NCSA Webboard

    Posts created by NCSA_THAICERT

    • 🚨Urgent!!!! Vulnerabilities found in Ivanti Endpoint Manager Mobile (EPMM)🚨

      While monitoring cyber threat news, ThaiCERT found reports of two vulnerabilities, CVE-2026-1281 and CVE-2026-1340 (CVSS v3.1: 9.8), in Ivanti Endpoint Manager Mobile (EPMM). An attacker can exploit them remotely from outside the network without authentication.

      1. Incident details
        • The vendor disclosed CVE-2026-1281 and CVE-2026-1340, which affect Ivanti Endpoint Manager Mobile, an enterprise mobile device management solution.
        • Both vulnerabilities are classified as Code Injection / Remote Code Execution (RCE): an attacker can run malicious code on the target system without authentication.

      2. Affected versions
        • EPMM 12.5.x, 12.6.x, or 12.7.x

      3. Attack behaviour
        • The attacker sends HTTP/HTTPS requests and executes commands on the EPMM system
        • Automated scanning or botnets are used to select targets
        • After a successful attack, the attacker may install web shells or backdoors, download malware, or perform reconnaissance inside the system
        • Attacks are currently ongoing, in the form of automated scanning and payload delivery against EPMM servers

      4. Prevention and risk reduction
        4.1 Update the system and strictly follow the vendor's guidance
        4.2 Control network access: restrict access to the EPMM management interface to the internal network or VPN only, or use network segmentation to separate the MDM system from the main network and high-value systems
        4.3 Threat detection and response: for example, use WAF/IDS/IPS tools to detect and block abnormal behaviour, and review system logs regularly for suspicious HTTP activity

      5. Temporary measures (if updating is not immediately possible)
        5.1 Disable public access
        5.2 Restrict access to trusted IP addresses only
        5.3 Tune the WAF and IPS
        5.4 Check for IoCs; if a system may have been compromised, isolate it from the network immediately to limit the impact

      6. References
        6.1 https://dg.th/x5fpbrcikt
        6.2 https://dg.th/z35rkhilp6
        6.3 https://dg.th/1a8kb4hnxu

      Organisations running Ivanti EPMM that have not yet patched are advised to remediate as a matter of utmost urgency.


      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 20 February 2026

      Financial Sector

      • January 2026 Security Issues In Korean & Global Financial Sector
        "This report comprehensively addresses actual cyber threats and related security issues that have occurred in domestic and international financial sector companies. It includes an analysis of malware and phishing cases disseminated targeting the financial sector, presents the top 10 major malware aimed at the financial sector, and provides statistics on industries of domestic accounts leaked via Telegram. It also details cases of phishing emails targeting the financial sector. Additionally, it analyzes major threats and cases related to finance that have occurred on the dark web, threats of credit card data leakage and actual cases, threats of database leaks in financial institutions and occurrences, ransomware intrusion threats targeting the financial sector and damage cases caused by infections, and various cyber attack threats against financial institutions along with actual damage cases."
        https://asec.ahnlab.com/en/92626/
      • FBI: More Than 700 ATM Jackpotting Incidents With Losses Over $20 Million Occurred In 2025
        "Criminals are increasingly using malware to steal money out of ATMs, with hundreds of incidents taking place in 2025 alone. In a flash alert on Thursday, the FBI said it has tracked more than 1,900 ATM jackpotting incidents since 2020 and over 700 in 2025 that involved more than $20 million in losses. FBI officials explained that criminals are now taking advantage of physical and software vulnerabilities that allow them to deploy malware on ATMs and dispense cash without transactions."
        https://therecord.media/fbi-atm-jackpotting-2025-report
        https://www.ic3.gov/CSA/2026/260219.pdf
        https://www.theregister.com/2026/02/19/crims_atm_jackpotting/

      Industrial Sector

      • ICS Cybersecurity In 2026: Vulnerabilities And The Path Forward
        "CISA/ICS-CERT has been the authoritative source about vulnerabilities in operational technology/industrial control systems (OT/ICS) since they started the ICS Advisory (ICSA) program in 2010. Between March 2010 and January 31, 2026, CISA/ICS-CERT published 3,637 ICS advisories about 12,174 vulnerabilities affecting 2,783 products from 689 vendors. One hundred seventy eight (178) of these advisories were dedicated to medical devices — nearly 5 %. However, there is a growing number of vulnerabilities on critical devices that are not tracked with associated ICSAs which may leave asset owners and network administrators with blind spots on their networks."
        https://www.forescout.com/blog/ics-cybersecurity-in-2026-vulnerabilities-and-the-path-forward/
        https://www.infosecurity-magazine.com/news/industrial-control-system-vulns/
      • Cyberattacks On Automobile Manufacturers, Taxi Fleets, And Logistics Providers: The Risks To Automotive Infrastructure In 2026
        "Modern cars are complex digital devices with extensive remote communication capabilities that expand the vehicle’s attack surface. Attackers can target not only cars directly but also the systems to which they are connected. Kaspersky experts share a cyberthreat forecast for the automotive industry in 2026. In 2026, financially motivated attackers will continue to target the infrastructure of automobile manufacturers, which may result in production shutdowns or the theft of confidential data. There were several such incidents in 2025."
        https://ics-cert.kaspersky.com/publications/blog/2026/02/19/risks-for-the-automotive-industry-in-2026/

      Vulnerabilities

      • Microsoft Patches CVE-2026-26119 Privilege Escalation In Windows Admin Center
        "Microsoft has disclosed a now-patched security flaw in Windows Admin Center that could allow an attacker to escalate their privileges. Windows Admin Center is a locally deployed, browser-based management tool set that lets users manage their Windows Clients, Servers, and Clusters without the need for connecting to the cloud. The high-severity vulnerability, tracked as CVE-2026-26119, carries a CVSS score of 8.8 out of a maximum of 10.0"
        https://thehackernews.com/2026/02/microsoft-patches-cve-2026-26119.html
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26119
        https://www.helpnetsecurity.com/2026/02/19/windows-admin-center-cve-2026-26119/
      • How AI SAST Traced Data Flows To Uncover Six OpenClaw Vulnerabilities
        "In our previous post, we discussed how Endor Labs' AI SAST engine successfully identified seven exploitable vulnerabilities in OpenClaw through systematic analysis and validation. Now that OpenClaw has published patches and security advisories, we can share the technical details of how agentic data flow analysis uncovered these issues and enabled proof-of-concept development. This post examines six disclosed vulnerabilities, walking through how the AI SAST engine traced data paths from user-controlled sources to dangerous sinks and how we validated each finding with working exploits."
        https://www.endorlabs.com/learn/how-ai-sast-traced-data-flows-to-uncover-six-openclaw-vulnerabilities
        https://www.infosecurity-magazine.com/news/researchers-six-new-openclaw/

      Malware

      • German Rail Giant Deutsche Bahn Hit By Large-Scale DDoS Attack
        "Deutsche Bahn, Germany’s national rail operator, has been dealing with a large-scale distributed denial-of-service (DDoS) attack that has disrupted some of its IT systems. Regular status updates from Deutsche Bahn indicated that the attack began on February 17 and continued into February 18. According to the rail giant, the attack came in waves and its scale is substantial. The DDoS attack disrupted Deutsche Bahn’s information and ticketing systems, including its websites and the DB Navigator app."
        https://www.securityweek.com/german-rail-giant-deutsche-bahn-hit-by-large-scale-ddos-attack/
        https://www.theregister.com/2026/02/18/deutsche_bahn_ddos/
        https://securityaffairs.com/188254/breaking-news/germanys-national-rail-operator-deutsche-bahn-hit-by-a-ddos-attack.html
      • PromptSpy Ushers In The Era Of Android Threats Using GenAI
        "ESET researchers uncovered the first known case of Android malware abusing generative AI for context-aware user interface manipulation. While machine learning has been used to similar ends already – just recently, researchers at Dr.WEB found Android.Phantom, which uses TensorFlow machine learning models to analyze advertisement screenshots and automatically click on detected elements for large scale ad fraud – this is the first time we have seen generative AI deployed in this manner. Because the attackers rely on prompting an AI model (in this instance, Google’s Gemini) to guide malicious UI manipulation, we have named this family PromptSpy. This is the second AI powered malware we have discovered – following PromptLock in August 2025, the first known case of AI-driven ransomware."
        https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
        https://www.bleepingcomputer.com/news/security/promptspy-is-the-first-known-android-malware-to-use-generative-ai-at-runtime/
        https://thehackernews.com/2026/02/promptspy-android-malware-abuses-google.html
        https://www.theregister.com/2026/02/19/genai_malware_android/
        https://www.helpnetsecurity.com/2026/02/19/promptspy-android-malware-generative-ai/
      • Hackers Target Microsoft Entra Accounts In Device Code Vishing Attacks
        "Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes."
        https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/
      • Massiv: When Your IPTV App Terminates Your Savings
        "Modern mobile threat landscape offers multiple malware families used by lots of single threat actors or organised criminal groups. They are constantly on the lookout for the ways to deliver the Trojans to the victims in the most natural, smooth and unsuspicious way. A modern Android banking Trojan, which is usually distributed through side-loading, must convincingly masquerade as a legitimate application so that it does not raise suspicion and persuades victims to proceed with the installation."
        https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings
        https://thehackernews.com/2026/02/fake-iptv-apps-spread-massiv-android.html
        https://www.bleepingcomputer.com/news/security/new-massiv-android-banking-malware-poses-as-an-iptv-app/
        https://www.bankinfosecurity.com/massiv-attack-android-trojan-targets-iptv-users-a-30794
      • Brand Trust As a Weapon: Multi-Brand Impersonation Campaigns Deliver JWrapper Malware
        "In recent threat campaigns, attackers have begun abusing the trust placed in DocuSign, a widely used electronic signature platform, to deliver JWrapper-packaged malware. By impersonating DocuSign and SimpleHelp communications and embedding malicious executables within seemingly legitimate documents or download links, threat actors trick users into executing harmful payloads."
        https://cofense.com/blog/brand-trust-as-a-weapon-multi-brand-impersonation-campaigns-deliver-jwrapper-malware
      • Supply Chain Attack Targeting Cline Installs OpenClaw
        "Our software supply chain security feed detected a compromised release of the popular AI assistant Cline. It was first reported by Adnan Khan and is tracked as GHSA-9ppg-jx86-fqw7. Version 2.3.0 of the Cline CLI npm package uses a post-install hook to automatically install OpenClaw on the same machine. The malicious version has been flagged in the meantime, but the tarball and metadata are still available at the time of writing. As visible from the metadata, the attacker supposedly got hold of a long-lived token to publish the malicious version, thereby bypassing the trusted publication process established by the Cline maintainers."
        https://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw
        https://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users
      • Starkiller: New Phishing Framework Proxies Real Login Pages To Bypass MFA
        "Most phishing kits rely on static HTML clones of login pages. While effective, they’re inherently fragile: even minor interface updates from the impersonated brand can immediately reveal the deception. A new framework called Starkiller (not to be confused with the legitimate BC Security red team tool of the same name) takes a different approach. Sold openly as a commercial-grade cybercrime platform by a threat group calling itself Jinkusu, Starkiller is distributed like a SaaS product. It launches a headless Chrome instance—a browser that operates without a visible window—inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site."
        https://abnormal.ai/blog/starkiller-phishing-kit
        https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa
        https://www.infosecurity-magazine.com/news/starkiller-phishing-kit-bypasses/
      • Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
        "The fraud campaign involving fake Coretax apps represents a sophisticated, industrialized threat targeting Indonesia’s digital public infrastructure. Initiated in July 2025 and experiencing a significant escalation in January 2026 — timed to coincide with the national tax season — the campaign leverages the impersonation of the official Coretax web platform to facilitate large-scale financial fraud. The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution."
        https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
      • Remcos RAT Expands Real-Time Surveillance Capabilities
        "A newly observed variant of Remcos RAT has introduced real-time surveillance features and stronger evasion techniques, marking a shift in how the malware operates on compromised Windows systems. The updated strain no longer relies primarily on storing stolen data locally. Instead, it establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The latest build can stream webcam footage in real time and transmit captured keystrokes instantly, reducing forensic traces left on infected machines."
        https://www.infosecurity-magazine.com/news/remcos-rat-expands-real-time/
      • (Don't) TrustConnect: It's a RAT In An RMM Hat
        "RMM tools continue to be many attackers’ top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that — legitimate. It’s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.) But at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created a malware masquerading as an RMM called “TrustConnect Agent.”"
        https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat
        https://www.theregister.com/2026/02/19/rmm_rat_trustconnect/
      • Arkanix Stealer: a C++ & Python Infostealer
        "In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed “Arkanix Stealer” by its authors. It operated under a MaaS (malware-as-a-service) model, providing users not only with the implant but also with access to a control panel featuring configurable payloads and statistics. The set of implants included a publicly available browser post-exploitation tool known as ChromElevator, which was delivered by a native C++ version of the stealer. This version featured a wide range of capabilities, from collecting system information to stealing cryptocurrency wallet data. Alongside that, we have also discovered a Python implementation of the stealer capable of dynamically modifying its configuration. The Python version was often packed, thus giving the adversary multiple methods for distributing their malware. It is also worth noting that Arkanix was rather a one-shot malicious campaign: at the time of writing this article, the affiliate program appears to be already taken down."
        https://securelist.com/arkanix-stealer/119006/
      • VShell And SparkRAT Observed In Exploitation Of BeyondTrust Critical Vulnerability (CVE-2026-1731)
        "On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption."
        https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/
      • Dark Web Profile: Sinobi Ransomware
        "Sinobi Ransomware is a cybercrime operation that emerged in mid-2025, operating as a Ransomware-as-a-Service model. It is believed that the group is a rebrand or direct successor of the Lynx Ransomware group, which itself evolved from the INC Ransomware family. The group calls itself Sinobi, which closely resembles Shinobi (ninja), a term that appears across video games, film, music, comics, and entertainment, most notably in Sega’s long running Shinobi game series and other media titles."
        https://socradar.io/blog/dark-web-profile-sinobi-ransomware/
      • GrayCharlie Hijacks Law Firm Sites In Suspected Supply-Chain Attack
        "Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations."
        https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack
        https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0218.pdf
      • Uncovering The Sophisticated Phishing Campaign Bypassing M365 MFA
        "KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA). The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attack-supplied device code. This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data."
        https://blog.knowbe4.com/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

      Breaches/Hacks/Leaks

      • Univ. Of Mississippi Medical Center Dealing With Cyberattack
        "The University of Mississippi Medical Center on Thursday said a ransomware attack has triggered its emergency operations plan and forced its hospitals to cancel all clinic and elective procedures at all locations statewide. The FBI is investigating the incident. "It's too early for us to communicate what we do and don't know, but we are in the process of surging resources both locally and nationally into this incident," said Robert Eikhoff, FBI special agent in charge for Mississippi at a press conference held by the medical center Thursday afternoon, according to a local media outlet."
        https://www.bankinfosecurity.com/univ-mississippi-medical-center-dealing-cyberattack-a-30808
      • Abu Dhabi Finance Week Exposed VIP Passport Details
        "Organizers of one of the Middle East's biggest business and investment summits appear to have inadvertently exposed passport details and other identity information of some 700 attendees, including former British Prime Minister David Cameron and former White House communications director Anthony Scaramucci. An independent security researcher found the sensitive data sitting unprotected on a cloud storage system associated with Abu Dhabi Finance Week (ADFW), according to London's Financial Times, the first to report on the incident. The researcher, whom the Financial Times identified as Roni Suchowski, apparently discovered the data using off-the-shelf software for scanning cloud services for unsecured and publicly accessible data."
        https://www.darkreading.com/cyber-risk/abu-dhabi-finance-week-leaked-vip-passport-details
      • Data Protection Failures On Moldovan Portals Leave Citizens At Risk
        "Breaches involving government entities may be politically motivated, such as the 2022 compromise of the Presidency of Moldova’s email server or the 2024 compromise of Moldova’s parliamentary email servers just days before the country’s presidential election. Other incidents may be due to human error or may be financially motivated. In Part 1, DataBreaches describes a data exposure vulnerability with Moldova’s job application portal. In Part 2, DataBreaches reports on a dark web listing of data allegedly hacked from Moldova’s energy compensation portal."
        https://databreaches.net/2026/02/19/data-protection-failures-on-moldovan-portals-exposed-citizens-to-risk/
        https://databreaches.net/2026/02/19/leaked-data-raises-questions-about-hackers-claims-and-moldovas-prior-denial/
      • Intimate Products Maker Tenga Spilled Customer Data
        "Tenga confirmed reports published by several outlets that the company notified customers of a data breach. The Japanese manufacturer of adult products appears to have fallen victim to a phishing attack targeting one of its employees. Tenga reportedly wrote in the data breach notification:"
        https://www.malwarebytes.com/blog/news/2026/02/intimate-products-producer-tenga-spilled-customer-data
      • Leading Japanese Semiconductor Supplier Responding To Ransomware Attack
        "Japanese semiconductor test equipment supplier Advantest said it is dealing with a ransomware attack that has impacted several company systems. The company said it detected unusual activity within its IT environment on Sunday and activated incident response protocols and isolated the impacted systems. “Preliminary findings appear to indicate that an unauthorized third party may have gained access to portions of the company’s network and deployed ransomware,” Advantest said."
        https://therecord.media/leading-japanese-semiconductor-supplier-ransomware
      • Ransomware Gang Threatens Cheyenne And Arapaho Tribes After Shutting Down Schools
        "The government of the Cheyenne and Arapaho Tribes is being extorted by cybercriminals after a ransomware attack shut down its schools and critical systems in January. The Rhysida ransomware gang took credit for the attack this week and demanded 10 bitcoin, or about $660,000, in exchange for not leaking information stolen from the systems of the Cheyenne and Arapaho Tribes, a federally recognized government headquartered in Concho, Oklahoma. Officials previously confirmed the ransomware attack in January."
        https://therecord.media/cheyenne-arapaho-ransomware-rhysida

      General News

      • January 2026 APT Group Trends Report
        "Sandworm attempted to destroy OT and IT equipment using DynoWiper after exploiting a vulnerable configuration of FortiGate, targeting at least 30 energy facilities, including wind and solar power plants in Poland, by the end of December 2025. They directly damaged RTUs, IEDs, and serial devices or manipulated settings to cause loss of remote control and operational disruption, and even conducted large-scale wiper deployment using GPO. This represents the most significant sabotage attack that has caused a substantial impact on the stability of the European power grid, making it the top priority threat group this month."
        https://asec.ahnlab.com/en/92627/
      • More Than 40% Of South Africans Were Scammed In 2025
        "Africans lose money to scammers nearly twice as often as people from other countries do, according to recent survey data, and the financial costs in countries like South Africa are serious. In October, the Global Anti-Scam Alliance (GASA) released its "Global State of Scams 2025 Report," based on quick online questionnaires taken by 46,000 adults in 42 countries. It found that during the preceding 12 months, 57% of citizens experienced some kind of scam and 23% of them lost money to one."
        https://www.darkreading.com/cybersecurity-analytics/south-africans-scammed-2025
      • Public Mobile Networks Are Being Weaponized For Combat Drone Operations
        "On June 1, 2025, Ukraine launched a coordinated drone strike on five airfields inside Russia, disabling or destroying aircraft. The attack involved more than 100 drones carrying explosive payloads and targeting aircraft on the ground. The drones used mobile networks to transmit telemetry, receive instructions, and send back images during the operation, highlighting the integration of civilian mobile networks into combat drone operations. Enea researchers examined the progression of that integration, how mobile-connected drones have been used in conflict, and what the trend signals for national infrastructure."
        https://www.helpnetsecurity.com/2026/02/19/enea-mobile-connected-drones-report/
      • Attackers Keep Finding The Same Gaps In Security Programs
        "Attackers keep getting in, often through the same predictable weak spots: identity systems, third-party access, and poorly secured perimeter devices. A new threat report from Barracuda based on Managed XDR telemetry from 2025 shows that many successful incidents still start with basic access and configuration failures, not advanced malware. The report draws on more than two trillion IT events, nearly 600,000 security alerts, and more than 300,000 protected assets monitored over the year. Barracuda’s SOC triaged around 53,000 high-severity threats through its SOAR platform."
        https://www.helpnetsecurity.com/2026/02/19/managed-xdr-threat-report-security-programs/
      • Major Operation In Africa Targeting Online Scams Nets 651 Arrests, Recovers USD 4.3 Million
        "Law enforcement agencies from 16 African countries have made 651 arrests and recovered more than USD 4.3 million in an international cybercrime operation against online scams. Operation Red Card 2.0 (8 December 2025 to 30 January 2026) targeted the infrastructure and actors behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications. During the eight-week operation, investigations exposed scams linked to over USD 45 million in financial losses and identified 1,247 victims, predominantly from the African continent but also from other regions of the world. Authorities also seized 2,341 devices and took down 1,442 malicious IPs, domains and servers, as well as other related infrastructure."
        https://www.interpol.int/News-and-Events/News/2026/Major-operation-in-Africa-targeting-online-scams-nets-651-arrests-recovers-USD-4.3-million
        https://www.fortinet.com/blog/industry-trends/interpol-operation-red-card-20-turning-collaboration-into-real-worl-cybercrime-disruption
        https://www.bleepingcomputer.com/news/security/police-arrests-651-suspects-in-african-cybercrime-crackdown/
        https://thehackernews.com/2026/02/interpol-operation-red-card-20-arrests.html
      • Connected And Compromised: When IoT Devices Turn Into Threats
        "The number of Internet of Things (IoT) devices operating in a home or office continues to balloon, but security awareness is lagging despite the considerable risks the technologies pose, from credential theft to network access. IoT security is a long-standing topic that evolves as an influx of devices emerges onto the landscape. Devices require internet connectivity, yet many lack sufficient passcode and encryption features and ship with insecure default settings, placing much of the responsibility on the user."
        https://www.darkreading.com/iot/connected-compromised-iot-devices-turn-threats
      • Threat Intelligence Has a Human-Shaped Blind Spot
        "Last weekend, someone used email bombing software to deluge my personal inbox with hundreds of mailing list subscriptions in less than an hour. The goal wasn't to overwhelm my inbox, it was to hide three specific messages. Buried at the bottom of the pile were three welcome emails from American Express for a credit card I didn't apply for. The scheme worked — briefly. By the time I noticed the Amex messages, they were 800 emails deep. Email bombing is certainly not a new technique for covering up the evidence of fraud, but what struck me was where else I'd seen it before. Deluge-by-email has been an online harassment tactic for years. It is a cheap way to make victims feel violated, powerless, and overwhelmed."
        https://www.darkreading.com/threat-intelligence/human-shaped-blind-spot
      • OpenClaw Security Issues Continue As SecureClaw Open Source Tool Debuts
        "OpenClaw is rarely out of the news, but not necessarily under that name. This ‘autonomous personal assistant’ started life as Clawdbot, changed its name to Moltbot, and is now OpenClaw. All references to any of these names refer to the same product. On February 14, 2026, Peter Steinberger – the developer of OpenClaw – announced he is joining OpenAI. OpenClaw is transitioning into the OpenClaw Foundation with OpenAI providing financial and technical support. The most continuous and consistent news, however, remains OpenClaw’s security failings."
        https://www.securityweek.com/openclaw-security-issues-continue-as-secureclaw-open-source-tool-debuts/
      • Have Your Say: NIST Seeks Feedback On Draft Cybersecurity Framework For Transit
        "Transit systems never stop moving, and neither do cyberthreats. The National Institute for Standards and Technology’s (NIST’s) newly released draft cybersecurity framework for transit agencies is open for public comment, and the people who run and secure these systems have a chance to help shape what comes next. Public transportation systems are increasingly attractive targets for cybercriminals. And the consequences of a successful attack can extend far beyond IT disruption. As transit agencies adopt more connected technologies, integrate operational technology (OT) with IT systems and rely on digital tools to manage daily operations, their attack surfaces continue to expand."
        https://blog.barracuda.com/2026/02/19/nist-feedback-cybersecurity-framework-transit
        https://www.nccoe.nist.gov/projects/transit-cybersecurity-framework-csf-community-profile

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber threat alert: Device Code Phishing attacks raise the risk of data leakage from Microsoft Entra accounts

      The National Computer Security Coordination Center (ThaiCERT) has detected and is tracking a new attack campaign that combines Device Code Phishing with Voice Phishing (Vishing) and targets Microsoft Entra accounts. The attack relies on Microsoft's genuine authentication flow to trick victims into signing in and completing authentication themselves, so that the attacker receives valid Access Tokens and Refresh Tokens without stealing the password or intercepting the MFA code. This creates a significant risk of data leakage, reputational damage and disruption to business continuity.

      1. Threat details
        A new attack pattern has been observed targeting Microsoft Entra accounts. It combines Device Code Phishing and Voice Phishing (Vishing) to trick users into completing authentication through Microsoft's genuine OAuth 2.0 Device Authorization Grant flow. As a result the attacker obtains valid Access Tokens and Refresh Tokens that can be used to access the organization's systems without stealing the password or intercepting the MFA code.

      News reports suggest that the ShinyHunters hacking group may be behind this attack. ShinyHunters has previously been linked to Vishing attacks aimed at compromising Okta and Microsoft Entra SSO accounts to steal data, reflecting a trend of combining social engineering with legitimate authentication flows to bypass traditional organizational defenses.

      2. Attack process overview
        2.1 The attacker uses the Client ID of a legitimate OAuth app (including Microsoft's own apps) to generate a device_code and user_code
        2.2 The attacker contacts the victim by phone (Vishing) or email to trick them into entering the code at microsoft[.]com/devicelogin
        2.3 The victim signs in and completes MFA as usual, which makes the process look trustworthy
        2.4 After authentication succeeds, the attacker exchanges the device_code for a Refresh Token and Access Token
        2.5 The attacker uses those tokens to access Microsoft Entra and SSO-linked SaaS apps to access or steal organizational data

      3. Affected products
        3.1 Microsoft Entra (formerly Azure AD)
        3.2 Microsoft 365
        3.3 SaaS applications connected via SSO within the tenant, such as Salesforce, Google Workspace, Dropbox, SAP, Slack, Zendesk, Atlassian, etc.
        3.4 Systems with the OAuth 2.0 Device Authorization Flow enabled

      4. Mitigation and risk prevention

      Although Microsoft has not yet published a report specifically on this Vishing/Device Code Phishing campaign, the following mitigations can be applied based on Microsoft's security guidance and Microsoft Entra protection recommendations:
      4.1 Enforce phishing-resistant authentication
      Require phishing-resistant authentication methods, such as FIDO2 security keys or passkeys, via Conditional Access, to reduce the risk of users being tricked into entering credentials even when they sign in on the genuine login page.
      4.2 Control and restrict OAuth application consent
      Define App Consent Policies that restrict application consent to apps reviewed or approved by administrators, and disable automatic user consent to third-party apps, to reduce the risk of Consent Phishing.
      4.3 Block or restrict the Device Code Flow via Conditional Access
      If the organization does not need the OAuth 2.0 Device Authorization Flow, disable it, or restrict it to trusted devices or networks only, to reduce the attack surface.
      4.4 Enforce Zero Trust Conditional Access policies
      Require that access to critical resources comes from managed/compliant devices, and apply risk-based policies, such as requiring additional MFA when anomalous behavior is detected.
      4.5 Revoke sign-in sessions and Refresh Tokens when risk is detected
      If suspicious behavior is detected, revoke the user's sign-in sessions or Refresh Tokens immediately, since a password change alone may not be sufficient if the attacker holds tokens that have not yet expired.
      4.6 Enable Entra ID Protection risk detection
      Use Identity Protection capabilities to detect risky sign-ins and configure automatic risk remediation, such as forcing a password change or additional MFA.

      5. Additional security recommendations
        5.1 Never enter a Device Code on the basis of instructions received by phone or email without verifying the source
        5.2 Train users to recognize Vishing and OAuth abuse attack patterns
        5.3 Enable alerts when a new OAuth application is added to the tenant
        5.4 Use Endpoint Detection and Response (EDR) and Cloud App Security to detect anomalous behavior
        5.5 Review access rights according to Least Privilege to limit the impact if an account is taken over

      6. References
        6.1 https://dg.th/w5cbgo4jke
        6.2 https://dg.th/cmayi3qrgn

      Posted in Cyber Security News
      NCSA_THAICERT
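As an added example, not from the ThaiCERT post or from Microsoft, the following Python script applies a detection heuristic for the flow described in item 2 to constructed Microsoft Entra sign-in records: it picks out successful sign-ins whose authenticationProtocol is deviceCode and flags those whose client IP lies outside the organization's trusted ranges or whose country differs from the user's ordinary interactive sign-ins. The sample records, trusted ranges and user names are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Microsoft Entra sign-in records (JSON lines), modelled on fields of
# the Graph signIn resource. Every value below is made up for this example.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-02-19T08:02:11Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"10.20.30.40","location":{"countryOrRegion":"TH"},"authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:05:47Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.17","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:06:02Z","userPrincipalName":"bob@example.test","appDisplayName":"Azure CLI","ipAddress":"10.20.31.7","location":{"countryOrRegion":"TH"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:09:30Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-19T08:10:05Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

# Hypothetical corporate address ranges used as the trusted-network allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

DEVICE_CODE = "deviceCode"


def parse_signin_log(text):
    """Parse JSON-lines sign-in records; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _in_trusted_network(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_risky_device_code_signins(records, trusted_nets):
    """Return successful deviceCode sign-ins that look out of place.

    Two heuristics: the client IP is outside the trusted ranges, or the sign-in
    country differs from every country seen in the user's other (non-device-code)
    successful sign-ins in the same batch.
    """
    # Countries seen in each user's ordinary successful sign-ins.
    usual_countries = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE and r["status"]["errorCode"] == 0:
            usual_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    flagged = []
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE:
            continue
        if r["status"]["errorCode"] != 0:
            continue  # failed redemption: no token was issued
        reasons = []
        if not _in_trusted_network(r["ipAddress"], trusted_nets):
            reasons.append("source IP outside trusted networks")
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        if usual_countries[upn] and country not in usual_countries[upn]:
            reasons.append("country differs from user's interactive sign-ins")
        if reasons:
            flagged.append({
                "userPrincipalName": upn,
                "createdDateTime": r["createdDateTime"],
                "appDisplayName": r["appDisplayName"],
                "ipAddress": r["ipAddress"],
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    hits = find_risky_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG), TRUSTED_NETWORKS)
    for h in hits:
        print(f"{h['createdDateTime']} {h['userPrincipalName']} via {h['appDisplayName']} "
              f"from {h['ipAddress']}: {'; '.join(h['reasons'])}")
```

A hit is a starting point for the response in item 4.5 (revoke the user's sessions and refresh tokens), not proof of compromise on its own.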
    • 🚨 Check now! Vulnerability in Grandstream GXP1600 VoIP phones puts devices at risk of takeover

      The National Computer Security Coordination Center (ThaiCERT) warns of a Critical security vulnerability in the Grandstream GXP1600 Series, a widely used VoIP phone, which could allow an attacker to take remote control of the device or eavesdrop on communications if appropriate protective measures are not taken.

      1. Vulnerability details
        The vulnerability, CVE-2026-2329, has a CVSS v4.0 score of 9.3 (Critical). It is a Stack-based Buffer Overflow in the device's Web-based API service, which is reachable over the network by default and performs insufficient input validation. An attacker can send specially crafted data that triggers a buffer overflow and achieves Remote Code Execution (RCE) without a password.

      2. Affected models and versions
        Affected models

      • GXP1610
      • GXP1615
      • GXP1620
      • GXP1625
      • GXP1628
      • GXP1630
        Affected versions: 1.0.7.79 and earlier
        Fixed version: 1.0.7.81
      3. Remediation and prevention
        3.1 Update the firmware to version 1.0.7.81 as soon as possible
        3.2 Restrict or disable access to the Web Management Interface from outside, or restrict it to trusted IP addresses only
        3.3 Separate the VoIP device network from the main network and do not connect it directly to the public Internet
        3.4 Change the Admin Password and SIP Password immediately after updating

      References

      1. https://dg.th/hliwc9vnsp
      2. https://dg.th/9bfprn5ylq
      3. https://dg.th/7kys39utop

      Organizations using these devices should check and update them as soon as possible to protect their internal communication systems.

      #CyberSecurity #ThaiCERT #CVE20262329 #VoIP #Grandstream #RCE

      Posted in Cyber Security News
      NCSA_THAICERT
    • Check now! Vulnerability in Honeywell CCTV cameras

      Check now! Vulnerability in Honeywell CCTV cameras: "Hackers can access the cameras without a password"

      The National Computer Security Coordination Center (ThaiCERT) warns of a cybersecurity threat involving a vulnerability in Honeywell CCTV cameras that could allow an attacker to take over accounts and gain immediate access to the cameras.

      1. Key vulnerability details
        CVE-2026-1670, with a CVSS v3.x score of 9.8, affects Honeywell CCTV products. The vulnerability could allow an attacker to bypass authentication (Authentication Bypass) and take control of the system without a password.

      2. Affected camera models
        2.1 I-HIB2PI-UL 2MP IP (เวอร์ชัน 6.1.22.1216)
        2.2 SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0
        2.3 PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0
        2.4 25M IPC WDR_2MP_32M_PTZ_v2.0

      3. Inspection and prevention guidance
        3.1 Check the firmware version and update (patch) to the latest version
        3.2 Restrict access from the Internet: avoid connecting CCTV cameras directly to the Internet; if remote viewing is required, use a highly secure VPN
        3.3 Configure the firewall to close unused ports and restrict access with an IP whitelist
        3.4 Review the configuration history and make sure the email used for password recovery is the organization's official address

      "ThaiCERT warns: don't let the eyes that watch for danger become a window for thieves to peek through"

      References
      1. https://dg.th/ztpo0uv7j9
      2. https://dg.th/asftpb1v65
      3. https://dg.th/1vhbtporg2

      #Honeywell #CCTV #CyberSecurity #Warning #กล้องวงจรปิด #เตือนภัยแฮกเกอร์

      With best regards,
      Office of the National Cyber Security Committee (NCSA) / ThaiCERT

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨Check now! CISA adds 4 actively exploited vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog

      ThaiCERT warns of active exploitation after CISA added 4 vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities have been confirmed as exploited in the wild. If patches are not applied promptly, they could lead to system takeover (RCE), upload of malicious files to execute commands on the server, unauthorized access to sensitive data, and installation of malware to expand across the network.

      1. Details of the related vulnerabilities
      1.1 CVE-2026-2441 (CVSS: 8.8) is a Use-after-free vulnerability in the CSS component of Google Chrome in versions before 145.0.7632.75, which could allow a remote attacker to execute code inside the sandbox via a specially crafted HTML page.
      1.2 CVE-2024-7694 (CVSS: 7.2) is an Unrestricted File Upload vulnerability in ThreatSonar Anti-Ransomware from TeamT5, which allows an attacker with administrator privileges on the platform to upload malicious files and execute commands on the server. Versions below 3.5.0 are affected.
      1.3 CVE-2020-7796 (CVSS: 9.8) is a vulnerability in Zimbra Collaboration Suite (ZCS) that could be used to make the server connect to, or retrieve data from, internal systems on the attacker's behalf, creating a risk of access to sensitive data, particularly when the WebEx zimlet is installed and the zimlet JSP is enabled, in versions before 8.8.15 Patch 7.
      1.4 CVE-2008-0015 (CVSS: 8.8) is an old vulnerability in the Microsoft Windows Video ActiveX Control that has been seen exploited again in the wild. It is a Stack-based Buffer Overflow that could allow an attacker to execute code remotely (RCE).

      2. Prevention and risk reduction
      2.1 Google Chrome: update to version 145.0.7632.75 or later and restart the browser after updating
      2.2 TeamT5 ThreatSonar: update to version 3.5.0 or later, restrict administrator privileges, and check for files or commands that were uploaded or executed abnormally
      2.3 Zimbra: upgrade to 8.8.15 Patch 7 or later; if not needed, disable the WebEx zimlet and the zimlet JSP to reduce the SSRF risk
      2.4 Old/legacy Windows: consider decommissioning or network isolation, reduce the use of ActiveX and legacy browsers, and restrict web browsing from such machines

      3. Additional recommendations
      3.1 Check whether any systems running Chrome, ThreatSonar, Zimbra or legacy Windows machines remain, so they can be remediated promptly
      3.2 Monitor logs for anomalies, such as SSRF requests to internal destinations (localhost/169.254.* or internal IP ranges), abnormal file uploads on ThreatSonar, and browser behavior that leads to file downloads or abnormal process execution
      3.3 Reduce the exposure of services to the Internet; restrict access to the email server management console with VPN, MFA and an allowlist, as far as necessary
      3.4 Apply the principle of Least Privilege to limit the damage if a system is compromised and reduce the chance of spreading to other systems in the organization

      4. References
      4.1 https://dg.th/my6du2f7br
      4.2 https://dg.th/o2vzcai3ux
      4.3 https://dg.th/wqd1z25byh
      4.4 https://dg.th/v2shz6fo9u
      4.5 https://dg.th/r2gt0c4akx
      4.6 https://dg.th/wd6tfb2kr9

      Posted in Cyber Security News
      NCSA_THAICERT
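As an added example that is not part of the ThaiCERT post or any vendor tooling, the following Python script implements the log monitoring suggested in item 3.2: it scans constructed access-log lines for a hypothetical `/fetch?url=` endpoint that retrieves URLs on the caller's behalf and flags requests whose target is loopback, link-local (169.254.*), private or localhost. The endpoint name, log format and all values are assumptions; it also handles IPv6 loopback and IPv4-mapped IPv6 literals, which go beyond the cases named in the post.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed web-server access log for a hypothetical "/fetch?url=" endpoint that
# retrieves a URL on behalf of the caller. Every value is made up for this example.
SAMPLE_ACCESS_LOG = """
2026-02-19T09:01:02Z 203.0.113.5 GET /fetch?url=https://www.example.test/report.pdf 200
2026-02-19T09:01:09Z 203.0.113.5 GET /fetch?url=http://169.254.169.254/latest/meta-data/ 200
2026-02-19T09:01:15Z 203.0.113.5 GET /fetch?url=http://localhost:7071/admin/ 403
2026-02-19T09:01:20Z 198.51.100.8 GET /fetch?url=http://10.0.0.12:8080/ 200
2026-02-19T09:01:31Z 198.51.100.8 GET /fetch?url=http://[::1]/ 200
2026-02-19T09:02:00Z 192.0.2.44 GET /fetch?url=https://cdn.example.test/logo.png 200
"""

# timestamp, client address, method, request path, HTTP status
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$")


def internal_destination(url):
    """Return why a URL points at an internal host, or None if it looks external.

    Only literal hosts are classified; a DNS name that merely resolves to an
    internal address would need a lookup at the resolver the server itself uses.
    """
    host = urlparse(url).hostname
    if host is None:
        return None
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; not classified here
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged by its embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:  # 169.254.0.0/16, which also covers cloud metadata endpoints
        return "link-local"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_private:  # RFC 1918 and other non-routable ranges
        return "private"
    return None


def scan_access_log(text):
    """Flag requests whose url= parameter targets an internal destination."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        targets = parse_qs(urlparse(m["path"]).query).get("url", [])
        for target in targets:
            reason = internal_destination(target)
            if reason:
                hits.append({
                    "timestamp": m["ts"],
                    "client": m["client"],
                    "target": target,
                    "status": int(m["status"]),
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{h['timestamp']} {h['client']} -> {h['target']} [{h['status']}] ({h['reason']})")
```

A request that was refused (status 403 in the sample) is still worth flagging, since it shows someone probing the internal endpoint.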
    • Cyber Threat Intelligence 19 February 2026

      Industrial Sector

      • Honeywell CCTV Products
        "Successful exploitation of this vulnerability could lead to account takeovers and unauthorized access to camera feeds; an unauthenticated attacker may change the recovery email address, potentially leading to further network compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04
        https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/
      • GE Vernova Enervista UR Setup
        "Successful exploitation of these vulnerabilities may allow code execution with elevated privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-03
      • Delta Electronics ASDA-Soft
        "Successful exploitation of this vulnerability may allow an attacker to write arbitrary data beyond the bounds of a stack-allocated buffer, leading to the corruption of a structured exception handler (SEH)."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-02
      • Siemens Simcenter Femap And Nastran
        "Siemens Simcenter Femap and Nastran is affected by multiple file parsing vulnerabilities that could be triggered when the application reads files in NDB and XDB formats. If a user is tricked to open a malicious file with any of the affected products, this could lead the application to crash or potentially lead to arbitrary code execution. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-01

      New Tooling

      • SecureClaw: Dual Stack Open-Source Security Plugin And Skill For OpenClaw
        "AI agent frameworks are being used to automate work that involves tools, files, and external services. That type of automation creates security questions around what an agent can access, what it can change, and how teams can detect risky behavior. SecureClaw is an open-source project that adds security auditing and rule-based controls to OpenClaw agent environments. The tool is published by Adversa AI and is designed to work with OpenClaw and related agents such as Moltbot and Clawdbot."
        https://www.helpnetsecurity.com/2026/02/18/secureclaw-open-source-security-plugin-skill-openclaw/
        https://github.com/adversa-ai/secureclaw

      Vulnerabilities

      • From PDF To Pwn: Scalable 0day Discovery In PDF Engines And Services Using Multi-Agent LLMs
        "When preparing to emerge from stealth, we sought to demonstrate the efficacy of our research workflow by targeting Apryse WebViewer (formerly PDFTron) and Foxit PDF cloud services. These platforms are widely deployed, feature-rich, and combine client-side UI logic with complex server-side SDKs, making them an ideal proving ground for vulnerability research. Our strategy involved a human-agent symbiosis: our researchers manually identified foundational vulnerability patterns, which were then taught to the Novee agent. Once the agent internalized the “scent” of these bugs, it autonomously explored the massive attack surface of both vendors. The result was the discovery of 13 distinct vulnerability categories, ranging from critical XSS to OS Command Injection."
        https://novee.security/blog/from-pdf-to-pwn-scalable-0day-discovery-in-pdf-engines-and-services-using-multi-agent-llms-2/
        https://www.securityweek.com/vulnerabilities-in-popular-pdf-platforms-allowed-account-takeover-data-exfiltration/
      • CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow In Grandstream GXP1600 VoIP Phones (FIXED)
        "Rapid7 Labs conducted a zero-day research project against the Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329. A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. A vendor supplied firmware update, version 1.0.7.81, is available to fully remediate CVE-2026-2329. The vulnerability is present in the device's web-based API service, and is accessible in a default configuration. As all models in the GXP1600 series share a common firmware image, the vulnerability affects all six models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. CVE-2026-2329 has a CVSSv4 score of 9.3 (Critical), and a Common Weakness Enumeration (CWE) of CWE-121: Stack-based Buffer Overflow."
        https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/
        https://www.darkreading.com/threat-intelligence/grandstream-bug-voip-security-blind-spot
        https://thehackernews.com/2026/02/grandstream-gxp1600-voip-phones-exposed.html
      • Four Vulnerabilities Expose a Massive Security Blind Spot In IDE Extensions
        "IDEs are the weakest link in an organization’s supply chain security, and extensions are often a blind spot for security teams. Developers store their most sensitive information – business logic, API keys, database configurations, environment variables, and sometimes even customer data – on their local file systems, all accessible through the IDE. The OX Security Research team found vulnerabilities in four popular VS Code extensions (later confirmed on Cursor and Windsurf). Three were assigned CVEs – CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717 – totaling over 120 million downloads and posing a significant threat to developers worldwide."
        https://www.ox.security/blog/four-vulnerabilities-expose-a-massive-security-blind-spot-in-ide-extensions/
        https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html
        https://securityaffairs.com/188185/security/vs-code-extensions-with-125m-installs-expose-users-to-cyberattacks.html
      • Notepad++ Fixes Hijacked Update Mechanism Used To Deliver Targeted Malware
        "Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest. The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design that aims to make the update process "robust and effectively unexploitable." This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org."
        https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html
        https://www.bleepingcomputer.com/news/security/notepad-plus-plus-boosts-update-security-with-double-lock-mechanism/
        https://securityaffairs.com/188192/hacking/notepad-patches-flaw-used-to-hijack-update-system.html
        https://www.theregister.com/2026/02/18/notepadplusplus_security_update/
        https://www.helpnetsecurity.com/2026/02/18/notepad-secure-update-download/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
        CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://therecord.media/fed-agencies-ordered-to-patch-dell-bug-after-exploitation-warning
      • Firebase Misconfiguration Exposes 300M Messages From Chat & Ask AI Users
        "A massive security failure has put the private conversations of millions at risk after an unprotected database was left accessible online. Discovered by an independent researcher, the leak exposed roughly 300 million messages from more than 25 million users of Chat & Ask AI, a popular app with over 50 million downloads across the Google Play and Apple App Stores. The app is owned by Codeway, a Turkish technology firm founded in Istanbul in 2020, and acts as a ‘wrapper’, allowing a single gateway for users to interact with famous AI models like OpenAI’s ChatGPT, Google’s Gemini, and Anthropic’s Claude. Because it serves as a gateway to multiple systems, a single technical slip-up can have a massive impact on the privacy of its global user base."
        https://hackread.com/firebase-misconfiguration-chat-ask-ai-users-expose/
      • Microsoft Says Bug Causes Copilot To Summarize Confidential Emails
        "Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information. According to a service alert seen by BleepingComputer, this bug (tracked under CW1226324 and first detected on January 21) affects the Copilot "work tab" chat feature, which incorrectly reads and summarizes emails stored in users' Sent Items and Drafts folders, including messages that carry confidentiality labels explicitly designed to restrict access by automated tools."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/

      Malware

      • Telegram Channels Expose Rapid Weaponization Of SmarterMail Flaws
        "Flare researchers monitoring underground Telegram channels and cybercrime forums have observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials related to recently disclosed SmarterMail vulnerabilities, providing insight into how quickly attackers weaponize new security flaws. The activity occurred within days of the vulnerabilities being disclosed, with threat actors sharing and selling exploit code and compromised access tied to CVE-2026-24423 and CVE-2026-23760, critical flaws that enable remote code execution and authentication bypass on exposed email servers."
        https://www.bleepingcomputer.com/news/security/telegram-channels-expose-rapid-weaponization-of-smartermail-flaws/
      • Scammers Use Fake “Gemini” AI Chatbot To Sell Fake “Google Coin”
        "Scammers have found a new use for AI: creating custom chatbots posing as real AI assistants to pressure victims into buying worthless cryptocurrencies. We recently came across a live “Google Coin” presale site featuring a chatbot that claimed to be Google’s Gemini AI assistant. The bot guided visitors through a polished sales pitch, answered their questions about investment, projecting returns, and ultimately ended with victims sending an irreversible crypto payment to the scammers."
        https://www.malwarebytes.com/blog/ai/2026/02/scammers-use-fake-gemini-ai-chatbot-to-sell-fake-google-coin
        https://www.darkreading.com/endpoint-security/scam-abuses-gemini-chatbots-convince-people-buy-fake-crypto
      • Technical Deep Dive: The Monero Mining Campaign
        "In the contemporary threat landscape, while ransomware grabs headlines with high-impact disruptions, cryptojacking operations have quietly evolved into sophisticated, persistent threats. This report details a comprehensive forensic analysis of a recently identified cryptocurrency mining campaign. This operation distinguishes itself not merely by its payload but by its high level of technical integration and redundant persistence mechanisms."
        https://www.trellix.com/blogs/research/technical-deep-dive-the-monero-mining-campaign/
        https://www.infosecurity-magazine.com/news/cryptojacking-driver-boost-monero/
      • Job Scam Uses Fake Google Forms Site To Harvest Google Logins
        "As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this: https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo= The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com. The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password)."
        https://www.malwarebytes.com/blog/scams/2026/02/job-scam-uses-fake-google-forms-site-to-harvest-google-logins
      • Journalism Under Attack: Predator Spyware In Angola
        "A new investigation by Amnesty International’s Security Lab has discovered evidence that the Predator spyware was used in 2024 to target Teixeira Cândido – an Angolan journalist, jurist, press freedom activist, and former Secretary-General of the Syndicate of Angolan Journalists (Sindicato dos Journalists Angolanos). This is the first forensically confirmed case of the Predator spyware being used to target civil society in Angola."
        https://securitylab.amnesty.org/latest/2026/02/journalism-under-attack-predator-spyware-in-angola/
        https://therecord.media/predator-spyware-used-to-infect-phone-angola-journalist
      • The Booking.com Phishing Campaign Targeting Hotels And Customers
        "Since the start of January, we have observed a resurgence in malicious activity targeting the hotel and retail sector. The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order. The threat actor(s) utilise impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim respectively."
        https://www.bridewell.com/insights/blogs/detail/the-booking.com-phishing-campaign-targeting-hotels-and-customers

      Breaches/Hacks/Leaks

      • French Ministry Confirms Data Access To 1.2 Million Bank Accounts
        "A hacker gained access to data from 1.2 million French bank accounts using stolen credentials belonging to a government official, according to the French Economy Ministry. French authorities said affected account holders will be notified in the coming days. “The French Economy Ministry said on Wednesday, February 18, that a hacker gained access to a national bank account database and consulted information on 1.2 million accounts.” reports French daily newspaper LeMonde. “Since the end of January, the hacker used the stolen credentials of an official to access and consult “parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner’s tax number,” the ministry said in a statement.”"
        https://securityaffairs.com/188200/hacking/french-ministry-confirms-data-access-to-1-2-million-bank-accounts.html
      • Adidas Investigates Third-Party Data Breach After Criminals Claim They Pwned The Sportswear Giant
        "Adidas has confirmed it is investigating a third-party breach at one of its partner companies after digital thieves claimed they stole information and technical data from the German sportswear giant. "We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products," an Adidas spokesperson told The Register. "This is an independent company with its own IT systems.""
        https://www.theregister.com/2026/02/18/adidas_investigates_thirdparty_data_breach/
      • ShinyHunters Allegedly Drove Off With 1.7M CarGurus Records
        "CarGurus allegedly suffered a data breach with 1.7 million corporate records stolen, according to a notorious cybercrime crew that posted the online vehicle marketplace on its leak site on Wednesday. "This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way," ShinyHunters wrote in its announcement, seen by The Register and shared on social media. The digital crooks claimed the compromised files included personally identifiable information and "other internal corporate data.""
        https://www.theregister.com/2026/02/18/shinyhunters_cargurus_breach/

      General News

      • The UK’s Cyber Threat Has Changed. Most Organizations Haven’t.
        "For years, ransomware shaped how UK organizations thought about cyber risk. In 2025, that assumption quietly broke. The UK became the most targeted country in Europe, accounting for 16% of all recorded attacks across the region. But volume alone doesn’t explain what changed. The real shift was intent. Attackers didn’t just increase activity; they changed tactics. Disruption overtook monetization. Organizations that spent years preparing for one dominant threat model found themselves exposed to another."
        https://blog.checkpoint.com/research/the-uks-cyber-threat-has-changed-most-organizations-havent/
      • The Defense Industrial Base Is a Prime Target For Cyber Disruption
        "Cyber threats against the defense industrial base (DIB) are intensifying, with adversaries shifting from traditional espionage toward operations designed to disrupt production capacity and compromise supply chains. In this Help Net Security interview, Luke McNamara, Deputy Chief Analyst, Google Threat Intelligence Group, explains how attackers target the broader defense ecosystem and why identity has become the new security boundary."
        https://www.helpnetsecurity.com/2026/02/18/luke-mcnamara-google-dib-defense-industrial-base-cybersecurity/
      • Everyone Uses Open Source, But Patching Still Moves Too Slowly
        "Enterprise security teams rely on open source across infrastructure, development pipelines, and production applications, even when they do not track it as a separate category of technology. Open source has become a default building block in many environments, and the operational risks now look like standard enterprise security problems: patch delays, version sprawl, and aging platforms that stay online longer than planned. TuxCare’s 2026 Open Source Landscape Report describes an open source footprint that continues to expand through developer-led adoption, with security incidents still closely tied to unpatched vulnerabilities."
        https://www.helpnetsecurity.com/2026/02/18/open-source-adoption-patching-challenges/
      • 'Promptware' Attacks Await An Unprepared AI Industry
        "The large language model industry has mostly treated prompt injection attacks as a risk analogous to traditional web server prompt injection attacks. Researchers now say the industry has been solving the wrong problem. Prompt injection, or feeding rogue instructions to an artificial intelligence system, merits its own classification as "promptware" - malware that uses a large language model as its own execution engine, say researchers in a paper co-authored by researchers at Tel Aviv University, Ben-Gurion University of the Negev and Harvard University."
        https://www.bankinfosecurity.com/promptware-attacks-await-unprepared-ai-industry-a-30785
        https://arxiv.org/pdf/2601.09625v2
      • Hackers Increasingly Prefer Fast And Low-Complexity Attacks
        "There's no need to invest into sophisticated hacking operations when moving fast and exploiting well-trod techniques gives threat actors all the access they want. Across a range of different types of attacks, "threat actors are increasingly prioritizing accessible and low-complexity entry points, rather than investing in sophisticated exploits," says a new report from cybersecurity firm Arctic Wolf. Unsurprisingly, phishing is a regular standby. The vast majority of business email compromise attacks started with an infection from a phishing email, a figure that probably will only climb upward as artificial intelligence makes "fraudulent messages more convincing and scalable.""
        https://www.bankinfosecurity.com/hackers-increasingly-prefer-fast-low-complexity-attacks-a-30787
        https://arcticwolf.com/resource/aw/arctic-wolf-threat-report-2026
      • “Good Enough” Emulation: Fuzzing a Single Thread To Uncover Vulnerabilities
        "This blog describes efforts at emulating functionality of the Socomec DIRIS M-70 gateway to discover vulnerabilities. In vulnerability research, knowing which tool to use for the job at hand is crucial. This post will highlight multiple emulation tools and approaches used, detail the benefits and drawbacks of each, and reveal how a "good enough" approach can really pay off."
        https://blog.talosintelligence.com/good-enough-emulation/
      • A CISO's Playbook For Defending Data Assets Against AI Scraping
        "Areejit Banerjee, Senior Manager of Data Protection Strategy & Product Trust; Researcher in AI Governance, Purdue University: Organizations with commercially valuable data face a near-certainty that AI-driven scrapers are already trying to harvest it at scale, turning public endpoints into high-throughput extraction pipelines. Many security teams still treat scraping as a nuisance bot problem to be handled by a vendor, a few WAF rules, and wishful thinking. That framing breaks down as soon as the scraped data underpins revenue or competitive advantage. When attackers can lift the very datasets that fund your business, scraping is no longer a low-priority ticket; it is a board-level risk."
        https://www.darkreading.com/cyber-risk/ciso-playbook-defending-data-assets-against-ai-scraping
      • The Era Of The Digital Parasite: Why Stealth Has Replaced Ransomware
        "For years, ransomware encryption functioned as the industry’s alarm bell. When systems locked up, defenders knew an attack had occurred. Not anymore. New empirical data show that attackers are actively dismantling that signal. According to Picus Security’s Red Report 2026, adversaries are no longer optimizing for disruption; they’re optimizing for residency. Based on a thorough analysis of more than 1.1 million malicious files and 15.5 million adversarial actions from 2025, this year’s report documents a decisive shift in attacker behavior: a noticeable impact has become a liability. Stealthy long-term presence is now the objective."
        https://www.helpnetsecurity.com/2026/02/18/picus-security-red-report-identity-driven-cyberattacks/
      • Record Number Of Ransomware Victims And Groups In 2025
        "Security researchers observed a 30% annual increase in ransomware victims listed on extortion sites last year, with AI helping to lower the barrier to entry for new threat groups. Searchlight Cyber's new report, Ransomware’s Record Year: Tracking a Volatile Landscape in H2 2025, tracked 7458 victims on dark web leak sites in 2025. These numbers were split virtually 50:50 between the first and second half of the year. To put the annual growth figure in perspective, victim numbers increased by just 13% between 2023 and 2024. At the same time, the number of ransomware groups hit a new high of 124, with 73 new groups identified in 2025."
        https://www.infosecurity-magazine.com/news/record-number-ransomware-victims/
        https://slcyber.io/whitepapers-reports/the-ransomware-landscape-in-h2-2025/
      • Your AI-Generated Password Isn't Random, It Just Looks That Way
        "Generative AI tools are surprisingly poor at suggesting strong passwords, experts say. AI security company Irregular looked at Claude, ChatGPT, and Gemini, and found all three GenAI tools put forward seemingly strong passwords that were, in fact, easily guessable. Prompting each of them to generate 16-character passwords featuring special characters, numbers, and letters in different cases produced what appeared to be complex passphrases. When submitted to various online password strength checkers, they returned strong results. Some said they would take centuries for standard PCs to crack."
        https://www.theregister.com/2026/02/18/generating_passwords_with_llms/
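        The Register item above says LLM-suggested passwords pass online strength checkers yet are easily guessable. The following is an added example (mine, not the article's or Irregular's code) showing why the two verdicts differ: a character-class checker scores a string by the size of the alphabet it appears to be drawn from, while an attacker who has collected a model's recurring suggestions simply ranks them by frequency. The password list is constructed to imitate recurring suggestions; it is not real model output, and the checker formula is a generic one, not any specific site's.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample, not real model output: imitates the article's observation
# that a model asked repeatedly for a "16-character password with mixed case,
# digits and symbols" returns a small set of recurring strings.
LLM_SUGGESTIONS = [
    "Xk9#mP2$vL7@nQ4!", "Xk9#mP2$vL7@nQ4!", "Tr0ub4dor&3Blue!", "Xk9#mP2$vL7@nQ4!",
    "P@ssw0rd2024!Xyz", "Tr0ub4dor&3Blue!", "Xk9#mP2$vL7@nQ4!", "G7#hJ2$kL9@mN4!p",
    "P@ssw0rd2024!Xyz", "Xk9#mP2$vL7@nQ4!",
]


def charclass_entropy_bits(pw):
    """What many online checkers compute: log2(alphabet ** len), with the alphabet
    being the union of character classes present. It assumes every character was
    drawn uniformly at random, which is exactly what an LLM does not do."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def guess_rank(pw, corpus):
    """1-based position of pw in a wordlist built from the corpus, most frequent
    first (ties keep first-seen order). None if pw never appeared."""
    ranked = [p for p, _ in Counter(corpus).most_common()]
    return ranked.index(pw) + 1 if pw in ranked else None


def effective_bits(pw, corpus):
    """Work for an attacker who harvested the same suggestions: log2 of the guess
    rank. Falls back to the naive estimate for a password never seen."""
    rank = guess_rank(pw, corpus)
    return math.log2(rank) if rank else charclass_entropy_bits(pw)


def audit(corpus):
    """Map each distinct password to (checker_bits, attacker_bits)."""
    return {pw: (charclass_entropy_bits(pw), effective_bits(pw, corpus))
            for pw in dict.fromkeys(corpus)}


def csprng_password(length=16):
    """The alternative: draw from the OS CSPRNG, so the checker's number is earned."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw, (naive, eff) in audit(LLM_SUGGESTIONS).items():
        print(f"{pw}  checker: {naive:5.1f} bits   attacker with corpus: {eff:4.1f} bits")
    print("csprng:", csprng_password())
```

        The most-repeated suggestion scores about 105 bits by the character-class formula and 0 bits against a frequency-ranked wordlist. The practical rule is the same as for any password source: generate secrets with a CSPRNG, and treat a strength meter as a lower bound on guessability only when the input was random to begin with.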

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Notepad++ hardens its update mechanism with a "Double-lock" to guard against supply chain threats

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA adds 4 actively exploited vulnerabilities to the KEV catalog and urges prompt remediation

      Posted in Cyber Security News by NCSA_THAICERT
    • APT group found exploiting a Dell zero-day to break into VMware systems since mid-2024

      Posted in Cyber Security News by NCSA_THAICERT
    • Washington Hotel hit by ransomware, enterprise business data affected

      Posted in Cyber Security News by NCSA_THAICERT
    • Critical vulnerability found in the DavaIndia Pharmacy system, risking customer data exposure and administrator account takeover

      Posted in Cyber Security News by NCSA_THAICERT
    • Dutch police arrest a man who tried to extort them over police data that had leaked by accident

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 18 February 2026

      Financial Sector

      • Your Encrypted Data Is Already Being Stolen
        "Quantum computing is often treated as a distant, theoretical cybersecurity issue. According to Ronit Ghose, Global Head, Future of Finance of Citi Institute, that mindset is already putting financial institutions at risk. The biggest misconception, he says, is that quantum threats begin on a single future Q-day, when quantum machines suddenly crack encryption. In reality, adversaries can harvest encrypted data today and decrypt it later, creating long-term exposure for banks handling sensitive identity and transaction data. Ghose argues that quantum risk is both an immediate confidentiality problem and a systemic trust crisis."
        https://www.helpnetsecurity.com/2026/02/17/ronit-ghose-citi-institute-quantum-risk-financial-services/

      Industrial Sector

      • OT Teams Are Losing The Time Advantage Against Industrial Threat Actors
        "In many industrial environments, internet-facing gateways, remote access appliances, and boundary systems sit close enough to production networks that attackers can move from IT intrusion to operational disruption with limited resistance. Dragos’ 2026 OT/ICS Year in Review describes a threat landscape where adversaries are spending more time learning how physical processes work and less time treating OT access as a passive foothold. A shift in 2025 involved multiple state-aligned groups moving into control-loop mapping. That includes identifying engineering workstations, pulling configuration and alarm files, and collecting enough operational context to interfere with physical outcomes. Control-loop mapping removes a key barrier between unauthorized access and physical impact, since attackers no longer need to guess how a process behaves."
        https://www.helpnetsecurity.com/2026/02/17/ot-cybersecurity-threats-2026-research/
        https://www.dragos.com/ot-cybersecurity-year-in-review#download-report-2026
        https://www.darkreading.com/threat-intelligence/poland-energy-attack-wind-solar-infrastructure
        https://www.infosecurity-magazine.com/news/rise-in-ransomware-targeting/
        https://www.securityweek.com/3-threat-groups-started-targeting-ics-ot-in-2025-dragos/
        https://www.theregister.com/2026/02/17/volt_typhoon_dragos/
      • Cyber Insights 2026: The Ongoing Fight To Secure Industrial Control Systems
        "The cybersecurity challenge for Industrial Control Systems (ICS) is they were designed in conditions of peace but now operate in a continuous war zone. Bryson Bort, CEO and founder at SCYTHE, starts his conversations on ICS security with a joke: ‘How can you tell a computer is an ICS?… It’s at least 20 years old.’ The purpose is not to elicit laughter but to make people think. “Once the humor passes and the reality sets in, the scale of the problem – an entrenched ecosystem with the inertia of security challenges baked in for years – becomes apparent.”"
        https://www.securityweek.com/cyber-insights-2026-the-ongoing-fight-to-secure-industrial-control-systems/

      Vulnerabilities

      • From BRICKSTORM To GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint For Virtual Machines Zero-Day
        "Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same."
        https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
        https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
        https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-dell-zero-day-flaw-since-mid-2024/
        https://www.theregister.com/2026/02/18/dell_0day_brickstorm_campaign/
        https://cyberscoop.com/china-brickstorm-grimbolt-dell-zero-day/
      • Live Server VS Code Extension Allows Remote Exfiltration Of Local Files
        "Live Server is a Visual Studio Code extension that starts a local development HTTP server and automatically reloads the browser when files in the workspace change, supporting both static and dynamic pages. It provides configurable options such as the server root, port, host, default browser, proxy settings, and HTTPS. The extension also supports multiple workspace roots and watches for file changes to trigger live reloads, allowing developers to preview changes in real time without manually refreshing the browser. We discovered a vulnerability in the Live Server extension for VS Code that allows a remote, unauthenticated attacker to exfiltrate files from a developer’s local machine. Attackers only need to send a malicious link to the victim while Live Server is running in the background."
        https://www.ox.security/blog/cve-2025-65717-live-server-vscode-vulnerability/
        https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
        CVE-2020-7796 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
        CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog
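        The four CVE IDs above are only useful once they are checked against what you actually run. The following is an added example (mine, not CISA's code) of that cross-check: it loads a KEV extract, lists entries whose due date has passed, and joins the catalog against an asset inventory. The JSON uses the field names of CISA's KEV feed, but the extract itself is constructed for this example: the vendor/product split and the dueDate values are placeholders, not values copied from CISA, and the inventory is invented.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed extract using the KEV JSON feed's field names. The four CVEs are
# the ones in the alert and dateAdded is the alert date; the vendor/product
# split and the dueDate values are placeholders, not copied from CISA.
KEV_JSON = """{
  "title": "KEV extract (constructed for this example)",
  "vulnerabilities": [
    {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
    {"cveID": "CVE-2020-7796", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite (ZCS)",
     "vulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
    {"cveID": "CVE-2024-7694", "vendorProject": "TeamT5", "product": "ThreatSonar Anti-Ransomware",
     "vulnerabilityName": "TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
    {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chromium",
     "vulnerabilityName": "Google Chromium CSS Use-After-Free Vulnerability",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10"}
  ]
}"""

# Constructed asset inventory. Vendor/product must already use KEV's naming;
# mapping your CMDB's names onto KEV's is the real work in production.
INVENTORY = [
    {"host": "ws-042", "vendor": "Google", "product": "Chromium"},
    {"host": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite (ZCS)"},
    {"host": "db-07", "vendor": "Oracle", "product": "Database"},
]


def load_kev(text):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def overdue(kev, today):
    """CVE IDs whose remediation due date has already passed."""
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dueDate"]) < today)


def match_inventory(kev, inventory):
    """(host, cveID, dueDate) for each asset whose (vendor, product) is in the
    catalog. Case-insensitive exact match. KEV carries no version ranges, so a
    hit means 'confirm this host is patched', not 'this host is vulnerable'."""
    by_product = defaultdict(list)
    for cve, v in kev.items():
        by_product[(v["vendorProject"].lower(), v["product"].lower())].append(cve)
    hits = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        hits.extend((asset["host"], cve, kev[cve]["dueDate"]) for cve in by_product.get(key, []))
    return sorted(hits)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print("overdue as of 2026-03-11:", overdue(kev, date(2026, 3, 11)))
    for host, cve, due in match_inventory(kev, INVENTORY):
        print(f"{host}: {cve} ({kev[cve]['vulnerabilityName']}) due {due}")
```

        In practice you would feed the live feed into load_kev and run this daily; the catalog tells you which products have confirmed in-the-wild exploitation, and the inventory join turns that into a per-host ticket with a deadline.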

      Malware

      • Divide And Conquer: How The New Keenadu Backdoor Exposed Links Between Major Android Botnets
        "In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote – the parent process for all Android apps – to infect any app on the device. This allowed the Trojan to exfiltrate credentials from messaging apps and social media platforms, among other things."
        https://securelist.com/keenadu-android-backdoor/118913/
        https://thehackernews.com/2026/02/keenadu-firmware-backdoor-infects.html
        https://www.bleepingcomputer.com/news/security/new-keenadu-backdoor-found-in-android-firmware-google-play-apps/
        https://www.darkreading.com/mobile-security/supply-chain-attack-embeds-malware-android-devices
        https://www.helpnetsecurity.com/2026/02/17/firmware-level-android-backdoor-keenadu-tablets/
      • Hackers Abuse ScreenConnect To Hijack PCs Via Fake Social Security Emails
        "A new wave of cyberattacks is stalking organisations across the UK, US, Canada, and Northern Ireland. According to the latest research from Forcepoint X-labs, attackers are impersonating the US Social Security Administration (SSA) to bypass security and take total control of private computers. The report, which was shared with Hackread.com, reveals that the attack succeeds by weakening the system’s built-in defences rather than relying on complex new viruses."
        https://hackread.com/hackers-screenconnect-hijack-pcs-fake-social-security-emails/
      • CRESCENTHARVEST: Iranian Protestors And Dissidents Targeted In Cyberespionage Campaign
        "Acronis' Threat Research Unit (TRU) has uncovered a malware campaign, dubbed CRESCENTHARVEST, potentially targeting supporters of Iran's ongoing protests with the goal of information theft and long-term espionage. Observed shortly after January 9, the campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report providing updates from "the rebellious cities of Iran." This pro-protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information."
        https://www.acronis.com/en/tru/posts/crescentharvest-iranian-protestors-and-dissidents-targeted-in-cyberespionage-campaign/
        https://therecord.media/hackers-target-iran-protest-supporters-cyber-campaign
        https://www.bankinfosecurity.com/fresh-cyberespionage-operation-tied-to-iranian-surveillance-a-30771
      • Invitation To Trouble: The Rise Of Calendar Phishing Attacks
        "Before you click “Accept” on calendar invites, think twice — it could be a phishing scheme. The Cofense Phishing Defense Center (PDC) has identified a new tactic involving fake Microsoft and Google Calendar invites designed to steal your login credentials. Phishing invitations are becoming increasingly sophisticated, often mimicking designs from well-known platforms like Microsoft or Google. While they may look convincing, they’re anything but safe. A quick look at the sender's email address is one way to spot an impersonation. It usually doesn't match the actual domain these companies use. Threat actors are taking advantage of emails commonly found in the business world, such as scheduling meetings on calendars. The goal is to deceive employees into entering their login credentials by mimicking routine activities. An example often seen is fake but harmless-looking meeting invites, since these are part of employees’ daily routines, most people don’t think twice before clicking."
        https://cofense.com/blog/invitation-to-trouble-the-rise-of-calendar-phishing-attacks
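        The Cofense item says the quickest tell is that the sender's address does not match the brand the invite claims to come from. The following is an added example (mine, not Cofense's code) that automates that check on a raw message: it parses the From header, pulls the ORGANIZER out of the text/calendar part, and flags a brand claim in the display name or subject whose sending domain is not one of that brand's, plus any link in the invite pointing somewhere else. The two messages are constructed, the brand domain lists are a short illustrative allow-list rather than either vendor's full set of sending domains, and the registered-domain logic is a simplification that a real deployment would replace with a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Short illustrative allow-list (assumption): neither vendor's complete set of
# sending domains. Extend from your own mail-flow data before relying on it.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "outlook.com", "office.com", "live.com"},
    "google": {"google.com", "gmail.com"},
}


def build_invite(sender, organizer, url):
    """Construct a calendar-invite message (sample data, not a captured email)."""
    return f"""\
From: "Microsoft Teams" <{sender}>
To: alice@corp.example
Subject: Invitation: Quarterly review (Microsoft Teams)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

You have been invited to a meeting. Sign in to join.

--b1
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Microsoft Teams:mailto:{organizer}
SUMMARY:Quarterly review
URL:{url}
END:VEVENT
END:VCALENDAR
--b1--
"""


PHISH_INVITE = build_invite("noreply@teams-meeting-login.example",
                            "invites@calendar-notify.example",
                            "https://login-verify.example/m365")
BENIGN_INVITE = build_invite("noreply@email.teams.microsoft.com",
                             "noreply@email.teams.microsoft.com",
                             "https://teams.microsoft.com/l/meetup-join/abc")


def registered_domain(host):
    """Last two labels. Simplification: use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def calendar_part(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return None


def organizer_address(ics):
    m = re.search(r"^ORGANIZER[^:\n]*:mailto:([^\r\n]+)", ics, re.M | re.I)
    return m.group(1).strip() if m else None


def assess_invite(raw):
    """Return a list of findings; an empty list means nothing suspicious found."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(sender.split("@")[-1]) if "@" in sender else None
    ics = calendar_part(msg)
    if ics is None:
        return ["no-calendar-part"]
    findings = []
    org = organizer_address(ics)
    if org and sender_dom and registered_domain(org.split("@")[-1]) != sender_dom:
        findings.append("organizer-sender-mismatch")
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and sender_dom not in domains:
            findings.append(f"brand-domain-mismatch:{brand}")
    for url in re.findall(r'https?://[^\s<>"]+', ics):
        host = urlsplit(url).hostname or ""
        if sender_dom and registered_domain(host) != sender_dom:
            findings.append(f"link-domain-differs:{host}")
    return findings


if __name__ == "__main__":
    print("phish :", assess_invite(PHISH_INVITE))
    print("benign:", assess_invite(BENIGN_INVITE))
```

        The check is deliberately cheap so it can run at the mail gateway before the invite reaches a calendar client that auto-adds it; a real rule set would also verify SPF/DKIM alignment and treat a mismatch between the From domain and the DKIM signing domain as a further finding.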
      • Fake Incident Report Used In Phishing Campaign
        "This morning, I received an interesting phishing email. I have a “love & hate” relationship with such emails because I always have the impression of losing time when reviewing them, but sometimes it’s a win because you spot interesting “TTPs” (“tools, techniques & procedures”). Maybe one day, I'll try to automate this process! Today's email targets Metamask[1] users. It’s a popular software crypto wallet available as a browser extension and mobile app. The mail asks the victim to enable 2FA:"
        https://isc.sans.edu/diary/32722
        https://securityaffairs.com/188116/security/poorly-crafted-phishing-campaign-leverages-bogus-security-incident-report.html
      • SmartLoader Clones Oura Ring MCP To Deploy Supply Chain Attack
        "Straiker's AI Research (STAR) Labs team has uncovered a trojanized MCP server targeting Oura Ring health data and successfully infiltrated legitimate Model Context Protocol (MCP) registries, exposing thousands of developers and end-users to credential theft and data compromise. SmartLoader, an established malware operation known for distributing info-stealers through deceptive installers, first discovered early in 2024, has constructed an elaborate network of fake GitHub accounts and repositories to distribute trojanized MCP servers, successfully poisoning legitimate MCP registries in the process. Our investigation revealed the threat actors cloned a legitimate Oura MCP Server—a tool that connects AI assistants to Oura Ring health data—and built a deceptive infrastructure of fake forks and contributors to manufacture credibility. The trojanized version of the Oura MCP server delivers the StealC infostealer, targeting developer credentials, browser passwords, and cryptocurrency wallets."
        https://www.straiker.ai/blog/smartloader-clones-oura-ring-mcp-to-deploy-supply-chain-attack
        https://thehackernews.com/2026/02/smartloader-attack-uses-trojanized-oura.html
        https://securityaffairs.com/188135/ai/smartloader-hackers-clone-oura-mcp-project-to-spread-stealc-malware.html
      • AI In The Middle: Turning Web-Based AI Services Into C2 Proxies & The Future Of AI Driven Attacks
        "AI is rapidly becoming embedded in day-to-day enterprise workflows, inside browsers, collaboration suites, and developer tooling. As a result, AI service domains increasingly blend into normal corporate traffic, often allowed by default and rarely treated as sensitive egress. Threat actors are already capitalizing on this shift. Across the malware ecosystem, AI is being used to accelerate development and operations: generating and refining code, drafting phishing content, translating lures, producing PowerShell snippets, summarizing stolen data, assisting operators with next decisions during an intrusion, and, in extreme cases, developing full C2 frameworks such as Voidlink. The practical outcome is simple: AI reduces cost and time-to-scale, and helps less-skilled actors execute more complex playbooks."
        https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
        https://thehackernews.com/2026/02/researchers-show-copilot-and-grok-can.html
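        The Check Point item's point for defenders is that AI service domains are allowed egress by default, so a relay through them hides in traffic nobody inspects. The following is an added example (mine, not Check Point's code) of one detection that does not depend on the domain being blocked: group proxy log lines by (source, AI host), and flag flows whose inter-request timing is near-constant or whose client is not a browser, the two things a scripted relay tends to leave behind that a person chatting in a tab does not. The log lines, the domain list and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Partial list of web-based AI service hosts and of non-browser client markers:
# both are assumptions for the example, not a maintained feed.
AI_SERVICE_DOMAINS = {"chatgpt.com", "gemini.google.com", "copilot.microsoft.com", "grok.com"}
NON_BROWSER_MARKERS = ("python-requests", "curl/", "powershell", "go-http-client", "java/")

# Constructed proxy log: <utc timestamp> <src ip> <url> <status> "<user agent>".
# 10.0.0.5 is a person chatting from a browser; 10.0.0.9 polls one AI endpoint
# every 60 s from a script, the shape a relay through an AI service leaves.
SAMPLE_LOG = """\
2026-02-18T09:00:00Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:00:07Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:03:41Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:04:02Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:12:55Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:13:10Z 10.0.0.5 https://chatgpt.com/backend-api/conversation 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/145.0"
2026-02-18T09:00:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:01:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:02:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:03:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:04:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:05:00Z 10.0.0.9 https://copilot.microsoft.com/c/api/chat 200 "python-requests/2.32.0"
2026-02-18T09:02:30Z 10.0.0.12 https://grok.com/rest/app-chat 200 "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse(line):
    """Split one log line into its fields; the user agent keeps its spaces."""
    ts, src, url, status, ua = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "ua": ua.strip('"')}


def find_beacons(log_text, min_requests=6, max_jitter=0.15):
    """Flows to AI hosts with near-constant request spacing (jitter = stdev/mean
    of the gaps) or a non-browser client. Thresholds are illustrative."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            if rec["host"] in AI_SERVICE_DOMAINS:
                flows[(rec["src"], rec["host"])].append(rec)
    alerts = []
    for (src, host), recs in flows.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        reasons = []
        if jitter <= max_jitter:
            reasons.append("periodic")
        agents = {r["ua"].lower() for r in recs}
        if any(m in ua for ua in agents for m in NON_BROWSER_MARKERS):
            reasons.append("non-browser-agent")
        if reasons:
            alerts.append({"src": src, "host": host, "requests": len(recs),
                           "mean_gap_s": avg, "jitter": round(jitter, 3), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(a)
```

        A real relay will add jitter to defeat the timing test, which is why the user-agent test and a per-host volume baseline are kept alongside it; the cheapest structural fix is still to route AI services through an egress proxy that requires authentication, so that a script on a workstation cannot reach them without a human's session.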
      • Not Safe For Politics: Cellebrite Used On Kenyan Activist And Politician Boniface Mwangi
        "Following the widely-condemned arrest in July 2025 of prominent Kenyan opposition voice Boniface Mwangi, the Citizen Lab analyzed artefacts from devices seized during the arrest. We found that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody. This case adds to the concerning pattern of the misuse of Cellebrite technology by government clients."
        https://citizenlab.ca/research/cellebrite-used-on-kenyan-activist-and-politician-boniface-mwangi/
        https://therecord.media/spyware-kenya-cellebrite-activist
      • Spam Campaign Abuses Atlassian Jira, Targets Government And Corporate Entities
        "Threat actors used Atlassian Jira Cloud and its connected email system to run automated spam campaigns, effectively bypassing traditional email security by abusing the strong domain reputation of Atlassian Jira Cloud products. The campaigns were active from late December 2025 through late January 2026, during which organizations and individuals worldwide — particularly English, French, German, Italian, Portuguese, and Russian–speaking targets — received spam emails from legitimate-looking Atlassian Jira Cloud addresses. In addition, campaigns did not appear to generate generic spam. They also targeted specific sectors, most notably government and corporate entities. The emails redirected targets to pages on investment scams and online casino landing sites, suggesting that actors were likely motivated by financial gain."
        https://www.trendmicro.com/en_us/research/26/b/spam-campaign-abuses-atlassian-jira.html
      • Critical Vulnerabilities In Ivanti EPMM Exploited
        "Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials."
        https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/
      • Cato CTRL™ Threat Research: Foxveil – New Malware Loader Abusing Cloudflare, Discord, And Netlify As Staging Infrastructure
        "Cato CTRL has identified a previously undocumented malware loader we track as “Foxveil.” We observed evidence that the malware campaign has been active since August 2025, and we observed two distinct variants (v1 and v2). Foxveil behaves like a modern initial-stage loader: it establishes an initial foothold, frustrates analysis, and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify, and, in some cases, Discord attachments. We named the malware Foxveil based on “fox” strings observed within the sample. Its operational advantage comes from blending into trusted cloud infrastructure while relying on in-memory shellcode execution and variant-specific injection and persistence techniques. We also observed a string-mutation routine that rewrites common analysis keywords, which can complicate static detection and reverse engineering."
        https://www.catonetworks.com/blog/cato-ctrl-foxveil-new-malware/
      • The North Korean On Your Payroll
        "In September 2025, Okta Threat Intelligence published research from a large-scale analysis into fraudulent employment schemes conducted by Democratic People’s Republic of Korea (DPRK) IT Workers (ITW). That research collated data from over 130 actors, conducting over 6500 interviews with 500 companies. In this post, we look specifically at the activities of two individual personas. We selected these two examples from a large list of actors that we continue to track because they exemplify the typical tools, techniques and procedures (TTPs) employed by DPRK ITW actors. Additionally, each had novel observables that can further inform defenders against these efforts."
        https://www.okta.com/blog/threat-intelligence/the-north-korean-on-your-payroll/

      General News

      • Poland Arrests Suspect Linked To Phobos Ransomware Operation
        "Polish police have detained a 47-year-old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit card numbers, and server access data. Officers from Poland's Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce. The action is part of "Operation Aether," a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates."
        https://www.bleepingcomputer.com/news/security/poland-arrests-suspect-linked-to-phobos-ransomware-operation/
        https://therecord.media/poland-phobos-ransomware-arrest
        https://cyberscoop.com/phobos-ransomware-affiliate-arrested-poland/
        https://www.securityweek.com/man-linked-to-phobos-ransomware-arrested-in-poland/
        https://securityaffairs.com/188128/cyber-crime/polish-cybercrime-police-arrest-man-linked-to-phobos-ransomware-operation.html
        https://www.helpnetsecurity.com/2026/02/17/phobos-ransomware-affiliate-arrested-in-poland/
        https://www.theregister.com/2026/02/17/poland_phobos_ransomware_arrest/
      • Huntress Cyber Threat Report Exposes The Playbook For Organized Cybercrime
        "Cybercrime has become the world’s third-largest economy, with costs projected to reach $12.2 trillion annually by 2031. Today, Huntress exposes the tactics, techniques, and procedures (TTPs) fueling this multi-trillion-dollar illicit market in its 2026 Cyber Threat Report. The in-depth analysis sheds light on the playbook used by organized, profit-driven cybercriminals, uncovering how they weaponize legitimate tools, exploit everyday behaviors, and leverage a vast underground network to exploit people, businesses, and employees across the globe. To produce this report, Huntress analyzed proprietary telemetry from over four million endpoints and nine million identities across the 230,000+ organizations it protects worldwide. This robust dataset served as the foundation for uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft, and actionable strategies to help organizations prepare for the year ahead. Key findings include:"
        https://www.huntress.com/press-release/huntress-cyber-threat-report-exposes-the-playbook-for-organized-cybercrime
        https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware
      • Over-Privileged AI Drives 4.5 Times Higher Incident Rates
        "A majority (69%) of security leaders agree that identity management needs to evolve in order to handle mounting risks in AI infrastructure deployments, according to a new report from Teleport. The security vendor polled over 200 US infrastructure security leaders to compile its latest report: 2026 State of AI in Enterprise Infrastructure Security. It defined “AI in infrastructure” as AI-powered workloads, agentic systems, machine-to-machine communication, ChatOps, compliance automation, and incident detection."
        https://www.infosecurity-magazine.com/news/overprivileged-ai-45-times-higher/
      • API Threats Grow In Scale As AI Expands The Blast Radius
        "Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces – often at scale and machine speed. AI is increasing the threat surface. In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related. The report demonstrates the severity of the threat by including details of the top ten API-relevant breaches from 2025. The top three are 700Credit, Qantas, and Salesloft."
        https://www.securityweek.com/api-threats-grow-in-scale-as-ai-expands-the-blast-radius/
        https://hubspot.wallarm.com/hubfs/Wallarm API ThreatStatTM Report-2026.pdf
      • 2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster
        "Each year, thousands of organizations experience a cyber incident. An incident can begin with a SOC alert, zero-day vulnerability, ransom demand or widespread business disruption. When the call comes, our global incident responders quickly mobilize to investigate, contain and eradicate the threat. This year’s Unit 42® 2026 Global Incident Response Report analyzed over 750 major cyber incidents across every major industry in over 50 countries to reveal emerging patterns and lessons for defenders."
        https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/
        https://cyberscoop.com/attackers-abuse-identity-unit42-palo-alto-networks-incident-response-report/
        https://www.infosecurity-magazine.com/news/cybercriminals-ai-vibe-extortion/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 17 February 2026

      Vulnerabilities

      • Google Patches First Actively Exploited Chrome Zero-Day Of 2026
        "Google released an emergency Chrome update on Friday to patch a zero-day vulnerability that has been exploited in the wild. Chrome 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux fix CVE-2026-2441, described as a high-severity use-after-free vulnerability in the browser’s CSS component. “Google is aware that an exploit for CVE-2026-2441 exists in the wild,” Google said in its advisory. Google has credited researcher Shaheen Fazim for reporting the vulnerability. The actively exploited flaw was disclosed to the vendor on February 11, only two days before it was patched."
        https://www.securityweek.com/google-patches-first-actively-exploited-chrome-zero-day-of-2026/
        https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
        https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year/
        https://www.infosecurity-magazine.com/news/google-patches-new-in-wild-chrome/
        https://securityaffairs.com/188029/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2026.html
        https://www.theregister.com/2026/02/16/chromes_zeroday/
        https://www.helpnetsecurity.com/2026/02/16/google-patches-chrome-vulnerability-with-in-the-wild-exploit-cve-2026-2441/

      Malware

      • Hudson Rock Identifies Real-World Infostealer Infection Targeting OpenClaw Configurations
        "Following our initial research into ClawdBot, Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim’s OpenClaw configuration environment. This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the “souls” and identities of personal AI agents."
        https://www.hudsonrock.com/blog/6182
        https://www.bleepingcomputer.com/news/security/infostealer-malware-found-stealing-openclaw-secrets-for-first-time/
        https://thehackernews.com/2026/02/infostealer-steals-openclaw-ai-agent.html
      • Operation DoppelBrand: Weaponizing Fortune 500 Brands
        "An elusive, financially motivated threat actor dubbed GS7 has been targeting Fortune 500 companies in a broad phishing campaign that turns the company's own brands against them with impersonated websites aimed at harvesting credentials. The campaign — dubbed Operation DoppelBrand — is ongoing, first observed between December and January. The group itself however has a history stretching back to 2022, according to a whitepaper by SOCRadar published today."
        https://www.darkreading.com/cyberattacks-data-breaches/operation-doppelbrand-weaponizing-fortune-500-brands
        https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access/
        https://www.infosecurity-magazine.com/news/operation-doppelbrand-trusted/
      • Google Ads And Claude AI Abused To Spread MacSync Malware Via ClickFix
        "Cyber security researchers at Moonlock Lab, the investigative unit of the popular software developer MacPaw, have uncovered a clever new way that hackers are targeting Mac users. This campaign uses the ClickFix technique, where people are tricked into copying and pasting dangerous commands directly into their computer’s Terminal and the attack starts with a simple Google search."
        https://hackread.com/google-ads-claude-ai-macsync-malware-clickfix/
      • OysterLoader Unmasked: The Multi-Stage Evasion Loader
        "OysterLoader, also known as Broomstick and CleanUp, is malware developed in C++, composed of multiple stages, belonging to the loader (a.k.a. downloader) malware family. First reported in June 2024 by Rapid7, it is mainly distributed via websites impersonating legitimate software, often IT software such as PuTTY, WinSCP, Google Authenticator and AI software. The loader is primarily employed in campaigns leading to Rhysida ransomware. According to Expel reports, OysterLoader is used by the Rhysida ransomware group, which is closely associated with the WIZARD SPIDER nebula. Besides, the loader is also used to distribute commodity malware such as Vidar, the most widespread infostealer by January 2026."
        https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/
        https://www.infosecurity-magazine.com/news/oysterloader-new-c2-infrastructure/
      • LockBit Strikes With New 5.0 Version, Targeting Windows, Linux And ESXI Systems
        "In September 2025, a new version of LockBit ransomware was released, supporting Windows, Linux and ESXi systems, with a primary target being the U.S. business sector. As is typical for the ransomware-as-a-service model, LockBit employs a double-extortion scheme, also exfiltrating files to the attacker's server to increase the likelihood of receiving the ransom. As threat actors advertised, this version has improved defense evasion and fast encryption, and having multiple systems support makes this malware a very serious threat. What’s notable among the multiple systems supported is its proclaimed capability to “work on all versions of Proxmox.” Proxmox is an open-source virtualization platform and is being adopted by enterprises as an alternative to commercial hypervisors, which makes it another prime target of ransomware attacks."
        https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/
        https://www.helpnetsecurity.com/2026/02/16/lockbit-5-0-ransomware-windows-linux-esxi/

      Breaches/Hacks/Leaks

      • Washington Hotel In Japan Discloses Ransomware Infection Incident
        "The Washington Hotel brand in Japan has announced that its servers were compromised in a ransomware attack, exposing various business data. The hospitality group has established an internal task force and engaged external cybersecurity experts to assess the impact of the intrusion, determine whether customer data was compromised, and coordinate recovery efforts."
        https://www.bleepingcomputer.com/news/security/washington-hotel-in-japan-discloses-ransomware-infection-incident/
      • Eurail Says Stolen Traveler Data Now Up For Sale On Dark Web
        "Eurail B.V., the operator that provides access to 250,000 kilometers of European railways, confirmed that data stolen in a breach earlier this year is being offered for sale on the dark web. The company said that a threat actor also published a sample of the data on the Telegram messaging platform but it is still trying to determine the type of records and number of customers affected. Eurail B.V. is a Netherlands-based firm that manages and sells passes (Eurail and Interrail) for train travel across Europe, offering flexibility for multi-country trips."
        https://www.bleepingcomputer.com/news/security/eurail-says-stolen-traveler-data-now-up-for-sale-on-dark-web/
      • Canada Goose Investigating As Hackers Leak 600K Customer Records
        "ShinyHunters, a well-known data extortion group, claims to have stolen more than 600,000 Canada Goose customer records containing personal and payment-related data. Canada Goose told BleepingComputer the dataset appears to relate to past customer transactions and that it has not found evidence of a breach of its own systems. Founded in 1957, Canada Goose is a Toronto-based performance luxury outerwear brand with a global retail footprint and nearly 4,000 employees."
        https://www.bleepingcomputer.com/news/security/canada-goose-investigating-as-hackers-leak-600k-customer-records/
        https://securityaffairs.com/188046/data-breach/shinyhunters-leaked-600k-canada-goose-customer-records-but-the-firm-denies-it-was-breached.html
        https://www.theregister.com/2026/02/16/canada_goose_shinyhunters/
      • Japanese Sex Toys Maker Tenga Discloses Data Breach
        "TENGA Co., Ltd. is a Tokyo-based Japanese sexual wellness and lifestyle company known for its innovative adult products. It employs roughly 125–200 people worldwide across its Japan headquarters and international offices. Tenga operates in personal care product manufacturing and sells products in dozens of countries, with annual revenue estimates in the tens of millions of dollars."
        https://securityaffairs.com/188022/data-breach/japanese-sex-toys-maker-tenga-discloses-data-breach.html
      • Hacking a Pharmacy To Get Free Prescription Drugs And More
        "My first disclosure in the healthcare industry has arrived! Ever wondered what it would be like to gain administrative access to a major pharmacy? You’re about to find out. The target was Dava Industry Pharmacy, a division of Zota Healthcare. If you are in the US, you probably haven’t heard of them, but those in India probably will have since they have 2,100+ stores and they claim they are “India’s largest private generic pharmacy retail chain“."
        https://eaton-works.com/2026/02/13/dava-india-hack/
        https://securityaffairs.com/188056/security/a-security-flaw-at-davaindia-pharmacy-allowed-attackers-to-access-customers-data-and-more.html

      General News

      • Man Arrested For Demanding Reward After Accidental Police Data Leak
        "Dutch authorities arrested a 40-year-old man after he downloaded confidential documents that had been mistakenly shared by the police and refused to delete them unless he received "something in return." Police detained the suspect at his Prinses Beatrixstraat residence in Ridderkerk on Thursday evening for computer hacking after the failed "extortion" attempt, searching his home and seizing data storage devices to recover the files. The incident began when the man contacted police on February 12 about images he had that may be relevant to an ongoing investigation. An officer responded to his inquiry but, instead of sending a link to upload the images, mistakenly shared a download link to confidential police documents."
        https://www.bleepingcomputer.com/news/security/man-arrested-for-demanding-reward-after-accidental-police-data-leak/
        https://www.theregister.com/2026/02/16/dutch_cops_breach/
      • Password Managers Less Secure Than Promised
        "Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords. People who regularly use online services have between 100 and 200 passwords. Very few can remember every single one. Password managers are therefore extremely helpful, allowing users to access all their passwords with just a single master password."
        https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html
        https://thehackernews.com/2026/02/study-uncovers-25-password-recovery.html
        https://www.bankinfosecurity.com/exploitable-flaws-found-in-cloud-based-password-managers-a-30770
        https://www.infosecurity-magazine.com/news/vulnerabilities-password-managers/
        https://www.theregister.com/2026/02/16/password_managers/
      • Security At AI Speed: The New CISO Reality
        "The CISO role has changed significantly over the past decade, but according to John White, EMEA Field CISO, Torq, the most disruptive shift is accountability driven by agentic AI. In this Help Net Security interview, White explains how security leaders must design and govern hybrid workforces where humans and AI agents operate side by side, making decisions and acting at scale. He notes that automation is moving beyond simple task execution into real-time insight and response. AI agents take on greater responsibility, but CISOs remain accountable for outcomes, and even for inaction when organizations fail to adopt and govern machine-speed security capabilities."
        https://www.helpnetsecurity.com/2026/02/16/john-white-torq-agentic-ai-security/
      • In GitHub’s Advisory Pipeline, Some Advisories Move Faster Than Others
        "GitHub Security Advisories are used to distribute vulnerability information in open-source projects and security tools. A new study finds that only a portion of those advisories ever pass through GitHub’s formal review process. A review of GitHub Security Advisories published between 2019 and 2025 examined 288,604 advisories. Of those, 23,563, about 8%, completed GitHub’s review process. Although most advisories remain unreviewed, reviewed entries play an outsized role in security workflows. They feed dependency scanners, alerting systems, and automated remediation tools used by development teams."
        https://www.helpnetsecurity.com/2026/02/16/github-security-advisorie-review-timelines-study/
        https://arxiv.org/pdf/2602.06009
      • Open Source Registries Don't Have Enough Money To Implement Basic Security
        "Open source registries are in financial peril, a co-founder of an open source security foundation warned after inspecting their books. And it's not just the bandwidth costs that are killing them. "The problem is they don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it's malware," said Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project to help secure the open source supply chain."
        https://www.theregister.com/2026/02/16/open_source_registries_fund_security/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • New ClickFix campaign variant uses the nslookup command to fetch a PowerShell payload over DNS

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google fixes the first actively exploited Chrome zero-day of 2026

      You can follow further news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft releases an update fixing the Windows 11 black-screen, no-boot bug after problems were reported among enterprise users

      You can follow further news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases 11 Industrial Control Systems (ICS) advisories

      On 12 February 2569 B.E. (2026), the Cybersecurity and Infrastructure Security Agency (CISA) released 11 Industrial Control Systems (ICS) advisories to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are as follows:

      • ICSA-26-043-01 Siemens SINEC NMS
      • ICSA-26-043-02 Siemens Polarion
      • ICSA-26-043-03 Siemens COMOS
      • ICSA-26-043-04 Siemens Desigo CC Product Family and SENTRON Powermanager
      • ICSA-26-043-05 Siemens Solid Edge
      • ICSA-26-043-06 Siemens SINEC OS
      • ICSA-26-043-07 Siemens Siveillance Video Management Servers
      • ICSA-26-043-08 Siemens NX
      • ICSA-26-043-09 Hitachi Energy SuprOS
      • ICSA-26-043-10 Airleader Master
      • ICSA-25-140-04 Mitsubishi Electric Iconics Digital Solutions / Mitsubishi Electric GENESIS64 (Update E)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories
      You can follow further news on the webboard or on the NCSA Thailand Facebook page.

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA adds one known exploited vulnerability to its catalog

      On 13 February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2026-1731 BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability

      CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) catalog as a list of CVEs that carry significant risk and are exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due dates to protect their networks against active threats.

      CISA will continue to update the KEV catalog with newly identified vulnerabilities so that it covers the risks actually observed, now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/02/13/cisa-adds-one-known-exploited-vulnerability-catalog
      You can follow further news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT