in mid-2024. It has introduced notable advancements, particularly in network compromise techniques and anti-malware evasion. This blog provides an in-depth analysis of CrazyHunter ransomware and its attack flow."
        https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/

      bolded text

      • December 2025 Phishing Email Trends Report
        "This report provides the distribution quantity, statistics, trends, and case information on phishing emails, which were collected and analyzed for one month in December 2025. The following statistics and cases are included in the original report."
        https://asec.ahnlab.com/en/91944/
      • Initial Access Sales Accelerated Across Australia And New Zealand In 2025
        "The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors."
        https://cyble.com/blog/australia-new-zealand-initial-access-threats/
      • Here's What Cloud Security's Future Holds For The Year Ahead
        "Cloud service providers (CSPs) play an important role in democratizing usage of technology to enable innovation. With cloud platforms, organizations do not need to worry about provisioning hardware and computing infrastructure; they can utilize cloud services and cloud-native development processes to easily build and deploy software applications. Now, as organizations are racing to adopt AI for its benefits, CSPs are fiercely competing to be the platform of choice for AI workloads and similarly democratize access to AI innovation."
        https://www.darkreading.com/cloud-security/heres-cloud-security-holds-year-ahead
      • Fifth Of Breaches Take Two Weeks To Recover From
        "Endpoint disruption following a serious security breach can take up to two weeks to recover from and cost millions for most (87%) US and UK organizations, a new report has revealed. Absolute Security polled 750 CISOs on both sides of the Atlantic to compile the first in a new e-book series, The Resilient CISO: The State of Enterprise Resilience. It revealed that, over the past 12 months, more than half (55%) of respondents had suffered a cyber-attack, ransomware infection, compromise or data breach that took mobile, remote or hybrid endpoint devices out of action."
        https://www.infosecurity-magazine.com/news/fifth-breaches-two-weeks-recover/
      • Rethinking Security For Agentic AI
        "Artificial intelligence has already transformed how enterprises operate, but the next wave of innovation, agentic AI, operates as autonomous or semi‑autonomous agents that can run code, interact with APIs, access databases, and make decisions on the fly. Organizations need to take immediate measures against security threats that can occur when software systems transition from producing passive text output to performing active operational tasks."
        https://www.securityweek.com/rethinking-security-for-agentic-ai/
      • The State Of Ransomware In The U.S.: Report And Statistics 2025
        "Despite arrests, takedowns, and the apparent collapse of several major ransomware groups, 2025 delivered no slowdown in ransomware harm. Victim numbers climbed sharply, new groups emerged, and attackers increasingly found success with social engineering over technical exploits."
        https://www.emsisoft.com/en/blog/47215/the-state-of-ransomware-in-the-u-s-report-and-statistics-2025/
        https://www.theregister.com/2026/01/08/ransomware_2025_emsisoft/
      • Inside Vercel’s Sleep-Deprived Race To Contain React2Shell
        "Talha Tariq and his colleagues at Vercel, the company that maintains Next.js, endured many sleep-deprived nights and weekends when React2Shell was discovered and disclosed soon after Thanksgiving. The defect, which affects vast stretches of the internet’s underlying infrastructure, posed a significant risk for Next.js, an open-source library that depends on vulnerable React Server Components."
        https://cyberscoop.com/vercel-cto-security-react2shell-vulnerability/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 08 January 2026

      Vulnerabilities

      • Ni8mare - Unauthenticated Remote Code Execution In n8n (CVE-2026-21858)
        "We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users should upgrade to version 1.121.0 or later to remediate the vulnerability."
        https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
        https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
        https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
        https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html
        https://cyberscoop.com/n8n-critical-vulnerability-massive-risk/
        https://securityaffairs.com/186648/security/ni8mare-flaw-gives-unauthenticated-control-of-n8n-instances.html
      • n8n Warns Of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted And Cloud Versions
        "Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE). The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system. "Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service," n8n said in an advisory released Tuesday. "This could result in full compromise of the affected instance.""
        https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html
        https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263
      • CVE-2025-68428: Critical Path Traversal In JsPDF
        "A critical local file inclusion and path traversal vulnerability has been disclosed in jsPDF, a widely-adopted npm package for generating PDF documents in JavaScript applications. The flaw, tracked as CVE-2025-68428 and GHSA-f8cm-6447-x5h2, allows attackers to read arbitrary files from the local filesystem and exfiltrate their contents by embedding them within generated PDFs. Successful exploitation results in unauthorized disclosure of sensitive data including configuration files, environment variables, credentials, and other files accessible to the Node.js process. File contents are included verbatim in generated PDFs, enabling data exfiltration through normal application output. As a result, this is considered a critical vulnerability with a CVSS v4.0 score of 9.2."
        https://www.endorlabs.com/learn/cve-2025-68428-critical-path-traversal-in-jspdf
        https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
        https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/
      • New Veeam Vulnerabilities Expose Backup Servers To RCE Attacks
        "Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability. Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," Veeam explained in a Tuesday advisory."
        https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabilities-expose-backup-servers-to-rce-attacks/
        https://www.veeam.com/kb4792
        https://thehackernews.com/2026/01/veeam-patches-critical-rce.html
        https://cyberscoop.com/veeam-backup-replication-security-flaw-remote-code-execution-fix/
        https://securityaffairs.com/186630/security/veeam-resolves-cvss-9-0-rce-flaw-and-other-security-issues.html
        https://www.securityweek.com/several-code-execution-flaws-patched-in-veeam-backup-replication/
      • IBM's AI Agent Bob Easily Duped To Run Malware, Researchers Show
        "IBM describes its coding agent thus: "Bob is your AI software development partner that understands your intent, repo, and security standards." Unfortunately, Bob doesn't always follow those security standards. Announced last October and presently in closed beta testing, IBM offers Bob in the form of a command line interface – a CLI, like Claude Code – and an integrated development environment – an IDE like Cursor."
        https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/

      Malware

      • Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, And Crypto-Focused Campaigns
        "GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. It targets internet-exposed services such as phpMyAdmin web panels, MySQL and PostgreSQL databases, and FTP servers. Infected hosts are incorporated into the botnet and accept remote operator commands. Newly discovered weak credentials are used to steal data, create backdoor accounts, sell access, and expand the botnet. The malicious toolkit is usually split into two parts. The first is an IRC bot that enables remote control of the compromised host, including command execution and updates. The second is a bruteforcer that is fetched later and used to scan random public IP ranges and attempt logins using credentials that are hardcoded or provided by the command and control (C2) server."
        https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/
        https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/
      • International Threats: Themes For Regional Phishing Campaigns
        "Cofense Intelligence relies on over 35 million trained employees from around the world, therefore a considerable number of analyzed campaigns are written in languages other than English. This report covers from May 2023 to May 2025 and focuses on the overall themes of campaigns in the top five most commonly seen languages besides English that bypassed perimeter filtering such as Secure Email Gateways (SEGs). Themes are valuable because they inform individuals what to be most suspicious of, can be used to help guide Security Awareness Training (SAT) by customizing content and phishing simulations, and enable a more rapid and informed response from Security Operations Centers (SOCs)."
        https://cofense.com/blog/international-threats-themes-for-regional-phishing-campaigns
      • Phishing Actors Exploit Complex Routing And Misconfigurations To Spoof Domains
        "Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing."
        https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/
        https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html
        https://www.darkreading.com/cloud-security/phishers-exploit-office-365-users-guard-down
        https://www.securityweek.com/complex-routing-misconfigurations-exploited-for-domain-spoofing-in-phishing-attacks/
        https://securityaffairs.com/186638/hacking/misconfigured-email-routing-enables-internal-spoofed-phishing.html
      • DDoSia Powers Affiliate-Driven Hacktivist Attacks
        "A pro-Russian hacktivist group known as NoName057(16) is using a volunteer-distributed distributed denial-of-service (DDoS) tool to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. The group has been active since at least 2022 and relies on a custom denial-of-service platform, dubbed DDoSia, that allows individuals with minimal technical skill to participate in coordinated attacks against target entities. Many of NoName057(16)'s campaigns have often coincided with major geopolitical events — such as Western sanctions, diplomatic actions, or military aid announcements — that it quickly frames as provocations worthy of retaliatory cyberattacks, and are similar to other ideologically driven cyber operations."
        https://www.darkreading.com/cyberattacks-data-breaches/ddosia-powers-volunteer-driven-hacktivist-attacks
      • Cyberattacks Likely Part Of Military Operation In Venezuela
        "The recent US military operation in Venezuela resulting in the capture of President Nicolás Maduro had "layering effects" provided by US Cyber Command and other agencies, but the degree to which cyber operations played a role in the raid remains a question mark, experts say. During a Jan. 3 press conference following the successful operation, President Donald Trump hinted that "a certain expertise" had allowed US forces to shut down power to the area of operations. "It was dark — the lights of Caracas were largely turned off due to a certain expertise that we have," he told reporters during the press conference."
        https://www.darkreading.com/cybersecurity-operations/cyberattacks-part-military-operation-venezuela
      • Ghost Tapped: Tracking The Rise Of Chinese Tap-To-Pay Android Malware
        "Group-IB researchers have observed the growing proliferation of NFC-enabled Android tap-to-pay malware developed and sold within Chinese cybercrime communities on Telegram. Also referred to as “Ghost Tap”, these applications are used to relay NFC communications between a victim’s device or a mobile wallet loaded with compromised payment cards, and the criminal’s device. This technique allows criminals to complete payments or cash-out remotely as though the victims’ cards were physically present."
        https://www.group-ib.com/blog/ghost-tapped-chinese-malware/
        https://www.infosecurity-magazine.com/news/ghost-tap-malware-remote-nfc-fraud/
      • Malicious NPM Packages Deliver NodeCordRAT
        "Zscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload. This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities. It is also possible to download bip40 as a standalone package, completely bypassing the other libraries. To deceive developers into downloading the fraudulent packages, the attacker used name variations of real repositories found within the legitimate bitcoinjs project."
        https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat
      • Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches
        "A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data. According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (aka ThreatBook), the activity is designed to strategically push bogus sites to the top of search results on search engines like Microsoft Bing, specifically targeting users looking for programs like Google Chrome, Notepad++, QQ International, and iTools."
        https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html
      • Unpacking The Packer ‘pkr_mtsi’
        "This blog post presents an in-depth technical analysis of pkr_mtsi, a malicious Windows packer first observed in the wild on April 24, 2025, and continuously deployed through the time of writing. The packer is actively leveraged in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers for legitimate software, enabling initial access and flexible delivery of follow-on payloads. In observed campaigns, pkr_mtsi has been used to deliver a diverse set of malware families, including Oyster, Vidar, Vanguard Stealer, Supper, and more, underscoring its role as a general-purpose loader rather than a single-payload wrapper."
        https://www.reversinglabs.com/blog/unpacking-pkr_mtsi
        https://www.infosecurity-magazine.com/news/malware-loader-pkrmtsi-payloads/

      Breaches/Hacks/Leaks

      • OwnCloud Urges Users To Enable MFA After Credential Theft Reports
        "File-sharing platform ownCloud warned users today to enable multi-factor authentication (MFA) to block attackers using compromised credentials from stealing their data. ownCloud has over 200 million users worldwide, including hundreds of enterprise and public-sector organizations such as the European Organization for Nuclear Research, the European Commission, German tech company ZF Group, insurance firm Swiss Life, and the European Investment Bank."
        https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/
      • Major Data Breach Hits Company Operating 150 Gas Stations In The US
        "Gulshan Management Services, Inc., a Texas-based company that operates over 150 gas stations and convenience stores under the Handi Plus and Handi Stop brands all over the United States, has confirmed a large-scale data breach that exposed personal information tied to more than 377,000 people. The incident came to light through a filing with the Maine Attorney General, a required step when residents of that state are affected. According to the disclosure, attackers gained unauthorized access to an external system between September 17 and September 27, 2025. The breach was discovered on September 27, suggesting it went undetected for several days before being identified."
        https://hackread.com/data-breach-us-gas-stations-company/
      • Spanish Airline Iberia Attributes Recent Data Breach Claims To November Incident
        "Leaked data exposed by a cybersecurity firm this week was allegedly stolen during a data breach identified in November, according to Spanish airline Iberia. On Monday, researchers at Hudson Rock published a report about a threat actor named Zestix that has been auctioning data allegedly stolen from the corporate file-sharing portals of about 50 large companies and law firms."
        https://therecord.media/spanish-airline-attributes-recent-breach-allegation-to-nov-incident
      • Illinois State Agency Exposed Personal Data Of 700,000 People
        "The Illinois Department of Human Services (IDHS) exposed personal information belonging to more than 700,000 state residents after inadvertently posting the data on the open internet where it remained for as long as four years before being taken down in September. The agency learned in late September that personal data showing names, addresses and other information for more than 32,400 disabled customers were left on the open web after agency officials created planning maps on a mapping website to help direct resource allocations."
        https://therecord.media/illinois-agency-exposed-data
      • ESA Calls Cops As Crims Lift Off 500 GB Of Files, Say Security Black Hole Still Open
        "The European Space Agency on Wednesday confirmed yet another massive security breach, and told The Register that the data thieves responsible will be subject to a criminal investigation. And this could be a biggie. Earlier in the week, Scattered Lapsus$ Hunters told us that they gained initial access to ESA's servers back in September by exploiting a public CVE, and stole 500 GB of very sensitive data. This, we're told, includes operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space, among others."
        https://www.theregister.com/2026/01/07/european_space_agency_breach_criminal_probe/

      General News

      • Why Legitimate Bot Traffic Is a Growing Security Blind Spot
        "Security teams have spent years improving their ability to detect and block malicious bots. That effort remains critical. Automated traffic now makes up more than half of all web traffic, and bot-driven attacks continue to grow in volume and sophistication. What has changed is the role of legitimate bots and how little visibility most security teams have into their behavior. So-called good bots now account for a significant share of automated traffic. Search engine crawlers index content. AI systems scrape pages to train models and generate responses. Agentic AI is beginning to interact with applications on behalf of users. These bots often operate within accepted norms, but at a scale that introduces real security, performance, and cost implications."
        https://hackread.com/legitimate-bot-traffic-security-blind-spot/
      • When AI Agents Interact, Risk Can Emerge Without Warning
        "System level risks can arise when AI agents interact over time, according to new research that examines how collective behavior forms inside multi agent systems. The study finds that feedback loops, shared signals, and coordination patterns can produce outcomes that affect entire technical or social systems, even when individual agents operate within defined parameters. These effects surface through interaction itself, which places risk in the structure of the system and how agents influence one another."
        https://www.helpnetsecurity.com/2026/01/07/research-interacting-ai-risks/
        https://arxiv.org/pdf/2512.17793
      • What European Security Teams Are Struggling To Operationalize
        "European security and compliance teams spend a lot of time talking about regulation. A new forecast report from Kiteworks suggests the harder problem sits elsewhere. According to the report, many European organizations have strong regulatory frameworks on paper, driven by GDPR and upcoming AI rules, and weaker operational systems that show how those rules work in daily practice. The gap, the report argues, shows up in areas like AI incident response, supply chain visibility, and compliance automation as organizations move toward 2026."
        https://www.helpnetsecurity.com/2026/01/07/security-teams-european-compliance-operations-gap/
      • Cloud And Threat Report: 2026
        "The 2026 edition of the Netskope Cloud and Threat Report is designed to analyze the most significant cybersecurity trends of the previous year, offering a critical preview of the challenges and risks that will define the enterprise landscape in 2026. In 2025, the rapid, often ungoverned, adoption of generative AI fundamentally reshaped the cybersecurity landscape. As organizations navigated the complexities of cloud data security, persistent phishing campaigns, and malware delivered through trusted channels, the introduction of widespread AI usage—particularly “shadow AI” and emerging “agentic AI”—layered new and complex data exposure risks onto the modern enterprise environment. This report provides a look back at the most significant trends of 2025 and serves as a critical preview of the evolving threat landscape for 2026, highlighting the additive nature of the risks that security teams must now confront. Not only do security teams still have to manage existing risks, but they now also have to manage the risks created by genAI."
        https://www.netskope.com/resources/cloud-and-threat-reports/cloud-and-threat-report-2026
        https://www.infosecurity-magazine.com/news/personal-llm-accounts-drive-shadow/
        https://www.helpnetsecurity.com/2026/01/07/gen-ai-data-violations-2026/
      • The Loudest Voices In Security Often Have The Least To Lose
        "Years ago, during one of the many times I’ve been in London, I turned on the television one evening. When the television fired up, I found myself watching a political debate between the leaders of different political parties leading up to an election. In the UK parliamentary system, the chosen leader of the political party that wins the most votes is appointed Prime Minister by the monarch. Thus, although there is no direct election for the Prime Minister, I was effectively watching a debate between candidates for Prime Minister."
        https://www.securityweek.com/the-loudest-voices-in-security-often-have-the-least-to-lose/
      • Threat Spotlight: How Phishing Kits Evolved In 2025
        "In 2025, 90% of high-volume phishing campaigns leveraged Phishing-as-a-Service (PhaaS) kits. These kits have transformed the phishing landscape, enabling even less-skilled cybercriminals to access advanced tools and automation and launch large-scale, targeted phishing campaigns, often impersonating legitimate services and institutions. This article provides an overview of phishing kit activity and evolution during 2025. It is a companion piece to the 2026 phishing predictions published in December 2025."
        https://blog.barracuda.com/2026/01/07/threat-spotlight-phishing-kits-evolved-2025
      • Stalkerware Operator Pleads Guilty In Rare Prosecution
        "The owner of a Michigan-based stalkerware company pleaded guilty on Monday to federal charges for selling a surveillance product designed to spy on people without their consent. Bryan Fleming admitted to founding and running pcTattletale, a company that marketed its spyware as a way for customers to catch romantic partners cheating. Fleming’s guilty plea is the first successful prosecution of a stalkerware operator since 2014."
        https://therecord.media/stalkerware-guilty-plea-fleming
        https://www.theregister.com/2026/01/07/stalkerware_slinger_pleads_guilty/
      • Alleged Cyber Scam Kingpin Arrested, Extradited To China
        "Cambodian authorities on Tuesday arrested and extradited to China Chen Zhi, the head of the Prince Group conglomerate and the alleged mastermind behind a multi-billion dollar scam empire. Cambodia’s Ministry of Interior announced the arrests of Zhi and two others — Xu Ji Liang and Shao Ji Hui — whose relation to Prince Group is unclear."
        https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited
      • Top 10 Ransomware Groups Of 2025
        "The Top 10 Ransomware Groups of 2025 illustrate how the ransomware ecosystem changed in structure rather than simply growing in volume. After the disruption of dominant groups in 2024, the ecosystem entered 2025 without a clear center of gravity. Instead of collapsing, ransomware operations adapted. Affiliates became more independent, group boundaries blurred, and former rivals increasingly operated without strict competitive lines. This shift reshaped how campaigns were organized, how infrastructure was shared, and how ransomware operations sustained momentum."
        https://socradar.io/blog/top-10-ransomware-groups-2025/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Vulnerability in TOTOLINK EX200 lets attackers take over the device remotely

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases the January Android security update, fixing a vulnerability in the Dolby Decoder


      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning for users of older D-Link routers: severe vulnerability "CVE-2026-0625" is already being exploited; replace the device immediately, as no patch is available


      Posted in Cyber Security News
      NCSA_THAICERT
    • Urgent! Critical vulnerability in the n8n Workflow Automation Platform, remediate immediately!
      ⚠️ ThaiCERT has been monitoring the cyber threat situation and has found the disclosure of a critical-severity vulnerability in the n8n platform

      If left unaddressed, it may allow malicious actors to access data on the server and potentially escalate to taking control of the system, affecting the security of the organization's information systems

      🔴 Vulnerability details
      • CVE-2026-21858, rated Critical with a CVSS score of 10.0, is a vulnerability involving incorrect interpretation of the data type (Content-Type) in the Webhook and Form processing, including the file-handling component
      • It may allow an attacker who can reach n8n's Webhook and Form endpoints to attack without authentication, via certain Form-related workflow patterns, in order to access and read files on the server. This could be used to expose sensitive data, bypass authentication, and lead to system takeover

      🎯 Affected products and versions
      • n8n versions up to and including 1.65.0
      • Fixed version: 1.121.0 or later

      ⚠️ ThaiCERT recommends that organizations running an affected version check and remediate immediately

      🔎 Detection and prevention guidance
      Detection guidance
      1. Check whether the n8n platform in use is version 1.65.0 or earlier
      2. Review workflows that use Form or Webhook nodes, and any endpoints that are reachable from outside
      3. Check whether any Form or Webhook endpoints are publicly exposed
      4. Review logs related to Webhook and Form invocations, and look for abnormal file-access behaviour on the host serving n8n

      Prevention guidance
      • Update the n8n platform to version 1.121.0 or later

      Temporary measures (if an immediate update is not possible)
      1. Restrict or disable publicly exposed Webhook and Form endpoints until the update is applied
      2. Avoid exposing n8n directly to the internet; restrict access to the internal network or VPN only
      3. Enforce authentication for all Forms

      These measures are only temporary risk mitigations; administrators should update the platform to a secure version as soon as possible

      🔗 References
      • https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html
      • https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
      • https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
      With best regards
      National Cyber Security Agency (NCSA) / ThaiCERT

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨 Check and remediate urgently! Critical vulnerability in the n8n Workflow Automation Platform

      🚨 Check and remediate urgently! A critical vulnerability in the n8n Workflow Automation Platform may be used to escape the sandbox of the Python Code Node, exposing the system to unauthorized command execution

      ⚠️ If left unaddressed, this vulnerability may expose the system to unauthorized access or control, affecting the security of the organization's information systems, and may lead to changes to system configuration, service disruption, or damage to data and to the system's trustworthiness

      🔴 Vulnerability details
      • CVE-2025-68668 is a critical-severity vulnerability with a CVSS score of 9.9, classified as a Sandbox Bypass, i.e., a failure of the mechanism that confines code execution. It occurs in the Python Code Node of the n8n platform, which invokes Pyodide (a Python runtime on WebAssembly) to create an environment for executing Python code inside n8n workflows
      • The vulnerability allows an authenticated user with permission to create or edit workflows to write Python code in the Python Code Node that escapes the confinement of the Python execution environment (Pyodide), making it possible to run commands directly on the host serving n8n. Those commands execute with the same privileges as the n8n process, which may lead to unauthorized system access, configuration changes, or broad system compromise

      🎯 Affected products and versions
      • n8n versions 1.X.X (prior to 2.0.0)

      ⚠️ ThaiCERT recommends that organizations running an affected version check and remediate immediately

      🔎 Detection and prevention guidance

      1. Detection guidance
        • Check whether the n8n platform in use is a version below 2.0.0
        • Check whether any workflows use the Python Code Node
        • Review the user accounts that have permission to create or edit workflows

      2. Prevention guidance
        • Update the n8n platform to version 2.0.0 or later
        • For systems still running n8n 1.x, security can be improved by configuring the task-runner Python sandbox through the environment variables:
          • N8N_RUNNERS_ENABLED
          • N8N_NATIVE_PYTHON_RUNNER
      3. Temporary measures (if an immediate update is not possible)
        • Temporarily disable the Code Node by setting NODES_EXCLUDE: ["n8n-nodes-base.code"]
        • Disable Python support in the Code Node by setting N8N_PYTHON_ENABLED=false
        • Limit the users who can create or edit workflows to only those who need it
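      The version and configuration checks in the detection and temporary-measure steps above, as an added shell example that is not part of the ThaiCERT advisory or the n8n project. It assumes the environment values are collected from the deployment's .env file or unit file and passed in as arguments, that NODES_EXCLUDE is the JSON array shown above, and that the value "true" is what enables N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER.

```shell
#!/bin/sh
# Added example (not from the advisory or the n8n project): classify an n8n
# deployment as OK, MITIGATED or VULNERABLE for CVE-2025-68668 from its version
# string and the environment variables named in the advisory.

# Returns 0 when the major version is below 2 (affected 1.x range),
# 1 when it is 2.0.0 or later, 2 when the version string cannot be parsed.
n8n_version_affected() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  case "$major" in
    ''|*[!0-9]*) return 2 ;;
  esac
  if [ "$major" -lt 2 ]; then return 0; fi
  return 1
}

# Prints one verdict line. Arguments, in order:
#   version  N8N_PYTHON_ENABLED  NODES_EXCLUDE  N8N_RUNNERS_ENABLED  N8N_NATIVE_PYTHON_RUNNER
n8n_check() {
  ver=$1; py_enabled=$2; excluded=$3; runners=$4; native_py=$5
  rc=0
  n8n_version_affected "$ver" || rc=$?
  case "$rc" in
    1) echo "OK: n8n $ver is 2.0.0 or later"; return 0 ;;
    2) echo "UNKNOWN: cannot parse version '$ver'"; return 0 ;;
  esac
  active=""
  # Temporary measure: Python support turned off in the Code Node.
  [ "$py_enabled" = "false" ] && active="$active python-disabled"
  # Temporary measure: the Code Node excluded entirely (NODES_EXCLUDE is a JSON array).
  case "$excluded" in
    *'"n8n-nodes-base.code"'*) active="$active code-node-excluded" ;;
  esac
  # Hardening for 1.x: task-runner Python sandbox (assumed to be enabled by "true").
  if [ "$runners" = "true" ] && [ "$native_py" = "true" ]; then
    active="$active task-runner"
  fi
  if [ -n "$active" ]; then
    echo "MITIGATED: n8n $ver is in the affected range; active workarounds:$active"
  else
    echo "VULNERABLE: n8n $ver is in the affected range with no workaround; upgrade to 2.0.0 or later"
  fi
}

# Constructed sample deployments (not real hosts), one per line of output.
n8n_check "1.65.0" "" "" "" ""
n8n_check "1.70.2" "false" "" "" ""
n8n_check "1.70.2" "" '["n8n-nodes-base.code"]' "" ""
n8n_check "1.70.2" "" "" "true" "true"
n8n_check "2.0.0" "" "" "" ""
```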
      🔗 References
      https://nvd.nist.gov/vuln/detail/CVE-2025-68668
      https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
      https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
      https://cwe.mitre.org/data/definitions/693.html

      With best regards
      National Cyber Security Agency (NCSA) / ThaiCERT

      Posted in Cyber Security News
      NCSA_THAICERT
    • Chrome extension "Claude" at risk of hackers using AI to steal tokens and run cross-site scripts


      Posted in Cyber Security News
      NCSA_THAICERT
    • Ledger customers affected by the data breach at Global-e, a third-party service provider


      Posted in Cyber Security News
      NCSA_THAICERT
    • ClickFix attack campaign uses a fake Windows blue screen (BSOD) to trick users into installing malware


      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 07 January 2026

      Vulnerabilities

      • New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands
        "A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated attacker to execute arbitrary system commands on the underlying host. The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure. Cyera Research Labs' Vladimir Tokarev and Ofek Itach have been credited with discovering and reporting the flaw, which has been codenamed N8scape."
        https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
        https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
      • New D-Link Flaw In Legacy DSL Routers Actively Exploited In Attacks
        "Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago. The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters. Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots."
        https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks/
        https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
      • Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write On Servers
        "Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. "@adonisjs/bodyparser" is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers with TypeScript. The library is used to process AdonisJS HTTP request body."
        https://thehackernews.com/2026/01/critical-adonisjs-bodyparser-flaw-cvss.html
        https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h
      • Cato CTRL™ Threat Research: Vulnerability Discovered In Open WebUI Enables Account Takeover And Remote Code Execution (CVE-2025-64496)
        "Cato CTRL’s Vitaly Simonovich (senior security researcher) has discovered a vulnerability (CVE-2025-64496 with a “High” severity rating of 7.3 out of 10) in Open WebUI in versions 0.6.34 and older. This flaw affects the Direct Connections feature, which lets users connect to external AI model servers (ex: OpenAI’s API). If a threat actor tricks a user into connecting to a malicious server, it can lead to an account takeover attack. If the user also has workspace.tools permission enabled, it can lead to remote code execution (RCE). Which means that a threat actor can control the system running Open WebUI."
        https://www.catonetworks.com/blog/cato-ctrl-vulnerability-discovered-open-webui-cve-2025-64496/
        https://www.infosecurity-magazine.com/news/flaw-open-webui-affects-ai/
      • TOTOLINK EX200 Firmware-Upload Error Handling Can Activate An Unauthenticated Root Telnet Service
        "A flaw in the firmware-upload error-handling logic of the TOTOLINK EX200 extender can cause the device to unintentionally start an unauthenticated root-level telnet service. This condition may allow a remote authenticated attacker to gain full system access."
        https://kb.cert.org/vuls/id/295169
        https://thehackernews.com/2026/01/unpatched-firmware-flaw-exposes.html
        https://securityaffairs.com/186597/security/cert-cc-warns-of-critical-unfixed-vulnerability-in-totolink-ex200.html
      • Critical Dolby Vulnerability Patched In Android
        "The January 2026 Android update patches a single vulnerability, a critical Dolby audio decoder issue whose existence came to light in October 2025. The flaw, tracked as CVE-2025-54957, was described at the time of its disclosure as a medium-severity out-of-bounds write issue impacting the widely used Dolby Digital Plus (DD+) Unified Decoder. The vulnerability, exploitable using specially crafted media files, was discovered by Google researchers and reported to Dolby in June 2025, with a patch released in September."
        https://www.securityweek.com/critical-dolby-vulnerability-patched-in-android/
        https://securityaffairs.com/186591/security/google-fixes-critical-dolby-decoder-bug-in-android-january-update.html

      Malware

      • Cyber Counterintelligence (CCI): When 'Shiny Objects' Trick 'Shiny Hunters'
        "It is worth noting that "Shiny Hunters" (tricked by our team with a honeytrap), or more accurately, their rebranded version involving new members, which calls itself "Scattered Lapsus$ Hunters" (SLH) or "Scattered Lapsus$ Shiny Hunters (SLSH)," linked to 'The Com' (short for 'The Community'), a predominantly English-speaking cybercriminal ecosystem. This loosely organized network operates more like a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teenagers. Some announcements of successful data breaches by these actors were published on the associated Telegram channel, "The Comm Leaks." The FBI issued a Public Service Announcement (PSA) last year warning about the risks associated with joining such movements."
        https://www.resecurity.com/blog/article/cyber-counterintelligence-cci-when-shiny-objects-trick-shiny-hunters
        https://databreaches.net/2026/01/06/cyber-counterintelligence-cci-resecurity-releases-data-on-john-erin-binns-irdev/
        https://securityaffairs.com/186586/cyber-crime/resecurity-went-on-the-cyber-offensive-when-shiny-objects-trick-shiny-hunters.html
      • 900K Users Compromised: Chrome Extensions Steal ChatGPT And DeepSeek Conversations
        "The OX Research team detected a new malware campaign stealing ChatGPT and DeepSeek conversations – from over 900,000 Chrome extension downloads. Two malicious extensions were found exfiltrating user conversations and all Chrome tab URLs to a remote C2 server every 30 minutes. The malware deceives users by impersonating a legitimate extension by a company called AITOPIA, which adds a sidebar on top of any website, with the ability to chat with the most popular LLMs in the market."
        https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/
        https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html

      General News

      • Taiwan Says China's Attacks On Its Energy Sector Increased Tenfold
        "The National Security Bureau in Taiwan says that China's attacks on the country's energy sector increased tenfold in 2025 compared to the previous year. A report from the agency highlights that attackers targeted critical infrastructure in nine key sectors, and the total number of cyber incidents linked to China grew by 6%. The emergency rescue and hospitals sectors saw an increase in cyberattacks of 54%, while communications and transmissions recorded 6.7% more incidents."
        https://www.bleepingcomputer.com/news/security/taiwan-says-chinas-attacks-on-its-energy-sector-increased-tenfold/
      • 7 Types Of Hacker Motivations
        "Hackers are not created equal, nor do they have the same purpose. Some hackers are paid to scrutinize security systems, find loopholes, fix weaknesses, and ultimately protect organizations and people. Others exploit those same gaps for profit, power, or disruption. What separates hackers isn’t just skill level or tactics; it’s intent. The purpose behind an attack changes everything about how hackers shape their tactics and how the hacking process unfolds: who is targeted, which methods and tools are used, how patient the attacker is, and the kind of damage they want to cause."
        https://www.mcafee.com/blogs/internet-security/7-types-of-hacker-motivations/
      • CISOs Face a Tighter Insurance Market In 2026
        "Cyber-risk leaders may not want to get too cozy with the current dynamics in the cyber-insurance market. After a couple of years of softening rates and cutthroat competition, the pace of premium rate reductions shows signs of slowing, and insurers are asking for more proof of best practices before writing policies or paying claims. Boards and enterprise risk management stakeholders increasingly see cyber insurance as a non-negotiable part of cyber-risk management strategies, but while it may be easier and cheaper to get coverage now, all it takes is one or two mega loss events — a supply chain problem or AI-related incident — to cause underwriting stances to shift dramatically."
        https://www.darkreading.com/endpoint-security/cisos-face-tighter-insurance-market
      • Startup Trends Shaking Up Browsers, SOC Automation, AppSec
        "Entrepreneurs, investors, and CISOs working in startups are often developing new artificial intelligence (AI) technologies, infrastructure, and attack surfaces long before most early adopters. It's instructive for us to pay attention to what they've been up to in 2025 to see where the industry is headed. The following trends have emerged in the startup space over the past year that will disrupt Web security, threat modeling, and AI SOC automation for years to come."
        https://www.darkreading.com/endpoint-security/startup-trends-shaking-up-browsers-soc-automation-appsec
      • How To Avoid Phishing Incidents In 2026: A CISO Guide
        "By 2026, most phishing emails will look legitimate enough to pass filters and first checks. Trusted platforms, clean-looking links, and delayed execution make fast decisions risky and slow ones dangerous. As a result, investigations drag on, queues grow during phishing waves, and confidence in verdicts drops. Read on to see how security leaders can regain confidence in phishing decisions and reduce investigation pressure as these attacks become harder to spot."
        https://hackread.com/how-to-avoid-phishing-incidents-2026-ciso-guide/
      • Turning Plain Language Into Firewall Rules
        "Firewall rules often begin as a sentence in someone’s head. A team needs access to an application. A service needs to be blocked after hours. Translating those ideas into vendor specific firewall syntax usually involves detailed knowledge of zones, objects, ports, and rule order. New research from New York University examines a different starting point, one that treats natural language as the entry point for firewall configuration."
        https://www.helpnetsecurity.com/2026/01/06/research-natural-language-firewall-configuration/
        https://arxiv.org/pdf/2512.10789
      • The Roles And Challenges In Moving To Quantum-Safe Cryptography
        "A new research project examines how organizations, regulators, and technical experts coordinate the transition to quantum safe cryptography. The study draws on a structured workshop with public sector, private sector, and academic participants to document how governance, security, and innovation systems shape cryptographic migration planning. The paper focuses on the Netherlands as a case study. The authors frame the transition to quantum safe systems as a socio technical process that involves institutions, standards bodies, and operational decision makers alongside cryptographic engineering work."
        https://www.helpnetsecurity.com/2026/01/06/quantum-safe-cryptography-transition-research/
        https://arxiv.org/pdf/2512.16974
      • Cyber Risk Trends For 2026: Building Resilience, Not Just Defenses
        "If there’s one lesson from the past year, it’s this: we won’t outpace the adversary by trying to stop every attack. We will, however, outlast them by becoming measurably more resilient. In my recent lecture on emerging threats for 2026, I made the case that cyberattacks will be more complex, more persistent, more intelligent, and far more automated than we’ve seen before. That means our odds of outright prevention diminish. The imperative shifts to resilience; the ability to take a punch, adapt in the moment, and rebound quickly with minimal damage."
        https://www.securityweek.com/cyber-risk-trends-for-2026-building-resilience-not-just-defenses/
      • HackerOne 'ghosted' Me For Months Over $8,500 Bug Bounty, Says Researcher
        "Last fall, Jakub Ciolek reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne's Internet Bug Bounty (IBB) program. Both were assigned CVEs and have since been fixed. But instead of receiving an $8,500 reward for the two flaws, Ciolek says, HackerOne ghosted him for months. The open source bug bounty program finally contacted Ciolek on Tuesday, but only after The Register reached out to HackerOne asking about the status of his reward payment and the IBB program in general."
        https://www.theregister.com/2026/01/07/hackerone_ghosted_researcher/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 January 2026

      Healthcare Sector

      • Pharma’s Most Underestimated Cyber Risk Isn’t a Breach
        "Chirag Shah, Global Information Security Officer & DPO at Model N examines how cyber risk in pharma and life sciences is shifting beyond traditional breaches toward data misuse, AI-driven exposure and regulatory pressure. He explains why executives still underestimate silent control failures, how ransomware groups are weaponizing compliance risk, and why proof of security will increasingly require real-time governance, not audits, as cybersecurity and compliance continue to converge."
        https://www.helpnetsecurity.com/2026/01/05/chirag-shah-model-n-pharma-cyber-risk/

      New Tooling

      • OpenAEV: Open-Source Adversarial Exposure Validation Platform
        "OpenAEV is an open source platform designed to plan, run, and review cyber adversary simulation campaigns used by security teams. The project focuses on organizing exercises that blend technical actions with operational and human response elements, all managed through a single system. At the core of OpenAEV is the concept of a scenario. A scenario defines a threat context and turns it into a structured plan made up of events called injects. Scenarios can include background material such as documents, media files, and contextual data that help frame the exercise for participants. Players and assets are defined at this level, linking people and endpoints to the planned activity."
        https://www.helpnetsecurity.com/2026/01/05/openaev-open-source-adversarial-exposure-validation-platform/
        https://github.com/OpenAEV-Platform/openaev

      Vulnerabilities

      • Claude In Chrome: A Threat Analysis
        "Claude in Chrome, made available in beta to all paid plan subscribers on Dec 18th, is the new agentic chrome extension by Anthropic. Following the likes of Perplexity's Comet, ChatGPT’s Atlas, and others, Anthropic brought Claude’s capabilities into the browser. It's less a browser extension than a new kind of browser altogether. This paradigm shift demands a corresponding shift in how we think about security. The threat model for an agentic browser includes both familiar as well as novel risks. In this post, we map the attack surface of Claude Chrome where the agent—not the user—is in the driver's seat."
        https://labs.zenity.io/p/claude-in-chrome-a-threat-analysis
        https://hackread.com/data-exposure-risk-claude-chrome-extension/
      • WhatsApp Silent Fix Of Device Fingerprinting Privacy Issue Assessment: The Good, The (Not So) Bad, And The (Somewhat) Ugly
        "Using our research tool, we discovered that WhatsApp is silently implementing fixes for device fingerprinting privacy vulnerabilities. While the fix remains incomplete, it signals WhatsApp is finally starting to address vulnerabilities that were responsibly disclosed by the security community."
        https://medium.com/@TalBeerySec/whatsapp-silent-fix-of-device-fingerprinting-privacy-issue-assessment-the-good-the-not-so-bad-9127b5215e28
        https://www.securityweek.com/researcher-spotlights-whatsapp-metadata-leak-as-meta-begins-rolling-out-fixes/

      Malware

      • Dozens Of Global Companies Hacked Via Cloud Credentials From Infostealer Infections & More At Risk
        "A high-profile threat actor, operating under the moniker “Zestix” (also operating under the alias “Sentap”), has been identified auctioning data exfiltrated from the corporate file-sharing portals of approximately 50 major global enterprises. This report serves as an exhaustive analysis of this campaign, offering direct evidence for key compromises, detailing the breach of ShareFile, OwnCloud, and Nextcloud instances belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors."
        https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
        https://www.bleepingcomputer.com/news/security/cloud-file-sharing-sites-targeted-for-corporate-data-theft-attacks/
      • Analyzing PHALT#BLYX: How Fake BSODs And Trusted Build Tools Are Used To Construct a Malware Infection
        "Securonix threat researchers have been tracking a stealthy campaign targeting the hospitality sector using click-fix social engineering, fake captcha and fake blue screen of death to trick users into pasting malicious code. It leverages a trusted MSBuild.exe tool to bypass defenses and deploys a stealthy, Russian-linked DCRat payload for full remote access and the ability to drop secondary payloads."
        https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
        https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-bsod-screens-to-push-malware/
        https://therecord.media/russian-hackers-europe-hospitality-blue-screen
      • How We Prevented Cursor, Windsurf & Google Antigravity From Recommending Malware
        "We discovered that the most popular AI IDEs were officially recommending extensions that didn't exist, namespaces anyone could claim and upload malware to. So we claimed them first. Cursor, Windsurf, Google Antigravity, Trae: these are the hottest tools in software development right now. Cursor alone has over a million daily active users and a $9.9 billion valuation. Windsurf hit a million users within months of launch. Google Antigravity launched just weeks ago, backed by the $2.4 billion acquisition of Windsurf's team and technology. They all have something in common: they're all forked from VSCode."
        https://www.koi.ai/blog/how-we-prevented-cursor-windsurf-google-antigravity-from-recommending-malware
        https://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/
      • The DocuSign Impersonation Wave With Real-Time Customizable LogoKit
        "Phishing remains one of the most significant cyberattack entry points worldwide. According to Group-IB’s High-Tech Crime Trends Report 2025, phishing activity grew by 22% year-on-year — highlighting how heavily attackers still rely on social-engineering to gain initial access. Meanwhile, the FBI’s IC3 recorded 193,407 phishing and spoofing complaints in 2024, the year’s top cyber-crime category, contributing to $16.6 billion in reported losses."
        https://www.group-ib.com/blog/docusign-impersonation-logokit/
      • A Broken System Fueling Botnets
        "Synthient continues to track the Kimwolf DDoS and proxy botnet with this report, delivering significant findings on the inner workings, infection chain, and reliance on the residential proxy ecosystem. Kimwolf has been highly active since early August of 2025, with substantial growth over the past four months. The Synthient’s research team assesses with high confidence that the total number of infected devices has surpassed 2 million, primarily targeting Android devices running an exposed Android Debug Bridge (ADB) service via residential proxies. These findings further reveal an expansive network of compromised TV streaming devices used by providers to obtain large pools of IP addresses."
        https://synthient.com/blog/a-broken-system-fueling-botnets
        https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html
        https://www.securityweek.com/kimwolf-android-botnet-grows-through-residential-proxy-networks/
        https://securityaffairs.com/186559/malware/kimwolf-botnet-leverages-residential-proxies-to-hijack-2m-android-devices.html
      • Russia-Aligned Hackers Abuse Viber To Target Ukrainian Military And Government
        "The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. "This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center said in a technical report. Also tracked as Hive0156, the hacking group is primarily known for leveraging war-themed lures in phishing emails to deliver Hijack Loader in attacks targeting Ukrainian entities. The malware loader subsequently acts as a pathway for Remcos RAT infections."
        https://thehackernews.com/2026/01/russia-aligned-hackers-abuse-viber-to.html
        https://securityaffairs.com/186571/apt/russia-linked-apt-uac-0184-uses-viber-to-spy-on-ukrainian-military-in-2025.html
      • Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP
        "I investigated a phishing email impersonating WordPress.com that claims a domain renewal is due soon and urges immediate action to prevent service disruption. The campaign leads victims to a fake WordPress payment portal hosted on attacker infrastructure and performs theft of credit card details and 3-D Secure OTPs, which are exfiltrated to the attacker via Telegram."
        https://malwr-analysis.com/2025/12/31/fake-wordpress-domain-renewal-phishing-email-stealing-credit-card-and-3-d-secure-otp/

      Breaches/Hacks/Leaks

      • US Broadband Provider Brightspeed Investigates Breach Claims
        "Brightspeed, one of the largest fiber broadband companies in the United States, is investigating security breach and data theft claims made by the Crimson Collective extortion gang. Founded in 2022, the U.S. telecommunications and Internet service provider (ISP) serves rural and suburban communities across 20 states. "We take the security of our networks and protection of our customers' and employees' information seriously and are rigorous in securing our networks and monitoring threats. We are currently investigating reports of a cybersecurity event," Brightspeed told BleepingComputer. "As we learn more, we will keep our customers, employees and authorities informed.""
        https://www.bleepingcomputer.com/news/security/us-broadband-provider-brightspeed-investigates-breach-claims/
        https://www.securityweek.com/brightspeed-investigating-cyberattack/
      • Ledger Customers Impacted By Third-Party Global-e Data Breach
        "Ledger is informing some customers that their personal data has been exposed after hackers breached the systems of third-party payment processor Global-e. In a statement for BleepingComputer, the blockchain company underlines that its network has not been impacted and that the platform's hardware and software systems remain secure. "Some of the data accessed as part of this incident pertained to customers who purchased on Ledger.com using Global-e as a Merchant of Record," the company told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/ledger-customers-impacted-by-third-party-global-e-data-breach/
      • NordVPN Denies Breach Claims, Says Attackers Have "Dummy Data"
        "NordVPN denied allegations that its internal Salesforce development servers were breached, saying that cybercriminals obtained "dummy data" from a trial account on a third-party automated testing platform. The company's statement comes after a threat actor (using the 1011 handle) claimed on a hacking forum over the weekend that they stole more than 10 databases containing sensitive information like Salesforce API keys and Jira tokens, following a brute-force attack against a NordVPN development server."
        https://www.bleepingcomputer.com/news/security/nordvpn-denies-breach-claims-says-attackers-have-dummy-data/
        https://hackread.com/nordvpn-denies-breach-hacker-salesforce-dev-data/
      • New Zealand Probes Ransomware Hack Of Health Portal
        "The New Zealand government is probing a year-end ransomware hack of private healthcare service provider Manage My Health that impacted thousands of patients. Digital extortion group Kazu has claimed responsibility and threatened to leak the data on Jan. 15 unless it receives a $60,000 ransom. Manage My Health is an online portal used by more than 1.85 million New Zealanders for booking medical appointments and accessing health records and prescriptions. Kazu has claimed that it stole 4.15 terabytes of data, which is over 700 files."
        https://www.bankinfosecurity.com/new-zealand-probes-ransomware-hack-health-portal-a-30444
        https://www.infosecurity-magazine.com/news/new-zealand-orders-review-manage/
        https://www.theregister.com/2026/01/05/nz_managemyhealth_breach_review/
      • Researcher Wipes White Supremacist Dating Sites, Leaks Data On Okstupid[.]lol
        "A self-described security researcher operating under the pseudonym Martha Root has breached and exposed thousands of user profiles from a WordPress hosted white supremacist dating website, WhiteDate and two associated platforms, WhiteChild and WhiteDeal. The incident was discussed during the 39th Chaos Communication Congress (CCC) in Hamburg in late December 2025, and has since drawn both praise and controversy across cybersecurity and political circles."
        https://hackread.com/white-supremacist-dating-sites-wiped-okstupid-lol/
      • Cyberattack Forces British High School To Close
        "A cyberattack has forced a British high school to remain closed following the Christmas holidays. Higham Lane School in Nuneaton, a town in central England, has told its roughly 1,500 students they won’t be able to attend classes until at least Wednesday due to the incident. In an email to parents and carers, the school said the cyberattack “has taken down the school IT system,” leaving staff without access “to any digital services including telephones / emails / servers and the school’s management system.”"
        https://therecord.media/cyberattack-british-high-school-closes

      General News

      • The Enduring Attack Surface Of VPNs
        "One way to look at the novel coronavirus pandemic: A societal experiment in how an oft-overlooked yet essential element of secure networking would stand up to an exploding user base. Unsurprisingly, the rapid uptake of virtual private networks by companies suddenly managing a remote workforce came with significant security costs. Researchers from the Blekinge Institute of Technology in Sweden in a 2025 paper counted a 238% surge in VPN targeted attacks between 2020 and 2022, peak years of coronavirus lockdowns. The study is a meta-analysis of 81 reports from sources including Google and BrightTALK."
        https://www.bankinfosecurity.com/enduring-attack-surface-vpns-a-30446
      • AI Security Risks Are Also Cultural And Developmental
        "Security teams spend much of their time tracking vulnerabilities, abuse patterns, and system failures. A new study argues that many AI risks sit deeper than technical flaws. Cultural assumptions, uneven development, and data gaps shape how AI systems behave, where they fail, and who absorbs the harm. The research was produced by a large international group of scholars from universities, ethics institutes, and policy bodies, including Ludwig Maximilian University of Munich, the Technical University of Munich, and the African Union. It examines AI through international human rights law, with direct relevance to security leaders responsible for AI deployment across regions and populations."
        https://www.helpnetsecurity.com/2026/01/05/ai-security-governance-risks-research/
        https://arxiv.org/pdf/2512.15786
      • 8 Cybersecurity Predictions For 2026: Barracuda Leaders Share Their Insights
        "As we head into 2026, cybersecurity is changing faster than ever — thanks to big leaps in artificial intelligence, increasingly complex regulatory requirements and mounting pressure on critical infrastructure. To help organizations navigate these changes, three Barracuda executives share their top predictions for the coming year, offering valuable insights on the operational challenges, compliance risks and strategic priorities shaping the future of security."
        https://blog.barracuda.com/2026/01/05/cybersecurity-predictions-2026-barracuda-leaders
      • Bitfinex Hack Convict Ilya Lichtenstein Released Early Under U.S. First Step Act
        "Ilya Lichtenstein, who was sentenced to prison last year for money laundering charges in connection with his role in the massive hack of cryptocurrency exchange Bitfinex in 2016, said he has been released early. In a post shared on X last week, the 38-year-old announced his release, crediting U.S. President Donald Trump's First Step Act. According to the Federal Bureau of Prisons' inmate locator, Lichtenstein is scheduled for release on February 9, 2026. "I remain committed to making a positive impact in cybersecurity as soon as I can," Lichtenstein added. "To the supporters, thank you for everything. To the haters, I look forward to proving you wrong.""
        https://thehackernews.com/2026/01/bitfinex-hack-convict-ilya-lichtenstein.html
        https://www.infosecurity-magazine.com/news/lichtenstein-released-bitfinex/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • "VVS Stealer": Info-Stealing Malware That Evades Detection, Targeting Discord Accounts and Browser Data


      Follow the latest news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Sedgwick Discloses Data Breach Following TridentLocker Ransomware Attack


      Follow the latest news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Phishing Campaign Abuses a Google Cloud Feature to Send Convincing Scam Emails That Are Hard for Detection Systems to Catch


      Follow the latest news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT