NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ
    1. หน้าแรก
    2. NCSA_THAICERT
    3. กระทู้
    • รายละเอียด
    • ติดตาม 0
    • คนติดตาม 3
    • กระทู้ 2,368
    • กระทู้ 2,369
    • ดีที่สุด 0
    • Controversial 0
    • กลุ่ม 2

    โพสต์ถูกสร้างโดย NCSA_THAICERT

    • ETDA Cyber Threat Intelligence 14 July 2026

      Vulnerabilities

      • Full Broker Takeover, No Login Required: Miggo Discovers Critical RabbitMQ Vulnerabilities Putting Application Data At Risk
        "Miggo's security team discovered two critical access-control flaws in RabbitMQ: one that leaks the broker's confidential OAuth secret to an unauthenticated attacker in a single request, a direct path to full broker takeover in the configurations that use that secret, and one that lets any logged-in user silently read other tenants' data. Both are now patched."
        https://www.miggo.io/post/full-broker-takeover-no-login-required-miggo-discovers-critical-rabbitmq-vulnerabilities-putting-application-data-at-risk
        https://www.securityweek.com/rabbitmq-vulnerability-threatens-enterprise-systems/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/13/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/195262/security/u-s-cisa-adds-a-cisco-ios-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • New MemGhost Attack Plants Persistent False Memories In AI Agents Through One Email
        "Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell," landed on arXiv on 6 July 2026."
        https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html
        https://arxiv.org/abs/2607.05189v1

      Malware
      Beware Of Phishing Emails Disguised As Money Transfer Confirmations
      "Recently, the AhnLab SEcurity intelligence Center (ASEC) identified a case of phishing emails that disguise themselves as payment confirmation notices. These emails impersonate employees of a specific company in Korea and trick recipients into opening a malicious XLS file attached to the email, which is disguised as a payment confirmation notice."
      https://asec.ahnlab.com/en/94432/

      • Beware Of Phishing Emails Disguised As Project Proposals
        "The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that phishing emails disguised as project proposals are being circulated. The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file."
        https://asec.ahnlab.com/en/94433/
      • One Misconfigured Server, Three Active Campaigns: Full Exposure Of Three AiTM Phishing Operators
        "On a late April 2026 afternoon, a routine internet scan flagged an open directory on 185.163.204.7: a server located in Budapest, running python3 -m http.server 8080 on a public interface with directory listing enabled. What was exposed was not a misconfigured web root, it was a complete operational snapshot of a live attack platform. Phishing configurations, credential harvesting logs, backup archives, RMM installers, combolists and the operator's own Telegram session files were all publicly accessible. The command that left it open was still sitting in the .bash_history file, readable through the same listing. Behind the open directory was an active threat actor running an Evilginx-based Adversary-in-the-Middle (AiTM) phishing platform and a SimpleHelp remote management console, all on the same host."
        https://blog.lexfo.fr/opendir-to-phishing-operator.html
        https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
        https://www.infosecurity-magazine.com/news/open-directory-exposes-evilginx/
      • CrashStealer: C++ MacOS Infostealer Posing As Crash Reporter
        "In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple's crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer."
        https://www.jamf.com/blog/crashstealer-macos-infostealer-analysis/
        https://www.bleepingcomputer.com/news/security/new-crashstealer-malware-poses-as-apple-crash-reporting-tool/
        https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
      • US And Allies Warn Of Russian Critical Infrastructure Attacks
        "Cybersecurity agencies from the United States and eight other countries have issued a joint warning that Russian state hackers are targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks. The joint advisory, co-authored by the NSA, FBI, and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the attacks to hackers from the Russian Federal Security Service (FSB) Center 16."
        https://www.bleepingcomputer.com/news/security/us-and-allies-share-defense-tips-against-russian-hackers-targeting-critical-infrastructure/
        https://www.ic3.gov/CSA/2026/260713.pdf
        https://www.darkreading.com/endpoint-security/weak-security-fuel-russian-cyberattacks
        https://cyberscoop.com/russian-fsb-cisco-joint-cybersecurity-advisory/
        https://www.infosecurity-magazine.com/news/russian-state-hackers-vulnerable/
      • Software Developers Are The Target. New Trojan Attacks Supply Chains And Inflicts Multifaceted Damage On Infected PCs
        "A new trojan engaging in supply chain attacks has recently come under the scrutiny of our antivirus laboratory. The malware primarily targets C++ and C# project files. This malicious sample is particularly dangerous as its payload incorporates multiple damaging features, allowing it to steal data, access clipboard content, operate as a backdoor, engage in rogue mining. and also infect other files. First discovered in the last quarter of 2025, the malware has been updated and upgraded by its makers ever since. It mainly spreads over the Internet via infected executable files and Python scripts. The infection process is quite complex, so let’s examine the entire sequence phase by phase."
        https://news.drweb.com/show/?i=15276&lng=en
        https://hackread.com/siggen-backdoor-windows-developers-visual-studio-projects/
      • OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction For Stealthy Enumeration
        "What if attackers could enumerate your entire organization's accounts without generating a single successful sign-in event? The Entra sign‑in logs are a primary telemetry source for identifying malicious authentication activity, including user enumeration, password spraying, and initial access attempts. To evade detection, attackers routinely distribute requests using rotating user agents (as seen in UNK_CustomCloak) and proxy services that cycle source IPs per request. Proofpoint researchers have identified multiple campaigns where attackers extend this evasive tradecraft by spoofing the OAuth client ID (application ID), a globally unique identifier (GUID) assigned to applications. The identifier is passed as client_id in authentication requests and recorded as the application ID in Entra sign-in logs."
        https://www.proofpoint.com/us/blog/threat-insight/oauth-client-id-spoofing-why-fake-client-ids-are-gaining-traction-stealthy
        https://www.infosecurity-magazine.com/news/novel-spoofing-technique-targets/
        https://www.helpnetsecurity.com/2026/07/13/entra-id-oauth-client-id-spoofing/
      • Fake Crypto Gift Card Sites Are Getting Harder To Spot
        "You want to turn some crypto into a gift card. You search, click a promising result, and land on a site that looks polished and legitimate: a dark theme, trust badges, and promises of instant delivery and no ID checks. You wouldn’t think to question it. But a professional-looking website isn’t proof that it’s legitimate."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-crypto-gift-card-sites-are-getting-harder-to-spot
      • Google And Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
        "Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The analysis came from Stripe OLT, a UK security firm, which checked the code against Google's own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit."
        https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html

      Breaches/Hacks/Leaks

      • Centers Laboratory Data Breach Affects 540,000 Individuals
        "Healthcare diagnostics company Centers Laboratory (Centers Lab NJ LLC) has informed the US government that a data breach discovered nearly one year ago affects more than 540,000 individuals. According to a data breach notice posted on its website, the New Jersey-based provider of testing and laboratory services for healthcare organizations discovered an intrusion in its IT environment in August 2025. An investigation showed that threat actors had gained “limited access” to Centers Laboratory systems between August 9 and August 14, exfiltrating personal and protected health information, including names, dates of birth, SSNs, driver’s license or state identification numbers, passport numbers, and health insurance and medical information."
        https://www.securityweek.com/centers-laboratory-data-breach-affects-540000-individuals/
      • Japan's Largest Taxi Operator Shuts Systems After Cyberattack
        "Japan's largest taxi operator, Nihon Kotsu, announced that its systems were compromised in a cyberattack, forcing the company to shut down part of its infrastructure. The incident occurred over the weekend, early Saturday morning, and impacted operations, including the company's taxi dispatch system, which remains offline as of today. Nihon Kotsu is Japan's largest taxi and chauffeur (hire) operator by group revenue, with annual revenue of roughly $1 billion (¥155 billion)."
        https://www.bleepingcomputer.com/news/security/japans-largest-taxi-operator-shuts-systems-after-cyberattack/
      • Lidl Discloses Online Shop Breach After Service Provider Hack
        "German discount supermarket chain Lidl notified customers in Germany, Belgium, and the Netherlands that attackers stole their personal information in a breach at a service provider. Lidl, owned by Schwarz Group, the largest food retailer in Europe, has over 376,000 employees and operates 12,000 stores across Europe and the United States. The discount giant notified affected customers of the incident over email last week and published separate notifications on its support websites in Belgium and the Netherlands."
        https://www.bleepingcomputer.com/news/security/lidl-discloses-online-shop-breach-after-service-provider-hack/
        https://securityaffairs.com/195270/data-breach/lidl-notified-online-shop-customers-in-germany-belgium-and-the-netherlands-of-a-data-breach.html
        https://www.helpnetsecurity.com/2026/07/13/lidl-data-breach-customer-data/
      • Russian Celebrity Journalist Ksenia Sobchak Says Hackers Accessed Telegram Channels Via Email Breach
        "Hackers briefly took control of several Telegram channels belonging to the controversial Russian journalist and media executive Ksenia Sobchak last week, publishing what they claimed were excerpts from her private correspondence. The posts appeared on Sobchak's Telegram channels, Sobchak and Bloody Lady, last week. Her news channel, Caution, News, later said the posts were published by hackers who had compromised the channels."
        https://therecord.media/ksenia-sobchak-russian-hackers-leak

      General News

      • 99.9% Of Fixable AI Vulnerabilities Remain Unpatched
        "Organizations build, deploy, and operate AI in the cloud, but basic cybersecurity hygiene is often sacrificed for speed, according to Orca Security’s 2026 State of AI Security Report. Fifty-six percent of AI adopters have deployed agent frameworks into production, and 51.5% use AI to build custom applications. Orca also found that 81.2% of companies running AI packages have at least one known vulnerability, and 99.9% of AI vulnerability alerts with an available fix remain unpatched. These findings show how quickly AI has become operational infrastructure without a corresponding increase in security maturity."
        https://www.helpnetsecurity.com/2026/07/13/ai-infrastructure-security-risks-report/
      • Enterprises Are Rethinking Where Their AI Applications Run
        "Growing demand for compute capacity, power, cooling and low-latency connectivity is prompting organizations to reassess where AI applications run, according to CoreSite. Public cloud continues to support experimentation and rapid deployment, while colocation is increasingly used for workloads that require predictable performance, dedicated infrastructure or close proximity to cloud services and enterprise data."
        https://www.helpnetsecurity.com/2026/07/13/colocation-for-ai-workloads-report/
      • Why SBOMs, Signing, And Provenance Still Don’t Tell You If Software Is Safe
        "We have made real progress in software supply chain security, improving visibility into software components, authenticity and build integrity. Much of this progress traces back to Executive Order 14028, which pushed agencies, contractors and enterprises to invest in SBOMs, signing and provenance. All of that matters, but it is not enough. The current software trust model still stops short of the question that determines risk at execution: What is this code capable of doing if it runs?"
        https://www.helpnetsecurity.com/2026/07/13/sbom-zero-trust-for-code/
      • Cyber / Russia: Statement By The High Representative On Behalf Of The European Union Denouncing Russia’s Malicious Cyber Ecosystem Targeting The EU, Its Member States And International Partners
        "The EU and its member states denounce Russia’s malicious cyber activities and leveraging of a cyber ecosystem encompassing state and non-state actors, ranging from intelligence services to cybercriminals groups, hacktivists and private companies. Today, we expose the 16th Centre of Russia’s Federal Security Service (FSB) as controlling a variety of cyber threat groups including TURLA. For years, the FSB has conducted a wide range of malicious cyber activities with growing severity affecting the EU, its member states, as well as international partners, notably Ukraine. These activities have included infiltration of governmental networks and sabotage of critical infrastructure."
        https://www.consilium.europa.eu/en/press/press-releases/2026/07/13/cyber-russia-statement-by-the-high-representative-on-behalf-of-the-european-union-denouncing-russia-s-malicious-cyber-ecosystem-targeting-the-eu-its-member-states-and-international-partners/
        https://www.bleepingcomputer.com/news/security/eu-and-uk-hit-russia-with-first-joint-cyber-sanctions-package/
        https://therecord.media/russia-blamed-for-poland-grid-cyberattack-in-joint-uk-eu-sanctions-package
        https://www.bankinfosecurity.com/eu-uk-sanction-russian-nation-state-hackers-a-32213
        https://cyberscoop.com/eu-uk-russian-cyberespionage-sanctions/
        https://www.securityweek.com/eu-targets-russian-intelligence-officers-accused-of-running-a-yearslong-cyber-spying-campaign/
        https://securityaffairs.com/195242/intelligence/eu-targets-fsb-linked-hackers-in-new-sanctions-over-cyber-sabotage.html
        https://www.helpnetsecurity.com/2026/07/13/eu-uk-russia-cyber-activity-sanctions/
      • AI-Generated Code Has Made Security Debt a Governance Problem
        "AI-generated code is part of everyday software development. Developers use it to prototype, refactor, troubleshoot, and move from idea to implementation with less friction than ever before. The productivity gains are undeniable, which means that security leaders now face a hard question: whether their organizations can govern the risk that AI creates at that same speed. That challenge is rooted in scale. AI changes how quickly software can be created, while many application security programs still depend on controls designed for a slower development model."
        https://cyberscoop.com/governing-ai-code-security-risks-op-ed/
      • 'Yellow Teams' Are Defining The Future Of AI Security
        "A small number of engineering teams are developing the defenses that organizations will need against future advanced AI attacks. They're also building the frameworks attackers will utilize to carry out those attacks. In April, Anthropic invited more than 50 organizations to participate in its Project Glasswing initiative to preview Claude Mythos, which the company claimed at the time was the most advanced cybersecurity AI. OpenAI followed suit shortly after, inviting organizations to play with its own GPT 5.5 under the Daybreak program."
        https://www.darkreading.com/cybersecurity-operations/yellow-teams-defining-future-ai-security
      • Hacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker To Redemption
        "Jesse McGraw isn’t a hacker; at least, not by his own definition. He accepts he was a hacker, and a blackhat hacker, and that he still retains the mindset of a hacker. But he is no longer a hacker, he says. He realized he was a hacker while in high school. “My one and only friend was a hacker, and I had never seen anything like what he did.” Before then, McGraw had thought computers were just something used for word processing; a tool that could be used for its intended purpose. Then he saw this person programming in math class."
        https://www.securityweek.com/hacker-conversations-jesse-mcgraw-ghostexodus-from-blackhat-hacker-to-redemption/
      • Treasury Sanctions Malware And Infrastructure Providers Supporting Ransomware Attacks Against Americans
        "Today, the Office of Foreign Assets Control (OFAC) is designating two individuals and one entity enabling ransomware actors’ and other cybercriminals’ malign activities, notably ransomware attacks against Americans. These include First VPN Service (1VPNS), a virtual private network (VPN) provider selling services to ransomware groups, and its administrator, Dmytro Rashevskyi (Rashevskyi). OFAC is also designating Yegeniy Vladimirovich Silayev (Silayev), an individual who sells “cryptors,” which are tools used to disguise ransomware and other malware as safe programs to prevent security systems from detecting or deactivating them. Ransomware groups utilizing these individuals’ services have caused billions of dollars in losses to U.S. businesses and critical infrastructure providers."
        https://home.treasury.gov/news/press-releases/sb0559
        https://therecord.media/first-vpn-administrator-us-sanctions-ransomware-groups
      • AI Security Threats In 2026: Annual Insights From Check Point Research
        "For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the operation. What follows is a structured review of the report’s key findings, grounded in original incidents and case studies from the past twelve months."
        https://blog.checkpoint.com/ai-security/ai-security-threats-in-2026-insights-from-check-point-research/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 68cdc970-377f-4b0d-b739-a36d4d9818e2-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 13 July 2026

      Financial Sector

      • Only 28% Of Financial Workforce MFA Is Phishing-Resistant
        "Passwords remain part of many workforce authentication flows in financial organizations, making phishing and credential theft major identity security risks, according to a new Secret Double Octopus report. Banks and financial organizations use a mix of authentication methods, combining phishing-resistant technologies with methods that remain vulnerable to phishing attacks."
        https://www.helpnetsecurity.com/2026/07/10/financial-identity-security-trends-report/
      • Fresh ATM Crypto Software Bugs: Jackpot Or Bust?
        "A researcher has discovered nine vulnerabilities in an ATM and corporate security program. The researcher and major ATM manufacturer Diebold Nixdorf disagree, though, about whether it could allow attackers to steal cash or not. At Black Hat USA 2026, Matt Burch, principal security researcher for Atredis Partners, will present nine new vulnerabilities he discovered in CryptWare CryptoPro Secure Disk. CryptoPro, for short, is a full‑disk encryption (FDE) and pre‑boot authentication solution for Windows that, strangely, is marketed to both corporations generally and ATM manufacturers specifically."
        https://www.darkreading.com/vulnerabilities-threats/atm-crypto-software-bugs-jackpot-bust

      Healthcare Sector

      • Healthcare Ransomware Roundup: H1 2026 Stats On Attacks, Ransoms, And Data Breaches
        "During the first six months of 2026, the healthcare sector suffered an average of 2.3 ransomware attacks per day. Attacks increased by nearly 14 percent when compared to H2 2025, rising from 360 to 410. Of the 410 attacks we recorded in H1 2026, 247 were on hospitals, clinics, and other direct care providers. 163 hit businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies. Attacks on healthcare providers rose just over three percent from H2 2025, but attacks on healthcare businesses rose nearly 35 percent."
        https://www.comparitech.com/news/healthcare-ransomware-roundup-h1-2026-stats-on-attacks-ransoms-and-data-breaches/
        https://www.darkreading.com/threat-intelligence/cybercriminals-healthcare-businesses-attacks-surge

      Industrial Sector

      • OpenPLC v3
        "Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-01
      • Schneider Electric PowerChute Serial Shutdown
        "Successful exploitation of these vulnerabilities could allow attackers to overwrite critical files, forge or inject malicious log data, gain unauthorized account access, trigger denial‑of‑service conditions, truncate or alter logging information, reset user credentials, or expose sensitive information."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02
      • Schneider Electric Easergy MiCOM Px40 Series
        "Schneider Electric is aware of a vulnerability in its Easergy MiCOM Px40 Series products. The Easergy MiCOM Px40 is a protection relay series for Medium Voltage, High Voltage and Extra High Voltage protection. Failure to apply the mitigations provided below may risk unauthorized exposure of basic device identification through the SNMP protocol."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-03

      Vulnerabilities

      • URGENT - Progress Tells ShareFile Customers To Shut Down Storage Zone Controllers Over Security Threat
        "Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security experts. It says it has no indication of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat. What Progress has not said is what the threat is or who is behind it."
        https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
        https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
        https://securityaffairs.com/195194/hacking/progress-told-sharefile-customers-to-pull-the-plug-on-their-servers-heres-what-we-know.html
      • Zimbra Urges Customers To Patch Critical Web Client XSS Flaw
        "The Zimbra security team urged customers to patch a critical vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite. Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people, including thousands of businesses and hundreds of government agencies worldwide. Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra's modern web client, which requires more resources when loading large email folders. The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking. Attackers can exploit this Classic Web Client security issue through specially crafted emails that execute malicious code when the email is opened."
        https://www.bleepingcomputer.com/news/security/zimbra-urges-customers-to-patch-critical-web-client-xss-flaw/
        https://blog.zimbra.com/2026/07/patch-release-update-zimbra-10-1-19/
        https://thehackernews.com/2026/07/critical-zimbra-flaw-could-let-crafted_0483473395.html
        https://securityaffairs.com/195130/hacking/update-now-critical-zimbra-classic-web-client-flaw-could-expose-mailboxes.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/195164/security/u-s-cisa-adds-icagenda-and-balbooa-forms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Unfit To Boot: Breaking U-Boot's FIT Signature Verification
        "U-Boot is one of the most widely used bootloaders in the world. It runs on a huge variety of hardware, from home routers and smart cameras to the Baseboard Management Controllers (BMCs), which are commonly used to remotely manage servers in large data centres. As a bootloader, its job usually includes initialising the CPU and memory, bringing up the essential peripherals, and finally handing over execution to the next stage of the boot chain."
        https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification
        https://www.bleepingcomputer.com/news/security/new-u-boot-flaws-could-enable-stealthy-firmware-attacks/
        https://thehackernews.com/2026/07/six-new-u-boot-flaws-could-let.html
        https://securityaffairs.com/195150/security/critical-u-boot-bugs-undermine-secure-boot-on-millions-of-devices.html
      • Bypassing Tangem Card Security With a Laser Attack
        "After uncovering a genuine check bypass on the Tangem Android application and a brute-force attack on the card's authentication protocol, the Ledger Donjon turned its attention to the card itself with more advanced tools and sophisticated techniques. What we found is a critical vulnerability that lets an attacker with physical access to a single Tangem card reset its password and steal all associated funds."
        https://donjon.ledger.com/blog/bypassing-tangem-card-security-with-laser-attack/
        https://thehackernews.com/2026/07/laser-attack-resets-tangem-wallet.html
      • I Sent a WhatsApp Message To An AI Agent. It Ran My Code On The Host.
        "There's a particular feeling you get when you watch an AI agent cheerfully execute a payload you just sent it over WhatsApp. It's somewhere between fascination and dread. Like watching someone hold the front door open for a burglar because they said they were from maintenance. Last week, I sent a perfectly normal-looking debugging request to an OpenClaw AI assistant over WhatsApp. Thirty seconds later, I had arbitrary code execution on the host machine. The AI — Claude Sonnet 4, arguably the most safety-aligned model commercially available — didn't just allow it. It helped. It formatted the output nicely and asked if I needed anything else."
        https://medium.com/@chinmohannayak/i-sent-a-whatsapp-message-to-an-ai-agent-it-ran-my-code-on-the-host-adbbcbb0e0ad
        https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
      • XRING: Crashing XQUIC With Spec-Compliant QPACK Instructions
        "During recent research into the different QUIC stacks for our active TLS scanner, JA4Scan, I found a deterministic remote crash in XQUIC, Alibaba's QUIC and HTTP/3 library, dubbed XRING. XQUIC enables HTTP/3 support for Tengine, the Nginx-based web server Alibaba runs across its cloud and CDN infrastructure, including sites like Taobao or AliPay. A remote, unauthenticated client sends spec-compliant HTTP/3 operation traffic and the server process terminates. The crash requires only 260 bytes of client traffic. Every XQUIC version is impacted. There is no patch available."
        https://foxio.io/blog/xring-crashing-xquic-with-spec-compliant-qpack-instructions
        https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html
      • Study Of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, And Tracking
        "Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure. The apps flagged with at least one problem have been installed more than 2.4 billion times. The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read."
        https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html
      • The ‘Ghost’ In The Database: Recovering Active ADFS Signing Keys Via Machine DPAPI
        "The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. By obtaining the private key of an ADFS token-signing certificate, an attacker can authenticate as any user to any SAML-federated application, bypassing multifactor authentication (MFA), conditional access, and all identity-based controls."
        https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi
      • We Put The Exploit In a Picture. The AI Code Reviewer Never Opened It.
        "Almost nobody reviews the pull request. We surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. The thing filling that gap is a new kind of reviewer: an LLM that reads every diff and comments like a human would. Cursor Bugbot and CodeRabbit are the two with real deployment. Hence, we built a pull request that steals a repository's secrets and walks straight past both of them. The trick is that the malicious instruction is not text. It is a picture."
        https://asset-group.github.io/disclosures/ghostcommit/
        https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/

      Malware

      • Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
        "Our investigation began with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, that posed as a DNS/subdomain scanner. The module did more than impersonate a developer utility: it exposed a Windows malware-staging chain that used hidden PowerShell execution, public dead-drop resolution, protected archive delivery, and RAT/infostealer deployment. Pivoting from that module revealed the larger finding: a GitHub-based lure network of 222 confirmed repositories across 190 accounts, built to make malicious or deceptive software projects look active, plausible, and recently maintained."
        https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network
        https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/
        https://securityaffairs.com/195101/security/222-github-repositories-linked-to-fake-go-package-malware-operation.html
      • One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement
        "Suspected China- and India-nexus threat actors carried out intrusions into several Pakistani law enforcement organizations between 2024 and 2026. Our analysis of C2 netflow data revealed that suspected China- and India-nexus threat actors operating PlugX, ShadowPad, Cobalt Strike, and Remcos infrastructure have converged on this victim class. All of these threat actors were active against Balochistan Police, the principal police force serving the Pakistani province of the same name, at various points between 2024 and 2026."
        https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/
        https://therecord.media/china-india-ran-separate-spy-campaigns-against-same-police-force
        https://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.html
        https://www.securityweek.com/china-india-linked-hackers-both-targeted-same-pakistani-police-force/
      • Operation Phnom Penh: Silver Fox Ghost Distributor Targets Specific Victims With MODBEACON Custom Trojan
        ""Silver Fox / UTG-Q-1000" has long been regarded as a byword for low-sophistication, high-activity cybercriminal operations that distribute counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS (ValleyRat) trojan families. In 2025, we countered one such distributor[1], whose remote-control objective was limited to delivering fraud links in IM group chats, with no involvement in information theft or political motives."
        https://ti.qianxin.com/blog/articles/operation-phnom-penh-silverfox-ghost-distributor-targets-specific-victims-with-modbeacon-en/
        https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html
      • How WP-SHELLSTORM Exposed 1.4M WordPress Sites
        "Every so often, a threat actor’s mistake hands over the keys to their entire operation. That’s what happened here: a Python SimpleHTTPServer instance, left open for 22 days, exposed the full toolkit, logs, and target lists of a professional, financially motivated cybercrime group. The SOCRadar Threat Intelligence Team found it. What turned up, now tracked as WP-SHELLSTORM, is a modern webshell access-brokerage operation: over 1.4 million targeted domains, 27 CVEs weaponized, more than 5,700 active webshells, and a second, quieter campaign hitting enterprise Java infrastructure that hasn’t surfaced in other public reporting on this actor."
        https://socradar.io/blog/wp-shellstorm-expose-1-4m-wordpress-sites/
        https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
      • Attackers Exploit 'Ill Bloom' Vulnerability To Drain Over $5 Million From Cryptocurrency Wallets
        "Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, and it told The Hacker News that a further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million."
        https://thehackernews.com/2026/07/attackers-exploit-ill-bloom.html
      • No Manners Here: The Ruthless Rise Of The Gentlemen Ransomware
        "The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure. Figure 1 below illustrates the desktop wallpaper used by the ransomware after deployment."
        https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/
      • Deadlock Ransomware Group
        "DeadLock is a financially motivated ransomware group that emerged in mid-July 2025. The group employs double extortion tactics, demanding ransom payments in cryptocurrencies while threatening to sell stolen data on underground markets. They utilize innovative techniques, such as blockchain smart contracts, to manage their command-and-control infrastructure, enhancing their evasion capabilities."
        https://socradar.io/free-tools/ransomware-intelligence/groups/deadlock
      • Jscrambler Npm Package Publishes Malicious Preinstall Binary
        "On July 11, 2026, version 8.14.0 of jscrambler was published to npm carrying a malicious preinstall hook that drops and executes a platform-specific native binary on Linux, Windows, and macOS. jscrambler is the official CLI client for the Jscrambler Code Integrity API, a commercial JavaScript obfuscation and web-app protection service, with a clean version history dating back to 0.1.0. The compromised release was flagged by StepSecurity's AI Release Analyzer with a suspicion score of 0 (the maximum suspicion rating) on publish."
        https://www.stepsecurity.io/blog/jscrambler-npm-package-publishes-malicious-preinstall-binary
        https://safedep.io/jscrambler-npm-supply-chain-compromise/
        https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html

      Breaches/Hacks/Leaks

      • Police Suspects Dutch Hackers Were Involved In Odido Breach
        "The Dutch National Police (Politie) says it has found "strong indications" that Dutch hackers have been involved in a February breach at the telecommunications provider Odido. "This includes a telephone conversation that was made with Odido customer service shortly before the hack. In this conversation, a Dutch-speaking man posed as Odido's IT employee. The company was then misled through phishing, after which the data theft took place," the police said in a Thursday press release."
        https://www.bleepingcomputer.com/news/security/police-suspects-dutch-hackers-were-involved-in-odido-breach/
        https://therecord.media/dutch-police-suspect-dutch-accomplice-in-odido-cyberattack
      • Fashion Mart Miinto Unzips Breach Details, Warns Shoppers To Watch For Phisherfolk
        "Danish ecommerce company Miinto admitted an intruder has been looking at its order data, according to emails it sent to customers this week. The emails, seen by The Register, do not comment on the scale of the data accessed by the perp or how exactly the breach occurred, although UK-based customers of the Copenhagen-HQ'd biz have received them. “We are writing to let you know about a security incident that may have affected some of the personal data associated with a purchase you made on Miinto,” the email states."
        https://www.theregister.com/security/2026/07/10/miinto-fesses-up-to-breach-says-customers-open-to-phishing/5269891

      General News

      • The Open Source Library Holding Up Your Stack Might Have One Maintainer
        "Every serious software product runs on code that someone else wrote and released for free. A web service leans on a cryptography library, a data pipeline pulls in a parser, and a mobile app ships a handful of small utilities that one person maintains in spare time. All of it carries the same label. A new paper argues that the single label hides differences large enough to change how each piece behaves once it lands in production. Researchers sorted open source software into fourteen sub-genres, each defined by who starts and sustains a project and to what end. Their review screened close to four thousand unique papers drawn from two scholarly indexes. The result is a typology, along with an argument that the kind of project a study samples sets how far its conclusions travel."
        https://www.helpnetsecurity.com/2026/07/10/open-source-software-library-types/
        https://arxiv.org/pdf/2607.01750
      • Most Data Brokers Won’t Tell You What Happened To Your Deletion Request
        "Data brokers collect personal details on most adults in the United States and sell them to buyers that include employers, landlords, insurance companies, and government agencies. California gives residents a way to push back. You can ask a broker to delete your records, or to stop selling and sharing them. A team at UC Irvine decided to find out what happens when someone sends those requests to the whole California registry. The answer gives consumers little comfort. The researchers sent deletion and opt-out requests to every reachable broker on California’s public list in the fall of 2025. That worked out to 322 deletion requests and close to 360 opt-out requests. To keep real people out of the mix, they built two made-up identities, one for each request type, each with a working email address and a plausible California address."
        https://www.helpnetsecurity.com/2026/07/10/trouble-with-data-broker-deletion-requests/
        https://arxiv.org/pdf/2607.04552
      • Evolving Windows Vulnerability Management To Meet The Speed Of AI-Powered Discovery
        "Windows has adapted to emerging threats for decades, all while operating at unparalleled scale. It’s our responsibility to bring clarity, transparency and sustained investment so customers understand what is happening, what Microsoft is doing and how they can reduce their exposure. The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis. The fastest way to reduce customer exposure is to find issues before attackers can use them. Windows is expanding its ability across the platform to find issues earlier, accelerate the engineering work to fix them, strengthen validation and deliver timely, high-quality updates that keep customers protected."
        https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/
        https://www.theregister.com/security/2026/07/10/microsoft-warns-customers-ai-will-mean-busier-patch-tuesdays/5269618
        https://www.infosecurity-magazine.com/news/microsoft-increase-number-security/
      • Armenian National Extradited To The United States Pleads Guilty To Ransomware Extortion Conspiracy
        "An Armenian national extradited from Ukraine to the United States pleaded guilty yesterday for his role in Ryuk ransomware attacks and an extortion conspiracy targeting companies throughout the United States, including a technology company operating in Oregon. Karen Serobovich Vardanyan, 34, pleaded guilty to conspiracy and computer fraud."
        https://www.justice.gov/usao-or/pr/armenian-national-extradited-united-states-pleads-guilty-ransomware-extortion-conspiracy
        https://www.bleepingcomputer.com/news/security/ryuk-ransomware-member-pleads-guilty-in-the-us-faces-15-years-in-prison/
        https://therecord.media/ryuk-operator-pleads-guilty-alphv-conspirator-sentenced
        https://cyberscoop.com/karen-vardanyan-armenian-ryuk-ransomware-guilty/
        https://securityaffairs.com/195216/uncategorized/ryuk-ransomware-member-pleads-guilty-over-attacks-on-u-s-organizations.html
      • Man Serving Federal Prison Sentence Charged With Theft Of Forfeited Cryptocurrency
        "Rossen G. Iossifov, 53, a Bulgarian national, made an initial appearance in federal court in the Eastern District of Kentucky yesterday on charges of the destruction or removal of property to prevent seizure, aiding and abetting, and conspiracy to commit money laundering. The charges stem from Iossifov’s alleged role in the unauthorized withdrawal and transfer of approximately $290,000 in cryptocurrency that had been seized and forfeited by the United States."
        https://www.justice.gov/opa/pr/man-serving-federal-prison-sentence-charged-theft-forfeited-cryptocurrency
        https://www.bleepingcomputer.com/news/security/money-launderer-accused-of-stealing-seized-crypto-while-in-prison/
      • Lessons From CISA’s Cyber Incident
        "Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments. For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn. On Friday, May 15, CISA began an internal incident response when an investigative reporter inquired about internal CISA Amazon AWS GovCloud Keys and other information being made available in a public repository. The reporter received this information from a security researcher whose company continuously scans public code repositories."
        https://www.cisa.gov/news-events/news/lessons-cisas-cyber-incident
        https://www.infosecurity-magazine.com/news/cisa-incident-response-exposed-aws/
      • When Cyberattacks Turn Physical: Threats Of Violence In Digital Extortion
        "Cyberattacks have always had real‑world consequences. A ransomware incident can halt production, delay patient care or shut down public services. But until recently, most attacks relied strictly on digital leverage: encrypt data, threaten to leak it and demand payment. Threat intelligence and industry reporting now point to a clear shift toward hybrid attacks that combine cyber intrusion, psychological pressure and real-world intimidation. In practical terms, attackers are no longer satisfied with controlling systems. They are increasingly trying to control outcomes and influence decisions and behavior by introducing fear that extends beyond the network."
        https://blog.barracuda.com/2026/07/09/cyberattacks-physical-threats-ransomware-trend
      • Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018
        "Ransomnews has independently confirmed 9,291 ransomware attacks worldwide between January 2018 and July 2026, tracking incidents only when verified through victim disclosures, regulatory filings, official statements, or credible press reporting. Leak-site listings alone don’t qualify, operators inflate, duplicate, and occasionally fabricate claims. The result is a dataset that’s smaller than what most ransomware statistics cite, and more defensible. “Confirmed ransomware attacks have run at roughly 1,400 to 1,550 per year since 2023, after a visible dip in 2022. The 2020 to 2021 surge, the 2022 trough (which coincided with the Conti shutdown and the Russia-Ukraine war reshuffling the ecosystem), and the post-2023 plateau are all visible in the yearly series. The current year always shows a partial count.” reads the Ransomnews ‘s report."
        https://securityaffairs.com/195117/cyber-crime/ransomware-never-stopped-over-9000-confirmed-attacks-since-2018.html

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 19eb53a0-3599-46c5-a7a9-0537ec9ea7f8-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 10 July 2026

      Vulnerabilities

      • Chrome 150 Update Patches 27 Vulnerabilities
        "Google on Wednesday announced a Chrome 150 security update that resolves 27 vulnerabilities, including two critical-severity flaws. The two critical bugs are use-after-free issues in Chrome’s Ozone and Views components. Both were found by Google last month. The Chrome refresh resolves a total of 13 use-after-free defects, including 10 high-severity and one medium-severity weakness."
        https://www.securityweek.com/chrome-150-update-patches-27-vulnerabilities/
      • Microsoft Patches RoguePlanet Defender Zero-Day Vulnerability
        "Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday. The flaw (tracked as CVE-2026-50656) was disclosed by a security researcher using the "Nightmare Eclipse" handle as part of an ongoing dispute with Microsoft over the company's bug bounty and vulnerability disclosure practices. They also shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously removed their repos hosting exploits on GitHub and GitLab."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-rogueplanet-defender-zero-day-vulnerability/
        https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
        https://www.darkreading.com/vulnerabilities-threats/microsoft-rogueplanet-zero-day-threat
        https://www.malwarebytes.com/blog/news/2026/07/microsoft-fixes-rogueplanet-zero-day-in-defender
        https://www.securityweek.com/microsoft-patches-defender-rogueplanet-vulnerability/
        https://securityaffairs.com/195016/security/microsoft-fixed-defender-flaw-rogueplanet-cve-2026-50656.html
        https://www.theregister.com/security/2026/07/09/microsoft-closes-book-on-nightmare-eclipses-rogueplanet-zero-day/5269280
        https://www.helpnetsecurity.com/2026/07/09/microsoft-releases-fix-for-rogueplanet-defender-flaw-cve-2026-50656/
      • WolfSSL, GeoVision, VTK Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in WolfSSF, fourteen in GeoVision, and one vulnerability in VTK-DICOM. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy."
        https://blog.talosintelligence.com/wolfssl-vulnerabilities/
      • Palo Alto Networks Patches 13 Vulnerabilities
        "Palo Alto Networks on Wednesday published advisories describing more than a dozen vulnerabilities affecting its products. The new advisories cover 13 vulnerabilities specific to Palo Alto Networks products, as well as more than 500 flaws patched recently by Google in Chromium, which the cybersecurity giant uses for its Prisma browser. The most severe of the newly patched vulnerabilities is CVE-2026-0288. Assigned high severity and highest urgency ratings, the CVE covers multiple buffer overflows in the PAN-OS software, which powers Palo Alto’s firewalls."
        https://www.securityweek.com/palo-alto-networks-patches-13-vulnerabilities/

      Malware

      • RedHook Returns With a Dangerous Upgrade
        "RedHook is an Android Remote Access Trojan (RAT) that has re-emerged with significant improvements. While retaining core RAT functionalities, such as screen streaming and keylogging, the latest iterations demonstrate a sophisticated shift toward privilege abuse. This analysis details how RedHook abuses Android’s ADB Wireless Debugging features to autonomously obtain shell-level access (uid 2000). Also, by examining the malware’s persistence stack and its expanded command-and-control capabilities, this report provides technical insights into this evolving mobile threat. RedHook was first documented by Cyble researchers in July 2025."
        https://www.group-ib.com/blog/redhook-android-rat-upgraded/
      • How The Reddit And Discord False Report Scam Steals Accounts
        "A stranger messages you on Reddit. They say someone reported them, and the reporting account looks a lot like yours. Was it you? It wasn’t. That’s not really the point of the message. This version relies entirely on social engineering. There is no malware and no malicious links. It starts with a conversation, but the goal is to trick you into handing over a login or verification code so the scammer can access your Reddit account."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/how-the-reddit-and-discord-false-report-scam-steals-accounts
        https://www.helpnetsecurity.com/2026/07/09/reddit-false-report-scam-direct-message/
      • Fake Installers, Fake Reviews, Fake Services – Real Proxies, Real Victims
        "Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device’s bandwidth to their own customers. Those companies—proxy providers—often have affiliate programs where they pay for installation of the software. Sound familiar? It’s the same model as the advertising networks we often write about. Residential proxies are yet another tangled ecosystem full of buyers and sellers, with players in every shade of grey. This blog tells the story of a bad actor who operates an end-to-end malicious proxy business grounded in a collection of clever lookalike domains."
        https://www.infoblox.com/blog/threat-intelligence/fake-installers-fake-reviews-fake-services-real-proxies-real-victims/
        https://thehackernews.com/2026/07/fake-7-zip-installers-turn-devices-into.html
        https://securityaffairs.com/194990/malware/fake-vpn-and-7-zip-apps-turn-victims-into-residential-proxy-nodes.html
      • Compromised Injective SDK Npm Package Exfiltrates Wallet Keys And Mnemonics
        "Socket detected a malicious @injectivelabs/[email protected] release published to npm with fake telemetry functionality that exfiltrates wallet private keys and mnemonic phrases. The affected package is part of the Injective Labs TypeScript SDK and receives roughly 50,000 weekly downloads, making the incident significant for developers and applications that handle Injective wallet workflows."
        https://socket.dev/blog/compromised-injective-sdk-npm-package
        https://www.ox.security/blog/injectivelabs-npm-package-hijacked-impacting-87-dependent-packages/
        http://www.stepsecurity.io/blog/injective-npm-supply-chain-attack-18-packages-backdoored-to-steal-crypto-wallet-keys
        https://www.bleepingcomputer.com/news/security/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer/
      • Helix, a New Name In The Data Extortion Ecosystem?
        "ReliaQuest has identified a data extortion group operating under the name "Helix." However, the playbook it runs and the identity gaps it exploits extend well beyond the group itself. Helix uses vishing to initiate contact—we've even seen the group spoof a target's direct manager by name on caller ID. Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert. ReliaQuest has confirmed shared infrastructure across attacks on multiple targets, including a phishing domain with target-specific subdomains, suggesting a widespread campaign."
        https://reliaquest.com/blog/threat-spotlight-helix-new-name-in-data-extortion-ecosystem
        https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/
      • Inside Forg365: A Telegram-Distributed Sneaky 2FA-Style PhaaS Targeting Microsoft 365
        "Forg365 is a mature Microsoft 365-focused phishing-as-a-service platform that combines device-auth phishing, AiTM delivery, AntiBot evasion, campaign delivery, session persistence, AI-assisted lure creation, and post-compromise mailbox operations inside a commercial operator ecosystem."
        https://zerobec.com/blog/inside-forg365-telegram-distributed-sneaky2fa-style-phaas
        https://www.bleepingcomputer.com/news/security/new-forg365-phishing-platform-uses-ai-to-target-microsoft-365-accounts/
      • When AI Infrastructure Becomes Part Of The Attack Surface
        "Darktrace investigated a compromised AI gateway connected to Amazon Bedrock services that was later observed communicating with cryptomining infrastructure. The incident highlights how AI gateways are becoming part of the enterprise attack surface and demonstrates the importance of behavioral analysis, cloud visibility, and securing AI infrastructure alongside identities and workloads."
        https://www.darktrace.com/blog/when-ai-infrastructure-becomes-part-of-the-attack-surface
        https://www.darkreading.com/cyber-risk/ai-gateways-keys-kingdom
        https://hackread.com/ai-gateway-amazon-bedrock-hijacked-cryptomining/
      • GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver To Disable Defenses
        "Analysis of a recent GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware, which was first seen in 2022. The Symantec Threat Hunter Team tracks the developer behind these ransomware families as Hyadina."
        https://www.security.com/blog-post/goddamn-ransomware-beast-rebrand
        https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
        https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
        https://securityaffairs.com/195042/malware/goddamn-ransomware-uses-poisonx-to-blind-security-software.html
      • GigaWiper: Anatomy Of a Destructive Backdoor Assembled From Multiple Malware
        "In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction:"
        https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/
        https://thehackernews.com/2026/07/new-gigawiper-windows-backdoor-bundles.html
        https://hackread.com/microsoft-gigawiper-backdoor-destroy-windows-pcs/
      • Analyzing AI-Augmented Network Enumeration
        "We recently came across an incident in early June where a threat actor used a vibe-coded PowerShell script for Active Directory (AD) enumeration. The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt. AI-assisted tradecraft continues to change the threat landscape. Defenders should focus on the fundamental behaviors of the attack lifecycle, because while AI can change the code syntax, it can't easily change the underlying parts of an attack, like enumeration."
        https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory
        https://www.infosecurity-magazine.com/news/vibe-coded-malware-ai-powershell/
      • Coordinated GitHub API Enumeration And Access Token Abuse
        "Datadog Security Research is tracking several overlapping campaigns that systematically enumerate corporate GitHub organizations, repositories, and user accounts through the GitHub API. Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub "ghost" accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users. Most requests target public data, making it look like ordinary API traffic. In some cases, the activity escalated past public information enumeration, appearing to successfully clone private repositories."
        https://securitylabs.datadoghq.com/articles/coordinated-github-api-enumeration/
        https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html
      • From Invoice To AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
        "The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems and is delivered using a spoofed domain designed to mimic the organization. The malicious email contains a password-protected attachment that ultimately deploys additional payloads on the victim’s system. Analysis indicates that the threat actor’s primary objective is to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account and implementing persistence mechanisms to retain long-term control of the compromised host."
        https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/
      • CrowdStrike Uncovers New Prompt Injection Techniques
        "Prompt injection is among the defining security challenges of the AI era. As organizations move from chatbots to AI agents, adversaries are finding more ways to manipulate the language, context, and data these systems trust. With the rise of powerful AI agents that can crawl webpages, access file stores, and even write shell commands, indirect prompt injection has emerged as a critical threat vector. Adversaries can hide these attacks in the data consumed by these agents and then hijack their capabilities to cause further damage."
        https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/
      • Large-Scale Exploitation Campaign Targeting Website Content Management Systems (CMS)
        "A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted. As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation."
        https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/large-scale-exploitation-campaign-targeting-website-content-management-systems-cms

      Breaches/Hacks/Leaks

      • AssuranceAmerica Data Breach Exposes Records Of 6.9 Million Drivers
        "American insurance company AssuranceAmerica has disclosed a data breach impacting nearly 7 million drivers after attackers gained access to its systems earlier this year. AssuranceAmerica operates through a network of over 9,500 independent agents and provides auto, renters, and commercial auto insurance coverage across 14 U.S. states. While the company has yet to publish a press release regarding the incident, it revealed in a filing with Maine's Office of the Attorney General that the data breach has exposed the information of 6,998,886 people."
        https://www.bleepingcomputer.com/news/security/assuranceamerica-data-breach-exposes-records-of-69-million-drivers/
        https://www.malwarebytes.com/blog/data-breaches/2026/07/6-9-million-drivers-license-numbers-stolen-from-assuranceamerica
        https://securityaffairs.com/195027/data-breach/assuranceamerica-breach-exposes-7-million-drivers-licenses-after-employee-account-hack.html

      General News

      • Q2 2026 Statistical Report On Malware Targeting Windows Web Servers
        "In the second quarter of 2026, the AhnLab SEcurity intelligence Center (ASEC) compiled an analysis of the current attack status for poorly managed Windows web servers and classified the malware used in these attacks. The targets were Internet Information Services (IIS) web servers and Apache Tomcat web servers running in Windows environments."
        https://asec.ahnlab.com/en/94398/
      • Statistical Report On Malware Targeting Linux SSH Servers In The Second Quarter Of 2026
        "In the second quarter of 2026, the AhnLab SEcurity intelligence Center (ASEC) collected and analyzed attack logs targeting poorly managed Linux SSH servers through honeypots. The scope of the analysis covers attack sources that progressed to executing actual malware installation commands, as well as statistics on the malware used in those attacks."
        https://asec.ahnlab.com/en/94396/
      • Statistical Report On Malware Targeting Windows Database Servers In The Second Quarter Of 2026
        "The AhnLab SEcurity intelligence Center (ASEC) analyzed attack logs from the second quarter of 2026 targeting MS-SQL server and MySQL server installations on Windows. This report summarizes the damage status, attack status, and the classification of the malware and tools used in the attacks."
        https://asec.ahnlab.com/en/94397/
      • Inside The Underground Economy: 5 Dark Web Trends Shaping The 2026 Threat Landscape
        "The dark web is no longer just a hidden marketplace for stolen credentials; it has grown far beyond that point and now affects nearly every phase of the cyberattack lifecycle. Markets that once traded only compromised accounts now also sell ransomware services, initial network access, exploit kits, phishing infrastructure, and even AI-powered attack tools. What used to be a place for selling stolen data has become the operational backbone of modern cybercrime."
        https://cyble.com/blog/dark-web-trends-2026-cyber-threat-landscape/
      • Messaging Fraud Trends Point To Smarter Attacks, Stronger Blocking
        "Fraudsters spent 2025 investing in scale. New routes, new tools, and higher message volumes moved through the SMS, voice, and chat channels that businesses rely on to reach customers. Money follows that activity. The Communications Fraud Control Association puts global telecom fraud losses at around 42 billion dollars for the year, several billion higher than its estimate for the prior year. Blocked volumes rose alongside the threat. Infobip, a communications platform that handles billions of interactions each month, reports that blocked messages grew 77% between 2024 and 2025. This means attackers pushed more traffic, and detection systems caught a wider range of it. Some markets also show better outcomes as detection infrastructure matured, a sign that defenses are catching up in places where they had lagged."
        https://www.helpnetsecurity.com/2026/07/09/infobip-messaging-fraud-trends/
      • A Single Malware File Can Outweigh An Entire AI Dataset
        "Antivirus vendors and security startups keep shipping AI features that promise to read malware the way a seasoned analyst would. The results inside security teams tell a quieter story. A new paper argues that static analysis of software, the job of deciding whether a program is malicious by examining its contents on disk, remains one of the hardest places to make generative AI work. The scale of the problem explains much of the difficulty. Standard datasets in other fields look small next to a single security sample. ImageNet, the benchmark that helped launch deep learning in computer vision, fits in about 17 GB once its images are resized down, and it holds more than a million of them. Routine static analysis means processing single files that outweigh entire datasets from other research areas."
        https://www.helpnetsecurity.com/2026/07/09/research-ai-in-cybersecurity/
        https://arxiv.org/pdf/2606.28929
      • Over 5,800 Arrests, USD 293 Million Intercepted In Global Fraud Bust
        "A global anti-fraud operation involving 97 countries and territories has led to the arrest of 5,811 individuals and the interception of USD 293 million in illicit assets. Operation First Light 2026 (15 Jan 2026 – 30 April 2026), coordinated by INTERPOL, focused on combatting social engineering scams and associated money laundering activities. Social engineering is a broad term that refers to techniques that exploit a person’s trust to obtain money or confidential information. This type of fraud can include business email compromise, sextortion, as well as romance, impersonation or investment scams."
        https://www.interpol.int/News-and-Events/News/2026/Over-5-800-arrests-USD-293-million-intercepted-in-global-fraud-bust
        https://www.bleepingcomputer.com/news/security/police-arrests-5-800-suspects-in-global-anti-fraud-crackdown/
        https://cyberscoop.com/interpol-cybercrime-crackdown-operation-first-light/
        https://www.infosecurity-magazine.com/news/china-interpol-cybercrime-crackdown/
        https://securityaffairs.com/195056/security/interpol-operation-first-light-nets-5811-arrests-and-seizes-293-million.html
        https://www.helpnetsecurity.com/2026/07/09/interpol-fraud-bust-social-engineering-scams/
      • Friendly Fire: Hijacking Defensive Cyber AI Agents For Remote Code Execution
        "We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector. As such, we warn against the recent initiatives that mandate the acceleration of AI-enabled defensive tools without consideration of the substantial and unmitigated risks associated with the deployment of defensive AI, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment."
        https://ainowinstitute.org/publications/friendly-fire-exploit-brief
        https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
      • A New Ransomware Leader Emerges As June 2026 Attack Volumes Climb Worldwide
        "June reversed the brief calm of May. Organizations faced an average of 2,270 weekly cyber attacks, a 10% rise from the previous month and a 17% increase compared with June last year. What makes this month notable is not just the size of the jump but its reach. Rather than one region or sector absorbing the bulk of the growth, the increase showed up almost everywhere at once, suggesting attackers spread their effort wider rather than concentrating it."
        https://blog.checkpoint.com/research/a-new-ransomware-leader-emerges-as-june-2026-attack-volumes-climb-worldwide/
      • AI Agents Are a New Kind Of Identity & Most Organizations Aren't Ready
        "I recently read an opinion piece on TechTarget by Todd Thiemann, a principal analyst at Omdia, on identity security for AI agents. It is one of the clearest things I have read on this topic, but it also made me think about something that I want to dig into further because it's the most important factor in enterprise security right now, and it's not getting the attention it deserves: the development environment. Thiemann makes a point that I have been making for a while now, and it's worth repeating loudly: AI agents are not just another type of non-human identity. They are fundamentally different. If you're still treating them like a service account or an API token, you are already behind."
        https://www.darkreading.com/identity-access-management-security/ai-agents-new-kind-identity-most-organizations-not-ready
      • Iran's Cyber Crosshairs Focus Beyond Critical Infrastructure
        "For many CISOs, the headlines detailing Iranian-linked strikes on water utilities and power grids trigger a dangerous sense of immunity: "I'm not a utility; I'm not a target." There is a comforting, yet flawed, assumption that these operations are merely geopolitical theater confined to the high-stakes arena of critical infrastructure. But in the modern threat landscape, obscurity is not a defense, and "non-critical" status is not a shield. If your organization has a digital heartbeat and an Internet-facing vulnerability, you're already at risk from multiple potential threats, whether you realize it or not."
        https://www.darkreading.com/cyber-risk/iran-cyber-crosshairs-beyond-critical-infrastructure
      • As Global Conflicts Go Digital, Businesses Need Wartime Gameplans
        "Intellect Services could hardly be less interesting. A midsized, family-owned business in Ukraine that sold tax software. Its owners really can't be faulted for not anticipating that they might one day be a huge pawn in a regional cyberwar. To Russian foreign military intelligence, Intellect Services was totally interesting. The company's platform, M.E.Doc, was ubiquitous across Ukrainian businesses. Compromising M.E.Doc they could, in effect, impact most of the country's economy. And like other midsize businesses, the company wasn't likely to have any kind of exceptional cybersecurity defenses getting in Russia's way."
        https://www.darkreading.com/cybersecurity-operations/businesses-wartime-cybersecurity-gameplans
      • 78% Of CISOs Say C-Level Do Not Fully Understand Employee-Driven Cyber Risk
        "More than three quarters of CISOs across Europe say C-level senior decision-makers do not fully understand the cyber risk posed by employees, according to new research, at a time when AI is making human-targeted attacks more sophisticated, scalable, convincing and increasingly frequent. The survey of 200 CISOs across the UK, France, Germany and Sweden, carried out by MetaCompliance, the human cyber risk management company, reveals a growing disconnect between the risks organisations face at the human layer and the level of senior understanding, alignment and support needed to manage them effectively."
        https://www.metacompliance.com/company-news/78-of-cisos-say-c-level-do-not-fully-understand-employee-driven-cyber-risk
        https://www.infosecurity-magazine.com/news/cisos-fear-execs-dont-understand/
      • ENISA’s View On Cybersecurity In The Frontier AI Era
        "This publication provides national competent authorities in Member States and EU policymakers, defenders, and service providers with an initial set of recommendations to support them in their respective roles towards developing the necessary operational capabilities to face machine-speed threats. The recommendations are not an all-inclusive checklist. ENISA aims to further refine and expand these recommendations in close cooperation with Member States and EUIBAs and will align these to upcoming European Commission Action Plan."
        https://www.enisa.europa.eu/publications/enisas-view-on-cybersecurity-in-the-frontier-ai-era
        https://www.enisa.europa.eu/sites/default/files/2026-07/ENISA view on cybersecurity in the frontier AI era_en_0.pdf
      • Florida Ransomware Negotiator Who Extorted And Attacked Multiple U.S. Victims Sentenced To Prison
        "Angelo Martino, 41, of Land O’Lakes, Florida, formerly employed as a ransomware negotiator, was sentenced today to 70 months for his role in conspiring with Blackcat/ALPHV (BlackCat) actors to extort multiple victims, as well as conspiring with other former cybersecurity professionals to attack additional victims in 2023. “Angelo Martino’s victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division."
        https://www.justice.gov/opa/pr/florida-ransomware-negotiator-who-extorted-and-attacked-multiple-us-victims-sentenced-prison
        https://cyberscoop.com/digitalmint-ransomware-negotiator-angelo-martino-sentenced/
      • June 2026 Dark Web Breach Incident Trend Report
        "The June 2026 Dark Web Breach Incident Trend Report is based on major data breach cases posted on the deep web and dark web forums. Due to the nature of some sources, it was difficult to fully verify the accuracy of certain information, so the report includes content that requires further verification."
        https://asec.ahnlab.com/en/94411/
      • June 2026 Dark Web Issue Trend Report
        "The June 2026 Dark Web Issue Trend Report summarizes major issues that occurred on the deep web and dark web. Due to the nature of the sources, it is sometimes difficult to fully verify the accuracy of certain information, and this is noted accordingly."
        https://asec.ahnlab.com/en/94416/
      • June 2026 Dark Web Threat Actor Trend Report
        "The June 2026 Dark Web Threat Actor Trend Report focuses on trends among threat actors—including hacktivists—operating on the deep web and dark web. It is noted that the accuracy of some information could not be verified."
        https://asec.ahnlab.com/en/94417/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 6b3b3c38-8813-4563-9263-cb10c24b1944-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ iCagenda และ Balbooa Forms ที่ถูกใช้โจมตีจริงเข้า KEV

      CISA เพิ่มช่องโหว่ iCagenda และ Balbooa Forms ที่ถูกใช้โจมต.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 0394270a-b472-49ea-ab9e-ea4ddee1645a-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Zimbra เตือนช่องโหว่ XSS ใน Classic Web Client เสี่ยงรันโค้ดอันตรายผ่าน Email

      Zimbra เตือนช่องโหว่ XSS ใน Classic Web Client เสี่ยงรันโค้ดอ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 15893241-5ec4-4f3a-ae67-cc0638f00ac1-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ตรวจพบ GigaWiper แบ็กดอร์สายพันธุ์ใหม่บน Windows ผสานความสามารถโจมตีลบข้อมูลและเรียกค่าไถ่

      ตรวจพบ GigaWiper แบ็กดอร์สายพันธุ์ใหม่บน Windows ผสาน.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 2fe6aa38-09dd-4cf0-bdc6-282f0b654e3e-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Google ออกอัปเดต Chrome 150 แก้ช่องโหว่ 27 รายการ รวมถึงช่องโหว่ระดับ Critical

      Google ออกอัปเดต Chrome 150 แก้ช่องโหว่ 27 รายการ รวมถึ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand f2b7cbdc-a71f-4e2c-8ceb-89e1b849203c-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Mount Royal University ยืนยันเหตุข้อมูลรั่วไหล หลังแฮกเกอร์อ้างโจมตีและเรียกค่าไถ่

      Mount Royal University ยืนยันเหตุข้อมูลรั่วไหล หลังแฮกเ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 897726ea-ecee-4c3c-a814-7a9b2ecdb19a-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • แฮกเกอร์เพียงตัวคนเดียว สามารถใช้ AI เจาะระบบคลาวด์ AWS สำเร็จได้ภายใน 72 ชั่วโมง

      แฮกเกอร์เพียงตัวคนเดียว สามารถใช้ AI เจาะระ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 2cb3968b-ceec-4a54-84e1-f3b8c01ca5cf-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่ม 4 ช่องโหว่ที่ถูกใช้โจมตีจริงใน Adobe ColdFusion, Joomla และ Langflow เข้า KEV

      CISA เพิ่ม 4 ช่องโหว่ที่ถูกใช้โจมตีจริงใน Adobe ColdF.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 4a343551-82a6-4e37-adc1-5c89cd43d9c5-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • KDDI เผยเหตุข้อมูลรั่วไหล กระทบประชาชนกว่า 12 ล้านราย หลังแพลตฟอร์มอีเมลของ ISP ถูกโจมตี

      KDDI เผยเหตุข้อมูลรั่วไหล กระทบประชาชนกว่า 12 .png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand a4713865-2f2c-43e6-a792-919852612002-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • เตือนภัยกลุ่มแฮกเกอร์ UAT-7810 ใช้ยมัลแวร์ LONGLEASH พุ่งเป้าโจมตีเราเตอร์เพื่อสร้างเครือข่ายพรางตัว

      เตือนภัยกลุ่มแฮกเกอร์ UAT-7810 ใช้ยมัลแวร์ LONGLEASH .png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 02052452-58fc-47b1-abaf-f7731bb5acb1-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 09 July 2026

      Vulnerabilities

      • Foxit PDF Reader Flaws Enable Arbitrary Code Execution
        "Foxit shipped Foxit PDF Reader 2026.1.2 and PDF Editor 2026.1.2 for Windows. The release fixes 28 security flaws. Twenty of them can lead to arbitrary code execution when someone opens a crafted PDF. So far, no vendor or researcher has confirmed active exploitation or a public proof-of-concept."
        https://securityonline.info/foxit-pdf-reader-code-execution/
      • IonStack Part II: GhostLock, a Stack-UAF That Has Existed In ALL Linux Distributions For 15 Years
        "GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege. By turning it into a 97% stable privilege escalation and container escape, Google has rewarded us $92,337 in kernelCTF. This writeup covers the technical details of the exploit."
        https://nebusec.ai/research/ionstack-part-2/
        https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
      • GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
        "New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters because so many systems treat a verified commit hash as a permanent, unique name for its contents."
        https://thehackernews.com/2026/07/github-verified-commits-can-be.html
        https://arxiv.org/abs/2607.02820

      Malware

      • CAI Cloud Worm Gives Competitors' Malware The Boot, Then Steals Secrets And Mines For Coin
        "There's no honor among thieves as a new worm steals from other infectious software. It pilfers “multiple” victims’ credentials and mines for cryptocurrency while killing competitors’ processes, including similar secret-harvesting malware. It’s called Cloud AI Infrastructure Attack Framework (CAI), and it’s a centralized botnet that targets cloud-native developer tools like Docker, Kubernetes, Redis, etcd, Kubelet, and Ray for credential theft and cryptomining. The scripts “are heavily inspired” by the likes of other similar credential-stealing worms that have wreaked havoc across cloud environments and supply chains this year, “using code comments like ‘PCPJack-aligned,’” according to security researcher Michael R."
        https://www.theregister.com/cyber-crime/2026/07/07/cai-cloud-worm-gives-competitors-malware-the-boot-then-steals-secrets-and-mines-for-coin/5267856
      • What If You Received An Email About Transferring Your Kakao Account? Check This First.
        "Recently, a phishing email disguised as an official Kakao account transfer notification has been identified. The email attempts to instill anxiety by claiming that the user’s Kakao account is scheduled to be transferred, and prompts the user to click on the “Verify Account” link included in the body of the message. If a user enters their email address and password on the linked phishing page, the entered credentials may be transmitted to an external server controlled by the threat actor. In this article, we’ll examine the phishing tactics used in these Kakao account migration emails and the precautions users should take."
        https://asec.ahnlab.com/en/94388/
      • Files Locked Behind a White Padlock: A Warning From WhiteLock Ransomware
        "If files start getting locked one by one and even remote access tools stop working, your system may already be infected with ransomware. The recently identified WhiteLock ransomware encrypts key files on Windows systems and then generates a ransom note demanding payment. A key characteristic of this ransomware is that it communicates with external servers during the encryption process and terminates Services related to remote access tools—such as AnyDesk and TeamViewer—to prevent victims from responding remotely. In this article, we’ll examine the main operating mechanisms of WhiteLock ransomware and the security considerations to keep in mind when responding to a ransomware attack."
        https://asec.ahnlab.com/en/94390/
      • Coordinated Npm And PyPI Campaign Typosquats Popular Secure Payment Apps
        "Socket’s AI scanner detected a cluster of npm and PyPI malware published on July 7, 2026. The 17 packages, published nearly simultaneously, target SDK developers and users of the popular PaySafe, Skrill and Neteller payment applications. Ultimately, the packages perform credential and token theft, exfiltrating stolen data to AWS infrastructure."
        https://socket.dev/blog/npm-pypi-campaign-typosquats-popular-secure-payment-apps
        https://www.bleepingcomputer.com/news/security/fake-paysafe-skrill-sdks-on-npm-and-pypi-steal-credentials/
      • Vishing Actors Target Entra Passkey Enrollment
        "Since April 2026, a threat actor tracked as O-UNC-066 (also known as "Pink" by Palo Alto Networks Unit 42) has deployed a panel-controlled phishing kit targeting the passkey enrollment process for Microsoft 365 customers. Okta has observed the targeting of enterprise organizations across the food and beverage, technology, healthcare, automotive, construction, and aviation industries by this cluster of activity. The primary motivation of the threat actors is data extortion. The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing (“vishing”) scheme. The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey."
        https://www.okta.com/en-au/blog/threat-intelligence/vishing-actors-target-microsoft-entra-passkey-enrollment-/
        https://www.bleepingcomputer.com/news/security/entra-passkey-enrollment-vishing-targets-microsoft-365-users/
      • Inside An AI-Assisted Cloud Attack: Familiar Techniques At Unfamiliar Speed
        "This case study shows that AI-enabled attackers do not necessarily need novel malware or zero-days. The real shift is speed, scale, and orchestration: familiar cloud attack techniques were executed faster and across more surfaces than defenders could comfortably contain."
        https://www.sygnia.co/blog/inside-an-ai-assisted-cloud-attack/
        https://www.darkreading.com/cloud-security/lone-attacker-ai-breach-aws-cloud-environment
        https://www.infosecurity-magazine.com/news/threat-actor-agentic-ai-cloud/
      • Meta Phishers Abuse Business Account Manager Service
        "Huntress is tracking a threat actor who has figured out how to manipulate a legitimate service offering from Meta to send a spam lure email that passes validation. The phishing group conducting this operation began as late as November 2025 but have recently added new infrastructure and a new spin to the attack: starting in June, they modified their phishing lure to incorporate a chatbot, run through a fraudulent account on Facebook Messenger, and began sending credentials to a private Telegram channel."
        https://www.huntress.com/blog/meta-business-manager-phishing
        https://www.infosecurity-magazine.com/news/phishing-facebook-fake-verification/
      • Beware Of Agentic Botnets: Scalable Untargeted Promptware Attacks Via Universal And Transferable Adversarial HalluSquatting
        "We show that attackers can exploit predictable LLM hallucinations of resource identifiers to launch scalable, untargeted prompt injection attacks without requiring any direct channel to LLM applications. By preemptively registering hallucinated resources—a technique we call adversarial hallucination squatting (HalluSquatting)—we demonstrate remote tool execution and remote code execution at scale across a range of popular agentic LLM applications, which could be exploited to the establishment of a botnet."
        https://sites.google.com/view/agentic-botnets/home
        https://thehackernews.com/2026/07/new-hallusquatting-attack-could-trick.html
      • New Ghost Phishing Wave Is Breaking Traditional Email Security
        "A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time are already at stake."
        https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html
      • ClickFix To Cash-Out: Anatomy Of a Mexican Banking-Fraud Toolkit
        "A Mexican banking fraud operation we're tracking as REF6045 doesn't run on autopilot. A human operator is behind the wheel, monitoring infected machines and deciding what happens next. Victims are infected through fake CAPTCHA pages that trick them into running a single command, which installs SCMBANKER, a PowerShell toolkit with components dating back to at least October 2025. Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard. For a full takeover, they can also deploy a commercial remote-access tool."
        https://www.elastic.co/security-labs/mexican-banking-fraud-scmbanker-ref6045
        https://thehackernews.com/2026/07/scmbanker-malware-uses-clickfix-lures.html
      • Targeted Phishing Attacks On Manufacturing Companies
        "We have identified a new targeted phishing campaign in which cybercriminals attempted to attack manufacturing companies. The attack employed a multi-stage approach — before sending the phishing link directly, the attackers engaged in correspondence with the victim to lower their guard. The email texts were apparently generated using large language models. As of this post’s publication, the attack is still ongoing, so we recommend staying vigilant!"
        https://www.kaspersky.com/blog/manufacturing-phishing-2026/56097/

      Breaches/Hacks/Leaks

      • Moody Bible Institute Breach Leaves 2.3M Accounts Needing Salvation, Says Cyber Expert
        "Data on more than 2.3 million people associated with Moody Bible Institute (MBI) has been exposed online after the Christian college was targeted by ShinyHunters. The attack was first disclosed by MBI in June, and the extortion crew later leaked the stolen data. Have I Been Pwned has since added the cache to its breach notification database, putting a figure on the number of exposed accounts. MBI is one of many victims of ShinyHunters' pay-or-leak attacks in 2026, and while the organization has not explicitly commented on whether it negotiated with the criminals, the leak suggests that the group's extortion demands were not met."
        https://www.theregister.com/security/2026/07/06/moody-bible-institute-breach-leaves-23m-accounts-needing-salvation-says-cyber-expert/5266827
      • Mount Royal University Confirms Breach As Hackers Claim Attack
        "Mount Royal University in Calgary says hackers stole and then deleted data from its file storage systems after breaching the university's network. In an update published on its website, MRU states that it has engaged technical teams and external cybersecurity experts to investigate the incident and to support recovery efforts following a cyberattack on June 17. The incident disrupted a broad range of university systems, including online services, internet access, and certain internal systems."
        https://www.bleepingcomputer.com/news/security/mount-royal-university-confirms-breach-as-hackers-claim-attack/
      • Telco Giant KDDI Says Data Breach Affects Over 12 Million People
        "Japanese telecommunications giant KDDI revealed that millions of people had their email addresses and passwords exposed after attackers breached an email platform used by five internet service providers (ISPs) in the country. KDDI is the second-largest mobile telecommunications provider in Japan, with 45,000 employees and annual revenue of $32.4 billion. The company disclosed last month that it blocked the attackers' access and implemented defensive measures after discovering the incident on June 17, and revealed that the breach impacted the STNet, JCOM, Chubu Telecommunications C, NIFTY Corporation, and BIGLOBE ISP operators.

      https://www.bleepingcomputer.com/news/security/japanese-telecom-giant-kddi-says-data-breach-affects-12-million-people/

      General News

      • Orbia CISO Miranda Ritchie On Building Security Into Sustainable Infrastructure
        "In this interview with Help Net Security, Miranda Ritchie, CISO at Orbia, talks about protecting industrial systems where software runs water, chemical and manufacturing processes. She explains why a cyber incident in these settings can harm people, equipment and the environment, and how spread-out sites and aging control hardware widen the risk. Ritchie describes tying security to safety culture, embedding cyber teams early in new projects, and treating nothing as trusted just because it sits on the network. Her view: speed and security can support each other."
        https://www.helpnetsecurity.com/2026/07/08/miranda-ritchie-orbia-industrial-cybersecurity/
      • When AI Agents Look Like Attackers: What Behavioral Telemetry Tells Us
        "AI coding agents (Claude Code, Cursor, Codex, and others built on skill packs such as GStack) are showing up in customer environments. They write code, install dependencies, automate browser tasks, and troubleshoot failures by trying alternative approaches. From the perspective of an endpoint behavioral engine, some of that activity is indistinguishable from typical activity seen on customer networks – or, in some cases, from actions that might be undertaken by an active adversary."
        https://www.sophos.com/en-us/blog/2607_agents_vs_telemetry
        https://thehackernews.com/2026/07/ai-coding-agents-found-triggering.html
      • GitHub Copilot Refuses Harmful Requests In Chat, Then Writes Them In Code
        "An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused almost every harmful request when asked directly. Reframed as steps in a normal coding task, they produced the harmful answers in all 816 of the study's workflow runs."
        https://thehackernews.com/2026/07/github-copilot-refuses-harmful-requests.html
        https://arxiv.org/abs/2607.03968
        https://www.theregister.com/security/2026/07/08/github-copilot-sorry-dave-i-cant-do-that-harmful-thing-unless-you-ask-me-in-code/5268654
      • GhostApproval: A Trust Boundary Gap In AI Coding Assistants
        "The value of AI coding assistants is simple and straightforward: the agent proposes an action, then you approve. Before any file is modified, a confirmation dialog appears: the Human-in-the-Loop safety net that keeps you in control. But what if the controls you see aren’t the controls you’re actually operating? Symbolic links have been a security headache since the early days of Unix. From /tmp race conditions to privilege escalation exploits, symlinks have a long history of bypassing security boundaries by making one path silently resolve to another. It's a well-documented attack primitive - CWE-61 dates back decades. So what happens when you apply this classic trick to AI coding assistants?"
        https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants
        https://www.theregister.com/security/2026/07/08/bug-in-top-ai-coding-agents-shows-that-unix-era-security-headaches-never-really-die/5268025
      • ESET Threat Report H1 2026
        "The first half of 2026 shows how attackers continue to improve the efficiency and scalability of their operations. Rather than relying on entirely new methods and tools, they are quickly adapting established techniques to new platforms, technologies, and user behaviors. Artificial intelligence is playing a growing role in this development. In H1 2026, ESET analyzed nearly 900,000 AI skills – small functional components used by AI agents – and identified tens of thousands of suspicious and thousands of outright malicious instances. The number of AI skills within this new ecosystem is growing rapidly “as we speak”, further expanding the attack surface."
        https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2026/
        https://www.helpnetsecurity.com/2026/07/08/eset-ai-threat-trends-report/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 8a083dec-a552-43d8-ab84-a505b569a61c-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • BeyondTrust เตือนช่องโหว่ Critical ใน RS และ PRA เสี่ยงถูกข้ามการยืนยันตัวตน

      BeyondTrust เตือนช่องโหว่ Critical ใน RS และ PRA เสี่ยงถูกข้.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand be8fa15a-be16-4485-9e7b-385cd91ed8de-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ช่องโหว่ Backdoor ในเราเตอร์ Tenda เปิดทางผู้โจมตี Bypass Login และได้สิทธิ์ผู้ดูแลระบบ ยังไม่มีแพตช์แก้ไข

      ช่องโหว่ Backdoor ในเราเตอร์ Tenda เปิดทางผู้โจมตี By.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 19eada3b-a673-4e12-baee-424507a89c83-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ผู้ไม่หวังดีพุ่งเป้าสแกนช่องโหว่ความรุนแรงระดับวิกฤตบน Gitea Docker หลังการเปิดเผยข้อมูลเพียง 13 วัน

      ผู้ไม่หวังดีพุ่งเป้าสแกนช่องโหว่ความรุน.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 80258978-dbe1-4272-9dbe-848ef3288907-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อก

      เมื่อวันที่ 7 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability

      ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

      อ้างอิง

      https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-one-known-exploited-vulnerability-catalog

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 3 รายการลงในแคตตาล็อก

      เมื่อวันที่ 7 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 3 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability
      • CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 788160c0-7841-4cfc-9a7e-b950c61fc1c4-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 08 July 2026

      Industrial Sector

      • Hydro-Québec Le Circuit Electrique Charging Station Backend
        "Successful exploitation of these vulnerabilities could lead to privilege escalation, or result in a denial-of-service attack."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01
      • Siemens SINEC OS
        "SINEC OS before V4.0 contains multiple vulnerabilities. Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-05
      • Hitachi Energy PROMOD V
        "Hitachi Energy is aware of insecure HTTP transmission vulnerability in PROMOD V product versions listed in this document. This vulnerability could allow attackers to intercept or manipulate sensitive data in transit, potentially leading to credential theft, session hijacking, or unauthorized access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-02
      • Hitachi Energy e-Mesh EMS
        "Hitachi Energy is aware of a buffer overflow vulnerability that affects e-mesh EMS product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-03
      • Siemens Mendix Studio Pro
        "Mendix Studio Pro versions before V11.12 are affected by a file parsing vulnerability that could be triggered when the application reads specially crafted malicious project during the build pipeline. This could allow an attacker to execute arbitrary code in the context of that user. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-04
      • Labcenter Proteus 9
        "Successful exploitation of these vulnerabilities could disclose information and allow a malicious user to execute arbitrary code on affected installations."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-06
      • Digi International PortServer TS, Digi One SP IA
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and gain access to restricted resources, obtain credentials, and inject malicious scripts."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-07
      • Threat Landscape For Industrial Automation Systems. Q1 2026
        "The percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching 19.6% in Q1 2026. This is the lowest value in three years, and it is 1.4 times lower than in Q2 2023."
        https://securelist.com/industrial-threat-report-q1-2026/120643/

      New Tooling

      • Apple Container: Open-Source Tool For Linux Containers On The Mac
        "Developers on Apple silicon Macs have run Linux containers through software built around a single shared virtual machine for years. Apple’s open-source Container project gives each Linux workload its own lightweight virtual machine. Container is written in Swift and tuned for Apple silicon. It creates and runs Linux containers as lightweight virtual machines, and it works with OCI-compatible images, so a developer can pull from and push to any standard registry. Images built with it run in any other OCI-compatible application. Under the hood, it draws on the Containerization Swift package for low-level container, image, and process management."
        https://www.helpnetsecurity.com/2026/07/07/apple-container-open-source-linux-mac/
        https://github.com/apple/container

      Vulnerabilities

      • Security Advisory Bulletin 066
        "A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device."
        https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
      • BeyondTrust Warns Of Critical Flaws In Remote Access Software
        "BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication. The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges."
        https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-flaws-in-remote-access-software/
        https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
        https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
      • Tenda Firmware (multiple Versions) Contains Hidden Authentication Backdoor
        "Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials."
        https://kb.cert.org/vuls/id/213560
        https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html
        https://www.bleepingcomputer.com/news/security/hidden-backdoor-in-tenda-router-firmware-grants-admin-access/
        https://securityaffairs.com/194878/security/hidden-tenda-router-backdoor-grants-admin-access-no-patch-available.html
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability
        CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-one-known-exploited-vulnerability-catalog
      • Rogue Agent: How a Single Code Block Could Hijack Your AI Conversations In Google’s DialogFlow
        "Varonis Threat Labs discovered a critical vulnerability in Google Cloud Platform’s (GCP) Dialogflow CX service, Google’s flagship conversational AI platform for building interactive experiences across voice and text chatbots. We’ve named this latest discovery Rogue Agent. The vulnerability allowed attackers to exploit the Code Blocks feature to inject persistent malicious code into the Dialogflow agents’ pipeline, silently exfiltrating conversations and conducting large-scale phishing campaigns. To initiate, the exploit requires a single edit permission known as dialogflow.playbooks.update on one agent."
        https://www.varonis.com/blog/rogue-agent-dialogflow-attack
        https://www.darkreading.com/application-security/dialogflow-cx-rogue-agent-flaw-enabled-ai-chatbot-data-theft
        https://thehackernews.com/2026/07/rogue-agent-flaw-could-have-let.html
      • GitLost: How We Tricked GitHub’s AI Agent Into Leaking Private Repos
        "Noma Labs discovered a critical prompt injection vulnerability within GitHub’s new Agentic Workflows, allowing an unauthenticated attacker to silently pull data from private repositories by posting a crafted GitHub Issue in a public repository belonging to the same organization as the private repositories. Noma Labs named the vulnerability GitLost."
        https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
        https://thehackernews.com/2026/07/public-github-issue-could-trick-github.html
        https://www.darkreading.com/cyber-risk/gitlost-leaks-private-data-github-agentic-workflows
        https://hackread.com/gitlost-github-ai-agent-leaking-repository-data/
      • WriteOut: Abusing The Sandbox For a Critical Cross-Tenant Vulnerability In Writer AI
        "Every AI platform tells you the same comforting bedtime story. Don't worry, the code runs in a sandbox. Whatever the model generates, whatever the user uploads, whatever the agent decides to do at 2 a.m. with no human watching, it's all safely boxed in. The box is the boundary. Enter Writer AI, an enterprise platform where teams build their own AI agents. We found a way to turn Writer's own sandbox against its users: an agent could hand an attacker the keys to any account on the platform. We dubbed it WriteOut, and Writer has since fixed it. Until they did, an outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link."
        https://www.sandsecurity.ai/blog/writeout-writer-ai-cross-tenant
        https://thehackernews.com/2026/07/writer-ai-flaw-could-let-agent-previews.html

      Malware

      • Vidar Infostealer Being Spread Through Phishing Emails
        "First identified in 2018, Vidar operates under a Malware-as-a-Service (MaaS) model and continues to be distributed through various attack cases to this day. AhnLab SEcurity intelligence Center (ASEC) has been monitoring cases of Vidar distribution targeting Korea, and this report summarizes the Vidar distribution cases identified in the first half of 2026."
        https://asec.ahnlab.com/en/94363/
      • Connecting Scattered Spider: Defining A Cybercrime Collective Through Shared TTPs
        "Scattered Spider has attracted a lot of attention in recent years, including the mass media, especially after being attributed as the responsible party for a number of high profile attacks. Its initial days can be traced back to 2022, when notorious attacks started being attributed to Scattered Spider, such as the attack which compromised around 125 Twilio customers in August 2022 or the Caesars Palace and MGM Resort incidents in September 2023. These high profile attacks have led to law enforcement agencies taking action against the so-called Scattered Spider members. However, attacks attributed to Scattered Spider never stopped, with CISA and other organizations releasing advisories warning about its attacks even in 2025."
        https://www.group-ib.com/blog/connecting-scattered-spider/
        https://thehackernews.com/2026/07/court-filing-reveals-windows-device-id.html
        https://www.infosecurity-magazine.com/news/scattered-spider-as-cybercrime/
      • One Email Closer To The Edge: UNK_MassTraction & The Physics Of Exploitation
        "Beginning in May 2026, Proofpoint observed a new cluster of activity – tracked as UNK_MassTraction – exploiting CVE-2024-42009, a cross-site scripting vulnerability in Roundcube. The campaign targeted physics and engineering departments at major US and Canadian universities, with a focus on administrators and professors in departments with either national security ties, or entities studying astrophysics and particle physics. While the targeting appeared specific to these departments, the exploit only requires that the email is opened in the mail client to achieve access to the mailserver so the recipients may have been inconsequential."
        https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation
        https://thehackernews.com/2026/07/suspected-china-aligned-hackers-exploit.html
        https://www.bankinfosecurity.com/chinese-cyberespionage-exploits-university-roundcube-servers-a-32165
        https://cyberscoop.com/china-espionage-attacks-us-canada-universities-proofpoint/
        https://www.infosecurity-magazine.com/news/china-aligned-cluster-roundcube/
      • UAT-7810 Continues Building ORB Networks Using New Malware
        "Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor based on the infrastructure that it provides to secondary China-nexus APTs such as UAT-5918. Open-source reporting has also illustrated overlapping tooling between UAT-5918 and UAT-7810. However, at this time, Talos considers UAT-5918 and UAT-7810 separate APT actors tasked with their own set of objectives and targets. Talos’ latest findings on UAT-7810 indicate that the threat actor continues to develop their custom-made malware dubbed “SHORTLEASH” with a newer version already being developed and hosted on attacker-controlled infrastructure. We track this new version of SHORTLEASH as “LONGLEASH.”"
        https://blog.talosintelligence.com/uat-7810/
        https://www.bleepingcomputer.com/news/security/chinese-hackers-develop-longleash-malware-to-expand-orb-network/
      • RedWing: A Mobile Malware-As-a-Service Operation
        "The zLabs team has uncovered RedWing, a new Android spyware variant offered as a Malware-as-a-Service (MaaS) through a Telegram channel and appears to have links to Russian threat actors. Malicious operators distribute this rental-based malware through mobile-targeted phishing sites. A substantial number of the associated payloads and droppers currently evade detection by conventional security tools. This discovery looks like a new variant of the oblivion malware, due to the similarity on the dropper stage and some of the overlays used."
        https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation
        https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html
      • DEBULL: Storm-2372-Style Microsoft Device-Code Phishing With GraphSpy Post-Exploitation
        "The tradecraft has strong characteristics previously described in Microsoft Storm-2372 reporting: messaging or Teams-style lures, device-code authentication, Microsoft Authentication Broker usage, geo-plausible infrastructure, and device-registration relevant follow-on activity. We do not attribute the campaign directly to Storm-2372. We assess that the operator is using Storm-2372-style tradecraft through a reusable tooling layer we track as DEBULL. Follow-up analysis exposed the backend behind the campaign. The same IP that created the attacker-side Microsoft Authentication Broker session also served a DEBULL login panel directly."
        https://zerobec.com/blog/debull-storm-2372-microsoft-device-code-phishing-graphspy
        https://thehackernews.com/2026/07/debull-tooling-abuses-microsoft-device.html
      • Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders And File Inflation
        "In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and XMRig. Vidar stealer targets information like browser credentials, cookies and crypto wallets. XMRig mines Monero cryptocurrency."
        https://unit42.paloaltonetworks.com/vidar-stealer-xmrig-miner-campaign-analysis/

      Breaches/Hacks/Leaks

      • Accenture Confirms Breach After Hacker Offers Stolen Data For Sale
        "IT services giant Accenture has confirmed it suffered a security breach after a threat actor claimed to have stolen 35 GB of source code and other data from the company. "We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery," Accenture told BleepingComputer. Accenture is a global professional services company that provides consulting, technology, cloud, engineering, and managed services to businesses and governments worldwide."
        https://www.bleepingcomputer.com/news/security/accenture-confirms-breach-after-hacker-offers-stolen-data-for-sale/
      • County Government Reportedly Paid $1 Million To Cyber Extortion Group
        "A government entity in the US reportedly paid a $1 million ransom to the Kairos cyber extortion group to prevent the public dissemination of information stolen in a May 2025 intrusion, Ransom-ISAC reports. A leaked negotiation transcript shows that the extortion group demanded $3 million in cryptocurrency from the victim organization, but eventually settled for $1 million. Kairos claimed to have stolen over 2 terabytes of data, or approximately 1.6 million files, after accessing the victim’s environment in a brute-force attack."
        https://www.securityweek.com/county-government-reportedly-paid-1-million-to-cyber-extortion-group/
      • Major Japanese Telco Says Cyberattack Exposed 12 Million Emails
        "One of Japan's largest telecommunications providers said Monday that a cyberattack targeting an email platform it operates for internet service providers exposed more than 12.2 million customer email addresses and 7.6 million passwords. The company said the breach affected an email system used to manage customer email accounts, webmail services and email storage for five Japanese internet service providers. KDDI first disclosed the unauthorized access in June but only confirmed the scale of the data exposure after completing its forensic investigation and submitting a report to Japan's communications ministry earlier this week."
        https://therecord.media/major-japanese-telco-cyberattack-12-million-emails

      General News

      • Q2 2026 Vulnerability Trends Report
        "A total of 20,701 new CVEs were reported in the second quarter of 2026. Of these, 2,317 were “Critical” vulnerabilities with a CVSS score of 9.0 Or higher, accounting for 11.2% Of the total. Medium- and high-risk vulnerabilities, including those rated “High,” accounted for 51.7% Of the total. While the overall volume remained similar to Q1, the number of “Critical” vulnerabilities—which can cause immediate damage—increased by 62.5% From 1,426 in Q1."
        https://asec.ahnlab.com/en/94360/
      • Windows Platform Security For AI Agents
        "AI agents are no longer just answering questions, they are taking actions across systems with increasing autonomy. As they become persistent participants in how software runs, they introduce new risk to control and trust, challenging the security assumptions that have defined computing for decades. Developers are building agents that read files, invoke services, modify environments and chain operations together at increasing speed. That capability is powerful, but it raises a critical question: how do you ensure these systems remain trustworthy when they operate autonomously, at scale, on real data?"
        https://blogs.windows.com/windowsdeveloper/2026/06/02/windows-platform-security-for-ai-agents/
        https://www.helpnetsecurity.com/2026/07/07/microsoft-execution-containers-ai-agents-constraints/
      • Power Shortages Could Slow AI Data Center Expansion
        "AI adoption is increasing demand for data center capacity at the same time operators are running into limits around power, equipment, land, and permitting, according to NTT Data. Access to electricity is becoming a deciding factor in where new data centers are built, when new capacity comes online and how quickly AI projects can expand."
        https://www.helpnetsecurity.com/2026/07/07/ai-data-centers-demand-expansion/
      • CISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader And Original Thinker
        "Tarah Wheeler is CISO at TPO Group. TPO is an acronym for technology, policy and operations, and the firm provides cybersecurity consultancy for high-stakes organizations such as critical industries and federal agencies. But despite this elevated position, her journey was far from typical. “I absolutely did not choose this career on purpose,” she said. “No, I fell backwards into it. I feel like this career dragged me into an alley, coshed me over the head, and said, ‘You’re one of us now. kid’.” For Americans unfamiliar with British slang, the ‘cosh’ phrase would be better understood as ‘hit me over the head with a baseball bat’ – and it may be worth noting that although born in Washington, Wheeler is currently studying at Oxford in the UK."
        https://www.securityweek.com/ciso-conversations-tarah-wheeler-cybersecurity-leader-thought-leader-and-original-thinker/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) db681405-4874-44b2-8b40-19c467a38620-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Adobe เตือนเร่งอัปเดต ColdFusion หลังยืนยันช่องโหว่ Critical ถูกใช้โจมตีจริง

      Adobe เตือนเร่งอัปเดต ColdFusion หลังยืนยันช่องโหว่ C.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 728df355-67fb-4a8d-89a5-ea8914205baf-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT