โพสต์ถูกสร้างโดย NCSA_THAICERT

NCSA_THAICERT

Industrial Sector

APT And Financial Attacks On Industrial Organizations In Q3 2025
"This summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in Q3 2025, as well as the related activities of groups observed attacking industrial organizations. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals addressing practical issues of cybersecurity in industrial enterprises."
https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/

Vulnerabilities

Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days
"Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively. Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation."
https://cyberscoop.com/android-security-update-december-2025/

Malware

SmartTube YouTube App For Android TV Breached To Push Malicious Update
"The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk. The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app."
https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/
Glassworm's Resurgence
"Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be mulitple campaigns at work also."
https://secureannex.com/blog/glassworm-continued/
https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in-third-wave-of-malicious-vs-code-packages/
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
"Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. Our investigation uncovered two active operations: A 300,000-user RCE backdoor: Five extensions, including the "Featured" and "Verified" Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance And Crypto Wallets
"Over the past few months, the Cleafy Threat Intelligence team has identified and analyzed Albiriox, a newly emerging Android malware family promoted as a Malware-as-a-Service (MaaS) within underground cybercrime forums. First observed in September 2025 during a limited recruitment phase targeting high-reputation forum members, the project transitioned to a publicly available MaaS offering in October 2025. Forum activity, linguistic patterns, and infrastructure analysis indicate that Russian-speaking Threat Actors (TAs) are behind the operation."
https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
https://www.infosecurity-magazine.com/news/android-maas-malware-albiriox-dark/
https://www.malwarebytes.com/blog/news/2025/12/new-android-malware-lets-criminals-control-your-phone-and-drain-your-bank-account
https://www.securityweek.com/new-albiriox-android-malware-developed-by-russian-cybercriminals/
https://securityaffairs.com/185194/malware/emerging-android-threat-albiriox-enables-full-on‑device-fraud.html
Two Years, 17K Downloads: The NPM Malware That Tried To Gaslight Security Scanners
"We train our AI risk engine to look for something most scanners don't: code that tries to manipulate AI-based security tools. As LLMs become part of the security stack, from code review to package analysis, attackers will adapt. They'll start writing code that's designed not just to evade detection, but to actively mislead the AI doing the analysis. We built our engine to catch that. This week, it caught something interesting."
https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
https://www.infosecurity-magazine.com/news/malware-ai-detection-npm-package/

Breaches/Hacks/Leaks

Retail Giant Coupang Data Breach Impacts 33.7 Million Customers
"South Korea's largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers. The firm has warned on its Korean-language site that the incident occurred on June 24, 2025, but it only discovered it and began the investigation on November 18, 2025. "On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers," reads the public statement."
https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
https://hackread.com/coupang-data-breach-south-korean-accounts/
https://www.infosecurity-magazine.com/news/south-korea-coupang-34m-customer/
https://www.theregister.com/2025/12/01/coupang_breach/
Royal Borough Of Kensington And Chelsea Reveals Data Breach
"The Royal Borough of Kensington and Chelsea (RBKC) has told residents that their data may have been compromised in a cyber-attack on an IT service provider discovered last week. The council, London’s smallest but most densely populated, revealed the news in an update on Friday. “After discovering unusual activity first thing Monday morning, we have been taking all necessary steps to shut down and isolate systems and make them as safe as possible,” it said."
https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/

General News

Treating MCP Like An API Creates Security Blind Spots
"In this Help Net Security interview, Michael Yaroshefsky, CEO at MCP Manager, discusses how Model Context Protocol’s (MCP) trust model creates security gaps that many teams overlook and why MCP must not be treated like a standard API. He explains how misunderstandings about MCP’s runtime behavior, governance, and identity requirements can create exposure. With MCP usage expanding across organizations, well-defined controls and a correct understanding of the protocol become necessary."
https://www.helpnetsecurity.com/2025/12/01/michael-yaroshefsky-mcp-manager-mcp-security-gaps/
Offensive Cyber Power Is Spreading Fast And Changing Global Security
"Offensive cyber activity has moved far beyond a handful of major powers. More governments now rely on digital operations to project influence during geopolitical tension, which raises new risks for organizations caught in the middle. A new policy brief from the Geneva Centre for Security Policy examines how these developments influence international stability and what steps could lower the chance of dangerous escalation."
https://www.helpnetsecurity.com/2025/12/01/global-offensive-cyber-operations-risks/
The Weekend Is Prime Time For Ransomware
"Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis report. Those periods often come with thin staffing, slower investigation, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised. 60% of incidents happened after a merger, acquisition, restructuring, or similar shift inside the business. The most common trigger was an M&A effort. When identity environments are being consolidated, inconsistencies appear. Attackers look for these weak points and move quickly when they find them."
https://www.helpnetsecurity.com/2025/12/01/semperis-ransomware-risk-trends-report/
When Hackers Wear Suits: Protecting Your Team From Insider Cyber Threats
"In the ever-evolving landscape of cyber threats, a new and insidious danger is emerging, shifting focus from external attacks to internal infiltration. Hackers are now impersonating seasoned cybersecurity and IT professionals to gain privileged access within organizations. These aren't just phishing attempts; they are calculated schemes where malicious actors manipulate the hiring process to become "trusted" staff, all with the intent of breaching company databases or stealing sensitive information."
https://www.bleepingcomputer.com/news/security/when-hackers-wear-suits-protecting-your-team-from-insider-cyber-threats/
Europol And Partners Shut Down ‘Cryptomixer’
"From 24 to 28 November 2025, Europol supported an action week conducted by law enforcement authorities from Switzerland and Germany in Zurich, Switzerland. The operation focused on taking down the illegal cryptocurrency mixing service ‘Cryptomixer’, which is suspected of facilitating cybercrime and money laundering."
https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer
https://www.eurojust.europa.eu/news/cryptocurrency-mixing-service-used-launder-money-taken-down
https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
https://www.darkreading.com/cyberattacks-data-breaches/police-disrupt-cryptomixer-seize-millions-crypto
https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
https://www.infosecurity-magazine.com/news/europol-takes-down-illegal/
https://hackread.com/cryptomixer-domains-infrastructure-bitcoin-seized/
https://www.securityweek.com/29-million-worth-of-bitcoin-seized-in-cryptomixer-takedown/
https://securityaffairs.com/185217/cyber-crime/law-enforcement-shuts-down-cryptomixer-in-major-crypto-crime-takedown.html
https://www.helpnetsecurity.com/2025/12/01/cryptomixer-takedown-seizure/
Officials Accuse North Korea’s Lazarus Of $30 Million Theft From Crypto Exchange
"A recent cyberattack on South Korea’s largest cryptocurrency exchange was allegedly conducted by a North Korean government-backed hacking group. Yonhap News Agency reported on Friday that South Korean government officials are involved in the investigation surrounding $30 million worth of cryptocurrency that was stolen from Upbit on Wednesday evening. On Friday, South Korean officials told the news outlet that North Korea’s Lazarus hacking group was likely involved in the theft based on the tactics used to break into the cryptocurrency platform and the methods deployed to launder the stolen funds."
https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Windows 11 พบปัญหาไอคอนรหัสผ่านหายหลังอัปเดตเดื.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

ผู้โจมตีขโมยข้อมูลสมาชิกจากสหพันธ์ฟุตบอ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

GreyNoise เปิดตัวเครื่องมือฟรี ช่วยผู้ใช้งานตรว.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เมื่อวันที่ 28 พฤศจิกายน 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability

ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

New Tooling

Your IP Address Might Be Someone Else's Problem (And Here's How To Find Out)
"We built something new at GreyNoise Labs, and it started with a question we kept hearing: “How do I know if my home network has been compromised?” It’s not a theoretical concern. Over the past year, residential proxy networks have exploded and have been turning home internet connections into exit points for other people’s traffic. Sometimes folks knowingly install software that does this in exchange for a few dollars. More often, malware sneaks onto devices, usually via nefarious apps or browser extensions, and quietly turns them into nodes in someone else’s infrastructure."
https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
https://check.labs.greynoise.io/
https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/

Vulnerabilities

CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
The Hidden Dangers Of Calendar Subscriptions: 4 Million Devices At Risk
"Day-to-day workload can become overwhelming as time passes alongside the growing tasks and responsibilities of both personal and professional lives. Therefore, a well-structured digital calendar may be an essential organizational tool to navigate through the day, helping with the support we need to manage our time and ongoing commitments."
https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk
https://www.infosecurity-magazine.com/news/threat-actors-exploit-calendar-subs/

Malware

Tomiris Wreaks Havoc: New Tools And Techniques Of The APT Group
"While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure. In several cases, we traced the threat actor’s actions from initial infection to the deployment of post-exploitation frameworks. These attacks highlight a notable shift in Tomiris’s tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers. This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools."
https://securelist.com/tomiris-new-tools/118143/
Bootstrap Script Exposes PyPI To Domain Takeover Attacks
"ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. Although the vulnerable code is mostly unused in modern development environments, it may still be used in legacy production. RL Spectra Assure Community’s machine learning model, which detects packages with behaviors similar to known malware, found the vulnerability in bootstrap files for a build tool that installs the Python package distribute and performs other tasks in the bootstrapping process."
https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack
https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html
Inside The GitHub Infrastructure Powering North Korea’s Contagious Interview Npm Attacks
"The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and “test assignments”. This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows."
https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
PostHog Admits Shai-Hulud 2.0 Was Its Biggest Ever Security Bungle
"PostHog says the Shai-Hulud 2.0 npm worm compromise was "the largest and most impactful security incident" it's ever experienced after attackers slipped malicious releases into its JavaScript SDKs and tried to auto-loot developer credentials. In a postmortem released by PostHog, one of the various package maintainers impacted by Shai-Hulud 2.0, the company says contaminated packages – which included core SDKs like posthog-node, posthog-js, and posthog-react-native – contained a pre-install script that ran automatically when the software was installed. That script ran TruffleHog to scan for credentials, exfiltrated any found secrets to new public GitHub repositories, then used stolen npm credentials to publish further malicious packages – enabling the worm to spread."
https://www.theregister.com/2025/11/28/posthog_shaihulud/
https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday
"Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday. Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season."
https://hackread.com/fake-shopping-sites-cyber-monday/

Breaches/Hacks/Leaks

Public GitLab Repositories Exposed More Than 17,000 Secrets
"After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens. The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets."
https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/
https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets
French Football Federation Discloses Data Breach After Cyberattack
"The French Football Federation (FFF) disclosed a data breach on Friday after attackers used a compromised account to gain access to administrative management software used by football clubs. After detecting the unauthorized access, FFF's security team disabled the compromised account and reset all user passwords across the system. However, before they were detected and evicted from the breached systems, the threat actors stole personal and contact information from members of French football clubs."
https://www.bleepingcomputer.com/news/security/french-football-federation-fff-discloses-data-breach-after-cyberattack/
https://www.infosecurity-magazine.com/news/french-football-federation-data/
https://www.securityweek.com/french-soccer-federation-hit-by-cyberattack-member-data-stolen/
https://securityaffairs.com/185160/data-breach/attackers-stole-member-data-from-french-soccer-federation.html
Brit Telco Brsk Confirms Breach As Bidding Begins For 230K+ Customer Records
"British telco Brsk is investigating claims that it was attacked by cybercriminals who made off with more than 230,000 files. An advert posted to a cybercrime forum last week claimed to list 230,105 records stolen from the telco, with interested parties invited to bid for access to the data via Telegram. According to the advert, the stolen data includes customers' full names, email and home addresses, installation details, location data, phone numbers, and indicators of whether they are considered a vulnerable person."
https://www.theregister.com/2025/11/28/brsk_breach/

General News

Man Behind In-Flight Evil Twin WiFi Attacks Gets 7 Years In Prison
"A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers during flights and at various airports across Australia. The man, an Australian national, was charged in July 2024 after Australian authorities had confiscated his equipment in April and confirmed that he was engaging in malicious activities during domestic flights and at airports in Perth, Melbourne, and Adelaide."
https://www.bleepingcomputer.com/news/security/man-behind-in-flight-evil-twin-wifi-attacks-gets-7-years-in-prison/
Social Data Puts User Passwords At Risk In Unexpected Ways
"Many CISOs already assume that social media creates new openings for password guessing, but new research helps show what that risk looks like in practice. The findings reveal how much information can be reconstructed from public profiles and how that data influences the strength of user passwords. The study also examines how LLMs behave when asked to generate or evaluate passwords based on that same personal information."
https://www.helpnetsecurity.com/2025/11/28/research-social-media-password-risk/
https://arxiv.org/pdf/2511.16716
Fragmented Tooling Slows Vulnerability Management
"Security leaders know vulnerability backlogs are rising, but new data shows how quickly the gap between exposures and available resources is widening, according to a new report by Hackuity. Organizations use a formalized approach to manage vulnerabilities, but their tooling remains fragmented. Respondents rely on an average of four detection tools, and cloud or container configuration audits are the most common at 85%. This mix suggests broad coverage, but it also explains why teams struggle with visibility, correlation of findings, and consistent prioritization."
https://www.helpnetsecurity.com/2025/11/28/hackuity-vulnerability-management-trends-report/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Financial Sector

Criminal Networks Industrialize Payment Fraud Operations
"Fraud operations are expanding faster than payment defenses can adjust. Criminal groups function like coordinated businesses that develop tools, automate tasks, and scale attacks. New data from a Visa report shows how these shifts are reshaping risk across the financial sector."
https://www.helpnetsecurity.com/2025/11/27/visa-payment-fraud-trends-report/

Malware

Shai-Hulud 2.0 Campaign Targets Cloud And Developer Ecosystems
"This blog continues our investigation on the Node Package Manager (NPM) supply chain attack that took place on September 15, where attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. Our previous blog detailed how the malicious code injected onto JavaScript packages diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic, and how the Shai-hulud worm in the attack payload steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts. An incident this November 24 reported hundreds of NPM repositories compromised by what appears to be a new Shai-hulud campaign with the repository description, "Sha1-Hulud: The Second Coming.""
https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
- Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?
  "ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. ReliaQuest’s Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months. These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
  https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
  https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/
  https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
Meet Rey, The Admin Of ‘Scattered Lapsus$ Hunters’
"A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father."
https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/
https://hackread.com/report-names-teen-scattered-lapsus-hunters-group/

Breaches/Hacks/Leaks

OpenAI Discloses API Customer Data Breach Via Mixpanel Vendor Hack
"OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel. Mixpanel offers event analytics that OpenAI uses to track user interactions on the frontend interface for the API product. According to the AI company, the cyber incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or other products."
https://www.bleepingcomputer.com/news/security/openai-discloses-api-customer-data-breach-via-mixpanel-vendor-hack/
https://openai.com/index/mixpanel-incident/
https://www.infosecurity-magazine.com/news/openai-warns-mixpanel-data-breach/
https://www.securityweek.com/openai-user-data-exposed-in-mixpanel-hack/
https://hackread.com/openai-api-mixpanel-data-breach-chatgpt/
https://securityaffairs.com/185121/data-breach/openai-data-may-have-been-exposed-after-a-cyberattack-on-analytics-firm-mixpanel.html
https://www.theregister.com/2025/11/27/openai_mixpanel_api/
Asahi Admits Ransomware Gang May Have Spilled Almost 2M People's Data
"Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people. Back on September 29, Asahi disclosed a "system failure caused by a cyberattack" that knocked out ordering, shipping, and call center systems across its Japanese operations. Days later, the attack was claimed by the Qilin ransomware crew, which reckons it stole some 27 GB of internal files – including employee records, contracts, financial documents, and other sensitive assets."
https://www.theregister.com/2025/11/27/asahi_ransomware_numbers/
https://www.infosecurity-magazine.com/news/asahi-15-million-customers/
https://www.securityweek.com/asahi-data-breach-impacts-2-million-individuals/
https://securityaffairs.com/185126/data-breach/asahi-says-crooks-stole-data-of-approximately-2m-customers-and-employees.html

General News

Your Critical Infrastructure Is Running Out Of Time
"Cyber attackers often succeed not because they are inventive, but because the systems they target are old. A new report by Cisco shows how unsupported technology inside national infrastructure creates openings that attackers can exploit repeatedly. The findings show how widespread this problem has become and how much it influences national resilience."
https://www.helpnetsecurity.com/2025/11/27/cisco-legacy-system-vulnerabilities-report/
The Identity Mess Your Customers Feel Before You Do
"Customer identity has become one of the most brittle parts of the enterprise security stack. Teams know authentication matters, but organizations keep using methods that frustrate users and increase risk. New research from Descope shows how companies manage customer identity and the issues that have been building in the background."
https://www.helpnetsecurity.com/2025/11/27/descope-customer-identity-issues-report/
Fraud Fears But No Breach Spike Expected This Festive Season
"Security experts have dismissed fears that threat actors could step up cyber-attacks on distracted retailers this Black Friday and in the run up to Christmas, although concerns persist. Huntsman Security analyzed data security incidents reported to the UK's Information Commissioner's Office (ICO) between Q3 2024 and Q2 2025. It found that the 1381 incidents reported by the retail and manufacturing sector had only minor seasonal peaks, with none outside a margin of error. Some 355 incidents were reported to the regulator in the busiest time of the year for retailers (Q4), versus 323 in Q3 2024, 317 in Q2 2025 and 386 in Q2 2025. The latter period included the massive ransomware breaches at M&S and the Co-Op Group."
https://www.infosecurity-magazine.com/news/fraud-fears-no-breach-spike/
Ransomware Reshaping Cyber As National Security Priority
"Non-stop, high-profile ransomware attacks against Britain and the United States have transformed cybersecurity into a national security priority, Anne Neuberger, the former White House deputy national security adviser for cyber, said at a Wednesday event in London. "For too long, it's been a tech thing, 'go get your CIO to fix it,'" Neuberger told attendees at an event hosted by think tank Royal United Services Institute, where she serves as a distinguished fellow."
https://www.bankinfosecurity.com/ransomware-reshaping-cyber-as-national-security-priority-a-30160
As Space Becomes Warfare Domain, Cyber Is On The Frontlines
"Space is becoming a domain of warfare, with private sector companies on the front lines - and the first shots will likely be fired in cyberspace, a senior U.S. intelligence official warned this month. "Cybersecurity for space systems is very likely to be on the front lines of conflict involving space," said Johnathon Martin, acting deputy director of the Office of the Chief Architect at the National Reconnaissance Office, which builds, launches and operates U.S. spy satellites."
https://www.bankinfosecurity.com/as-space-becomes-warfare-domain-cyber-on-frontlines-a-30148
FCC Warns Of Hackers Hijacking Radio Equipment For False Alerts
"Hackers have been hijacking US radio transmission equipment to air bogus emergency tones and offensive material, according to a notice issued Wednesday by the US Federal Communications Commission (FCC). The wave of intrusions triggered unauthorized uses of the Emergency Alert System’s distinctive Attention Signal, which is normally reserved for tornadoes, hurricanes, earthquakes and other urgent threats. In particular, threat actors appeared to target Barix network audio devices and reconfigure them to capture attacker-controlled streams instead of regular programming."
https://www.infosecurity-magazine.com/news/fcc-hackers-hijacking-radio/
https://docs.fcc.gov/public/attachments/DA-25-996A1.pdf
https://www.theregister.com/2025/11/27/fcc_radio_hijack/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

พบการแพร่กระจายมัลแวร์ขโมยข้อมูล (Infostealer) ผ่.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

หน่วยงานท้องถิ่นหลายแห่งในลอนดอนประกาศร.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

แฮกเกอร์เริ่มใช้โมเดลภาษา LLM พัฒนา “มัลแวร.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Telecom Sector

Mobile Industry Warns Patchwork Cyber Regs Are Driving Up Costs
"Mobile operators' core cybersecurity spending is projected to more than double by 2030 as threats evolve, while poorly designed and fragmented policy frameworks add extra compliance costs, according to industry group the GSMA. The lobbying organization has pushed out a report calling for national policymakers to simplify compliance and incident reporting to make the job of the network operators easier. It also wants to see greater international coordination between governments and regulators to build those frameworks around common standards."
https://www.theregister.com/2025/11/26/gsma_global_standards_mobile_industry/
https://www.gsma.com/solutions-and-impact/connectivity-for-good/public-policy/wp-content/uploads/2025/11/Impact-of-Cybersecurity-Regulation-on-Mobile-Operators.pdf

New Tooling

DeepTeam: Open-Source LLM Red Teaming Framework
"Security teams are pushing large language models into products faster than they can test them, which makes any new red teaming method worth paying attention to. DeepTeam is an open-source framework built to probe these systems before they reach users, and it takes a direct approach to exposing weaknesses. The tool runs on a local machine and uses language models to simulate attacks as well as evaluate the results. It applies techniques drawn from recent research on jailbreaking and prompt injection, which gives teams a way to uncover issues such as bias or exposure of personal data. Once DeepTeam finds a problem, it offers guardrails that can be added to production systems to block similar issues."
https://www.helpnetsecurity.com/2025/11/26/deepteam-open-source-llm-red-teaming-framework/
https://github.com/confident-ai/deepteam

Vulnerabilities

Old Tech, New Vulnerabilities: NTLM Abuse, Ongoing Exploitation In 2025
"Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits."
https://securelist.com/ntlm-abuse-in-2025/118132/
ASUS Warns Of New Critical Auth Bypass Flaw In AiCloud Routers
"ASUS has released new firmware to patch nine security vulnerabilities, including a critical authentication bypass flaw in routers with AiCloud enabled. AiCloud is a cloud-based remote access feature that comes with many ASUS routers, turning them into private cloud servers for remote media streaming and cloud storage. As the Taiwanese electronics manufacturer explained, the CVE-2025-59366 vulnerability "can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization.""
https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/
Popular Forge Library Gets Fix For Signature Verification Bypass Flaw
"A vulnerability in the ‘node-forge’ package, a popular JavaScript cryptography library, could be exploited to bypass signature verifications by crafting data that appears valid. The flaw is tracked as CVE-2025-12816 and received a high severity rating. It arises from the library’s ASN.1 validation mechanism, which allows malformed data to pass checks even when it is cryptographically invalid."
https://www.bleepingcomputer.com/news/security/popular-forge-library-gets-fix-for-signature-verification-bypass-flaw/
Dell ControlVault, Lasso, GL.iNet Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr'ouvert Lasso, and one vulnerability in GL.iNet Slate AX. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
https://blog.talosintelligence.com/dell-controlvault-lasso-gl-inet-vulnerabilities/
B2B Guest Access Creates An Unprotected Attack Vector
"Microsoft Teams is a core collaboration platform for Ontinue and for the organisations we protect. Our ability to engage directly with customers inside their own Teams environments is one of our most valued differentiators, and one they consistently highlight as a strength of our service. However, like all powerful collaboration tools, Teams depends on proper configuration and governance to ensure its security boundaries function as intended. Effective protection is not inherent to the platform; it emerges from how each tenant chooses to manage external access, identity boundaries, and integrated security controls."
https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
https://hackread.com/microsoft-teams-guest-chat-flaw-malware/

Malware

Bloody Wolf: A Blunt Crowbar Threat To Justice
"Bloody Wolf is an advanced persistent threat (APT) group active since late 2023. The group initially used commercial STRRAT malware. Later, the group switched to deploying the legitimate NetSupport remote administration tool (RAT) in campaigns targeting Kazakhstan and Russia previously described by BI.ZONE analysts. A joint investigation between Group-IB and UKUK has revealed that Bloody Wolf had been conducting a campaign in Kyrgyzstan since at least June 2025. Those threat actors would impersonate the country’s Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT."
https://www.group-ib.com/blog/bloody-wolf/
Dissecting a New Malspam Chain Delivering Purelogs Infostealer
"The AISI Research Center’s Cybersecurity Observatory publishes the report “Dissecting a new malspam chain delivering Purelogs infostealer” – November 25, 2025. Organizational and personal security remains under constant threat from increasingly sophisticated attack vectors, with malspam continuing to represent one of the most widespread and effective initial infection vectors for distributing malware on a large scale. Despite advances in endpoint protection technologies, malicious campaigns effectively exploit human urgency, curiosity, and trust, often masquerading as legitimate communications, security alerts, or financial documents."
https://securityaffairs.com/185066/cyber-crime/dissecting-a-new-malspam-chain-delivering-purelogs-infostealer.html
https://dimanec.unipegaso.it/wp-content/uploads/sites/5/2025/11/Dissecting-a-new-malspam-chain-delivering-Purelogs-infostealer.pdf
Russian RomCom Utilizing SocGholish To Deliver Mythic Agent To U.S. Companies Supporting Ukraine
"In September 2025, Arctic Wolf Labs identified a U.S.-based company that was targeted by RomCom threat actors via SocGholish, operated by TA569. While the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system. This is the first time that a RomCom payload has been observed being distributed by SocGholish."
https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/
https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html
https://securityaffairs.com/185084/security/for-the-first-time-a-romcom-payload-has-been-observed-being-distributed-via-socgholish.html
Fake Battlefield 6 Pirated Versions And Game Trainers Used To Deploy Stealers And C2 Agents
"Bitdefender Labs has identified malware campaigns exploiting the popularity of EA's Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers, and fake game trainers across torrent websites and other easily found domains. Electronic Arts' Battlefield 6, developed by DICE and published by Electronic Arts (EA), was released in October, and it's likely one of the most significant game launches of the year."
https://www.bitdefender.com/en-us/blog/labs/fake-battlefield-6-pirated-games-trainers
https://hackread.com/fake-battlefield-6-downloads-malware-data/
Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps
"Socket’s Threat Research Team discovered a malicious Chrome extension Crypto Copilot, published on June 18, 2024, which markets itself as a tool to “execute trades instantly from your X feed.” Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet. The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code."
https://socket.dev/blog/malicious-chrome-extension-injects-hidden-sol-fees-into-solana-swaps
https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html
ShadowV2 Casts a Shadow Over IoT Devices
"At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and spanned seven different industries. So far, the malware appears to have only been active during the time of the large-scale AWS outage. We believe this activity was likely a test run conducted in preparation for future attacks. The following sections provide a detailed analysis of these incidents and the ShadowV2 malware."
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/
https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/
Shai Hulud Strikes Again (v2)
"PostHog has published a detailed post mortem describing how one of its GitHub Actions workflows was abused as an initial access vector for Shai Hulud v2. An attacker briefly opened a pull request that modified a script executed via pull_request_target, exfiltrated a bot personal access token from CI, then used that access to steal additional GitHub secrets including an npm publish token and ship malicious versions of several PostHog SDKs. PostHog has since revoked credentials, tightened workflow reviews, moved to trusted publishing, and reworked its secrets management. Their write up highlights how subtle CI workflow choices can create a path from untrusted contributions to package release credentials."
https://socket.dev/blog/shai-hulud-strikes-again-v2
https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html
The Korean Leaks – Analyzing The Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
"The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector."
https://www.bitdefender.com/en-us/blog/businessinsights/korean-leaks-campaign-targets-south-korean-financial-services-qilin-ransomware
https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

Breaches/Hacks/Leaks

London Councils Hit By Serious Cyber “Incidents”
"Multiple local authorities in London appear to be dealing with a serious cybersecurity incident, it has emerged. The Royal Borough of Kensington and Chelsea (RBKC) issued a statement on Tuesday revealing that it and Westminster City Council (WCC) were responding to an incident identified on Monday morning. The two have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response."
https://www.infosecurity-magazine.com/news/london-councils-hit-by-serious/
https://www.theregister.com/2025/11/26/cyberattack_london_councils/
https://therecord.media/cyber-issue-london-councils-attack
https://www.bleepingcomputer.com/news/security/multiple-london-councils-it-systems-disrupted-by-cyberattack/
https://www.bankinfosecurity.com/multiple-london-councils-responding-to-cyberattack-a-30146
https://securityaffairs.com/185086/security/multiple-london-councils-faced-a-cyberattack.html
Gainsight Cyber-Attack Affect More Salesforce Customers
"The cyber-attack targeting Gainsight has affected more Salesforce customers than initially expected. In a customer FAQ, first posted on November 20 and regularly updated since, the customer support platform provider said Salesforce initially provided a list of three customers impacted by the breach. Gainsight later found that the number “has been expanded to a larger list.”"
https://www.infosecurity-magazine.com/news/gainsight-cyberattack-more/
https://www.theregister.com/2025/11/26/gainsight_ceos_handful_customers_data_stolen/
https://www.helpnetsecurity.com/2025/11/26/gainsight-breach-salesforce-details-attack-window/

General News

Heineken CISO Champions a New Risk Mindset To Unlock Innovation
"In this Help Net Security interview, Marina Marceta, CISO at Heineken, discusses what it takes for CISOs to be seen as business-aligned leaders rather than technical overseers. She shares how connecting security to business impact can shift perceptions and strengthen partnerships across the company. Marceta focuses on the value of a security culture that supports innovation while keeping risk in check."
https://www.helpnetsecurity.com/2025/11/26/marina-marceta-heineken-business-aligned-security/
Small Language Models Step Into The Fight Against Phishing Sites
"Phishing sites keep rising, and security teams are searching for ways to sort suspicious pages at speed. A recent study explores whether small language models (SLMs) can scan raw HTML to catch these threats. The work reviews a range of model sizes and tests how they handle detection tasks while keeping compute demands in check."
https://www.helpnetsecurity.com/2025/11/26/research-slms-website-phishing-detection/
https://arxiv.org/pdf/2511.15434
Cybersecurity Is Now a Core Business Discipline
"Cyber risk has become the background noise of modern business. We’re seeing nearly two thousand attacks per organization per week in the first quarter of 2025—a 47% rise year-on-year. That surge reflects two realities moving at once: attacks are genuinely increasing because it’s easier and cheaper than ever to mount them, and defenders are getting better at spotting what previously slipped under the radar. In other words, the problem is growing and we’re measuring it more honestly."
https://www.securityweek.com/cybersecurity-is-now-a-core-business-discipline/
The Golden Scale: 'Tis The Season For Unwanted Gifts
"In October 2025, we published two Insights blogs on threat activity affiliated with the cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH). After a few weeks of apparent inactivity, the threat actors have returned with a vengeance based on open-source reporting and conversations obtained from a new Telegram channel (scattered LAPSUS$ hunters part 7). This latest Insights threat blog will detail several notable observations made by Unit 42 since mid-November, and prepares organizations as we head into the holiday season."
https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/
Behind The Bargains: Why Phishing Peaks On Black Friday
"Black Friday has evolved into one of the most active shopping periods of the year. No longer is it just one day of shopping after Thanksgiving; the sales have now turned into a full week of high-volume promotions, beginning before Thanksgiving and stretching through Black Friday and Cyber Monday, with many retailers extending deals even longer. Unsurprisingly, this surge in digital activity is very attractive for threat actors."
https://cofense.com/blog/behind-the-bargains-why-phishing-peaks-on-black-friday
Sumsub’s Annual Report: Fraud Shifts To Complex Multi-Step Schemes In 2025, Agentic AI Scams Poised To Surge In 2026
"Sumsub today released its Identity Fraud Report 2025–2026, analyzing millions of verification checks and 4,000,000+ fraud attempts between 2024–2025*. The study blends global and regional dynamics from internal data with findings from Sumsub’s Fraud Exposure Survey 2025, featuring responses from 300+ risk professionals and 1,200+ end users. In 2024, the rise of fraud-as-a-service platforms and ready-made toolkits “democratized” identity crime, making it widely accessible to non-tech-savvy fraudsters. In 2025, that trend matured into the Sophistication Shift: fewer but more professionalized operations designed for higher-impact damage."
https://sumsub.com/newsroom/sumsubs-annual-report-fraud-shifts-to-complex-multi-step-schemes-in-2025-agentic-ai-scams-poised-to-surge-in-2026/
https://sumsub.com/fraud-report-2025/
https://www.darkreading.com/cyberattacks-data-breaches/digital-fraud-industrial-scale-2025
Prompt Injections Loom Large Over ChatGPT's Atlas Browser
"As a new AI-powered Web browser brings agentics closer to the masses, questions remain regarding whether prompt injections, the signature LLM attack type, could get even worse. ChatGPT Atlas is OpenAI's large language model (LLM)-powered Web browser launched Oct. 21 and based on Chromium. Currently available for macOS (with other platforms to come), Atlas comes with native ChatGPT functionality including text generation, Web page summarization, and agent capabilities."
https://www.darkreading.com/application-security/prompt-injections-loom-large-over-chatgpt-atlas-launch
Enterprises Aren't Confident They Can Secure Non-Human Identities (NHIs)
"Non-human identities (NHIs) are poised to experience exponential growth and adoption throughout the coming year, fundamentally transforming how organizations approach cybersecurity. These digital entities, which include service accounts, system identities, machine identities, and other forms of automated identities, serve as the backbone of modern digital infrastructure by enabling communication and interaction between applications, services, and automated systems."
https://www.darkreading.com/identity-access-management-security/enterprise-not-confident-secure-non-human-identities

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

[TLP_CLEAR] รายงานการรับมือสถานการณ์ความไม่พร้อ_Page1.png

NCSA_THAICERT

มัลแวร์ StealC V2 ใช้ไฟล์โมเดล Blender แฝงตัวในไฟล์ 3D .png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Harvard University เปิดเผยเหตุข้อมูลรั่วไหล ส่งผลกระท.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เตือนภัย พบการโจมตี ClickFix ใช้หน้าจอ Windows Update ปลอ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการ เมื่อวันที่ 25 พฤศจิกายน 2025 พื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
ICSA-25-329-02 Rockwell Automation Arena Simulation
ICSA-25-329-03 Zenitel TCIV-3+
ICSA-25-329-04 Opto 22 groov View
ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products
ICSA-25-329-06 SiRcom SMART Alert (SiSA)
ICSA-22-333-05 Mitsubishi Electric FA Engineering Software (Update C)

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Industrial Sector

Zenitel TCIV-3+
"Successful exploitation of these vulnerabilities could result in arbitrary code execution or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
Festo Compact Vision System, Control Block, Controller, And Operator Unit Products
"Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-05
SiRcom SMART Alert (SiSA)
"Successful exploitation of this vulnerability could enable an attacker to remotely activate or manipulate emergency sirens."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06
Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
"Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01
Rockwell Automation Arena Simulation
"Successful exploitation of this vulnerability could allow local attackers to execute arbitrary code on affected installations of Arena."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-02
Opto 22 Groov View
"Successful exploitation of this vulnerability could result in credential exposure, key exposure, and privilege escalation."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04

Vulnerabilities

Update Firefox To Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users
"AI security firm AISLE recently discovered a serious vulnerability in the Firefox web browser that went unnoticed for six months. This flaw could have let attackers run their own instructions on a user’s computer, potentially putting over 180 million users at risk."
https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/

Malware

RelayNFC: The New NFC Relay Malware Targeting Brazil
"Cyble Research and Intelligence Labs (CRIL) has uncovered an active and evolving phishing campaign targeting users in Brazil. Dubbed RelayNFC, this Android malware family is designed specifically to perform NFC relay attacks for fraudulent contactless payments. RelayNFC is a lightweight yet highly evasive malware because of its Hermes-compiled payload. This makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server."
https://cyble.com/blog/relaynfc-nfc-relay-malware-targeting-brazil/
Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
"Welcome to watchTowr vs the Internet, part 68. That feeling you’re experiencing? Dread. You should be used to it by now. As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords, secrets, keys and more for very sensitive environments - and then spent a number of months working out if we could travel back in time to a period in which we just hadn't. Remember, kids - a problem shared is a problem that isn't just your problem anymore. It's the Shared Responsibility model(tm)."
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/
https://www.bleepingcomputer.com/news/security/code-beautifiers-expose-credentials-from-banks-govt-tech-orgs/
https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html
https://www.bankinfosecurity.com/blogs/data-leaks-are-we-so-stupid-about-free-online-services-p-3982
https://www.helpnetsecurity.com/2025/11/25/code-formatting-sites-exposing-secrets/
Fake Adult Websites Pop Realistic Windows Update Screen To Deliver Stealers Via ClickFix
"Novel "JackFix" attack: Acronis TRU researchers discover an ongoing campaign that leverages a novel combination of screen hijacking techniques with ClickFix, displaying a realistic, full-screen Windows Update of “Critical Windows Security Updates” to trick victims into executing malicious commands. Adult content bait strategy: Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The adult theme, and possible connection to shady websites, add to victim’s psychological pressure, making victims more likely to comply with sudden “security update” installation instructions."
https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/
https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html
https://www.darkreading.com/threat-intelligence/jackfix-attack-clickfix-mitigations
The Dual-Use Dilemma Of AI: Malicious LLMs
"A fundamental challenge with large language models (LLMs) in a security context is that their greatest strengths as defensive tools are precisely what enable their offensive power. This issue is known as the dual-use dilemma, a concept typically applied to technologies like nuclear physics or biotechnology, but now also central to AI. Any tool powerful enough to build a complex system can also be repurposed to break one. This dilemma manifests in several critical ways related to cybersecurity. While defenders can employ LLMs to speed up and improve responses, attackers can also take advantage of them for their workflows."
https://unit42.paloaltonetworks.com/dilemma-of-ai-malicious-llms/
https://www.securityweek.com/wormgpt-4-and-kawaiigpt-new-dark-llms-boost-cybercrime-automation/
https://www.theregister.com/2025/11/25/wormgpt_4_evil_ai_lifetime_cost_220_dollars/
FlexibleFerret Malware Continues To Strike
"Early in 2025, a SentinelOne blog post brought to light a malware family known as FlexibleFerret. This malware family is attributed to DPRK-aligned operators and tied to fake recruitment lures associated with the Contagious Interview operation. In this operation, individuals are led through staged hiring tasks that result in the execution of malicious instructions. Earlier this month, Validin released a blog highlighting the details of an attack that they identified as a new variant of the Contagious Interview campaign. Jamf Threat Labs has been tracking similar activity stemming from in-the-wild detections that began with the execution of a script called /var/tmp/macpatch.sh."
https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/
https://www.darkreading.com/cyberattacks-data-breaches/dprks-flexibleferret-tightens-macos-grip
https://www.infosecurity-magazine.com/news/flexibleferret-malware-macos-go/
FBI: Cybercriminals Stole $262M By Impersonating Bank Support Teams
"The FBI warned today of a massive surge in account takeover (ATO) fraud schemes and said that cybercriminals impersonating financial institutions have stolen over $262 million in ATO attacks since the start of the year. Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. In these schemes, criminals gain unauthorized access to online bank, payroll, or health savings accounts using various social engineering techniques or fraudulent websites, the FBI said."
https://www.bleepingcomputer.com/news/security/fbi-cybercriminals-stole-262-million-by-impersonating-bank-support-teams-since-january/
https://www.ic3.gov/PSA/2025/PSA251125
https://therecord.media/millions-in-account-takeover-fbi-warns-ahead-of-holidays
https://securityaffairs.com/185060/cyber-crime/fbi-bank-impersonators-fuel-262m-surge-in-account-takeover-fraud.html
Zscaler Threat Hunting Discovers And Reconstructs a Sophisticated Water Gamayun APT Group Attack
"This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders."
https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack
Smishing Triad Targets Egypt’s Financial Sector And Postal Services
"Recently, during one of our threat hunting operations, our squad identified multiple malicious domains impersonating major Egyptian service providers, including Fawry, the Egypt Post, and Careem. These domains were likely established to support fraud, phishing campaigns, and other malicious activities targeting users and organizations. Before we begin our analysis, we will provide an overview of the Smishing Triad, the cybercriminal group relevant to this report."
https://darkatlas.io/blog/smishing-triad-targets-egypts-financial-sector-and-postal-services
https://www.infosecurity-magazine.com/news/smishing-triad-campaigns-expand/
Threat Spotlight: Akira Ransomware’s SonicWall Campaign Creates Enterprise M&A Risk
"The “Akira” ransomware group has been weaponizing vulnerabilities in SonicWall SSL VPN devices, revealing an overlooked threat for larger enterprises navigating mergers and acquisitions (M&A). These devices, widely used by small- and medium-sized businesses due to their affordability and ease of use, have become launchpads for Akira’s fast-spreading attacks. ReliaQuest analyzed a series of Akira attacks between June and October 2025 that targeted SonicWall SSL VPN devices to uncover a troubling trend. In every incident, Akira operators gained a foothold in larger, acquiring enterprises by compromising SonicWall devices inherited from smaller, acquired business during M&A. In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed."
https://reliaquest.com/blog/threat-spotlight-akira-ransomwares-sonicwall-campaign-creates-enterprise-m&a-risk
https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
Influencers In The Crosshairs: How Cybercriminals Are Targeting Content Creators
"It’s not an easy time to be an influencer. Brands are spending less, ad revenue is declining and competition is fierce – including from AI-generated influencers and impersonators. According to one study, around half of the industry makes just $15,000 or less per year, while just one in 10 pull in over $100,000. As if that wasn’t enough, there’s another challenge: influencers are an increasingly popular target for cybercriminals. A recent spear-phishing campaign abusing brands such as Tesla and Red Bull highlights the potential risks."
https://www.welivesecurity.com/en/social-media/influencers-crosshairs-cybercriminals-targeting-content-creators/
Russian Hackers Target US Engineering Firm Because Of Work Done For Ukrainian Sister City
"Hackers working for Russian intelligence attacked an American engineering company this fall, investigators at a U.S. cybersecurity company said Tuesday — seemingly because that firm had worked for a U.S. municipality with a sister city in Ukraine. The findings reflect the evolving tools and tactics of Russia’s cyber war and demonstrate Moscow’s willingness to attack a growing list of targets, including governments, organizations and private companies that have supported Ukraine, even in a tenuous way."
https://www.securityweek.com/russian-hackers-target-us-engineering-firm-because-of-work-done-for-ukrainian-sister-city/

Breaches/Hacks/Leaks

Dartmouth College Confirms Data Breach After Clop Extortion Attack
"Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site. The private Ivy League research university, founded in 1769, has an endowment of $9 billion as of June 30, 2025, over 40 academic departments and programs, and more than 4,000 undergraduate students, with a 7:1 undergraduate-to-faculty ratio. In a breach notification letter filed with the office of Maine's Attorney General, Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals."
https://www.bleepingcomputer.com/news/security/dartmouth-college-confirms-data-breach-after-clop-extortion-attack/
https://www.theregister.com/2025/11/25/clop_dartmouth_college/
Canon Says Subsidiary Impacted By Oracle EBS Hack
"Imaging and optical technology giant Canon has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. However, its investigation has shown that the incident is limited to a subsidiary of Canon U.S.A., Inc., the company told SecurityWeek in an emailed statement. “We have confirmed that the incident only affected the web server, and we have already taken security measures and resumed service,” Canon said. “In addition, we are continuing to investigate further to ensure that there is no other impact.”"
https://www.securityweek.com/canon-says-subsidiary-impacted-by-oracle-ebs-hack/
OnSolve CodeRED Cyberattack Disrupts Emergency Alert Systems Nationwide
"Risk management company Crisis24 has confirmed its OnSolve CodeRED platform suffered a cyberattack that disrupted emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. The CodeRED platform enables these agencies to send alerts to residents during emergencies. The cyberattack forced Crisis24 to decommission the legacy CodeRED environment, causing widespread disruption for organizations that use the platform for emergency notifications, weather alerts, and other sensitive warnings."
https://www.bleepingcomputer.com/news/security/onsolve-codered-cyberattack-disrupts-emergency-alert-systems-nationwide/
Georgia Court Filing Organization Warns Of Outages After Ransomware Allegations
"The organization responsible for managing real estate and civil court filings in Georgia has been knocked offline by a cyberattack that began on Friday. The Georgia Superior Court Clerks' Cooperative Authority (GSCCCA) said it is experiencing a “credible and ongoing cybersecurity threat” that forced the organization to temporarily restrict access to its website and services."
https://therecord.media/georgia-court-filing-org-ransomware-warning

General News

Supply Chain Sprawl Is Rewriting Security Priorities
"Organizations depend on long chains of vendors, but many cybersecurity professionals say these relationships create gaps they cannot see or control. A new ISC2 survey of more than 1,000 cybersecurity professionals shows that supply chain risk sits near the top of their concerns. 70% of respondents said their organizations are concerned about cybersecurity risks linked to third party suppliers. Concern is highest in enterprise environments and in sectors that handle financial or government data."
https://www.helpnetsecurity.com/2025/11/25/isc2-vendor-security-gaps-report/
The 2026 Tech Tsunami: AI, Quantum, And Web 4.0 Collide
"The year 2026 will not be defined by incremental upgrades. It will be shaped by an unprecedented collision of forces: next-generation computing, hyper-automation, and a global cyber security reckoning. Technological convergence and the rise of autonomous systems will redefine global resilience. Artificial intelligence is no longer a single discipline. It has become the connective tissue linking cloud, networks, and physical systems. Quantum research is challenging the fundamental mathematics of digital trust, while Web 4.0 is transforming the internet into an immersive, always-on layer of reality."
https://blog.checkpoint.com/executive-insights/the-2026-tech-tsunami-ai-quantum-and-web-4-0-collide/
How An AI Meltdown Could Reset Enterprise Expectations
"In this Help Net Security interview, Graham McMillan, CTO at Redgate Software, discusses AI, security, and the future of enterprise oversight. He explains why past incidents haven’t pushed the industry to mature. McMillan also outlines the structural shifts he expects once failures start to have business impact."
https://www.helpnetsecurity.com/2025/11/25/graham-mcmillan-redgate-software-ai-security-future/
Aircraft Cabin IoT Leaves Vendor And Passenger Data Exposed
"The expansion of IoT devices in shared, multi-vendor environments, such as aircraft cabins, has created tension between the benefits of data collaboration and the risks to passenger privacy, vendor intellectual property, and regulatory compliance. A new study finds that even with protections that scramble data while it moves between devices, sensitive information often remains exposed once it reaches its destination."
https://www.helpnetsecurity.com/2025/11/25/aircraft-cabin-iot-privacy-exposure/
https://arxiv.org/pdf/2511.15278
AI And Deepfake-Powered Fraud Skyrockets Amid Identity Fraud Stagnation
"AI is reshaping the identity fraud landscape, helping cybercriminals deploy more sophisticated fraud schemes than ever, despite a global stagnation in fraud attempts. The latest of Sumsub’s Identity Fraud Report, published on November 25, 2025, showed that while identity fraud has slightly decreased in 2025, with identity fraud attempts at 2.2% of all analyzed verifications worldwide – compared to 2.6% in 2024 – the most sophisticated of these attempts have jumped 180%."
https://www.infosecurity-magazine.com/news/ai-deepfake-fraud-skyrockets/
Mounting Cyber-Threats Prompt Calls For Economic Security Bill
"UK lawmakers have called on the government to enshrine in law a new approach to economic security, citing a growing menace to the country from cyber and other threats. The House of Commons Business and Trade Committee issued the call as it published a new report yesterday: Toward a new doctrine for economic security. “Britain is now hugely exposed to the risks of economic warfare and bluntly, our current defenses are not fit for the future,” argued committee chair, Liam Byrne."
https://www.infosecurity-magazine.com/news/mounting-cyber-threats-economic/
CISOs Get Real About Hiring In The Age Of AI
"Becky Bracken: Hello, and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, focused on bringing you real world stories straight from the cyber trenches. Today we are talking about the cybersecurity job market, talent pipeline, and the disruption of both as automation and AI start in earnest to take over those traditional entry level tier one analyst roles."
https://www.darkreading.com/cybersecurity-operations/ciscos-get-real-about-hiring-age-ai
Advanced Security Isn't Stopping Ancient Phishing Tactics
"Phishing is nothing new when it comes to cybersecurity threats, constantly putting users and organizations at risk of compromising sensitive information. But a new study has uncovered alarming insights about the persistent nature of phishing attacks against enterprises in particular, revealing how even some of the most mature companies with the most advanced security systems continue to remain vulnerable — and why phishing attacks aren't going away anytime soon."
https://www.darkreading.com/cyberattacks-data-breaches/advanced-security-phishing-tactics
Cyberthreats Targeting The 2025 Holiday Season: What CISOs Need To Know
"Every year, the holiday season brings a predictable spike in online activity. But in 2025, the volume of newly created malicious infrastructure, account compromise activity, and targeted exploitation of e-commerce systems is markedly higher. Attackers began preparing months in advance, leveraging industrialized tools and services that enable them to scale attacks across multiple platforms, geographies, and merchant categories."
https://www.fortinet.com/blog/threat-research/cyberthreats-targeting-2025-holiday-season-what-cisos-need-to-know
Cato CTRL Threat Research: HashJack – Novel Indirect Prompt Injection Against AI Browser Assistants
"HashJack is a newly discovered indirect prompt injection technique that conceals malicious instructions after the # in legitimate URLs. When AI browsers send the full URL (including the fragment) to their AI assistants, those hidden prompts get executed. This enables threat actors to conduct a variety of malicious activities. Cato CTRL’s findings outline six scenarios including callback phishing, data exfiltration (in agentic modes), misinformation, malware guidance, medical harm, and credential theft. Trusted URL. Clean webpage. Compromised AI browser assistant."
https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/
https://www.theregister.com/2025/11/25/hashjack_attack_ai_browser_hashtag/
The AI-Fication Of Cyberthreats: Trend Micro Security Predictions For 2026
"Our annual security predictions report is designed to help organizations navigate an ever-changing threat landscape with confidence so they can face the challenges and seize the opportunities that the coming year has in store. Drawing on insights from Trend Micro’s global team of researchers and security experts, this year’s edition highlights the trends we believe will shape 2026 and beyond. The cybersecurity landscape is entering a new era, one shaped by automation and constant connection. Businesses are embracing AI tools to boost efficiency, sharpen decision-making, and unlock new opportunities. However, cybercriminals are also using these tools to automate reconnaissance, launch phishing campaigns, and carry out attacks at scale. What once required deep expertise can now be done with minimal effort, as AI-driven automation levels the playing field between skilled attackers and opportunistic threat actors."
https://www.trendmicro.com/vinfo/gb/security/research-and-analysis/predictions/the-ai-fication-of-cyberthreats-trend-micro-security-predictions-for-2026
https://documents.trendmicro.com/assets/research-reports/the-ai-fication-of-cyberthreats-trend-micro-security-predictions-for-2026.pdf
https://www.theregister.com/2025/11/25/trend_micro_agentic_ai_assisted_ransomware/
Is Your Android TV Streaming Box Part Of a Botnet?
"On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers."
https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

เมื่อวันที่ 24 พฤศจิกายน 2568 Cybersecurity and Infrastructure Security Agency (CISA) ทราบว่ามีผู้ก่อภัยคุกคามทางไซเบอร์หลายกลุ่มกำลังใช้สปายแวร์เชิงพาณิชย์เพื่อโจมตีผู้ใช้แอปพลิเคชันส่งข้อความ (mobile messaging applications) บนมือถืออย่างต่อเนื่อง ผู้ก่อภัยคุกคามเหล่านี้ใช้เทคนิคการเจาะเป้าหมายที่ซับซ้อนร่วมกับการหลอกลวงทางสังคม (social engineering) เพื่อส่งสปายแวร์และเข้าถึงแอปส่งข้อความของเหยื่อโดยไม่ได้รับอนุญาต ซึ่งช่วยให้พวกเขาสามารถติดตั้งเพย์โหลดที่เป็นอันตรายเพิ่มเติมเพื่อลุกลามการโจมตีและยึดครองอุปกรณ์มือถือของเหยื่อได้มากขึ้น

ผู้โจมตีมีวิธีการในการก่อเหตุ ดังนี้

การฟิชชิ่งและใช้ QR Code สำหรับเชื่อมอุปกรณ์ ที่เป็นอันตราย เพื่อเจาะบัญชีของเหยื่อและเชื่อมต่อบัญชีนั้นเข้ากับอุปกรณ์ที่ผู้ก่อเหตุควบคุม
การใช้ช่องโหว่แบบ zero-click ซึ่งไม่ต้องการการกระทำใด ๆ จากผู้ใช้
การปลอมแปลงตัวตน เป็นแพลตฟอร์มแอปส่งข้อความ เช่น Signal และ WhatsApp

แม้ว่าการโจมตีในปัจจุบันจะเป็นลักษณะเหมือนสุ่มมองหาเป้าหมาย (opportunistic) แต่หลักฐานบ่งชี้ว่าผู้ก่อภัยคุกคามเหล่านี้มุ่งเน้นไปยังบุคคลที่มีมูลค่าสูง เช่น เจ้าหน้าที่ระดับสูงทั้งปัจจุบันและอดีตของภาครัฐ ทหาร และผู้ดำรงตำแหน่งทางการเมือง รวมถึงองค์กรภาคประชาสังคม (CSOs) และบุคคลต่าง ๆ ในสหรัฐอเมริกา ตะวันออกกลาง และยุโรป

CISA ขอเน้นย้ำให้ผู้ใช้แอปส่งข้อความตรวจสอบเอกสารคำแนะนำล่าสุด ได้แก่ Mobile Communications Best Practice Guidance และ Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society เพื่อเรียนรู้แนวทางปฏิบัติในการปกป้องการสื่อสารบนมือถือ การใช้งานแอปส่งข้อความ และวิธีลดความเสี่ยงจากสปายแวร์

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications?utm_source=https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications&utm_medium=GovDelivery

NCSA_THAICERT

Healthcare Sector

The Privacy Tension Driving The Medical Data Shift Nobody Wants To Talk About
"Most people assume their medical data sits in quiet storage, protected by familiar rules. That belief gives a sense of safety, but new research argues that the world around healthcare data has changed faster than the policies meant to guide it. As a result, the system is stuck, and the cost of that stagnation is rising for patients, researchers, and innovators. The paper, written by experts from major U.S. medical institutions, examines how healthcare’s privacy-centric approach limits progress at a moment when data could unlock better tools, lower costs, and broader access to care. The authors argue that privacy remains important, but current frameworks fall behind the ways data is produced, used, and misused in digital environments."
https://www.helpnetsecurity.com/2025/11/24/medical-data-stewardship-privacy/
https://arxiv.org/pdf/2511.15829

New Tooling

Cnspec: Open-Source, Cloud-Native Security And Policy Project
"cnspec is an open source tool that helps when you are trying to keep a sprawling setup of clouds, containers, APIs and endpoints under control. It checks security and compliance across all of it, which makes it easier to see what needs attention. At its core, cnspec looks for vulnerabilities and misconfigurations across public and private cloud environments, Kubernetes clusters, containers, container registries, servers, endpoints, SaaS products, infrastructure as code and APIs. It uses a policy-as-code engine built on a security data fabric, which allows you to codify checks and run them at scale."
https://www.helpnetsecurity.com/2025/11/24/cnspec-open-source-cloud-native-security-policy-project/
https://github.com/mondoohq/cnspec

Vulnerabilities

Critical Vulnerabilities In FluentBit Expose Cloud Environments To Remote Takeover
"A new chain of 5 critical vulnerabilities within Fluent Bit allows attackers to compromise cloud infrastructure. Fluent Bit, an open-source tool for collecting, processing, and forwarding logs is the quiet messenger of modern computing. It is embedded in billions of containers and deployed more than 15 billion times, with over 4 million pulls in the past week alone. It runs everywhere: AI labs, banks, car manufactures, all the major cloud providers such as AWS, Google Cloud, and Microsoft Azure, and more."
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
https://thehackernews.com/2025/11/new-fluent-bit-flaws-expose-cloud-to.html
https://www.infosecurity-magazine.com/news/flaws-expose-risks-fluent-bit/
https://www.theregister.com/2025/11/24/fluent_bit_cves/

Malware

RadzaRat: New Android Trojan Disguised As File Manager Emerges With Zero Detection Rate
"The Android malware-as-a-service (MaaS) ecosystem continues to evolve with increasingly sophisticated threats designed to evade security measures while maintaining operational simplicity for would-be attackers. The emergence of RadzaRat, an Android remote access trojan (RAT) recently discovered by Certo’s researchers, exemplifies this troubling trend. What makes this threat particularly concerning is not just its capabilities, but its complete absence from security vendor detection lists and its brazen distribution through legitimate code hosting platforms."
https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/
https://hackread.com/radzarat-spyware-hijack-android-devices/
Malicious Blender Model Files Deliver StealC Infostealing Malware
"A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. Blender is a powerful open-source 3D creation suite that can execute Python scripts for automation, custom user interface panels, add-ons, rendering processes, rigging tools, and pipeline integration. If the Auto Run feature is enabled, when a user opens a character rig, a Python script can automatically load the facial controls and custom UI panels with the required buttons and sliders."
https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/
https://www.infosecurity-magazine.com/news/russian-malware-blender-3d-files/
ClickFix Gets Creative: Malware Buried In Images
"This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory."
https://www.huntress.com/blog/clickfix-malware-buried-in-images
https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/
https://www.theregister.com/2025/11/24/clickfix_attack_infostealers_images/
Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised
"It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. Yikes, surely that's a false positive? Nope, welcome to Monday, Shai Hulud struck again. Strap in. The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks. With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline."
https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
https://www.darkreading.com/application-security/infamous-shai-hulud-worm-resurfaces-from-depths
https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/
https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
https://cyberscoop.com/supply-chain-attack-shai-hulud-npm/
GhostAd: Hidden Google Play Adware Drains Devices And Disrupts Millions Of Users
"Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity. During an internal threat-hunting investigation, Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools. Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data."
https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drains-devices-and-disrupts-millions-of-users/
Checkmarx Zero Takes Down Malicious “Prettier” Alternative Found In VSCode Marketplace
"Checkmarx Zero’s ongoing monitoring of the Visual Studio Code Marketplace has identified a critical Brandjacking style attack in the form of a malicious VSCode extension. Name: prettier-vscode-plus (full identifier: publishingsofficial.prettier-vscode-plus) Publisher Account: publishingsofficial Release Date: 2025-11-21 11:34:12 UTC We identified and reported this extension quickly, and it was removed within 4 hours after its publication, thanks to the efforts of Daniel Miranda and Raphael Silva on the Checkmarx Zero team and coordination with the VSCode Marketplace security team. We detected only 6 downloads and 3 installs before removal."
https://checkmarx.com/zero-post/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace/
https://hackread.com/prettier-extension-vscode-marketplace-anivia-stealer/

Breaches/Hacks/Leaks

146,000 Impacted By Delta Dental Of Virginia Data Breach
"Dental services provider Delta Dental of Virginia (DDVA) is notifying roughly 146,000 people that their personal and health information was compromised in a data breach this year. In the notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office, the organization describes the incident as the compromise of an email account. Between March 21 and April 23, it says, a threat actor accessed and may have exfiltrated emails and attachments containing patient data from the impacted email account."
https://www.securityweek.com/146000-impacted-by-delta-dental-of-virginia-data-breach/
https://securityaffairs.com/185019/data-breach/delta-dental-of-virginia-data-breach-impacts-145918-customers.html
https://www.bankinfosecurity.com/email-hacks-continue-to-plague-healthcare-sector-a-30116
Real-Estate Finance Services Giant SitusAMC Breach Exposes Client Data
"SitusAMC, a company that provides back-end services for top banks and lenders, disclosed on Saturday a data breach it had discovered earlier this month that impacted customer data. As a real-estate (commercial and residential) financing firm, SitusAMC handles back-office operations in areas like mortgage origination, servicing, and compliance for banks and investors. The company generates around $1 billion in annual revenue from 1,500 clients, some of whom are banking giants like Citi, Morgan Stanley, and JPMorgan Chase."
https://www.bleepingcomputer.com/news/security/real-estate-finance-services-giant-situsamc-breach-exposes-client-data/
https://www.bankinfosecurity.com/major-us-banks-gauge-their-exposure-to-situsamc-breach-a-30114
https://www.theregister.com/2025/11/24/situsamc_breach/
Harvard University Discloses Data Breach Affecting Alumni, Donors
"Harvard University disclosed over the weekend that its Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing the personal information of students, alumni, donors, staff, and faculty members. The exposed data includes email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and "biographical information pertaining to University fundraising and alumni engagement activities.""
https://www.bleepingcomputer.com/news/security/harvard-university-discloses-data-breach-affecting-alumni-donors/
https://securityaffairs.com/185034/security/harvard-reports-vishing-breach-exposing-alumni-and-donor-contact-data.html
Mazda Says No Data Leakage Or Operational Impact From Oracle Hack
"Mazda has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. However, the carmaker told SecurityWeek that the incident did not impact system operations or production. In addition, the company said “no data leakage has been confirmed”. A Mazda Motor Europe representative clarified that “traces of an attack” were detected, but its “defensive measures were effective, preventing any system impact or data leakage”. The company said it continues to monitor its systems."
https://www.securityweek.com/mazda-says-no-data-leakage-or-operational-impact-from-oracle-hack/
Hackers Knock Out Systems At Moscow-Run Postal Operator In Occupied Ukraine
"A Russian state-owned postal operator in occupied eastern Ukraine said Monday its systems were disrupted by “external interference” after a pro-Ukraine hacktivist group claimed it had wiped thousands of the company’s devices. Donbas Post, which operates in the Russian-controlled parts of Donetsk and Luhansk, said the incident affected its corporate network, web platform and email systems. The company had restricted access to several services to contain the breach and was working to restore operations."
https://therecord.media/hackers-knock-out-systems-russia-operated-post-ukraine

General News

What Happens When Vulnerability Scores Fall Apart?
"Security leaders depend on vulnerability data to guide decisions, but the system supplying that data is struggling. An analysis from Sonatype shows that core vulnerability indexes no longer deliver the consistency or speed needed for the current software environment. The CVE program still serves as the industry’s naming backbone, and the NVD remains a primary source for severity ratings. These tools were built for an era of slower release cycles. They have not kept up with continuous deployment, heavy dependency use, and automated development workflows."
https://www.helpnetsecurity.com/2025/11/24/sonatype-vulnerability-scoring-gaps-report/
Email Blind Spots Are Back To Bite Security Teams
"The threat landscape is forcing CISOs to rethink what they consider normal. The latest Cybersecurity Report 2026 by Hornetsecurity, based on analysis of more than 70 billion emails and broad threat telemetry, shows attackers adopting automation, AI driven social engineering, and new evasion techniques at scale. Email remains the primary entry point for compromise. Malware in email increased by more than 130% year over year. Scams rose by more than 30% and phishing increased by more than 20%. These categories continue to drive most of the operational impact that organizations experience, including account compromise and business disruption."
https://www.helpnetsecurity.com/2025/11/24/hornetsecurity-email-attack-tactics-report/
The Slow Rise Of SBOMs Meets The Rapid Advance Of AI
"Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent."
https://cyberscoop.com/sbom-adoption-challenges-ai-coding-transparency/
Quantum Encryption Is Pushing Satellite Hardware To Its Limits
"In this Help Net Security interview, Colonel Ludovic Monnerat, Commander Space Command, Swiss Armed Forces, discusses how securing space assets is advancing in response to emerging quantum threats. He explains why satellite systems must move beyond traditional cryptography to remain protected. Monnerat also describes how future communication architectures will need to integrate quantum-safe methods without disrupting operations."
https://www.helpnetsecurity.com/2025/11/24/ludovic-monnerat-swiss-armed-forces-securing-satellite-architecture/
AI Attack Agents Are Accelerators, Not Autonomous Weapons: The Anthropic Attack
"Anthropic recently published a report that sparked a lively debate about what AI agents can actually do during a cyberattack. The study shows an AI system, trained specifically for offensive tasks, handling 80–90% of the tactical workload in simulated operations. At first glance, this sounds like a giant leap toward autonomous cyber weapons, but the real story is more nuanced, and far less dramatic. Anthropic’s agent excelled at one thing: speed. It generated scripts in seconds, tested known exploits with no fatigue, scanned configurations at scale, and built basic infrastructure faster than any analyst could. These tasks normally take hours or days, and the AI completed them almost instantly. It automated the “grunt work” that fills so much of an attacker’s time."
https://securityaffairs.com/184943/security/ai-attack-agents-are-accelerators-not-autonomous-weapons-the-anthropic-attack.html
Spyware Allows Cyber Threat Actors To Target Users Of Messaging Applications
"CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps).1 These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device."
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
https://cyberscoop.com/cisa-alert-draws-attention-to-spywares-targeting-of-messaging-apps/
New Research Finds That Claude Breaks Bad If You Teach It To Cheat
"According to Anthropic, its large language model Claude is designed to be a “harmless” and helpful assistant. But new research released by the company Nov. 21 shows that when Claude is taught to cheat in one area, it becomes broadly malicious and untrustworthy in other areas. The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking."
https://cyberscoop.com/anthropic-claude-breaks-bad-jailbreak-reward-hacking-study/
https://assets.anthropic.com/m/74342f2c96095771/original/Natural-emergent-misalignment-from-reward-hacking-paper.pdf
To Buy Or Not To Buy: How Cybercriminals Capitalize On Black Friday
"The global e‑commerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global e‑commerce is projected to grow by 7–9% annually through 2040. At Kaspersky, we track how this surge in online shopping activity is mirrored by cyber threats. In 2025, we observed attacks which targeted not only e‑commerce platform users but online shoppers in general, including those using digital marketplaces, payment services and apps for everyday purchases."
https://securelist.com/black-friday-threat-report-2025/118083/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

BadAudio ใช้เทคนิคขั้นสูงหลบการตรวจจับ แทรกซึม.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand