NCSA Webboard

    Posts created by NCSA_THAICERT

    • Microsoft releases security update fixing RCE vulnerability in SharePoint Server


      You can follow the news on the webboard or on Facebook NCSA Thailand.

      Posted in Cyber Security News by NCSA_THAICERT
    • Lazarus APT uses RemotePE, a fileless RAT that runs in memory to evade detection



      Posted in Cyber Security News by NCSA_THAICERT
    • Megalodon supply chain attack affects more than 5,500 GitHub repositories, aimed at stealing system secrets



      Posted in Cyber Security News by NCSA_THAICERT
    • CISA adds one exploited vulnerability to its catalog

      On 26 May B.E. 2569 (2026), the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details are as follows:

      • CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability

      CISA will continue to update the KEV catalog and add new vulnerabilities to it so that it covers risks actually observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/05/26/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA publishes eight Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published eight advisories on industrial control systems (ICS) on 26 May B.E. 2569 (2026), providing timely information on security issues, vulnerabilities, and attacks related to ICS. Details are as follows:

      • ICSA-26-146-01 ABB Terra AC
      • ICSA-26-146-02 ABB AC500 V2
      • ICSA-26-146-03 ABB AbilityTM Zenon Remote Transport Vulnerability
      • ICSA-26-146-04 ABB B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager
      • ICSA-26-146-05 ABB Ability Camera Connect
      • ICSA-26-146-06 ABB LVS MConfig
      • ICSMA-26-146-01 Eppendorf BioFlo 320
      • ICSA-25-259-01 Schneider Electric Multiple Altivar Process Drives and Communication Modules (Update B)

      CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 27 May 2026

      Healthcare Sector

      • Eppendorf BioFlo 320
        "Successful exploitation of this vulnerability could allow an attacker to gain full access to functionality and data with the bioreactor."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01

      Industrial Sector

      • ABB B&R Automation Runtime DoS Vulnerability In System Diagnostics Manager (SDM)
        "An update is available that resolves a vulnerability identified by B&R's internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited this vulnerability could cause the product to stop."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04
      • ABB Ability Camera Connect
        "ABB is aware of public reports of vulnerabilities in a 3rd party component VLC media player Version 2.2.4 which was delivered together with the installation package of Camera Connect Version 1.5.0.14 and below. An update is available that resolves a privately reported outdated 3rd party component with vulnerabilities in the product versions listed as affected in this advisory. An attacker who successfully exploited any of these vulnerabilities in the 3rd party component could potentially compromise the system in different ways."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-05
      • ABB Terra AC Wallbox
        "ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which potentially takes remote control of the product and performs a write operation to the flash memory to alter the firmware behavior."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-01
      • ABB AC500 V2
        "ABB became aware of vulnerabilities in AC500 V2 listed as affected in the advisory. An attacker who successfully exploited this vulnerability could access fragments of Modbus telegrams that have been sent earlier by that PLC"
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-02
      • ABB AbilityTM Zenon Remote Transport Vulnerability
        "ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. The vulnerability enables unauthorized access to the Reboot OS function within the Remote Transport Service, allowing an attacker to trigger a system reboot without the required authentication. This functionality initiates a system reboot on the target machine. However, remote exploitation of this vulnerability is not feasible unless the attacker has already gained access to the network where the affected ABB Ability™ zenon system is deployed. At the time of writing, there is no evidence that this vulnerability is being actively exploited in the wild."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-03
      • ABB LVS MConfig
        "ABB became aware of an internally discovered vulnerability in the MConfig product versions listed as affected in the advisory. An attacker with access to local networks who successfully exploits the vulnerability could have access to the application’s sensitive information. ABB strongly advises customers to update MConfig with the latest software version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06

      Vulnerabilities

      • Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
        "Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659, carries a CVSS score of 8.8. It has been assigned an important severity. "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network," Microsoft said in an advisory released last week."
        https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
        https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/26/cisa-adds-one-known-exploited-vulnerability-catalog
      • Exploitation Of KnowledgeDeliver Via ViewState Deserialization Vulnerability
        "In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426."
        https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
        https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html
        https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/
        https://www.securityweek.com/hackers-exploited-knowledgedeliver-zero-day-for-web-shell-deployment/

      Malware
      • INTRUSION ANALYSIS: China-Nexus Adversary Targeting Southeast Asian Edge Network Infrastructure
        "A China-nexus intrusion set has been identified conducting a large-scale campaign targeting edge network devices across Southeast Asia. The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent command-and-control (C2) via DNS over HTTPS (DoH) while simultaneously weaponizing the router's iptables subsystem to hijack downstream DNS traffic at scale. Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll), sharing identical C2 infrastructure and malleable C2 profiles with the router implant — confirming unified operational control."
        https://qiita.com/Y4er/items/0b6071745e4b7b240b3e

      • Phishing Campaign Deploys JavaScript-Driven PureLogs Variant To Steal Sensitive Data
        "FortiGuard Labs recently identified a phishing campaign distributing a PureLogs variant designed to collect sensitive data from the victim’s device. The analysis provides an in-depth examination of the campaign, including the phishing emails and the mechanisms by which the JavaScript file operates on the victim's device. This campaign uses deceptive emails disguised as purchase orders, a tactic commonly used to trick recipients into opening malicious attachments."
        https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
      • 2 PhaaS 2 Furious: The Evolution Of Chinese-Language Phishing Services
        "While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. These services not only lower the barrier to entry for Chinese cyber criminals, but reveal broader patterns on the evolution of social engineering and credential theft. Late last year, Google took legal action against one PhaaS provider and has worked since then to endorse legislation and enact technical safeguards against these types of scams."
        https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services
        https://www.infosecurity-magazine.com/news/chinese-phishing-live-credential/
        https://www.helpnetsecurity.com/2026/05/26/chinese-language-phishing-services/
      • BTMOB: A Stealthy RAT Burrowing Deep Into Android Devices
        "Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak. The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America."
        https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
        https://www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/
      • Fast And Furious – Nimbus Manticore Operations During The Iranian Conflict
        "During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran’s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts. Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat actor who primarily targets the defense, aviation and telecommunication sectors through career-themed phishing campaigns. Nimbus Manticore stands out compared to other Iranian-linked groups due to its complex malware toolset. In 2025, we documented the MiniJunk malware framework used by Nimbus Manticore to target high-profile organizations across Western Europe and the Middle East."
        https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
        https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html
        https://www.infosecurity-magazine.com/news/iranian-hackers-us-aviation/
        https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/
        https://securityaffairs.com/192689/apt/nimbus-manticore-expanded-attacks-with-ai-assisted-malware-and-fake-zoom-installers.html
      • Fake Software On GitHub And SourceForge Distribute Deno RAT
        "During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links to these platforms. DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime."
        https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat
      • Smart Contracts For C&C: How ClearFake Hid In Plain Sight On BSC Testnet
        "TrendAI™ Research analyzed in May 2026 an intrusion where threat actors used a technique known as EtherHiding to store payload routing instructions inside BNB Smart Chain (formerly Binance Smart Chain or BSC) smart contracts. Unlike traditional command-and-control (C&C) infrastructure, this routing layer cannot be altered, suspended, or seized by security vendors, registrars, or law enforcement due to the immutable nature of the blockchain. TrendAI™ found that the injected JavaScript on compromised websites queried these contracts to retrieve and route victims to the next stage of the attack chain."
        https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
      • Living Off The Land With VS Code: Inside a Sophisticated Phishing Campaign
        "In this blog post, we examine a multi-stage phishing campaign targeting staff members of the Punjab Safe Cities Authority (PSCA) and PPIC3 in Pakistan. The attack leveraged two distinct infection vectors, both relying on the same underlying infrastructure. The phishing email was analyzed by Joe Reverser in the report available here: https://www.joesandbox[.]com/joereverser/analysis/download/ff6db592-b57e-4d21-9d46-e69c2719d8a5?type=html. The Capability Preview image below already offers a comprehensive overview of the kill chain:"
        https://joesecurity.org/blog/8858614039441223943
      • Dark Web Profile: CoinbaseCartel
        "CoinbaseCartel is a financially motivated threat actor that emerged on the Dark Web in September 2025. Unlike traditional ransomware groups, the group does not encrypt victim systems. Instead, it relies exclusively on data theft, threatening to publish exfiltrated data on its dark web leak site unless victims pay a ransom. This approach is commonly described as a single-extortion model. The group’s name carries no connection to the legitimate cryptocurrency exchange Coinbase. On its leak site, CoinbaseCartel describes itself as “redefining data extortion” and explicitly states that its operations have no political, personal, or activist agenda."
        https://socradar.io/blog/dark-web-profile-coinbasecartel/

      Breaches/Hacks/Leaks

      • Charter Confirms Data Breach After ShinyHunters Extortion Threat
        "U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. Charter Communications is one of the largest broadband providers in the United States, serving tens of millions of residential and business customers through its Spectrum brand. In a statement shared this weekend, the company said it is alerting authorities about the incident and that no sensitive personal customer information was stolen."
        https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/
      • 7-Eleven Data Breach Exposes Personal Information Of 185,000 People
        "The ShinyHunters extortion gang stole the personal information of over 183,000 people after hacking the systems of convenience store chain giant 7-Eleven in April, according to data breach notification service Have I Been Pwned. Founded in 1927, 7-Eleven now operates, franchises, and licenses more than 86,000 stores worldwide, including 13,000 stores in the U.S. and Canada. 7-Eleven also operates and franchises Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations, and its 7Rewards and Speedy Rewards loyalty programs also have over 100 million members."
        https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/
        https://haveibeenpwned.com/Breach/7-Eleven
        https://www.securityweek.com/185000-likely-impacted-by-7-eleven-data-breach/
        https://www.helpnetsecurity.com/2026/05/26/7-eleven-data-breach-shinyhunters/
      • Lithuania Suspects Foreign Involvement In Data Leak Of Over 600,000 National Register Entries
        "Lithuanian authorities are on high alert after a massive data leak involving more than 600,000 entries from national data registers, which is believed to have been executed by another country. The Lithuanian general prosecutor’s office on Friday announced the leak was primarily from registers of real estate and legal entities accessed by using login credentials of institutions authorized to receive the data. The head of the State Enterprise Centre of Registers, Adrijus Jusas, resigned Monday following the leak."
        https://www.securityweek.com/lithuania-suspects-foreign-involvement-in-data-leak-of-over-600000-national-register-entries/
        https://therecord.media/lithuania-investigates-theft-of-state-records
      • MyPillow Must Decide Whether To Be Firm Or Soft As Ransomware Crims Demand Pay
        "Crims found the soft spot in the company's security. MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim. The pillow shop first appeared on Play’s name-and-shame data leak site on Monday, with the gang threatening to leak stolen data by Friday if MyPillow execs don’t pay the ransom demand."
        https://www.theregister.com/cyber-crime/2026/05/26/mypillow-appears-on-play-ransomware-leak-site/5246513

      General News

      • April 2026 Threat Trend Report On APT Attacks (South Korea)
        "AhnLab utilized its infrastructure to monitor Advanced Persistent Threat (APT) attacks on targets in Korea. This report summarizes the classification, statistics, and features of each type of APT attack identified in Korea during the month of April 2026."
        https://asec.ahnlab.com/en/93831/
      • 2026 Cloud Security Report: Why Traditional Network, Cloud, And Security Architecture Are Lagging Behind The AI Transformation
        "As AI rapidly reshapes industries, the role of the cloud has become even more critical. From automated customer experiences to intelligent cyber security and predictive analytics, AI transformations are increasingly being built on a cloud-first foundation. Over the past two years, AI has swiftly moved from an experimental state to an operational reality, with every leading organization embedding AI into the core of how they build, operate, and compete. However, security architectures have not kept pace with the AI transformation. Closing that gap requires more than incremental fixes. It demands a rethinking of how security is designed, deployed, and enforced across hybrid environments."
        https://blog.checkpoint.com/securing-the-cloud/2026-cloud-security-report-why-traditional-network-cloud-and-security-architecture-are-lagging-behind-the-ai-transformation/
      • Why Network Segmentation Projects Fail: Four Patterns
        "In previous blogs, I’ve discussed why segmentation matters, the challenges of getting it right, and the benefits that organizations see when they fully commit to both macro- and micro-segmentation. Today, I want to flip the question around. Instead of asking what happens when segmentation succeeds, let’s ask: why do so many segmentation projects fail. That question is the focus of the newly released Cisco 2026 Segmentation Report, which draws on a survey of 400 failed segmentation projects at U.S.-based organizations with 500 or more employees. The findings are illuminating—and occasionally surprising."
        https://blogs.cisco.com/security/why-network-segmentation-projects-fail-four-patterns
        https://www.cisco.com/c/en/us/products/collateral/security/hypershield/segmentation-report-2026.pdf
      • The Hackers Behind Shai-Hulud: Lucky Or Skilled?
        "TeamPCP has made a name for itself as a scourge of the open source community following its particular waves of the Shai-Hulud attacks, but the group's attack history is less "sophisticated threat actor" and more "right place, right time" luck. A financially motivated threat actor, TeamPCP formally emerged in late 2025, making a name exploiting the React2Shell vulnerability as well as targeting misconfigured Docker APIs and Next.js. As researchers from Flare recently noted, the group would historically use opportunistic compromises to conduct ransomware, steal data to turn around and sell, and mine cryptocurrency."
        https://www.darkreading.com/application-security/shai-hulud-hackers-teampcp-lucky-skilled
      • What Happens When Security Teams Inherit Identity
        "At the Span Cyber Security Arena conference, I sat down with Eric Woodruff, Chief Identity Architect at Semperis, to talk about how organizations perceive identity and the challenges those perceptions create for security. He shared his perspective on where organizations struggle with identity, why identity platforms can become difficult to manage, how phishing-resistant authentication is viewed in practice, and what non-human identities and AI could mean for security."
        https://www.helpnetsecurity.com/2026/05/26/eric-woodruff-semperis-identity-security/
      • CERT-In Recommends 12-Hour Patching For Internet-Facing Flaws Amid AI-Assisted Attacks
        "The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability discovery and exploitation, and enhance the scale and velocity of cyber attacks. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In said in a 38-page blueprint published Monday."
        https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html
        https://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=CISG-2026-02
        https://www.infosecurity-magazine.com/news/cert-in-12-hour-patch-deadline-ai/
      • 62% Of Database Ransom Wallets Were Never Paid
        "We built a five-year census of 65,907 exposed databases on the public internet. 30,515 of them (46.3%) carry a ransom or wipe marker. We then validated every bitcoin address inside those notes, ending with 514 distinct attacker wallets. When we priced the 512 we could resolve on-chain, 318 had received zero bitcoin. The 9.78 BTC (around $753,000) that did move concentrated into a handful of operators. Mass database extortion is industrial, automated, mostly unpaid, and still doing enormous damage."
        https://ransomnews.com/database-ransom-economics-2026/
        https://securityaffairs.com/192711/cyber-crime/the-hidden-ransomware-economy-running-on-exposed-databases.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • iPhone users warned to update iOS and WhatsApp after cases of accounts being used to send unusual messages



      Posted in Cyber Security News by NCSA_THAICERT
    • SQL injection vulnerability in Ghost CMS exploited to plant malicious scripts through a ClickFix campaign



      Posted in Cyber Security News by NCSA_THAICERT
    • Ransomware trend for 2026 shifts to data theft for extortion without encrypting systems



      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 26 May 2026

      New Tooling

      • OpenHack: Open-Source AI-Powered Vulnerability Research
        "Source-guided vulnerability research increasingly leans on coding harnesses such as Claude Code, Codex, and Cursor to drive agent-based reviews of application code. A new MIT-licensed project from the Dutch security firm Hadrian, called OpenHack, packages that approach into a file-based workspace that any of those harnesses can run. OpenHack is a set of agents and tools that mimics how Hadrian’s research team performs automated vulnerability research. The workflow runs inside a coding harness or a custom runner, with durable state kept in plain files such as cloned source, recon items, scenario prompts, scenario results, finding candidates, triage decisions, findings, and logs. The harness supplies model execution, terminal access, repository access, and human-in-the-loop approval."
        https://www.helpnetsecurity.com/2026/05/25/openhack-open-source-ai-powered-vulnerability-research/
        https://github.com/hadriansecurity/openhack

      Malware

      • RemotePE: The Lazarus RAT That Lives In Memory
        "Last year, we published research1 about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multiple incident response engagements. This Lazarus subgroup overlaps with activity linked to AppleJeus2, Citrine Sleet3, UNC47364, and Gleaming Pisces5. In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset. This follow-up post covers all three malware families from that toolset: DPAPILoader, RemotePELoader and RemotePE."
        https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
        https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
      • TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages And Hundreds Of Versions Across Npm, PyPI, And Crates.io
        "Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts across npm, PyPI, and Crates.io, with some already removed and others still live at the time of writing. The earliest package Socket observed was the PyPI package [email protected], uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC. The packages were then published in waves by a handful of accounts and actively updated throughout the weekend."
        https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates
        https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
      • Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning
        "There is a particular kind of security incident that is harder to explain than most: your WhatsApp account is sending messages you did not write, asking your contacts for money transfers, and when you check the “Linked Devices” section in the app, it shows nothing. No unauthorized sessions, no suspicious logins, no QR codes scanned by mistake. Just your phone, your account, and someone else apparently using it at the same time. That is exactly what happened to multiple iPhone users in Italy over the past few weeks, and the forensic investigation that followed has uncovered what appears to be an active zero-click exploitation campaign targeting a specific combination of iOS version and WhatsApp client."
        https://securityaffairs.com/192627/security/zero-click-whatsapp-account-takeover-hits-iphone-users-running-ios-16-no-linked-devices-no-warning.html

      Breaches/Hacks/Leaks

      • Hacker Selling 340 Million OnlyFans User Records Built From Old Breaches
        "A threat actor is advertising what they describe as a massive database containing information linked to hundreds of millions of OnlyFans users, including creators and subscribers. However, conversations with the seller and a review of sample data suggest that the collection did not result from a direct breach or scraping of OnlyFans systems. The listing appeared earlier this week on a well-known cybercrime forum, where a user operating under the alias “Euphoric_Reply_5727” offered what they described as “340 Million User Records” linked to OnlyFans users. The seller priced the database at 0.313 BTC, roughly $76,000 at the time of writing."
        https://hackread.com/hacker-selling-onlyfans-user-records-old-breaches/
        https://securityaffairs.com/192643/cyber-crime/340-million-onlyfans-profiles-allegedly-rebuilt-from-leaks.html
      • Oncology Institute Discloses Data Breach
        "The Oncology Institute says a previously disclosed cybersecurity incident has been confirmed to impact patient information. The Oncology Institute (TOI) is an oncology provider founded in 2007 that delivers specialized cancer care through a network of over 100 clinics across five states. The healthcare organization told the SEC in November 2025 that it had learned of a cybersecurity incident affecting a third-party software services provider. At the time, the vendor’s investigation was ongoing and it could not say whether patient information had been compromised."
        https://www.securityweek.com/oncology-institute-discloses-third-party-data-breach/
      • 266,000 Affected By Data Breach At Radiology Associates Of Richmond
        "Radiology Associates of Richmond (RAR) has disclosed a data breach impacting the protected health information of 266,000 individuals. According to the healthcare organization’s incident notice, the data breach occurred on or about July 25, 2025, when hackers accessed its internal systems. RAR did not say when the intrusion was discovered, but said that it worked with external cybersecurity experts to contain the attack and investigate its scope."
        https://www.securityweek.com/266000-affected-by-data-breach-at-radiology-associates-of-richmond/
      • DocketWise Data Breach Impacts 143,000
        "Immigration and legal case management platform DocketWise is notifying over 143,000 people that their personal, financial, and medical information was compromised in a data breach. The incident, the company says, involved third-party partner repositories that a threat actor cloned using valid credentials. DocketWise launched an investigation into the matter in October 2025, and this year determined that some of the cloned repositories were used as a data migration pipeline for the DocketWise application, which contains law firm records, including personally identifiable information (PII)."
        https://www.securityweek.com/docketwise-data-breach-impacts-143000/

      General News

      • Turns Out The C-Suite Loves Shadow AI
        "Senior decision-makers are the heaviest users of unapproved AI tools, and they continue using them despite being aware of the security and privacy risks linked to shadow AI, according to TrustedTech’s Shadow AI in the Workplace report. The study found that 65% of decision-makers use shadow AI, compared with 31% of employees below decision-maker level. The data suggests that shadow AI is not mainly driven by junior employees experimenting with consumer tools. The people creating policies and overseeing teams appear to be some of the most active users of unapproved AI systems."
        https://www.helpnetsecurity.com/2026/05/25/trustedtech-workplace-shadow-ai-use-report/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • 🚨 Check now: Trend Micro ships a patch for an Apex One vulnerability exploited in the wild

      The National Computer Security Incident Coordination Center (ThaiCERT) has been tracking Trend Micro's security update for Apex One and Vision One Standard Endpoint Protection (SEP), released after several vulnerabilities were found in the endpoint security product. One of them, CVE-2026-34926, has been confirmed as exploited in the wild. Users and administrators should check their installed versions and update as soon as possible [1][2].

      1. Vulnerability details
        CVE-2026-34926 (CVSS v3.1: 6.7) [3] is a directory traversal vulnerability in the on-premise Trend Micro Apex One server. An attacker who already has access to the server with an administrator-level account could use it to modify critical server data, plant malicious code and push it to agents across the organization. Despite the moderate score, the practical risk is high: the Apex One server is a highly trusted endpoint-management system, and once taken over or tampered with it can be used to distribute payloads to a large number of endpoints at once.

      2. Affected products and versions
        2.1 Trend Micro Apex One 2019 on-premise: server/agent builds below 17079
        2.2 Trend Micro Apex One as a Service: agent builds below 14.0.20731
        2.3 Trend Vision One Endpoint Security – SEP: agent builds below 14.0.20731

      3. Mitigation and remediation
        3.1 Update Apex One on-premise to SP1 CP Build 18012, or to the version the vendor recommends
        3.2 Verify that every Security Agent is running a fixed build
        3.3 Restrict access to the Apex One server to trusted networks only
        3.4 Review administrator accounts and monitor the related logs

      4. If you cannot update immediately
        4.1 Remove direct internet exposure of the management console
        4.2 Require VPN and MFA for remote access
        4.3 Limit administrator privileges to what is strictly necessary
        4.4 Increase monitoring of logs, alerts and configuration changes on the Apex One server, watching for values modified without authorization
        4.5 Schedule the update for the window with the least impact on production


      5. References
        [1] https://dg.th/brhdvu45e0
        [2] https://dg.th/bmuyg0k5vq
        [3] https://dg.th/fvh4oziwyk
      Posted in Cyber Security News by NCSA_THAICERT
    • RondoDox botnet found exploiting an old vulnerability to attack unpatched ASUS routers


      Posted in Cyber Security News by NCSA_THAICERT
    • Anthropic reports that Claude Mythos AI helped find more than 10,000 vulnerabilities in critical software worldwide


      Posted in Cyber Security News by NCSA_THAICERT
    • Active exploitation of a critical SQL injection vulnerability (CVE-2026-9082) in the Drupal content management system


      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 25 May 2026

      Financial Sector

      • April 2026 Security Issues In Korean & Global Financial Sector
        "Attack Stage 1 Phishing, Attack Stage 2 Backdoor-Downloader-Dropper, and Attack Stage 3 Infostealer-Ransomware were identified as the top malware in the financial sector. The actual distribution files were identified based on MD5 Hash, and it was explained that there may be many variants of the same family."
        https://asec.ahnlab.com/en/93805/

      Vulnerabilities

      • Ubiquiti Patches Three Max Severity UniFi OS Vulnerabilities
        "Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect."
        https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/
      • LiteSpeed cPanel Plugin CVE-2026-48172 Exploited To Run Scripts As Root
        "A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. "Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said."
        https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
        https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
      • Trend Micro Warns Of Apex One Zero-Day Exploited In The Wild
        "Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems. Apex One is Trend Micro's enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats. Tracked as CVE-2026-34926, this directory traversal vulnerability in the Apex One (on-premises) server allows local attackers with admin privileges to inject malicious code."
        https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited-in-attacks/
        https://www.securityweek.com/trendai-patches-apex-one-zero-day-exploited-in-the-wild/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-9082 Drupal Core SQL Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/22/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/192566/uncategorized/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html
        https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
        https://www.securityweek.com/drupal-vulnerability-in-hacker-crosshairs-shortly-after-disclosure/

      Malware

      • RondoDox Botnet Exploits 2018 Flaw In Asus Routers
        "Operators behind a botnet picked up on a nearly decade-old flaw in Asus routers allowing an unauthenticated attacker to achieve remote code execution as a root user. Researchers at VulnCheck flagged in-the-wild exploitation of CVE-2018-5999, a critical flaw carrying a 9.8 CVSS score, to the RondoDox botnet. The botnet, which surfaced in mid-2025 and focuses on Linux systems, is often classed as a variant of the Mirai botnet. "Unlike Mirai, this malware’s sole purpose is to execute DoS attacks, while Mirai is not only capable of doing DoS attacks but also scan and exploit other systems," wrote Bitsight in March."
        https://www.bankinfosecurity.com/rondodox-botnet-exploits-2018-flaw-in-asus-routers-a-31768
        https://hackread.com/rondodox-botnet-2018-vulnerability-hijack-asus-routers/
      • Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
        "Unit 42 researchers have observed evidence of cyberattacks by the Iran-nexus advanced persistent threat (APT) group Screening Serpens (aka UNC1549, Smoke Sandstorm and Iranian Dream Job). Based on our visibility, we believe that the group targeted entities in the U.S., Israel and the United Arab Emirates, and likely two additional Middle Eastern entities. This research follows an evolution through cyberattacks in mid-February through April 2026. The timing of these campaigns aligns closely with that of the regional conflict that started in the Middle East on Feb. 28, 2026. We discovered six new remote access Trojan (RAT) variants developed and deployed between February and April 2026."
        https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
        https://www.bankinfosecurity.com/iranian-hackers-using-fake-job-sites-to-breach-defense-firms-a-31762
      • Megalodon: Mass GitHub Repo Backdooring Via CI Workflows
        "On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216[.]126[.]225[.]129:8443. The campaign deployed two payload variants. The mass variant (SysDiag) adds a new workflow triggered on every push and pull request, maximizing automated execution. A targeted variant (Optimize-Build) replaced existing workflows with workflow_dispatch triggers, creating dormant backdoors that the attacker can fire on demand via the GitHub API. The npm package @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 carry the targeted variant, propagated to npm through routine publishes by the legitimate maintainer from the compromised GitHub repository."
        https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/
        https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
        https://hackread.com/github-repositories-megalodon-supply-chain-attack/
        https://www.theregister.com/security/2026/05/22/megalodon-chums-the-waters-in-55k-github-repo-poisonings/5245342
      • SEO Poisoning Campaign Leverages Gemini And Claude Code Impersonation To Deliver Infostealer
        "Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding assistants and package managers, to compromise developer workstations. In early March 2026, EclecticIQ analysts identified an ongoing infostealer campaign targeting Gemini CLI and Claude Code users. Threat actors use SEO poisoning to surface fake domains above legitimate results, directing victims to attacker-controlled infrastructure that mimics genuine AI agent installation pages."
        https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
        https://www.infosecurity-magazine.com/news/gemini-claude-infostealers-seo/
      • Ghostwriter Targets Ukraine Government Entities With Prometheus Phishing Malware
        "The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government entities using compromised accounts. It's been active since the spring of 2026."
        https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html
        https://therecord.media/oysterfresh-belarus-linked-campaign-targets-ukraine
        https://securityaffairs.com/192538/apt/ghostwriter-is-back-using-a-ukrainian-learning-platform-as-bait-to-hit-government-targets.html
      • FBI Warns Of Kali365 Phishing-As-a-Service After April Microsoft 365 Attacks
        "Cybercriminals are using a new, easy-to-use service to trick people into giving them access to their Microsoft 365 accounts, according to the FBI. The law enforcement agency published an advisory on Thursday about Kali365 — a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365 environments. Multiple cybersecurity companies warned last month that they were seeing hundreds of attacks enabled by Kali365. The tool, which the FBI referred to as a Phishing-as-a-Service platform, “lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”"
        https://therecord.media/fbi-warns-of-kali365-phishing-attacks
        https://www.ic3.gov/PSA/2026/PSA260521
        https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/
        https://hackread.com/fbi-kali365-phishing-service-microsoft-365-account/
        https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/
      • Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware
        "Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure. As previously documented by TrendAI™ Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of fabricated job interviews. TrendAI™ Research observed that InvisibleFerret, a Python-based malware family composed of multiple modules and delivered through the infection chain, has been obfuscated using Cython."
        https://www.trendmicro.com/en_us/research/26/e/analyzing-void-dokkaebi-invisibleferret-malware.html
      • Paved With Intent: ROADtools And Nation-State Tactics In The Cloud
        "ROADtools is an open-source framework written in Python and built for red-teaming and research. It primarily targets the identity and authentication layers of Azure, and focuses on how accounts, applications and tokens operate in tenants. To avoid detection, ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic. Further defense evasion can be achieved by configuring request attributes such as user-agent strings. These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools' token management capabilities."
        https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
      • A New SonicWall Scanning Spike Echoes The Pattern That Preceded CVE-2026-0400
        "Between May 9 and May 18, 2026, GreyNoise observed a significant new spike in scanning of SonicWall SonicOS management interfaces. The May 12 peak — approximately 597,000 sessions — was the largest single-day total recorded on the SonicWall SonicOS API Scanner tag in the past 90 days, roughly 46× the typical daily volume for this tag in the 30 days before the elevation. Similar elevations in activity against this GreyNoise tag have preceded new vulnerability disclosures affecting SonicWall (Ten Days Before Zero, GreyNoise 2026). Activity on this tag spiked three times in an earlier sequence — on January 18, January 30, and February 14 — at 37, 25, and 10 days before the February 24 disclosure of CVE-2026-0400. The current spike may be a similar early warning."
        https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-preceded-cve-2026-0400
      • Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten To Steal CI Secrets
        "On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a single 15 minute window. Anyone running composer update or installing fresh against laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes now pulls a payload that exfiltrates CI secrets to a typosquatted attacker domain. StepSecurity confirmed end to end exploitation in an isolated runner and has filed security issues in all four repositories."
        https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack
        https://socket.dev/blog/laravel-lang-compromise
        https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer
        https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/
        https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
      • Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist And Node.js Projects
        "Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background. Although the affected packages were all Composer packages, the malicious code was not added to composer.json. Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code. That cross-ecosystem placement is notable because developers and security teams reviewing PHP dependencies may focus on Composer metadata while overlooking package.json lifecycle hooks bundled inside the package."
        https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos
        https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html
      • Foul Play: Fake FIFA Websites Target Soccer Fans Looking For World Cup Tickets, Merchandise
        "As the FIFA World Cup 2026™ in the United States, Canada, and Mexico draws closer, anticipation is building toward fever pitch. Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand. In other words, many people are already in the state of mind that scammers count on: interested, impatient and, indeed, maybe a little worried that the tickets or other goods will sell out. Which is ultimately what makes these scams so effective."
        https://www.welivesecurity.com/en/cybersecurity/foul-play-fake-fifa-world-cup-websites-tickets/
      • Ghost CMS SQL Injection Flaw Exploited In Large-Scale ClickFix Campaign
        "A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo."
        https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

      Breaches/Hacks/Leaks

      • FBI Director’s Former Apparel Brand Hit By Malware
        "Two months after Iran-linked hackers exfiltrated FBI Director Kash Patel's personal email inbox, the government official's name is tangled up in another cyber incident - this time through a MAGA swag shop he founded. A ClickFix attack on the Based Apparel site tried to trick shoppers into running a malicious command though a fake Cloudflare verification page on Thursday. The entire merchandise shop has been taken offline Friday."
        https://www.bankinfosecurity.com/fbi-directors-former-apparel-brand-hit-by-malware-a-31767
      • Hackers Steal Patient And Billing Data From German Hospitals Via Third-Party Provider
        "German university hospitals are grappling with a large-scale patient data breach after unknown hackers targeted an external billing service provider used by medical centers across the country, according to statements from several affected medical institutions. The attack reportedly hit Unimed, a company that handles billing services for privately insured and self-paying patients on behalf of numerous German hospitals. Hospitals said the breach did not compromise their own clinical infrastructure or disrupt patient treatment."
        https://therecord.media/hackers-steal-patient-billing-data-german-hospitals
      • Techie Claims Trump Mobile Website Was Leaking Thousands Of People's Data
        "The US President’s oft-maligned Trump Mobile venture may be facing another setback after a security buff claims he discovered a now-plugged website vulnerability that he says was leaking what could be tens of thousands of suckers' customers' details. The individual behind the discovery, who goes by "Louis," says he's a self-taught tech tinkerer and described himself as "just a nerd between jobs with too much time on my hands." He reckons the website’s data could be scooped up with a simple POST request."
        https://www.theregister.com/security/2026/05/22/trump-mobile-site-leaks-customer-data-as-phone-finally-ships/5244828

      General News

      • The Proliferation And Evolution Of AI-Powered Hacking Tools – From Dark Web Distribution To Autonomous Attacks
        "Since the emergence of WormGPT in June 2023, AI-based hacking tools have spread to the dark web, Telegram, GitHub, and Hugging Face. The market has evolved into a mix of paid subscription SaaS and free open-source distributions. Key capabilities have been segmented into phishing automation, malware development, reconnaissance, brute force, vulnerability exploitation, and social engineering."
        https://asec.ahnlab.com/en/93816/
      • Netherlands Seizes 800 Servers Of Hosting Firm Enabling Cyberattacks
        "Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks, interference operations, and disinformation campaigns. FIOD arrested a 57-year-old suspect, who was the company director, and a 39-year-old who headed a separate firm that provided internet connectivity. According to the authorities, the suspects indirectly provided economic resources to Russian and Belarusian entities sanctioned by the European Union (EU)."
        https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/
      • Former US Execs Plead Guilty To Aiding Tech Support Scammers
        "Two former executives of a call-tracking and analytics company pleaded guilty to concealing a years-long tech support fraud scheme that victimized individuals worldwide. Former CEO Adam Young (from Miami, Florida) and former CSO Harrison Gevirtz (from Las Vegas, Nevada) admitted to a misprision of a felony charge, which carries a maximum penalty of three years in federal prison, a fine of up to $250,000, or both, and are scheduled for sentencing on June 16."
        https://www.bleepingcomputer.com/news/security/former-us-execs-plead-guilty-to-aiding-tech-support-scammers/
      • When The Scanner Starts Thinking: Learnings From Mythos & GPT 5.5 Cyber In Security Testing
        "Frontier AI models like Anthropic Mythos and OpenAI GPT 5.5 Cyber present a critical inflection point for enterprise security. While they unlock transformative potential for security engineers seeking to embed AI into their workflows, they also expand the attack surface for organizations facing increasingly sophisticated attacks when used by threat actors. Mythos and GPT 5.5 Cyber do something fundamentally different from previous models. They reason across attack paths, weigh exploitability, and generate security-relevant workflows. The threat chain remains the same. Attackers will continue to find what’s exposed, break in through a weak point, move laterally, and steal data. What’s changed is the expertise required, speed, and scale."
        https://www.zscaler.com/blogs/security-research/when-scanner-starts-thinking-learnings-mythos-gpt-5-5-cyber-security
      • AI Attacks Are No Longer Experimental: Key Findings From The March-April 2026 AI Threat Landscape
        "Between late December 2025 and mid-February 2026, Gambit found that a single operator compromised nine Mexican government agencies, reaching tax records, civil registry data, patient files, and electoral infrastructure across a two-month campaign. What made it remarkable was not the scope but the method: the attacker ran the entire operation with commercial AI handling the exploitation work, and researchers only discovered what had happened after recovering materials from attacker-controlled servers. AI was not a productivity tool running in the background. It was the operational core of the attack."
        https://blog.checkpoint.com/research/ai-attacks-are-no-longer-experimental-key-findings-from-the-march-april-2026-ai-threat-landscape/
      • Downtime Has Become a $600 Billion Business Problem
        "The average cost of downtime has reached $600 billion for the Global 2000, a 50% increase in two years. According to Splunk’s The Hidden Costs of Downtime report, unplanned outages and service degradation cost each company an average of $300 million. Delayed product launches, brand damage, and stock declines continue to affect companies after systems return online. Customer expectations, cybersecurity threats, rising incident costs, and regulatory pressure have made downtime a priority for technology leaders."
        https://www.helpnetsecurity.com/2026/05/22/splunk-average-downtime-cost-report/
      • The New Economics Of Fraud: Cheaper, Faster, More Convincing
        "Scams have become one of the fastest-growing consumer risks, driven by AI-enabled impersonation, social engineering, and sophisticated attack methods, according to Visa’s Spring 2026 Biannual Threats Report. Fraud involves behavioral manipulation, fragmented ecosystems, and faster attack cycles that use AI to pressure people into authorizing payments themselves. The payments ecosystem continues to strengthen core defenses. Token fraud declined 9.6% and enumeration losses fell 16% from July through December 2025 compared with the same period in 2024. Improvements in tokenization, authentication, and network-level detection contributed to those results."
        https://www.helpnetsecurity.com/2026/05/22/visa-consumer-payment-fraud-report/
      • Cloud Atlas Activity In The Second Half Of 2025 And Early 2026: New Tools And a New Payload
        "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise. The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels."
        https://securelist.com/cloud-atlas-2026/119895/
      • Italy Disrupts CINEMAGOAL Piracy App That Stole Streaming Auth Codes
        "Italian authorities have dismantled a piracy ecosystem centered around the CINEMAGOAL app that provided access to various streaming platforms, including Netflix, Disney+, and Spotify. Unlike typical IPTV service providers that openly market themselves online and expose their operations, CINEMAGOAL's approach was stealthier, as it used an app that customers installed on their devices. During the large-scale anti-piracy operation called “Tutto Chiaro” (All Clear), Italian law enforcement conducted 100 searches across the country and seized materials that could help investigators identify involved individuals, as well as determine the amount of illegal profits."
        https://www.bleepingcomputer.com/news/legal/italy-disrupts-cinemagoal-piracy-app-that-stole-streaming-auth-codes/
      • Why Pure Extortion Is Replacing Traditional Ransomware
        "Ransomware groups are quietly changing strategy in 2026. Instead of encrypting systems and causing immediate disruption, many attackers are now focusing on pure extortion: stealing sensitive data and threatening to leak it publicly if victims refuse to pay. This shift is happening for a simple reason. Encryption is noisy, risky, and easier for defenders to detect. Data theft is often faster, quieter, and in many cases more profitable. Several recent reports suggest attackers are increasingly prioritizing credential theft, long-term access, and exfiltration over traditional ransomware deployment. The pressure point is changing too. Companies are no longer paying just to restore operations, they are paying to avoid reputational damage, regulatory fallout, and exposure of sensitive internal documents."
        https://securityaffairs.com/192550/cyber-crime/why-pure-extortion-is-replacing-traditional-ransomware.html
      • Claude Mythos AI Finds 10,000 High-Severity Flaws In Widely Used Software
        "Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the world since the cybersecurity initiative went live last month. Project Glasswing is a defensive effort launched by the artificial intelligence (AI) company to secure critical global software infrastructure. It grants a small set of about 50 partners exclusive, early access to Claude Mythos Preview, a frontier model with capabilities to autonomously identify vulnerabilities in widely-used software before bad actors can exploit them."
        https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html
        https://www.anthropic.com/research/glasswing-initial-update
        https://securityaffairs.com/192576/ai/anthropics-glasswing-10000-vulnerabilities-found-in-one-month-and-the-patching-problem-has-never-been-more-obvious.html
      • Dirty Frag, Copy Fail, Fragnesia: The Start Of a Worrisome Linux Security Trend
        "Dirty Frag, Copy Fail, and Fragnesia are less a random cluster of Linux bugs and more the public unveiling of how AI tools can pry open security holes with just a prompt or two. What they also have in common is their shared abuse of a core kernel abstraction: The page cache. What does this mean for you and me? Is this the rainstorm before a downpour of killer Linux security problems, or is this just a shower? It depends on who you ask."
        https://www.theregister.com/security/2026/05/23/dirty-frag-copy-fail-fragnesia-the-start-of-a-worrisome-linux-security-trend/5244742

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cisco patches critical vulnerability CVE-2026-20223 in Secure Workload: risk of Site Admin privilege takeover via REST API

      Posted in Cyber Security News by NCSA_THAICERT
    • Verizon DBIR reveals AI helps attackers accelerate exploitation of software vulnerabilities, involved in 31% of recent data breaches

      Posted in Cyber Security News by NCSA_THAICERT
    • Exploitation of SonicWall VPN devices bypasses MFA after users failed to fully update their configuration

      Posted in Cyber Security News by NCSA_THAICERT
    • 🛑 Microsoft releases patch for zero-day vulnerability in Microsoft Defender

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring cyber threat news and found that Microsoft has released a patch for a zero-day vulnerability in Microsoft Defender after the vulnerability was found to be exploited in real attacks [1]

      1. Incident details
        Microsoft has released a patch for zero-day vulnerabilities in Microsoft Defender; the two significant vulnerabilities are as follows:
        1.1 CVE-2026-41091 (CVSS v3.1: 7.8) is an Elevation of Privilege (EoP) vulnerability in Microsoft Defender caused by an Improper Link Resolution Before File Access flaw (link following / symlink handling), which leads Microsoft Defender to inspect or access files through links (symbolic links / hard links) unsafely. As a result, an attacker who already has privileges on the machine can use this vulnerability to escalate (Local Privilege Escalation) to higher privileges on the system [2]
        1.2 CVE-2026-45498 (CVSS v3.1: 7.5) is a Denial of Service (DoS) vulnerability in Microsoft Defender that may allow an attacker to stop the Microsoft Defender service or process or render it unable to provide service (Availability Impact), causing the anti-malware protection to malfunction or stop responding temporarily [3]

      2. Potential impact
        2.1 Privilege escalation from a standard user to SYSTEM-level privileges
        2.2 Disabling or evading Microsoft Defender protection
        2.3 Access to sensitive data or credentials on the system
        2.4 Use as a foothold for attacks on other systems
        2.5 Improved persistence on the system and evasion of detection by security systems

      3. Affected systems
        Systems running Microsoft Defender Antivirus or Microsoft Defender for Endpoint

      4. Prevention and remediation
        4.1 Install the latest security patches from Microsoft immediately
        4.2 Check for abnormal privilege escalation
        4.3 Check for Defender being disabled

      5. Interim measures (if updating immediately is not possible)
        5.1 Restrict internal user privileges
        5.2 Enable Tamper Protection to prevent modification of Microsoft Defender settings
        5.3 Use Application Control / WDAC / AppLocker to reduce the chance of unauthorised code execution
        5.4 Monitor Event Logs related to the Defender Service, Security Center and Privilege Escalation
        5.5 Isolate high-risk systems from critical networks
        References
        [1] https://dg.th/7w6lp1cg0u
        [2] https://dg.th/h9a71ny8k2
        [3] https://dg.th/lm57t0a1wx
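      As an added example (not from the ThaiCERT post or from Microsoft), the Python script below applies item 5.4 of the advisory to a handful of event records: it flags the Defender Operational-log events for real-time protection being disabled (5001), scanning being disabled (5010) and platform configuration changes (5007), and the Service Control Manager events for the Defender service crashing (7034) or entering the stopped state (7036), which is the pattern a DoS against the Defender process or a tampering attempt would leave behind. The event IDs and channel names are assumed from Microsoft's documentation; the records are constructed samples shaped like the output of Get-WinEvent, not real telemetry.

```python
"""Triage Windows event records for signs that Microsoft Defender was
disabled, reconfigured or crashed (advisory item 5.4).

Added example: the event IDs are assumed from Microsoft's documentation
for the Defender Operational log and the Service Control Manager, and the
records below are constructed samples shaped like Get-WinEvent output,
not real telemetry."""
from dataclasses import dataclass

DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"

# (channel, event_id) -> what the event indicates about Defender's state.
INDICATORS = {
    (DEFENDER_LOG, 5001): "real-time protection disabled",
    (DEFENDER_LOG, 5007): "antimalware platform configuration changed",
    (DEFENDER_LOG, 5010): "malware scanning disabled",
    ("System", 7034): "service terminated unexpectedly",  # fits a DoS crash
    ("System", 7036): "service entered the stopped state",
}

# Display name and short name of the Defender service as they appear in
# Service Control Manager messages.
DEFENDER_SERVICE_NAMES = ("Microsoft Defender Antivirus Service", "WinDefend")


@dataclass
class Finding:
    time: str
    channel: str
    event_id: int
    reason: str
    message: str


def _about_defender_service(message):
    return any(name in message for name in DEFENDER_SERVICE_NAMES)


def triage(events):
    """Return the events that indicate Defender being disabled,
    reconfigured or crashed, in log order."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key not in INDICATORS:
            continue
        # SCM events cover every service: keep only those about Defender.
        if ev["channel"] == "System" and not _about_defender_service(ev["message"]):
            continue
        # 7036 fires on every state change; only a stop is interesting.
        if ev["event_id"] == 7036 and "stopped state" not in ev["message"]:
            continue
        findings.append(Finding(ev["time"], ev["channel"], ev["event_id"],
                                INDICATORS[key], ev["message"]))
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"time": "2026-05-26T08:01:10", "channel": DEFENDER_LOG, "event_id": 1116,
     "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
    {"time": "2026-05-26T08:03:42", "channel": DEFENDER_LOG, "event_id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed."},
    {"time": "2026-05-26T08:03:55", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"time": "2026-05-26T08:04:20", "channel": "System", "event_id": 7034,
     "message": "The Microsoft Defender Antivirus Service service terminated unexpectedly.  It has done this 1 time(s)."},
    {"time": "2026-05-26T08:04:30", "channel": "System", "event_id": 7036,
     "message": "The Microsoft Defender Antivirus Service service entered the running state."},
    {"time": "2026-05-26T08:05:02", "channel": DEFENDER_LOG, "event_id": 5001,
     "message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time} {f.channel} {f.event_id}: {f.reason} ({f.message})")
```

      On a live host the same records can be pulled with Get-WinEvent for the two channels and fed to triage() after converting each record to the dict shape above; a 7034 for the Defender service followed by a 5001 is the sequence worth escalating, since it means protection was down rather than merely restarted.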

      Posted in Cyber Security News by NCSA_THAICERT
    • 🛑 Microsoft warns of attacks via ASP.NET Machine Key and ASP.NET Core

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring cyber threat news and found that Microsoft has issued prevention and remediation measures for a security vulnerability in ASP.NET Machine Key and ASP.NET Core [1]

      1. Vulnerability details
        Microsoft has issued a cyber security advisory about attacks targeting web applications built with ASP.NET and ASP.NET Core, tracked as CVE-2026-45585 (CVSS v3.1: 6.8) and also known as "YellowKey". Attackers were found to be able to use Machine Keys that have been exposed publicly, or to exploit a flaw in Cryptographic Signature Verification, to forge authentication data and escalate privileges on the system [2]

      Agencies can find further details at https://dg.th/wc6dv0xjog

      2. Affected systems
        • Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6, particularly systems running on Linux, macOS and other non-Windows systems

      3. Attack behaviour
        An attacker can use Machine Keys that have leaked or been published to craft forged ViewState that passes the ASP.NET integrity check. When the server processes that data, it decodes and executes malicious code in the memory of the IIS Web Server, allowing the attacker to control the system remotely (Remote Code Execution: RCE)

      4. Impact
        4.1 Takeover of the web server or critical business systems
        4.2 Access to sensitive or personal data, including modification of critical data in the system
        4.3 Forgery of sessions, cookies or password reset tokens
        4.4 Use of the compromised system as a foothold for attacks on other systems within the organisation
        4.5 Modification or deletion of critical organisational data

      5. Prevention and risk reduction
        5.1 Update Microsoft.AspNetCore.DataProtection to version 10.0.7 or the latest version immediately
        5.2 Check web.config files and IIS settings for statically configured Machine Keys
        5.3 Review systems retrospectively for traces of implanted Web Shells, the Godzilla Framework and the like

      6. Interim measures (if updating immediately is not possible)
        6.1 Rotate ASP.NET Machine Keys and Data Protection Keys immediately, generating new high-entropy keys and never using values copied from public sources or Git repositories
        6.2 Disable statically configured Machine Keys
        6.3 Restrict access to the system from outside
        6.4 Enable a Web Application Firewall (WAF)
        6.5 Temporarily disable unnecessary functions or services
        6.6 Enforce periodic resets of Sessions and Authentication Tokens
        References
        [1] https://dg.th/tfcokpxrz0
        [2] https://dg.th/wuarfe8z9j
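      As an added example (not from the ThaiCERT post or from Microsoft), the Python script below carries out the check in items 5.2 and 6.2: it parses a web.config, finds every machineKey element (including ones nested under location), reports statically configured validationKey and decryptionKey values, compares them against a list of keys the organisation knows to be public, flags keys that are too short for the configured algorithms, and warns if enableViewStateMac has been turned off. The two web.config documents and the LEAKED_KEY value are constructed samples; the expected key sizes are assumed from the .NET machineKey guidance; and KNOWN_PUBLIC_KEYS is a placeholder for an organisation's own list of exposed keys.

```python
"""Audit an ASP.NET web.config for static machineKey settings (advisory
items 5.2 and 6.2) and report what an operator should rotate or fix.

Added example: the two web.config documents are constructed samples, the
expected key sizes are assumed from the .NET machineKey guidance, and
KNOWN_PUBLIC_KEYS is a placeholder for an organisation's own list of keys
that have turned up in public repositories or documentation."""
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Hex characters expected for a 64-byte HMACSHA256 validationKey and a
# 32-byte AES decryptionKey (assumed sizes; shorter keys lose strength).
KEY_MIN_HEX = {"validationKey": 128, "decryptionKey": 64}

# Placeholder set; populate with keys known to be exposed.
KNOWN_PUBLIC_KEYS = frozenset()


def _is_auto_generated(value):
    # "AutoGenerate" or "AutoGenerate,IsolateApps" means no static key.
    return value is None or value.strip().upper().startswith("AUTOGENERATE")


def audit_web_config(xml_text, known_public_keys=KNOWN_PUBLIC_KEYS):
    """Return a list of findings; an empty list means no static-key issue."""
    findings = []
    root = ET.fromstring(xml_text)
    # machineKey can sit under <system.web> directly or inside <location>,
    # so walk the whole tree rather than one fixed path.
    for mk in root.iter("machineKey"):
        for attr, min_hex in KEY_MIN_HEX.items():
            value = mk.get(attr)
            if _is_auto_generated(value):
                continue
            value = value.strip()
            findings.append(f"static {attr} configured")
            if value in known_public_keys:
                findings.append(f"{attr} matches a known public key")
            elif not HEX_RE.match(value) or len(value) < min_hex:
                findings.append(f"{attr} is shorter than {min_hex} hex chars or not hex")
    # A disabled ViewState MAC removes the integrity check that a forged
    # ViewState would otherwise have to pass.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").strip().lower() == "false":
            findings.append("enableViewStateMac is disabled")
    return findings


# Constructed samples. LEAKED_KEY stands in for a key that has been published.
LEAKED_KEY = "0123456789ABCDEF" * 8          # 128 hex chars, but public
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="%s"
                decryptionKey="ABCDEF0123456789ABCDEF0123456789"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""" % LEAKED_KEY

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK_CONFIG, {LEAKED_KEY}))
    print("hardened:", audit_web_config(HARDENED_CONFIG))
```

      AutoGenerate,IsolateApps is only suitable for a single server, because the key changes whenever the application pool restarts; a web farm needs one shared key that is generated fresh, kept out of source control and rotated as described in item 6.1, and the script still reports it as static so that the operator knows which value to rotate.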

      Posted in Cyber Security News by NCSA_THAICERT