Financial Sector
- Criminal Networks Industrialize Payment Fraud Operations
"Fraud operations are expanding faster than payment defenses can adjust. Criminal groups function like coordinated businesses that develop tools, automate tasks, and scale attacks. New data from a Visa report shows how these shifts are reshaping risk across the financial sector."
https://www.helpnetsecurity.com/2025/11/27/visa-payment-fraud-trends-report/
Malware
- Shai-Hulud 2.0 Campaign Targets Cloud And Developer Ecosystems
"This blog continues our investigation on the Node Package Manager (NPM) supply chain attack that took place on September 15, where attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. Our previous blog detailed how the malicious code injected onto JavaScript packages diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic, and how the Shai-hulud worm in the attack payload steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts. An incident this November 24 reported hundreds of NPM repositories compromised by what appears to be a new Shai-hulud campaign with the repository description, "Sha1-Hulud: The Second Coming.""
https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
- Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?
"ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. ReliaQuest’s Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months. These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/
https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
- Meet Rey, The Admin Of ‘Scattered Lapsus$ Hunters’
"A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father."
https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/
https://hackread.com/report-names-teen-scattered-lapsus-hunters-group/
Breaches/Hacks/Leaks
- OpenAI Discloses API Customer Data Breach Via Mixpanel Vendor Hack
"OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel. Mixpanel offers event analytics that OpenAI uses to track user interactions on the frontend interface for the API product. According to the AI company, the cyber incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or other products."
https://www.bleepingcomputer.com/news/security/openai-discloses-api-customer-data-breach-via-mixpanel-vendor-hack/
https://openai.com/index/mixpanel-incident/
https://www.infosecurity-magazine.com/news/openai-warns-mixpanel-data-breach/
https://www.securityweek.com/openai-user-data-exposed-in-mixpanel-hack/
https://hackread.com/openai-api-mixpanel-data-breach-chatgpt/
https://securityaffairs.com/185121/data-breach/openai-data-may-have-been-exposed-after-a-cyberattack-on-analytics-firm-mixpanel.html
https://www.theregister.com/2025/11/27/openai_mixpanel_api/
- Asahi Admits Ransomware Gang May Have Spilled Almost 2M People's Data
"Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people. Back on September 29, Asahi disclosed a "system failure caused by a cyberattack" that knocked out ordering, shipping, and call center systems across its Japanese operations. Days later, the attack was claimed by the Qilin ransomware crew, which reckons it stole some 27 GB of internal files – including employee records, contracts, financial documents, and other sensitive assets."
https://www.theregister.com/2025/11/27/asahi_ransomware_numbers/
https://www.infosecurity-magazine.com/news/asahi-15-million-customers/
https://www.securityweek.com/asahi-data-breach-impacts-2-million-individuals/
https://securityaffairs.com/185126/data-breach/asahi-says-crooks-stole-data-of-approximately-2m-customers-and-employees.html
General News
- Your Critical Infrastructure Is Running Out Of Time
"Cyber attackers often succeed not because they are inventive, but because the systems they target are old. A new report by Cisco shows how unsupported technology inside national infrastructure creates openings that attackers can exploit repeatedly. The findings show how widespread this problem has become and how much it influences national resilience."
https://www.helpnetsecurity.com/2025/11/27/cisco-legacy-system-vulnerabilities-report/
- The Identity Mess Your Customers Feel Before You Do
"Customer identity has become one of the most brittle parts of the enterprise security stack. Teams know authentication matters, but organizations keep using methods that frustrate users and increase risk. New research from Descope shows how companies manage customer identity and the issues that have been building in the background."
https://www.helpnetsecurity.com/2025/11/27/descope-customer-identity-issues-report/
- Fraud Fears But No Breach Spike Expected This Festive Season
"Security experts have dismissed fears that threat actors could step up cyber-attacks on distracted retailers this Black Friday and in the run up to Christmas, although concerns persist. Huntsman Security analyzed data security incidents reported to the UK's Information Commissioner's Office (ICO) between Q3 2024 and Q2 2025. It found that the 1381 incidents reported by the retail and manufacturing sector had only minor seasonal peaks, with none outside a margin of error. Some 355 incidents were reported to the regulator in the busiest time of the year for retailers (Q4), versus 323 in Q3 2024, 317 in Q2 2025 and 386 in Q2 2025. The latter period included the massive ransomware breaches at M&S and the Co-Op Group."
https://www.infosecurity-magazine.com/news/fraud-fears-no-breach-spike/
- Ransomware Reshaping Cyber As National Security Priority
"Non-stop, high-profile ransomware attacks against Britain and the United States have transformed cybersecurity into a national security priority, Anne Neuberger, the former White House deputy national security adviser for cyber, said at a Wednesday event in London. "For too long, it's been a tech thing, 'go get your CIO to fix it,'" Neuberger told attendees at an event hosted by think tank Royal United Services Institute, where she serves as a distinguished fellow."
https://www.bankinfosecurity.com/ransomware-reshaping-cyber-as-national-security-priority-a-30160
- As Space Becomes Warfare Domain, Cyber Is On The Frontlines
"Space is becoming a domain of warfare, with private sector companies on the front lines - and the first shots will likely be fired in cyberspace, a senior U.S. intelligence official warned this month. "Cybersecurity for space systems is very likely to be on the front lines of conflict involving space," said Johnathon Martin, acting deputy director of the Office of the Chief Architect at the National Reconnaissance Office, which builds, launches and operates U.S. spy satellites."
https://www.bankinfosecurity.com/as-space-becomes-warfare-domain-cyber-on-frontlines-a-30148
- FCC Warns Of Hackers Hijacking Radio Equipment For False Alerts
"Hackers have been hijacking US radio transmission equipment to air bogus emergency tones and offensive material, according to a notice issued Wednesday by the US Federal Communications Commission (FCC). The wave of intrusions triggered unauthorized uses of the Emergency Alert System’s distinctive Attention Signal, which is normally reserved for tornadoes, hurricanes, earthquakes and other urgent threats. In particular, threat actors appeared to target Barix network audio devices and reconfigure them to capture attacker-controlled streams instead of regular programming."
https://www.infosecurity-magazine.com/news/fcc-hackers-hijacking-radio/
https://docs.fcc.gov/public/attachments/DA-25-996A1.pdf
https://www.theregister.com/2025/11/27/fcc_radio_hijack/
References
Electronic Transactions Development Agency (ETDA) 
Labs identified a U.S.-based company that was targeted by RomCom threat actors via SocGholish, operated by TA569. While the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system. This is the first time that a RomCom payload has been observed being distributed by SocGholish."
![[TLP_CLEAR] รายงานการรับมือสถานการณ์ความไม่พร้อ_Page3.png](/assets/uploads/files/1764153732175-tlp_clear-%E0%B8%A3%E0%B8%B2%E0%B8%A2%E0%B8%87%E0%B8%B2%E0%B8%99%E0%B8%81%E0%B8%B2%E0%B8%A3%E0%B8%A3-%E0%B8%9A%E0%B8%A1-%E0%B8%AD%E0%B8%AA%E0%B8%96%E0%B8%B2%E0%B8%99%E0%B8%81%E0%B8%B2%E0%B8%A3%E0%B8%93-%E0%B8%84%E0%B8%A7%E0%B8%B2%E0%B8%A1%E0%B9%84%E0%B8%A1-%E0%B8%9E%E0%B8%A3-%E0%B8%AD_page3.png)
Threat Research: HashJack – Novel Indirect Prompt Injection Against AI Browser Assistants