NCSA Webboard

    Posts created by NCSA_THAICERT

    • 🚨 Most urgent warning! Android users must read 📱🌐

      A critical vulnerability has been found in an internal component of mobile phone chips. Devices are at risk of being hacked without any tap or interaction. Update your system immediately ⚠️

      The National Cyber Security Agency (NCSA / สกมช.) / ThaiCERT is issuing a warning about vulnerability CVE-2025-21483, rated Critical with a CVSS score of 9.8, which affects Android smartphones using Qualcomm Snapdragon chipsets.

      📅 This vulnerability was discovered and published in 2568 BE (2025)
      • Chip and handset manufacturers have been releasing security patches since around November to December 2568 BE (2025)
      • Users who have not yet updated to the current patch remain at risk of attack

      📲 Channels that may be used for an attack
      Hackers can attack by sending data from the Internet to the phone, which the system processes automatically, for example:
      • SMS/MMS, especially messages with attached images or video
      • Chat applications with Internet calling, such as WhatsApp, LINE and Messenger: processing the "incoming call" signalling may invoke the vulnerable component
      • Certain forms of data from the Internet that make a component on the device start running automatically (data crafted specifically to attack the system)
      When such data arrives, the device processes it immediately; if the vulnerability is still present, the device can be attacked without the user noticing.

      😨 Why can you be hit without tapping a link?
      In a Zero-Click attack the user does not need to tap, open or interact with anything; the system can still be attacked.
      • The phone automatically processes some data in order to display notifications, such as an incoming call or a received MMS
      • The hacker embeds malicious instructions in that data
      • While the system is processing the data, the malicious instructions run immediately, without the user tapping a link, answering a call or interacting in any way

      👥 Who is affected
      • Users of Android smartphones of every brand should check their device; if the latest security patch has not been installed, they should act promptly

      ⚠️ Signs that may indicate the device has already been compromised
      • The device gets unusually hot while not in use
      • The battery drains unusually fast over a short period
      • Internet data usage spikes unusually
      • Strange incoming-call or message notifications of unknown origin
      If these symptoms appear on a device that has not yet received the security patch, the device should be considered at risk.

      🛡️ How to protect yourself (do this now!)
      ✔ Update the security patch to the latest version
      📲 Update steps

      1. Go to Settings
      2. Select Software Update / About Phone
      3. Tap Download and Install
      4. If an update is available, install it immediately
      5. Check that the security patch level is November or December 2568 BE (2025)

      ✅ What to do before updating (very important)

      1. Connect to Wi-Fi for stability and to save mobile data
      2. Charge the battery to at least 75% to prevent the device from shutting down during the process

      ⚠️ If you cannot update / the update fails
      • Check storage space: if there is not enough free space, the system may not download the update file; delete unnecessary files first
      • Older devices: some older phone models may not support the newer Android version or the latest security patch; please check with your phone manufacturer
      • If no update is available for your device yet, or you use an older model, and you have checked that no new patch has arrived, do the following to reduce the risk temporarily:

      1. Turn off automatic MMS retrieval: go to the Messages app > Settings > turn off "Auto-retrieve MMS"
      2. Avoid opening unknown files from people you do not know, on every channel
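      Step 5 above asks each user to confirm the patch level on the phone screen. An administrator who manages many Android devices would rather collect that value from each device and check it in bulk. The script below is an added example written for this page; it is not from the NCSA/ThaiCERT post. It assumes the patch level has been read from the Android system property `ro.build.version.security_patch` (for example with `adb shell getprop ro.build.version.security_patch`) into a simple "device-id patch-level" inventory; the inventory lines in the script are constructed sample data, and the required level is the November 2568 BE (2025) patch month named in the advisory. The check treats an unparseable value as "unknown" rather than silently passing it.

```python
"""Fleet check of Android security patch levels against the advisory's required month.

Added example, not part of the NCSA/ThaiCERT post. Assumes each device's
ro.build.version.security_patch value (a real Android system property, readable
with `adb shell getprop ro.build.version.security_patch`) has been gathered into
an inventory of "<device-id> <patch-level>" lines. The inventory below is constructed.
"""
from datetime import date
from typing import Dict, List, Optional
import re

# Patch level the advisory asks users to confirm: November 2568 BE (2025) or later.
REQUIRED_PATCH_LEVEL = date(2025, 11, 1)

# Constructed sample inventory: one device per line, "<device-id> <patch-level>".
SAMPLE_INVENTORY = """\
phone-001 2025-12-01
phone-002 2025-11-01
phone-003 2025-09-05
phone-004 2025-10-01
phone-005 unknown
"""

# Android patch levels are published as YYYY-MM-DD strings.
_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value: str) -> Optional[date]:
    """Parse a YYYY-MM-DD patch level; return None when it is malformed or not a real date."""
    m = _PATCH_RE.match(value.strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13 or day 32
        return None


def is_patched(value: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """True only when the value parses and is on or after the required patch month."""
    level = parse_patch_level(value)
    return level is not None and level >= required


def audit_inventory(text: str, required: date = REQUIRED_PATCH_LEVEL) -> Dict[str, List[str]]:
    """Classify every device as 'patched', 'outdated' or 'unknown' (missing/unparseable level)."""
    result: Dict[str, List[str]] = {"patched": [], "outdated": [], "unknown": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue  # blank line
        device_id = parts[0]
        level = parse_patch_level(parts[1]) if len(parts) > 1 else None
        if level is None:
            result["unknown"].append(device_id)
        elif level >= required:
            result["patched"].append(device_id)
        else:
            result["outdated"].append(device_id)
    return result


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for status, ids in report.items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

      Devices reported as "outdated" or "unknown" are the ones to follow up with the manufacturer or to apply the temporary mitigations above (turning off automatic MMS retrieval).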

      📢 Reminder! This update is free, and data on the device (such as photos and contacts) will not be lost. Update as soon as possible to protect your personal data.

      With best regards,
      National Cyber Security Agency (NCSA / สกมช.) / ThaiCERT

      🔗 Sources:
      1. https://support.google.com/android/answer/7680439
      2. https://source.android.com/docs/security/bulletin/2025-11-01?utm&hl=th
      3. https://nvd.nist.gov/vuln/detail/CVE-2025-21483


      Posted in Cyber Security News
    • GlassWorm returns with more than 24 fake extensions attacking developers via VS Code and Open VSX

      You can follow the news on the webboard or on Facebook NCSA Thailand
    • US CISA adds an Android Framework vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog
    • South Korea arrests a suspect accused of hacking more than 120,000 IP cameras and selling private footage to foreign websites
    • CISA adds one exploited vulnerability to its catalog

      On 3 December 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

      CISA directive BOD 22-01 established the Known Exploited Vulnerabilities (KEV) catalog to collect CVEs that carry significant risk and are being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies must remediate the listed vulnerabilities by the specified deadlines to protect their networks from these threats.

      CISA continuously updates the KEV catalog with newly confirmed exploited vulnerabilities so that it reflects the risks actually observed, now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog
    • Cyber Threat Intelligence 04 December 2025

      Industrial Sector

      • CISA, Australia, And Partners Author Joint Guidance On Securely Integrating Artificial Intelligence In Operational Technology
        "CISA and the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with federal and international partners, have released new cybersecurity guidance: Principles for the Secure Integration of Artificial Intelligence in Operational Technology. This guidance aims to help critical infrastructure owners and operators integrate artificial intelligence (AI) into operational technology (OT) systems securely, balancing the benefits of AI—such as increased efficiency, enhanced decision-making, and cost savings—with the unique risks it poses to the safety, security, and reliability of OT environments."
        https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-australia-and-partners-author-joint-guidance-securely-integrating-artificial-intelligence
        https://www.cisa.gov/resources-tools/resources/principles-secure-integration-artificial-intelligence-operational-technology
        https://www.cisa.gov/sites/default/files/2025-12/joint-guidance-principles-for-the-secure-integration-of-artificial-intelligence-in-operational-technology-508c.pdf

      New Tooling

      • Portmaster: Open-Source Application Firewall
        "Portmaster is a free and open source application firewall built to monitor and control network activity on Windows and Linux. The project is developed in the EU and is designed to give users stronger privacy without asking them to manage every rule by hand."
        https://www.helpnetsecurity.com/2025/12/03/portmaster-open-source-application-firewall/
        https://github.com/safing/portmaster

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In King Addons For Elementor Plugin
        "On July 24th, 2025, we received a submission for a Privilege Escalation vulnerability in King Addons for Elementor, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying the administrator user role during registration. The vendor released the patched version on September 25th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 30th, 2025. Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025. The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
        https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/
        https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html
        https://securityaffairs.com/185286/hacking/king-addons-flaw-lets-anyone-become-wordpress-admin.html
        https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/
      • Critical Security Vulnerability In React Server Components
        "On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0."
        https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
        https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
        https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
        https://www.darkreading.com/vulnerabilities-threats/critical-react-flaw-triggers-immediate-action
        https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/
        https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
      • Chrome 143 Patches High-Severity Vulnerabilities
        "Google on Tuesday promoted Chrome 143 to the stable channel with patches for 13 vulnerabilities reported by external researchers. The fresh round of Chrome patches resolves four high-severity flaws, including a type confusion issue in the V8 JavaScript and WebAssembly engine, tracked as CVE-2025-13630. The remaining high-severity defects include inappropriate implementation bugs in Google Updater (CVE-2025-13631) and DevTools (CVE-2025-13632), and a use-after-free flaw in Digital Credentials (CVE-2025-13633)."
        https://www.securityweek.com/chrome-143-patches-high-severity-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog
      • Microsoft "mitigates" Windows LNK Flaw Exploited As Zero-Day
        "Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Threat actors distribute these files in ZIP or other archives because email platforms commonly block .lnk attachments due to their risky nature."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
        https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
        https://www.securityweek.com/microsoft-silently-mitigated-exploited-lnk-vulnerability/

      Malware

      • Shai-Hulud V2 Poses Risk To NPM Supply Chain
        "On November 24, 2025, security researchers detected a second wave of the Shai-Hulud malware campaign targeting the npm ecosystem. Dubbed The Second Coming by its operators, Shai-Hulud V2 builds upon its predecessor, Shai-Hulud V1, and has established itself as an aggressive software supply chain attack. Within hours of its initial detection, the campaign had compromised over 700 npm packages, created more than 27,000 malicious GitHub repositories, and exposed approximately 14,000 secrets across 487 organizations."
        https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain
      • Technical Analysis Of Matanbuchus 3.0
        "Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. Despite its simplicity, Matanbuchus has been more recently associated with ransomware operations."
        https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0
      • Hook For Gold: Inside GoldFactory's Campaign That Turns Apps Into Goldmines
        "In February 2024, Group-IB uncovered sophisticated mobile threat campaigns that show how fast banking malware is evolving across the Asia-Pacific region. Ongoing monitoring of this evolving threat revealed a surge of aggressive mobile Trojans targeting both iOS and Android users, all operated by a single threat actor tracked as GoldFactory. Since releasing our initial report, we have continued to monitor the group’s activity and our latest research sheds light on how cybercriminals have evolved in their tactics and tools."
        https://www.group-ib.com/blog/turning-apps-into-gold/
      • V3G4 Botnet Evolves: From DDoS To Covert Cryptomining
        "Cyble Research & Intelligence Labs (CRIL) has identified an active Linux-targeting campaign that deploys a Mirai-derived botnet, paired with a stealthy, fileless-configured cryptominer. The threat actor employs a multi-stage infection chain starting with a downloader that delivers architecture-specific V3G4 binaries across x86_64, ARM, and MIPS systems. Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner dynamically configured at runtime."
        https://cyble.com/blog/v3g4-mirai-botnet-evolves/
      • DIANNA Explains 4: Nimbus Manticore—Monstrous Malware
        "Hey humans, DIANNA here. I’m back again with another malware teardown. This time, we're looking at a piece of malware called Nimbus Manticore, and I'll say this upfront—whoever named this malware has a flair for the dramatic. The capabilities, though? All business. Nimbus Manticore represents a serious challenge for organizations because it's not just designed to compromise a single endpoint. It's built to move laterally through your network, escalate privileges, and establish a persistent presence across multiple systems."
        https://www.deepinstinct.com/blog/dianna-explains-4-nimbus-manticore-monstrous-malware
      • How a Fake ChatGPT Installer Tried To Steal My Password
        "Over the Thanksgiving holiday, I embarked on a small project to evaluate AI browsers, including the buzzy ChatGPT Atlas. Like most people, I clicked the first result I saw: a sponsored link. The page looked nearly identical to the real Atlas site: same layout, design, copy. The only subtle giveaway was the domain: a Google Sites URL. That’s increasingly common in modern phishing kits—tools like v0.dev make it trivial to clone a legitimate site in minutes, and hosting on Google Sites adds a false sense of credibility for anyone who thinks Google = trustworthy. Given our work here at Fable, I was pretty excited to have stumbled on this, and decided to give it a whirl and see just how much damage I could cause."
        https://fablesecurity.com/blog-chatgpt-installer-stole-my-password/
        https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
      • French NGO Reporters Without Borders Targeted By Calisto In Recent Campaign
        "In May and June 2025, TDR team analysts were contacted by two organisations — including the French NGO Reporters Without Borders (RSF) — over suspicions of new spear phishing attempts by the intrusion set Calisto (also known as ColdRiver or Star Blizzard). Calisto is a Russia-nexus intrusion set active since at least April 2017, attributed by the USA, the UK, New Zealand and Australia to the Russian intelligence service FSB, more specifically to the Center 18 for Information Security (TsIB), military unit 64829, also known to operate the intrusion set Gamaredon. Sekoia.io concurs with such attribution as past Calisto operations investigated by TDR analysts showed objectives and victimology that align closely with Russian strategic interests."
        https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/
        https://www.infosecurity-magazine.com/news/star-blizzard-targets-reporters/
      • The $9M yETH Exploit: How 16 Wei Became Infinite Tokens
        "On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately $9 million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 wei, worth approximately $0.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history."
        https://research.checkpoint.com/2025/16-wei/
        https://www.infosecurity-magazine.com/news/yearn-finance-yeth-pool-exploit/
      • DNS Uncovers Infrastructure Used In SSO Attacks
        "We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites. Figure 1 shows a timeline of attack volumes, based on DNS, against the schools."
        https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
        https://www.malwarebytes.com/blog/news/2025/12/attackers-have-a-new-way-to-slip-past-your-mfa
      • How Attackers Use Real IT Tools To Take Over Your Computer
        "A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims’ systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses–disguising them as everyday utilities. Once installed, the tool gives attackers full remote access to the victim’s machine, evading many conventional security detections because the software itself is legitimate."
        https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer
      • Shai Hulud 2.0, Now With a Wiper Flavor
        "In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm. According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France."
        https://securelist.com/shai-hulud-2-0/118214/
      • Malicious Rust Crate Evm-Units Serves Cross-Platform Payloads For Silent Execution
        "The Socket Threat Research Team recently discovered a malicious Rust package named evm-units, written by ablerust, with over 7,000 all-time downloads. Based on the victim’s OS and whether Qihoo360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it. The package appears to return the Ethereum version number, so the victim is none the wiser. The package names and code behavior (EVM utilities, genuine Uniswap helper library), combined with the Qihoo360 targeting and multi-OS loader pattern, make it likely that the payload steals cryptocurrency. The targeting of Qihoo360 also suggests that the threat actor is focusing on Asian markets, as Qihoo360 is a Chinese-made antivirus with dominant marketshare throughout Asia."
        https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads
        https://thehackernews.com/2025/12/malicious-rust-crate-delivers-os.html
      • ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader For DLL Side-Loading
        "Cybercriminal operations continue to escalate in both aggressiveness and sophistication, achieving greater impact through the strategic integration of multiple methods. The campaign investigated in this article demonstrates a layered application of tried-and-tested techniques: social‑engineering lures targeting job seekers, obfuscation through deeply nested directory paths, and execution via DLL sideloading."
        https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
      • Massive Gambling Network Doubles As Hidden C2 And Anonymity Infrastructure, Researchers Say
        "A sprawling network that’s seemingly maintained to serve (illegal) online gambling opportunities and deliver malware to Indonesian citizens is likely also being used to provide threat actors command and control (C2) and anonymity services. “The infrastructure has been active for at least 14 years and currently spans 328,039 domains: 236,433 purchased domains, 90,125 hacked websites, and 1,481 hijacked subdomains, including subdomains of government websites,” says Kobi Ben Naim, CEO and Head of Research at Malanta."
        https://www.helpnetsecurity.com/2025/12/03/indonesian-online-gambling-network/

      Breaches/Hacks/Leaks

      • Marquis Data Breach Impacts Over 74 US Banks, Credit Unions
        "Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US. Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders. In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall."
        https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
        https://www.bankinfosecurity.com/marketing-compliance-software-vendor-to-banks-breached-a-30184
      • French DIY Retail Giant Leroy Merlin Discloses a Data Breach
        "French home improvement and gardening retailer Leroy Merlin is notifying customers that their personal info has been compromised in a data breach. Leroy Merlin operates in multiple European countries as well as in South Africa and Brazil, employs 165,000 people, and has an annual revenue of $9.9 billion."
        https://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/
      • Freedom Mobile Discloses Data Breach Exposing Customer Data
        "Freedom Mobile, the fourth-largest wireless carrier in Canada, has disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers. Founded in 2008 as Wind Mobile by telecommunications provider Globalive, Freedom has over 2.2 million subscribers and now says it provides coverage to 99% of Canadians."
        https://www.bleepingcomputer.com/news/security/freedom-mobile-discloses-data-breach-exposing-customer-data/
      • University Of Phoenix Discloses Data Breach After Oracle Hack
        "The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025. Founded in 1976 and headquartered in Phoenix, Arizona, UoPX is a private for-profit university with nearly 3,000 academic staff and over 100,000 enrolled students. The university disclosed the data breach on its official website on Tuesday, while its parent company, Phoenix Education Partners, filed an 8-K form with the U.S. Securities and Exchange Commission (SEC)."
        https://www.bleepingcomputer.com/news/security/university-of-phoenix-discloses-data-breach-after-oracle-hack/
        https://therecord.media/university-of-phoenix-data-breach
        https://www.securityweek.com/penn-and-phoenix-universities-disclose-data-breach-after-oracle-hack/
        https://securityaffairs.com/185279/data-breach/university-of-pennsylvania-and-university-of-phoenix-disclose-data-breaches.html

      General News

      • Chinese Researchers Simulate Large-Scale Electronic Warfare Against Elon Musk’s Starlink
        "When Russian forces rolled into Ukraine in early 2022, one of the first moves by Kyiv was sending a post to Elon Musk on X: Ukraine needs satellite internet. Within days, thousands of Starlink terminals arrived, restoring command and control across the battlefield despite Russia’s best efforts to black out communications. Moscow initially tried to jam the signals – and reportedly had some success. But when SpaceX quietly updated its software and reconfigured the constellation, many Russian jammers went silent. The battlefield advantage shifted."
        https://www.scmp.com/news/china/science/article/3333523/chinese-researchers-simulate-large-scale-electronic-warfare-against-elon-musks-starlink
        https://www.darkreading.com/cyberattacks-data-breaches/china-researches-ways-disrupt-satellite-internet
      • CISOs Are Questioning What a Crisis Framework Should Look Like
        "CISOs increasingly assume the next breach is coming. What concerns them most is whether their teams will understand the incident quickly enough to limit the fallout. A recent report by Binalyze looks at how investigation practices are holding up across large US enterprises."
        https://www.helpnetsecurity.com/2025/12/03/binalyze-crisis-management-framework-report/
      • Threat Intelligence Programs Are Broken, Here Is How To Fix Them
        "Security teams often gather large amounts of threat data but still struggle to improve detection or response. Analysts work through long lists of alerts, leaders get unclear insights, and executives see costs that do not lead to better outcomes. A recent report from ISACA notes that this gap remains wide across enterprises, and explains that organizations collect information at a pace that makes it hard to understand what matters."
        https://www.helpnetsecurity.com/2025/12/03/isaca-threat-intelligence-programs-report/
      • DOJ Takes Down Myanmar Scam Center Website Spoofing TickMill Trading Platform
        "The Department of Justice announced the dismantling of a website used by a scam center in Myanmar to siphon thousands of dollars from multiple victims. An affidavit filed this week supported the domain seizure of tickmilleas.com — a spoof of legitimate forex and commodities trading platform TickMill. The recently created Scam Center Strike Force tracked the fake website back to the prominent Tai Chang scam compound in Kyaukhat, Myanmar. This is the third domain taken down by U.S. officials in connection with the Tai Chang scam compound — which international law enforcement agencies raided three weeks ago."
        https://therecord.media/doj-takes-down-myanmar-scam-site-trickmill-spoof
        https://www.helpnetsecurity.com/2025/12/03/law-enforcement-agencies-cybercrime-efforts-2025/
      • Cloudflare's 2025 Q3 DDoS Threat Report -- Including Aisuru, The Apex Of Botnets
        "Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025. The third quarter of 2025 was overshadowed by the Aisuru botnet with a massive army of an estimated 1–4 million infected hosts globally. Aisuru unleashed hyper-volumetric DDoS attacks routinely exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). The number of these attacks surged 54% quarter-over-quarter (QoQ), averaging 14 hyper-volumetric attacks daily. The scale was unprecedented, with attacks peaking at 29.7 Tbps and 14.1 Bpps."
        https://blog.cloudflare.com/ddos-threat-report-2025-q3/
        https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
      • Seasonal Surge: Why HR Phishing Peaks In Q4 And The Seven Themes Behind It
        "Q3 and Q4 of each year tend to see the most Human Resources (HR) task-related phishing threats, but the specific theme used by threat actors changes based on current events. This has led to the explosion of termination as a phishing lure, particularly during Q3 2025. By exploiting fear, threat actors can lower an employee’s guard and increase their likelihood of falling victim to an attack. Such malicious emails can appear legitimate as they spoof trusted and generally known entities, like the HR department."
        https://cofense.com/blog/seasonal-surge-why-hr-phishing-peaks-in-q4-and-the-seven-themes-behind-it
      • Ransomware And Supply Chain Attacks Neared Records In November
        "Ransomware attacks hit their second-highest levels on record in November, as the number of attacks rose for the seventh consecutive month. The 640 ransomware attacks recorded by Cyble in November 2025 are second only to February 2025’s record totals (chart below)."
        https://cyble.com/blog/ransomware-attacks-november-2025/
      • While ECH Adoption Is Low, Risks Remain For Enterprises, End Users
        "Two years ago, the introduction of Encrypted Client Hello (ECH) divided enterprise cybersecurity professionals and privacy advocates. An extension to the Transport Layer Security (TLS) 1.3 Internet encryption standard, ECH protects communications between an endpoint device and a Web server. While ECH increased user privacy, it reduced visibility, which is not so great for security. You are already familiar with TLS: The padlock symbol and https designation in the address bar of your browser indicate the website uses this Internet standard. However, this only means that the content between the client machine and the server is encrypted after the connection has been established."
        https://www.darkreading.com/data-privacy/while-ech-adoption-is-low-risks-remain-for-enterprises-end-users
      • The Ransomware Holiday Bind: Burnout Or Be Vulnerable
        "There's never a good time to get hit by ransomware, but fallout can be even more devastating when attacks hit during off-hours, weekends or holidays. That's the time when threat actors strike, knowing enterprises are understaffed. Ransomware gangs are a steady, rising threat that reports show operate as legitimate businesses, complete with customer service and help desk personnel. That reflects in well-thought-out attack steps, including timing which commonly correlates with organizations' weekend and holiday downtime, an important tool against staffer burnout."
        https://www.darkreading.com/cyberattacks-data-breaches/the-ransomware-holiday-bind-burnout-or-be-vulnerable
      • UK's Cyber Service For Telcos Blocks 1 Billion Malicious Site Attempts
        "Almost one billion early-stage cyber-attacks have been prevented in the past year in the UK thanks to a recent service deployed by the National Cyber Security Agency (NCSC). The results were announced by British Security Minister, Dan Jarvis, during the Financial Times’ Cyber Resilience Summit: Europe, held in London on December 3. On the morning of the event Jarvis had come from a visit to telecommunications firm, BT, which is a partner of the NCSC’s Share and Defend service."
        https://www.infosecurity-magazine.com/news/uk-cyber-service-blocks-billion/
      • Exploits And Vulnerabilities In Q3 2025
        "In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources."
        https://securelist.com/vulnerabilities-and-exploits-in-q3-2025/118197/
      • The Most Interesting Cybercrime Takedowns Of 2025
        "Every year seems to bring with it the next “biggest data breach in history.” But in an encouraging turn of events, more and more of the world’s most prolific attackers are being caught and arrested. 2024 saw a record-setting data breach that compromised over 2.9 billion sensitive files around the world, but it also saw the swift arrest of the person responsible, an attacker going by the alias USDoD. A new trend shows that data breaches from external threats might be the least of your worries, though."
        https://blog.barracuda.com/2025/12/03/cybercrime-takedowns-2025
      • Disinformation And Cyber-Threats Among Top Global Exec Concerns
        "Business leaders in the world’s most important economies have ranked misinformation/disinformation, cyber insecurity and the adverse effects of AI among the biggest threats to their respective countries, according to the World Economic Forum (WEF). The WEF Executive Opinion Survey 2025 was compiled from interviews with 11,000 executives across 116 economies. They were asked to select the top five risks most likely to pose the biggest threat to their respective countries in the next two years, out of a total of 34 risks."
        https://www.infosecurity-magazine.com/news/disinformation-cyberthreats-global/
      • Twins With Hacking History Charged In Insider Data Breach Affecting Multiple Federal Agencies
        "Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said. Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission."
        https://cyberscoop.com/muneeb-sohaib-akhter-government-contractors-insider-attack/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Releases Five Industrial Control Systems (ICS) Advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released five Industrial Control Systems (ICS) advisories on 2 December 2025 to provide timely information on security issues, vulnerabilities, and attacks related to ICS systems. The advisories are as follows:

      • ICSA-25-336-01 Industrial Video & Control Longwatch
      • ICSA-25-336-02 Iskra iHUB and iHUB Lite
      • ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose
      • ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A)
      • ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-industrial-control-systems-advisories

      Stay up to date via the webboard or Facebook NCSA Thailand

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 December 2025

      Healthcare Sector

      • Mirion Medical EC2 Software NMIS BioDose
        "Successful exploitation of these vulnerabilities could allow an attacker to modify program executables, gain access to sensitive information, gain unauthorized access to the application, and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01

      Industrial Sector

      • Industrial Video & Control Longwatch
        "Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01
      • Iskra iHUB And iHUB Lite
        "Successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02

      Vulnerabilities

      • PyTorch Users At Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities
        "JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content. Each discovered vulnerability enables attackers to evade PickleScan’s malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that conceal undetectable malicious code. In this blog post, we will explain how PickleScan works and why, despite using model scanning tools, Pickle is still unsafe given these recently discovered zero-day vulnerabilities."
        https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/
        https://www.infosecurity-magazine.com/news/picklescan-flaws-expose-ai-supply/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48572 Android Framework Privilege Escalation Vulnerability
        CVE-2025-48633 Android Framework Information Disclosure Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/185252/security/u-s-cisa-adds-android-framework-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • CVE-2025-61260 — OpenAI Codex CLI: Command Injection Via Project-Local Configuration
        "OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development. One of its key features is MCP (Model Context Protocol) – a standardized way to integrate external tools and services into the Codex environment, allowing developers to extend the CLI’s capabilities with custom functionality and automated workflows."
        https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
        https://www.securityweek.com/vulnerability-in-openai-coding-agent-could-facilitate-attacks-on-developers/

      Malware

      • Shai-Hulud 2.0 Aftermath: Trends, Victimology And Impact
        "Wiz Research and Wiz CIRT have been responding to the Shai-Hulud 2.0 incident (aka Sha1-Hulud) since news first broke on November 24, 2025. As of now we’re continuing to observe active spread, albeit at a significantly lower pace. This gives us an opportunity to step back and share what we’ve learned throughout this incident, and reflect on the future. This blog post assumes familiarity with the phases of Sha1-Hulud. For a detailed account of the initial incident, and our recommendations on response, refer to our previous blog post."
        https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
        https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/
      • North Korea Lures Engineers To Rent Identities In Fake IT Worker Scheme
        "In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima (also known as WageMole), part of North Korea’s state-sponsored Lazarus group, is known for social-engineering campaigns to infiltrate Western companies for espionage and revenue generation for the regime."
        https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/
        https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html
      • Uncovering a Calendly-Themed Phishing Campaign Targeting Business Ad Manager Accounts
        "We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account."
        https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign
        https://www.bleepingcomputer.com/news/security/fake-calendly-invites-spoof-top-brands-to-hijack-ad-manager-accounts/
      • MuddyWater: Snakes By The Riverbank
        "ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic includes a custom delay function inspired by the game’s mechanics, combined with frequent use of Sleep API calls."
        https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
        https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
        https://www.darkreading.com/cyberattacks-data-breaches/irans-muddywater-levels-up-muddyviper-backdoor
        https://therecord.media/iran-linked-hackers-target-israel-egypt-phishing
        https://www.bankinfosecurity.com/iran-hackers-take-inspiration-from-snake-video-game-a-30177
        https://securityaffairs.com/185244/apt/muddywater-strikes-israel-with-advanced-muddyviper-malware.html
        https://www.helpnetsecurity.com/2025/12/02/eset-muddywater-cyber-campaign/
      • New eBPF Filters For Symbiote And BPFdoor Malware
        "eBPF—extended Berkeley Packet Filter—is a very interesting kernel technology that lets users load tiny, sandboxed programs into the Linux kernel to inspect or modify network packets, system calls, and more. The technology was introduced in 2015 to renovate the “old” BPF technology of 1992, which was no longer adapted to modern computer architectures (e.g., 64-bit). As usual, the technology was quickly noticed by malware authors, resulting in the Bvp47 malware in 2015, as well as a collection of rootkits, such as Ebpfkit and TripleCross. However, due to the required skills needed to use or exploit eBPF, the malware remains rare (in number). Today, the malware scene mostly consists of two families: Symbiote and BPFDoor, both from 2021."
        https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware
      • Dragons In Thunder
        "During investigations into two incidents at Russian companies, we identified malicious activity that involved the exploitation of RCE vulnerabilities, including CVE-2025-53770 in Microsoft SharePoint, as well as CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. In addition to the exploitation of vulnerabilities, we discovered samples of the KrustyLoader and Sliver malware, as well as traces of the Tactical RMM and MeshAgent tools. Detailed analysis showed the presence of at least two groups: QuietCrabs (also known as UTA0178 and UNC5221) and Thor. QuietCrabs were seen exploiting these vulnerabilities within just a few hours of PoC code being published."
        https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/
        https://www.helpnetsecurity.com/2025/12/02/threat-research-ransomware-espionage-attack/
      • Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated Via WhatsApp
        "Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published research on the SORVEPOTEL malware and the broader Water Saci campaign, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content. While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively."
        https://www.trendmicro.com/en_us/research/25/l/water-saci.html
      • CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
        "TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks."
        https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system
      • APT36 Python Based ELF Malware Targeting Indian Government Entities
        "CYFIRMA has uncovered an active cyber-espionage campaign conducted by APT36 (Transparent Tribe), a Pakistan-based threat actor known for persistent targeting of Indian government and strategic sectors. The latest activity demonstrates the group’s growing technical maturity and adaptability, as it deploys tailored malware specifically crafted to compromise Linux-based BOSS operating environments. The intrusion begins with spear-phishing emails designed to lure recipients into opening weaponized Linux shortcut files. Once executed, these files silently download and run malicious components in the background while presenting benign content to the user, thereby facilitating stealthy initial access and follow-on exploitation."
        https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/

      Breaches/Hacks/Leaks

      • University Of Pennsylvania Confirms New Data Breach After Oracle Hack
        "The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025."
        https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/
        https://cyberscoop.com/university-pennsylvania-oracle-e-business-suite-clop-attacks/
        https://www.theregister.com/2025/12/02/clop_university_of_pennsylvania/
      • Everest Ransomware Claims ASUS Breach And 1TB Data Theft
        "A new claim by the Everest ransomware group suggests that ASUS, one of the world’s largest hardware and electronics companies, has been compromised. According to a post on the group’s dark web leak site, they are in possession of more than 1TB of stolen data, which they say includes camera source code. In this case, “Camera Source Code” likely refers to proprietary firmware or software used in ASUS devices with built-in cameras, such as laptops or smartphones. This could include low-level control code for camera modules, internal drivers, or even entire applications tied to image processing or device integration."
        https://hackread.com/everest-ransomware-asus-breach-1tb-data/

      General News

      • The Collapse Of Trust At The Identity Layer
        "Identity verification has become the latest front in the fight against industrialized fraud, according to a new report from Regula. The shift is visible across sectors that once relied on predictable verification routines. Criminals have learned to target the identity step itself, and the impact is spreading through financial services, healthcare, telecoms, crypto platforms, and aviation."
        https://www.helpnetsecurity.com/2025/12/02/regula-identity-verification-threats-report/
      • Creative Cybersecurity Strategies For Resource-Constrained Institutions
        "In this Help Net Security interview, Dennis Pickett, CISO at RTI International, talks about how research institutions can approach cybersecurity with limited resources and still build resilience. He discusses the tension between open research and the need to protect sensitive information, noting that workable solutions come from understanding how people get their jobs done. Pickett explains how security teams can partner with researchers to set guardrails that support innovation rather than slow it. He also shares observations on emerging risks, state interest in advanced technologies, and the challenge of managing data across diverse disciplines."
        https://www.helpnetsecurity.com/2025/12/02/dennis-pickett-rti-international-research-institutions-cybersecurity/
      • Attackers Keep Finding New Ways To Fool AI
        "AI development keeps accelerating while the safeguards around it move on uneven ground, according to The International AI Safety Report. Security leaders are being asked to judge exposure without dependable benchmarks. Across the AI ecosystem, developers are adopting layered controls throughout the lifecycle. They combine training safeguards, deployment filters, and post release tracking tools. A model may be trained to refuse harmful prompts. After release, its inputs and outputs may pass through filters. Provenance tags and watermarking can support incident reviews."
        https://www.helpnetsecurity.com/2025/12/02/ai-safety-risks-report/
      • Korea Arrests Suspects Selling Intimate Videos From Hacked IP Cameras
        "The Korean National Police have arrested four individuals suspected of hacking over 120,000 IP cameras across the country and then selling stolen footage to a foreign adult site. Although the suspects or the websites haven’t been named, the police are already taking action against viewers of the illicitly gained content, as well as the operators of the website, through international collaboration."
        https://www.bleepingcomputer.com/news/security/korea-arrests-suspects-selling-intimate-videos-from-hacked-ip-cameras/
      • Researchers Use Poetry To Jailbreak AI Models
        "Three years into the 'AI future,' researchers' creative jailbreaking efforts never cease to amaze. Researchers from the Sapienza University of Rome, the Sant’Anna School of Advanced Studies, and large language model (LLM) safety and compliance consultancy Dexai showed how one can jailbreak leading AI models by framing prompts as a rhyming poem. The group published their findings in a white paper Nov. 19."
        https://www.darkreading.com/threat-intelligence/researchers-use-poetry-to-jailbreak-ai-models
        https://arxiv.org/html/2511.15304v1
        https://www.malwarebytes.com/blog/news/2025/12/whispering-poetry-at-ai-can-make-it-break-its-own-rules
      • Most Companies Fear State-Sponsored Cyber-Attacks And Want More Government Help
        "The vast majority of British and American cybersecurity professionals are worried about state-sponsored cyber-attacks, and a quarter (23%) say their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations," according to research by IO. The compliance software vendor polled 3000 cybersecurity managers in the US and UK to compile its State of Information Security Report 2025."
        https://www.infosecurity-magazine.com/news/companies-fear-state-attacks-more/
      • The Great Disconnect: Unmasking The ‘Two Separate Conversations’ In Security
        "It is often the case that I witness a conversation that is actually two separate conversations. What do I mean by that? If you are an astute listener and observer, you have probably noticed how often two people are having two completely different conversations. It is seldom the case that either person realizes it, and thus, more often than not, people have difficulty communicating effectively with one another. Quite simply put, they are not having the same conversation."
        https://www.securityweek.com/the-great-disconnect-unmasking-the-two-separate-conversations-in-security/
      • SOC Threat Radar — December 2025
        "The SOC team recently noticed a rise in the suspicious use of ScreenConnect. This includes attackers attempting to connect endpoints to targets’ ScreenConnect deployments, and attackers deploying ScreenConnect themselves to control hosts remotely. ScreenConnect is a trusted and popular remote device management tool used by many organizations and their managed service providers. As a result, the detection of ScreenConnect does not immediately arouse suspicion."
        https://blog.barracuda.com/2025/12/02/soc-threat-radar-december-2025
      • The Browser Defense Playbook: Stopping The Attacks That Start On Your Screen
        "The predominance of cloud-based apps and the trend towards remote work have made the browser the place where most work happens. In fact, about 85% of daily work takes place there. In many ways, it’s a win for all involved. Users can work from a wider range of locations and devices, accessing full “desktops” inside a browser tab. Organizations can manage apps and browser access easier than through localized desktop software. This all allows for greater central management, lower costs and better flexibility."
        https://unit42.paloaltonetworks.com/browser-defense-playbook/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Network Of More Than 2,000 Fake Shopping Websites Found Luring Buyers During Discount Campaigns


      Stay up to date via the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • New Android Malware “Albiriox” Discovered, Developed By A Russian Cybercrime Group


      Stay up to date via the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Developer Alert: North Korean Hackers Release 197 Malicious npm Packages, Embedding Malware Through A Fake Job-Interview Campaign


      Stay up to date via the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 02 December 2025

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q3 2025
        "This summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in Q3 2025, as well as the related activities of groups observed attacking industrial organizations. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals addressing practical issues of cybersecurity in industrial enterprises."
        https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/

      Vulnerabilities

      • Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days
        "Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively. Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation."
        https://cyberscoop.com/android-security-update-december-2025/

      Malware

      • SmartTube YouTube App For Android TV Breached To Push Malicious Update
        "The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk. The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app."
        https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/
      • Glassworm's Resurgence
        "Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be multiple campaigns at work also."
        https://secureannex.com/blog/glassworm-continued/
        https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in-third-wave-of-malicious-vs-code-packages/
      • 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
        "Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. Our investigation uncovered two active operations: A 300,000-user RCE backdoor: Five extensions, including the 'Featured' and 'Verified' Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
        https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
        https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
        https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
        https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
      • Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance And Crypto Wallets
        "Over the past few months, the Cleafy Threat Intelligence team has identified and analyzed Albiriox, a newly emerging Android malware family promoted as a Malware-as-a-Service (MaaS) within underground cybercrime forums. First observed in September 2025 during a limited recruitment phase targeting high-reputation forum members, the project transitioned to a publicly available MaaS offering in October 2025. Forum activity, linguistic patterns, and infrastructure analysis indicate that Russian-speaking Threat Actors (TAs) are behind the operation."
        https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets
        https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
        https://www.infosecurity-magazine.com/news/android-maas-malware-albiriox-dark/
        https://www.malwarebytes.com/blog/news/2025/12/new-android-malware-lets-criminals-control-your-phone-and-drain-your-bank-account
        https://www.securityweek.com/new-albiriox-android-malware-developed-by-russian-cybercriminals/
        https://securityaffairs.com/185194/malware/emerging-android-threat-albiriox-enables-full-on‑device-fraud.html
      • Two Years, 17K Downloads: The NPM Malware That Tried To Gaslight Security Scanners
        "We train our AI risk engine to look for something most scanners don't: code that tries to manipulate AI-based security tools. As LLMs become part of the security stack, from code review to package analysis, attackers will adapt. They'll start writing code that's designed not just to evade detection, but to actively mislead the AI doing the analysis. We built our engine to catch that. This week, it caught something interesting."
        https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
        https://www.infosecurity-magazine.com/news/malware-ai-detection-npm-package/

      Breaches/Hacks/Leaks

      • Retail Giant Coupang Data Breach Impacts 33.7 Million Customers
        "South Korea's largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers. The firm has warned on its Korean-language site that the incident occurred on June 24, 2025, but it only discovered it and began the investigation on November 18, 2025. "On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers," reads the public statement."
        https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
        https://hackread.com/coupang-data-breach-south-korean-accounts/
        https://www.infosecurity-magazine.com/news/south-korea-coupang-34m-customer/
        https://www.theregister.com/2025/12/01/coupang_breach/
      • Royal Borough Of Kensington And Chelsea Reveals Data Breach
        "The Royal Borough of Kensington and Chelsea (RBKC) has told residents that their data may have been compromised in a cyber-attack on an IT service provider discovered last week. The council, London’s smallest but most densely populated, revealed the news in an update on Friday. “After discovering unusual activity first thing Monday morning, we have been taking all necessary steps to shut down and isolate systems and make them as safe as possible,” it said."
        https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/

      General News

      • Treating MCP Like An API Creates Security Blind Spots
        "In this Help Net Security interview, Michael Yaroshefsky, CEO at MCP Manager, discusses how Model Context Protocol’s (MCP) trust model creates security gaps that many teams overlook and why MCP must not be treated like a standard API. He explains how misunderstandings about MCP’s runtime behavior, governance, and identity requirements can create exposure. With MCP usage expanding across organizations, well-defined controls and a correct understanding of the protocol become necessary."
        https://www.helpnetsecurity.com/2025/12/01/michael-yaroshefsky-mcp-manager-mcp-security-gaps/
      • Offensive Cyber Power Is Spreading Fast And Changing Global Security
        "Offensive cyber activity has moved far beyond a handful of major powers. More governments now rely on digital operations to project influence during geopolitical tension, which raises new risks for organizations caught in the middle. A new policy brief from the Geneva Centre for Security Policy examines how these developments influence international stability and what steps could lower the chance of dangerous escalation."
        https://www.helpnetsecurity.com/2025/12/01/global-offensive-cyber-operations-risks/
      • The Weekend Is Prime Time For Ransomware
        "Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis report. Those periods often come with thin staffing, slower investigation, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised. 60% of incidents happened after a merger, acquisition, restructuring, or similar shift inside the business. The most common trigger was an M&A effort. When identity environments are being consolidated, inconsistencies appear. Attackers look for these weak points and move quickly when they find them."
        https://www.helpnetsecurity.com/2025/12/01/semperis-ransomware-risk-trends-report/
      • When Hackers Wear Suits: Protecting Your Team From Insider Cyber Threats
        "In the ever-evolving landscape of cyber threats, a new and insidious danger is emerging, shifting focus from external attacks to internal infiltration. Hackers are now impersonating seasoned cybersecurity and IT professionals to gain privileged access within organizations. These aren't just phishing attempts; they are calculated schemes where malicious actors manipulate the hiring process to become "trusted" staff, all with the intent of breaching company databases or stealing sensitive information."
        https://www.bleepingcomputer.com/news/security/when-hackers-wear-suits-protecting-your-team-from-insider-cyber-threats/
      • Europol And Partners Shut Down ‘Cryptomixer’
        "From 24 to 28 November 2025, Europol supported an action week conducted by law enforcement authorities from Switzerland and Germany in Zurich, Switzerland. The operation focused on taking down the illegal cryptocurrency mixing service ‘Cryptomixer’, which is suspected of facilitating cybercrime and money laundering."
        https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer
        https://www.eurojust.europa.eu/news/cryptocurrency-mixing-service-used-launder-money-taken-down
        https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
        https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
        https://www.darkreading.com/cyberattacks-data-breaches/police-disrupt-cryptomixer-seize-millions-crypto
        https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
        https://www.infosecurity-magazine.com/news/europol-takes-down-illegal/
        https://hackread.com/cryptomixer-domains-infrastructure-bitcoin-seized/
        https://www.securityweek.com/29-million-worth-of-bitcoin-seized-in-cryptomixer-takedown/
        https://securityaffairs.com/185217/cyber-crime/law-enforcement-shuts-down-cryptomixer-in-major-crypto-crime-takedown.html
        https://www.helpnetsecurity.com/2025/12/01/cryptomixer-takedown-seizure/
      • Officials Accuse North Korea’s Lazarus Of $30 Million Theft From Crypto Exchange
        "A recent cyberattack on South Korea’s largest cryptocurrency exchange was allegedly conducted by a North Korean government-backed hacking group. Yonhap News Agency reported on Friday that South Korean government officials are involved in the investigation surrounding $30 million worth of cryptocurrency that was stolen from Upbit on Wednesday evening. On Friday, South Korean officials told the news outlet that North Korea’s Lazarus hacking group was likely involved in the theft based on the tactics used to break into the cryptocurrency platform and the methods deployed to launder the stolen funds."
        https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Windows 11 password icon goes missing after the August 2025 update

      Follow news updates on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Attackers steal member data from the French Soccer Federation

      Posted in Cyber Security News
      NCSA_THAICERT
    • GreyNoise launches a free tool that lets users check whether their IP address is being used in a botnet

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds one known exploited vulnerability to its catalog

      On 28 November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that it is being actively exploited:

      • CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability

      CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) catalog as a living list of CVEs that carry significant risk and are actively exploited. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due dates to protect their networks against active threats.

      CISA will continue to add newly confirmed exploited vulnerabilities to the KEV catalog so that it reflects the risks actually observed, now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 01 December 2025

      New Tooling

      • Your IP Address Might Be Someone Else's Problem (And Here's How To Find Out)
        "We built something new at GreyNoise Labs, and it started with a question we kept hearing: “How do I know if my home network has been compromised?” It’s not a theoretical concern. Over the past year, residential proxy networks have exploded and have been turning home internet connections into exit points for other people’s traffic. Sometimes folks knowingly install software that does this in exchange for a few dollars. More often, malware sneaks onto devices, usually via nefarious apps or browser extensions, and quietly turns them into nodes in someone else’s infrastructure."
        https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
        https://check.labs.greynoise.io/
        https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/

      Vulnerabilities

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
      • The Hidden Dangers Of Calendar Subscriptions: 4 Million Devices At Risk
        "Day-to-day workload can become overwhelming as time passes alongside the growing tasks and responsibilities of both personal and professional lives. Therefore, a well-structured digital calendar may be an essential organizational tool to navigate through the day, helping with the support we need to manage our time and ongoing commitments."
        https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk
        https://www.infosecurity-magazine.com/news/threat-actors-exploit-calendar-subs/

      Malware

      • Tomiris Wreaks Havoc: New Tools And Techniques Of The APT Group
        "While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure. In several cases, we traced the threat actor’s actions from initial infection to the deployment of post-exploitation frameworks. These attacks highlight a notable shift in Tomiris’s tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers. This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools."
        https://securelist.com/tomiris-new-tools/118143/
      • Bootstrap Script Exposes PyPI To Domain Takeover Attacks
        "ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. Although the vulnerable code is mostly unused in modern development environments, it may still be used in legacy production. RL Spectra Assure Community’s machine learning model, which detects packages with behaviors similar to known malware, found the vulnerability in bootstrap files for a build tool that installs the Python package distribute and performs other tasks in the bootstrapping process."
        https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack
        https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html
      • Inside The GitHub Infrastructure Powering North Korea’s Contagious Interview Npm Attacks
        "The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and “test assignments”. This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows."
        https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
        https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
        https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
      • PostHog Admits Shai-Hulud 2.0 Was Its Biggest Ever Security Bungle
        "PostHog says the Shai-Hulud 2.0 npm worm compromise was "the largest and most impactful security incident" it's ever experienced after attackers slipped malicious releases into its JavaScript SDKs and tried to auto-loot developer credentials. In a postmortem released by PostHog, one of the various package maintainers impacted by Shai-Hulud 2.0, the company says contaminated packages – which included core SDKs like posthog-node, posthog-js, and posthog-react-native – contained a pre-install script that ran automatically when the software was installed. That script ran TruffleHog to scan for credentials, exfiltrated any found secrets to new public GitHub repositories, then used stolen npm credentials to publish further malicious packages – enabling the worm to spread."
        https://www.theregister.com/2025/11/28/posthog_shaihulud/
        https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
      • Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday
        "Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday. Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season."
        https://hackread.com/fake-shopping-sites-cyber-monday/

      Breaches/Hacks/Leaks

      • Public GitLab Repositories Exposed More Than 17,000 Secrets
        "After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens. The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets."
        https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/
        https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets
      • French Football Federation Discloses Data Breach After Cyberattack
        "The French Football Federation (FFF) disclosed a data breach on Friday after attackers used a compromised account to gain access to administrative management software used by football clubs. After detecting the unauthorized access, FFF's security team disabled the compromised account and reset all user passwords across the system. However, before they were detected and evicted from the breached systems, the threat actors stole personal and contact information from members of French football clubs."
        https://www.bleepingcomputer.com/news/security/french-football-federation-fff-discloses-data-breach-after-cyberattack/
        https://www.infosecurity-magazine.com/news/french-football-federation-data/
        https://www.securityweek.com/french-soccer-federation-hit-by-cyberattack-member-data-stolen/
        https://securityaffairs.com/185160/data-breach/attackers-stole-member-data-from-french-soccer-federation.html
      • Brit Telco Brsk Confirms Breach As Bidding Begins For 230K+ Customer Records
        "British telco Brsk is investigating claims that it was attacked by cybercriminals who made off with more than 230,000 files. An advert posted to a cybercrime forum last week claimed to list 230,105 records stolen from the telco, with interested parties invited to bid for access to the data via Telegram. According to the advert, the stolen data includes customers' full names, email and home addresses, installation details, location data, phone numbers, and indicators of whether they are considered a vulnerable person."
        https://www.theregister.com/2025/11/28/brsk_breach/

      General News

      • Man Behind In-Flight Evil Twin WiFi Attacks Gets 7 Years In Prison
        "A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers during flights and at various airports across Australia. The man, an Australian national, was charged in July 2024 after Australian authorities had confiscated his equipment in April and confirmed that he was engaging in malicious activities during domestic flights and at airports in Perth, Melbourne, and Adelaide."
        https://www.bleepingcomputer.com/news/security/man-behind-in-flight-evil-twin-wifi-attacks-gets-7-years-in-prison/
      • Social Data Puts User Passwords At Risk In Unexpected Ways
        "Many CISOs already assume that social media creates new openings for password guessing, but new research helps show what that risk looks like in practice. The findings reveal how much information can be reconstructed from public profiles and how that data influences the strength of user passwords. The study also examines how LLMs behave when asked to generate or evaluate passwords based on that same personal information."
        https://www.helpnetsecurity.com/2025/11/28/research-social-media-password-risk/
        https://arxiv.org/pdf/2511.16716
      • Fragmented Tooling Slows Vulnerability Management
        "Security leaders know vulnerability backlogs are rising, but new data shows how quickly the gap between exposures and available resources is widening, according to a new report by Hackuity. Organizations use a formalized approach to manage vulnerabilities, but their tooling remains fragmented. Respondents rely on an average of four detection tools, and cloud or container configuration audits are the most common at 85%. This mix suggests broad coverage, but it also explains why teams struggle with visibility, correlation of findings, and consistent prioritization."
        https://www.helpnetsecurity.com/2025/11/28/hackuity-vulnerability-management-trends-report/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 28 November 2025

      Financial Sector

      • Criminal Networks Industrialize Payment Fraud Operations
        "Fraud operations are expanding faster than payment defenses can adjust. Criminal groups function like coordinated businesses that develop tools, automate tasks, and scale attacks. New data from a Visa report shows how these shifts are reshaping risk across the financial sector."
        https://www.helpnetsecurity.com/2025/11/27/visa-payment-fraud-trends-report/

      Malware

      • Shai-Hulud 2.0 Campaign Targets Cloud And Developer Ecosystems
        "This blog continues our investigation on the Node Package Manager (NPM) supply chain attack that took place on September 15, where attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. Our previous blog detailed how the malicious code injected onto JavaScript packages diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic, and how the Shai-hulud worm in the attack payload steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts. An incident this November 24 reported hundreds of NPM repositories compromised by what appears to be a new Shai-hulud campaign with the repository description, "Sha1-Hulud: The Second Coming.""
        https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
      • Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?
        "ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. ReliaQuest’s Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months. These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
        https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
        https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/
        https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
      • Meet Rey, The Admin Of ‘Scattered Lapsus$ Hunters’
        "A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father."
        https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/
        https://hackread.com/report-names-teen-scattered-lapsus-hunters-group/

      Breaches/Hacks/Leaks

      • OpenAI Discloses API Customer Data Breach Via Mixpanel Vendor Hack
        "OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel. Mixpanel offers event analytics that OpenAI uses to track user interactions on the frontend interface for the API product. According to the AI company, the cyber incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or other products."
        https://www.bleepingcomputer.com/news/security/openai-discloses-api-customer-data-breach-via-mixpanel-vendor-hack/
        https://openai.com/index/mixpanel-incident/
        https://www.infosecurity-magazine.com/news/openai-warns-mixpanel-data-breach/
        https://www.securityweek.com/openai-user-data-exposed-in-mixpanel-hack/
        https://hackread.com/openai-api-mixpanel-data-breach-chatgpt/
        https://securityaffairs.com/185121/data-breach/openai-data-may-have-been-exposed-after-a-cyberattack-on-analytics-firm-mixpanel.html
        https://www.theregister.com/2025/11/27/openai_mixpanel_api/
      • Asahi Admits Ransomware Gang May Have Spilled Almost 2M People's Data
        "Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people. Back on September 29, Asahi disclosed a "system failure caused by a cyberattack" that knocked out ordering, shipping, and call center systems across its Japanese operations. Days later, the attack was claimed by the Qilin ransomware crew, which reckons it stole some 27 GB of internal files – including employee records, contracts, financial documents, and other sensitive assets."
        https://www.theregister.com/2025/11/27/asahi_ransomware_numbers/
        https://www.infosecurity-magazine.com/news/asahi-15-million-customers/
        https://www.securityweek.com/asahi-data-breach-impacts-2-million-individuals/
        https://securityaffairs.com/185126/data-breach/asahi-says-crooks-stole-data-of-approximately-2m-customers-and-employees.html

      General News

      • Your Critical Infrastructure Is Running Out Of Time
        "Cyber attackers often succeed not because they are inventive, but because the systems they target are old. A new report by Cisco shows how unsupported technology inside national infrastructure creates openings that attackers can exploit repeatedly. The findings show how widespread this problem has become and how much it influences national resilience."
        https://www.helpnetsecurity.com/2025/11/27/cisco-legacy-system-vulnerabilities-report/
      • The Identity Mess Your Customers Feel Before You Do
        "Customer identity has become one of the most brittle parts of the enterprise security stack. Teams know authentication matters, but organizations keep using methods that frustrate users and increase risk. New research from Descope shows how companies manage customer identity and the issues that have been building in the background."
        https://www.helpnetsecurity.com/2025/11/27/descope-customer-identity-issues-report/
      • Fraud Fears But No Breach Spike Expected This Festive Season
        "Security experts have dismissed fears that threat actors could step up cyber-attacks on distracted retailers this Black Friday and in the run up to Christmas, although concerns persist. Huntsman Security analyzed data security incidents reported to the UK's Information Commissioner's Office (ICO) between Q3 2024 and Q2 2025. It found that the 1381 incidents reported by the retail and manufacturing sector had only minor seasonal peaks, with none outside a margin of error. Some 355 incidents were reported to the regulator in the busiest time of the year for retailers (Q4), versus 323 in Q3 2024, 317 in Q2 2025 and 386 in Q2 2025. The latter period included the massive ransomware breaches at M&S and the Co-Op Group."
        https://www.infosecurity-magazine.com/news/fraud-fears-no-breach-spike/
      • Ransomware Reshaping Cyber As National Security Priority
        "Non-stop, high-profile ransomware attacks against Britain and the United States have transformed cybersecurity into a national security priority, Anne Neuberger, the former White House deputy national security adviser for cyber, said at a Wednesday event in London. "For too long, it's been a tech thing, 'go get your CIO to fix it,'" Neuberger told attendees at an event hosted by think tank Royal United Services Institute, where she serves as a distinguished fellow."
        https://www.bankinfosecurity.com/ransomware-reshaping-cyber-as-national-security-priority-a-30160
      • As Space Becomes Warfare Domain, Cyber Is On The Frontlines
        "Space is becoming a domain of warfare, with private sector companies on the front lines - and the first shots will likely be fired in cyberspace, a senior U.S. intelligence official warned this month. "Cybersecurity for space systems is very likely to be on the front lines of conflict involving space," said Johnathon Martin, acting deputy director of the Office of the Chief Architect at the National Reconnaissance Office, which builds, launches and operates U.S. spy satellites."
        https://www.bankinfosecurity.com/as-space-becomes-warfare-domain-cyber-on-frontlines-a-30148
      • FCC Warns Of Hackers Hijacking Radio Equipment For False Alerts
        "Hackers have been hijacking US radio transmission equipment to air bogus emergency tones and offensive material, according to a notice issued Wednesday by the US Federal Communications Commission (FCC). The wave of intrusions triggered unauthorized uses of the Emergency Alert System’s distinctive Attention Signal, which is normally reserved for tornadoes, hurricanes, earthquakes and other urgent threats. In particular, threat actors appeared to target Barix network audio devices and reconfigure them to capture attacker-controlled streams instead of regular programming."
        https://www.infosecurity-magazine.com/news/fcc-hackers-hijacking-radio/
        https://docs.fcc.gov/public/attachments/DA-25-996A1.pdf
        https://www.theregister.com/2025/11/27/fcc_radio_hijack/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Infostealer malware found spreading through pirated game installers

      Posted in Cyber Security News
      NCSA_THAICERT
    • Several London local authorities report IT outages following a cyberattack

      Posted in Cyber Security News
      NCSA_THAICERT