NCSA Webboard

    Posts created by NCSA_THAICERT

    • Supply chain attack via CDN found, affecting popular WordPress plugins on over 1.2 million websites

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Extradited Ukrainian man pleads guilty to involvement in Conti ransomware attacks

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • FBI and private sector partners dismantle a large phishing platform network that used AI technology

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 16 June 2026

      New Tooling

      • Open-Source CI/CD Abuse Detector Guards Against Stolen Credential Attacks
        "CI/CD Abuse Detector is an open-source project that uses a large language model to flag suspicious changes to continuous integration and continuous deployment pipelines, workflows, and automation configurations. The repository contains drop-in templates for GitHub Actions, GitLab CI, and Azure DevOps. The project targets a common attack chain in software supply chain compromises. Stolen developer credentials are used to push modifications to workflow files, which then harvest secrets stored in the CI environment. The detector aims to catch these modifications during code review, before the altered workflow executes."
        https://www.helpnetsecurity.com/2026/06/15/ci-cd-abuse-detector-open-source/

      Vulnerabilities

      • CVE-2026-48558: SimpleHelp Authentication Bypass Indicators Of Compromise
        "At Horizon3.ai, we have been experimenting with generative AI heavily across all areas of work. One area I commonly work in is vulnerability research. Early in 2026, and inspired by DARPA’s AIxCC, I ventured into creating an autonomous vulnerability research pipeline that would re-implement my research methodologies and hopefully find real, exploitable vulnerabilities. This internal initiative is codenamed “Sua Sponte” – latin for “Of its own accord”."
        https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
        https://www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
        CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Cisco Fixes SD-WAN vManage Flaw Exploited In Zero-Day Attacks
        "Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard. The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP)."
        https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/
        https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916
      • SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
        "Varonis Threat Labs has uncovered a new three-stage vulnerability chain that turns Microsoft 365 Copilot Enterprise Search into a silent data exfiltration weapon. Dubbed SearchLeak, the chain combines a relatively new class of AI-specific vulnerability known as Parameter-to-Prompt Injection (P2P) with two classic web security bugs: an HTML injection race condition and a server-side request forgery (SSRF)."
        https://www.varonis.com/blog/searchleak
        https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
        https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
        https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft
      • LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
        "A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed. LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface. A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it."
        https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html

      Malware

      • Android.MagicAd Trojan Displays Ads Despite All Restrictions
        "Doctor Web’s experts have discovered Android.MagicAd, a trojan that bypasses Android OS restrictions in various ways to display background ads. One of these methods is universal, while the others are designed for devices from specific manufacturers. These include exploiting third-party software and using the system media player."
        https://news.drweb.com/show/?i=15262&lng=en
        https://hackread.com/android-apps-magicad-trojan-official-stores/
      • PhishLumos: Exposing Phishing Campaigns That Evade Detection By Hiding Content
        "Phishing remains one of the most stubbornly persistent threats in cybersecurity: humans are tired, distracted, trusting, and susceptible to urgency and authority in ways that no amount of awareness training can completely overcome. The security community has largely accepted this reality and shifted focus toward automated detection systems that can intercept and block phishing threats before users see them."
        https://www.helpnetsecurity.com/2026/06/15/phishlumos-phishing-campaign-detection/
        https://ieeexplore.ieee.org/document/11534625/authors
      • A Hardware Neural Network Backdoor That Hides In Plain Sight
        "Deep learning systems on phones, cars, and other edge devices increasingly run on custom silicon. Specialized chips such as FPGAs and ASICs give these systems the speed and low power consumption that edge applications need. Many of these chips come from third-party design houses and foundries, which adds steps to the supply chain where an outside party can alter a device. Researchers at the University of Tennessee and the University of Florida built an attack that takes advantage of this arrangement. The attack, called HAMLOCK, short for Hardware-Model Logically Combined Attack, divides a backdoor into two parts and places them on opposite sides of the hardware and software boundary."
        https://www.helpnetsecurity.com/2026/06/15/hardware-neural-network-backdoor-research/
      • 152 Chrome Live Wallpaper Extensions Hid Ad Tracking And Faked Google Search Traffic
        "Socket's Threat Research Team identified a family of 152 Chrome Web Store new-tab "live wallpaper" extensions, built from one shared codebase but distributed across 38 separate Chrome Web Store publisher accounts and three brand backends, carrying a combined total of approximately 105,000 reported installs. Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners."
        https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking
        https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html
      • OptinMonster Supply Chain Attack Hits 1.2 Million Sites
        "Sansec discovered an active supply-chain attack hitting over 1.2 million sites that use the popular OptinMonster, TrustPulse and PushEngage WordPress plugins, all operated by WordPress giant Awesome Motive. Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customers' sites. The malware waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin. It then sends the new credentials to tidio.cc, a lookalike of the real tidio.com. The campaign is ongoing as of 13 June 2026."
        https://sansec.io/research/optinmonster-supply-chain-attack
        https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
        https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/
        https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html
        https://www.infosecurity-magazine.com/news/wordpress-plugin-supply-chain/
      • UNC1151/Ghostwriter Phishing Campaign Targeting Gmail Accounts
        "The UNC1151/Ghostwriter group remains one of the most active APT groups monitored by the CERT Polska team. For many years, it has consistently conducted phishing campaigns aimed at gaining access to the email accounts of Polish citizens. Once compromised, attackers search for valuable information on these accounts, such as contact lists (used to identify further targets), sensitive documents, or linked accounts (e.g., social media). These linked accounts can then be taken over."
        https://cert.pl/en/posts/2026/06/UNC1151-gmail-campaign/
        https://therecord.media/ghostwriter-targets-personal-gmail-accounts-in-poland
      • The Gentlemen Ransomware: 483 Victims And a Leaked Playbook
        "The Gentlemen, a ransomware-as-a-service crew active since around September 2025, has now listed 483 victims on its dark-web leak site, including 380 in 2026 alone, according to Ransomtracker data Ransomnews pulled on 13 June 2026. A May 2026 leak of the gang’s internal chat logs exposed a nine-person core, AI-assisted tooling, and an intrusion model built on stolen infostealer credentials. The group is active and still listing victims weekly."
        https://ransomnews.com/the-gentlemen-ransomware-2026/
        https://securityaffairs.com/193622/uncategorized/infostealers-ai-and-a-90-affiliate-cut-fuel-the-gentlemen-groups-rise.html
      • FBI: Fraudsters Use Couriers To Steal Money In Crypto Scams
        "The U.S. Federal Bureau of Investigation (FBI) warned that criminals are using couriers to collect money from victims of cryptocurrency investment scams, also known as pig butchering or romance baiting. Such scams usually start with the fraudsters reaching out to their targets via social media, dating sites, and messaging apps, building trust, and then luring victims into fake investment schemes. However, instead of investing their funds, the scammers will steal the money by moving it into accounts under their control."
        https://www.bleepingcomputer.com/news/security/fbi-fraudsters-use-couriers-to-steal-money-in-crypto-scams/
        https://www.ic3.gov/PSA/2026/PSA260615
      • Public And Private Medical Community Targeted By China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, And National Defense Research
        "Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. The threat actor had broad collection aspirations, including sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research."
        https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research
        https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/
        https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
        https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected
        https://cyberscoop.com/google-unc6508-china-espionage-threat/
        https://www.securityweek.com/chinese-hackers-target-medical-military-and-ai-research-in-north-america/
        https://www.theregister.com/research/2026/06/15/google-says-prc-linked-spies-hid-in-medical-research-networks-for-more-than-a-year/5254547
        https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/
      • The Anubis Ransomware Attack On The Adriatic Port Authority
        "A severe ransomware attack orchestrated by the Anubis ransomware group targeted the Adriatic Port Authority, crippling its operations and disrupting maritime logistics across the region. This cyberattack has raised significant concerns about the vulnerabilities in critical infrastructure. Considering ongoing global supply chain disruptions and the emergence of new threats in the maritime security domain, Resecurity forecasts an increase in malicious activity by nation-states, cyber-mercenaries, advanced cybercriminal and espionage groups. Ransomware attacks have repeatedly targeted port authorities and maritime operations across countries, causing widespread disruption and massive financial losses. Below are confirmed cybersecurity incidents:"
        https://www.resecurity.com/blog/article/the-anubis-ransomware-attack-on-the-adriatic-port-authority
        https://www.infosecurity-magazine.com/news/anubis-ransomware-adriatic-port/
      • Inside a Malicious Infrastructure Delivering EtherRAT, Phishing Pages, And Malicious Software
        "During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages. EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Ethereum blockchain to obtain the C2 server, hence the “Ether” part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-a-malicious-infrastructure-delivering-etherrat-phishing-pages-and-malicious-software

      Breaches/Hacks/Leaks

      • ShinyHunters Claims Council Of Europe Hack
        "The notorious extortion group ShinyHunters claims to have hacked the Council of Europe and to have stolen nearly 300 gigabytes of data. Europe’s leading human rights organization and an official United Nations observer, the Council of Europe was founded in 1949 and includes 46 member states, including 27 European Union countries. On Sunday, ShinyHunters added the Council of Europe to its Tor-based leak site, threatening to release more than 297 GB of data allegedly stolen from the organization’s network."
        https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/
        https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/
        https://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757
      • Infinite Campus Data Breach Affects 137,000 School Staff Accounts
        "The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March. Infinite Campus is an education technology (EdTech) company that provides a student information system (SIS) to over 3,200 school districts across the United States, managing data for 11 million students in 46 states."
        https://www.bleepingcomputer.com/news/security/infinite-campus-data-breach-affects-137-000-school-staff-accounts/
      • Cyberattack On Russian Tech Firm Astral Disrupts Business, Government Services For Week
        "The Russian software company Kaluga Astral said on Monday that it had been hit by a cyberattack earlier this month that disrupted several of its services for about a week, affecting customers that rely on its software for tax reporting, electronic document management and other business operations. “We are bringing each service back online only after completing a full security review — we are not willing to compromise security for the sake of speed. That is why the recovery process is taking longer than we would like,” the company said."
        https://therecord.media/cyberattack-on-russian-tech-firm-astral-disrupts-business-government-services

      General News

      • Onspring CISO On Where Automated GRC Systems Fall Short
        "In this interview with Help Net Security, Nichole Windholz, CISO at Onspring, talks about the limits of automated GRC systems and continuous control monitoring. She explains why color-coded dashboards can hide nuance, how teams can check the data feeding their tools, and which risks resist measurement, such as insider behavior and vendor concentration."
        https://www.helpnetsecurity.com/2026/06/15/nichole-windholz-onspring-automated-grc-systems/
      • Senior Engineers Are Spending Their Week Cleaning Up AI-Generated Code
        "At most U.S. technology companies, machines now write the bulk of the code that ships each week. The engineer’s job has shifted toward reviewing what the AI produces, and that review gives the code high marks. Leaders rate AI-generated code as higher quality than the code their own people write, praising its clean structure, consistent style, and low count of obvious bugs at submission time. The same code behaves worse once it runs. Production incidents have climbed over the past year. Senior engineers spend more of their time fixing what the AI generated. A large majority of organizations hit at least one production failure tied to AI code in the past six months, and a sizable share of that code goes back for repair soon after it ships."
        https://www.helpnetsecurity.com/2026/06/15/ai-generated-code-review-issues/
      • When AI Leaves The Lab: Testing Frontier Models In Government Cyber Defence
        "The Government Cyber Action Plan aims to boost cyber resilience across the UK public sector by using emerging technologies to manage risk. The Government Cyber Coordination Centre (GC3) - a partnership between the NCSC and the Department for Science, Innovation and Technology - is leading this work, exploring how frontier AI can be applied safely to cyber defence across government."
        https://www.gov.uk/government/case-studies/when-ai-leaves-the-lab-testing-frontier-models-in-government-cyber-defence
        https://www.infosecurity-magazine.com/news/uk-government-400-vulnerabilities/
      • Energy, Healthcare, And Finance: Why Midwest Industries Are Facing Surging Cyber Attacks
        "Across the United States, the average organization faced slightly fewer cyber attacks per week in May 2026 than it did a year earlier, according to Check Point Research — the national figure was essentially flat year over year. In the Central US, however, the trend ran the other way. Organizations there faced more attacks than a year ago, and more than the national average — as they did in every month of 2026."
        https://blog.checkpoint.com/usa/energy-healthcare-and-finance-why-midwest-industries-are-facing-surging-cyber-attacks/
      • Travel Phishing And Cyber Attacks Are Surging In 2026, Growing 122% Over The Last 3 Years. Here’s What Cyber Criminals Are Actually Doing
        "Every summer, hundreds of millions of people book flights, reserve hotels, and plan vacations online. And every summer, cyber criminals show up to take advantage of exactly that. Check Point Research tracked the threat landscape heading into the 2026 summer travel season, and what they found should give travelers pause before they click “confirm booking.”"
        https://blog.checkpoint.com/research/travel-phishing-and-cyber-attacks-are-surging-in-2026-growing-122-over-the-last-3-years-heres-what-cyber-criminals-are-actually-doing/
      • The Beginning Of The End Of Social Engineering
        "Over the past month, the world's largest technology companies have quietly converged on the same idea. In May, Google positioned Gemini as an increasingly integrated part of Android. This week, Apple expanded Apple Intelligence across the iPhone, iPad, and Mac. While much of the attention has focused on productivity and convenience, a more significant shift may be underway. For the first time, operating systems are beginning to move beyond simply executing commands and displaying information. They are becoming active participants in interpreting what users see, hear, receive, and trust."
        https://www.darkreading.com/cyberattacks-data-breaches/beginning-end-social-engineering
      • AI Vulnerability Discovery Is Pushing 2026 CVEs Toward 66,000
        "Vulnerability disclosures are piling up faster in 2026 than anyone expected at the start of the year. The running count for the first few months sits well above the original projection, and the Forum of Incident Response and Security Teams (FIRST) now expects the year to land near 66,000 CVEs. The cause sits mostly with one development: AI tools have started hunting for software flaws on their own, and they are good at it. “The teams that will weather the vulnerability storm of 2026 are the ones with trusted networks already in place, who are sharing intelligence and are coordinating response before any crises hit,” said Chris Gibson, CEO of FIRST."
        https://www.helpnetsecurity.com/2026/06/15/first-2026-cve-forecast/

      Source: Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 15 June 2026

      Vulnerabilities

      • Chrome 149 Update Patches 28 Vulnerabilities
        "Google on Thursday rolled out a Chrome 149 update that resolves 28 critical and high-severity vulnerabilities. The update patches five critical-severity bugs: use-after-free issues in Core, DigitalCredentials, and WebMIDI, an insufficient validation of untrusted input flaw in Accessibility, and a heap buffer overflow defect in GPU. The remaining 23 vulnerabilities are high-severity flaws: nine use-after-free, four insufficient validation of untrusted input, three inappropriate implementation, two insufficient policy enforcement, two out-of-bounds read, an out-of-bounds write, a race condition, and a heap buffer overflow."
        https://www.securityweek.com/chrome-149-update-patches-28-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/193574/security/u-s-cisa-adds-oracle-peoplesoft-enterprise-peopletools-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751)
        "It is yet another day in this parallel universe of security, where the devices we bolt onto the edge of our networks to keep the bad people out are, with remarkable consistency, the exact thing that let the bad people in. While we’ve seemingly had a breather from traditional SSL VPN exploitation season (you know, the one where every edge appliance vendor takes it in turns to have a very bad week), it’s now time to pull up a chair and welcome ourselves back to another group therapy session."
        https://labs.watchtowr.com/marking-your-own-homework-check-point-remote-access-vpn-ikev1-authentication-bypass-cve-2026-50751/
        https://www.helpnetsecurity.com/2026/06/12/cve-2026-50751-poc-exploit/
      • Microsoft Has Mostly Repaired Flaw In Surface Hardware That Allowed Unprotected Devices To Be Bricked By a Single Packet
        "For the past 90 days, Microsoft has been quietly patching a firmware flaw in Surface devices that allowed the hardware to be bricked with a single packet, though only for those who have disabled Secure Core and Secure Boot. And the company's Copilot AI software inadvertently helped identify the faulty firmware. According to Jack Darcy, a security researcher based in Australia, his instance of Microsoft Copilot stumbled across the bug after being asked to adjust the screen backlighting on a Surface device. The Copilot-conjured Python script ended up rendering the researcher's laptop inoperable by overwriting the embedded controller firmware."
        https://www.theregister.com/security/2026/06/12/microsoft-has-mostly-repaired-flaw-in-surface-hardware-that-allowed-unprotected-devices-to-be-bricked-by-a-single-packet/5253895
      • 21,786 Home Cameras, No Password, No Warning
        "In May 2026, Mysterium VPN queried a public internet-wide device index to count every camera and recorder that answers the open internet. They found more than three million reachable devices. Of those, 21,786 were streaming live video to anyone who pointed a browser at them, with no login, no challenge, and no warning to the person on the other side of the lens. That number is a floor, not a ceiling. Two brands dominate the internet-reachable camera market: Hikvision and Dahua together account for most of the three million. But the headline figure isn’t about them."
        https://securityaffairs.com/193536/hacking/21786-home-cameras-no-password-no-warning.html

      Malware

      • Over 400 Arch Linux Packages Compromised To Push Rootkit, Infostealer
        "More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. A report from the open-source intelligence community Independent Federated Intelligence Network (IFIN) notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages. The Arch Linux distribution is popular among power users and developers, using the AUR catalog to provide the latest versions for installed software, drivers, and the kernel."
        https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/
        https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577
        https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
      • Borrowed Trust – Systematic Exploitation Of Abandoned Cloud DNS Delegations To Serve Thai Gambling SEO Content
        "Cyble Research & Intelligence Labs (CRIL) has identified an active SEO poisoning campaign exploiting abandoned cloud DNS zone delegations to serve Thai-language gambling content under the domain authority of reputed enterprise organizations. The campaign has compromised 163 organizations across 30+ countries, spanning federal government agencies, national healthcare systems, financial institutions, critical infrastructure operators, and major universities."
        https://cyble.com/blog/borrowed-trust-cloud-dns-takeover-thai-gambling-seo-poisoning/
      • Atomic Arch: Attackers Hijack Trusted AUR Packages To Deliver Rootkit-Like Malware
        "Sonatype researchers uncovered Atomic Arch, a new campaign targeting orphaned packages in the Arch User Repository in which attackers take over legitimate, abandoned AUR projects and modify PKGBUILDs to install a malicious npm package during installation. This is especially concerning because the trusted package itself may not look obviously malicious. The attack hides behind build instructions, downstream dependencies, and existing developer trust."
        https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency
        https://thehackernews.com/2026/06/400-arch-linux-aur-packages-hijacked-to.html
        https://hackread.com/atomic-arch-hijacks-linux-aur-packages-malware/
      • Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated An Internal Network Undetected
        "When Sygnia’s IR team began reconstructing the intrusion that would become known as Operation Highland, the earliest forensic artifacts dated back to 2016. What they uncovered was not a recent breach but a near-decade of undetected presence inside an internal network – a network the attacker had no direct path into, and reached anyway. Velvet Ant is a China-nexus threat actor Sygnia has tracked across multiple investigations. This is not an isolated campaign. In earlier research, we documented the group abusing F5 BIG-IP appliances and legacy Windows infrastructure to maintain long-term persistence. More recently, we reported on their exploitation of CVE-2024-20399, a zero-day in Cisco NX-OS, to deploy a hybrid backdoor (VELVETSHELL) directly on Cisco Nexus switches, and published a detailed advisory with detection and prevention guidance. The pattern across all these investigations is consistent: Velvet Ant escalates when detected, pivots to less-monitored infrastructure, and rebuilds persistence from a new vantage point."
        https://www.sygnia.co/blog/operation-highland-velvet-ant/
        https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
        https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/
      • LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine
        "In this LABScon 25 presentation, ESET researchers Matthieu Faou and Zoltán Rusnák present the first technical evidence that Gamaredon actively facilitated Turla’s access to high-value Ukrainian targets in Ukraine. Across incidents observed between February and June 2025, Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after the group appeared to have lost its foothold."
        https://www.sentinelone.com/labs/labscon25-replay-gamaredon-x-turla-unveiling-a-2025-espionage-alliance-targeting-ukraine/
      • Shai-Hulud Campaign Evolution: Miasma, Hades, And AI Scanner Evasion
        "Since Zscaler ThreatLabz published its analysis of Shai-Hulud V2 in November 2025, the campaign has continued to evolve in ways that distinguish it from more typical software supply chain attacks. Over the last six months, the activity expanded beyond npm into the Python Package Index (PyPI), shifted from maintainer-focused compromise to CI/CD abuse, undermined trust in Supply-chain Levels for Software Artifacts (SLSA) provenance and OpenID Connect (OIDC)-based publishing workflows without breaking their underlying cryptographic guarantees, extended execution into IDE configuration files, and introduced prompt injection designed to evade AI-based security scanners."
        https://www.zscaler.com/blogs/security-research/shai-hulud-campaign-evolution-miasma-hades-and-ai-scanner-evasion

      Breaches/Hacks/Leaks

      • Pharma Giant Novo Nordisk Discloses Breach Of Clinical Trials Data
        "Danish pharmaceutical giant Novo Nordisk, the world's largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials. Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic. The company revealed on Thursday that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI)."
        https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-discloses-security-breach/
        https://www.theregister.com/security/2026/06/12/novo-nordisk-says-hackers-stole-clinical-trial-data/5254812
        https://www.bankinfosecurity.com/ozempic-drug-maker-loses-clinical-trial-data-in-hack-a-31962
      • Over 73,000 French Govt Employees Affected In Tchap Messenger Breach
        "The French government revealed that a recent breach of its Tchap encrypted messaging platform affects the accounts of over 73,000 employees in the French public sector. DINUM, the French government's digital affairs directorate, disclosed on Monday that a threat actor gained access to the Tchap platform using a compromised user account and notified France's data protection authority (CNIL) due to the potential exposure of personal data shared by some users. While it initially shared almost no details about what was exposed and how many people were affected by this breach, the DINUM disclosed in a subsequent update that the attackers may have accessed information shared by around 9% of all registered users on the platform."
        https://www.bleepingcomputer.com/news/security/french-govt-says-tchap-breach-affected-over-73-000-accounts/
      • Iranian Cyber Group Handala Claims Cal Water Hack
        "The Iran-linked threat actor Handala this week boasted to have hacked California Water Service (Cal Water), and published 5 gigabytes of data allegedly stolen from the US water utility. In a post on their blog, the hacking group said the intrusion was retaliation for recent US actions in Iran and claimed they had the ability to disrupt water access but chose not to. While the level of access Handala had has not been confirmed, threat intelligence company Dataminr says the threat actor likely hacked into Cal Water’s RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system."
        https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/
        https://securityaffairs.com/193565/uncategorized/iran-linked-handala-breached-a-california-water-utility-it-could-have-done-worse-and-it-knows-that.html

      General News

      • Ukrainian National Pleads Guilty To Role In Conti Ransomware Operation
        "A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. The U.S. Department of Justice announced Thursday that 44-year-old Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and 2022. According to prosecutors, Lytvynenko and his co-conspirators deployed Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin ransom payments."
        https://www.bleepingcomputer.com/news/security/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation/
        https://cyberscoop.com/conti-ransomware-member-ukrainian-lytvynenko-guilty/
        https://hackread.com/extradited-ukrainian-admits-conti-ransomware-attacks/
        https://securityaffairs.com/193590/uncategorized/ukrainian-extradited-from-ireland-pleads-guilty-over-role-in-conti-ransomware-scheme.html
      • Google Sues Chinese Phishing Service Over Gemini Abuse
        "Google has sued a Chinese phishing-as-a-service provider Friday for providing tools and crash courses for using the company's artificial intelligence product to create more than a million scam websites. The cybercrime group used Google's AI coding agent Gemini to refine and customize phishing sites so they look as real as the original, tricking victims to input their credit card information, account credentials and other personal data, the company said."
        https://www.bankinfosecurity.com/google-sues-chinese-phishing-service-over-gemini-abuse-a-31957
        https://www.helpnetsecurity.com/2026/06/12/google-china-based-cybercrime-network-lawsuit/
      • How To Use NIST And ISO Frameworks To Govern AI Agents
        "Security leaders no longer need convincing that AI agents introduce risk. What’s missing is how to govern them once they move into production and begin operating autonomously across enterprise environments. AI agents already read sensitive documents, invoke internal APIs, trigger workflows, and make decisions that still require human judgment. From a security perspective, the most important shift is not their intelligence, but their behavior and intent, since they carry delegated authority, operate autonomously, and often hold more access than the humans they support."
        https://www.helpnetsecurity.com/2026/06/12/nist-iso-frameworks-govern-ai-agents/
      • The Assembly Line Behind 1.5 Million Malicious Domains
        "Attackers registered roughly 1.5 million malicious domains during the first five months of 2026. The registration patterns resemble industrial output. Most of the domains were created by attackers, put to use within weeks, and concentrated among a small set of registrars, top-level domains, and hosting providers. New research examined more than 1.5 million unique domains flagged on VirusTotal between January and May 2026. Each domain was flagged by at least five independent VirusTotal scanning engines and first appeared on the platform during the study window. The detections were combined with WHOIS registration records, passive DNS resolution data, and the Tranco popularity ranking of well-known sites."
        https://www.helpnetsecurity.com/2026/06/12/malicious-domain-registration-research/
        https://arxiv.org/pdf/2606.11111
      • AI Sovereignty Makes Data Centers Strategic Targets For Cyber Operations
        "Data centers built for frontier AI draw hundreds of megawatts of electricity and large volumes of cooling water from fixed locations with known addresses. Each one concentrates tens of thousands of graphics processors, liquid cooling systems, and high-density power equipment inside a single building. This physical footprint turns a nation’s AI capability into something an adversary can locate, measure, and degrade."
        https://www.helpnetsecurity.com/2026/06/12/ai-sovereignty-data-centers/
        https://arxiv.org/pdf/2606.07245
      • Over 80% Of Sports Organizations Targeted By Hackers In The Last Year
"Over 80% of professional sports organizations were targeted by cyber-attacks during the last year and over half of them were hit more than once, researchers have warned. In a report published on June 11, the day the FIFA World Cup 2026 kicked off, figures from Darktrace revealed that 84% of sports organizations – including teams, venues and event bodies – were targeted by cyber-attacks during the last year. And for most of them, facing a cyber-attack was not a one-off event: 57% experienced multiple cyber incidents in the 12-month period."
        https://www.infosecurity-magazine.com/news/sports-organizations-targeted-by/
      • How We're Combatting AI Scams With Security, Legislation And More
        "You’ve seen the texts: fake package alerts, urgent bank warnings, panicked messages about your compromised account. Behind them is an AI-powered cybercrime network built to steal your passwords and credit cards. Today, we’re fighting back. We’re filing a lawsuit to dismantle their infrastructure, coordinating with the FBI who will be taking law enforcement actions, and will continue to work with AT&T, T-Mobile and Verizon to block these texts before they reach you. Litigation alone won’t end this. So Google is also advocating for federal legislation to make these protections permanent."
        https://blog.google/innovation-and-ai/technology/safety-security/combatting-ai-scams/
        https://thehackernews.com/2026/06/google-sues-chinese-smishing-network.html
        https://www.theregister.com/security/2026/06/12/google-fires-sueball-at-alleged-chinese-phishers-over-ai-powered-fraud-ops/5254841
        https://cyberscoop.com/outsider-cybercrime-network-takedown-china-fbi-google-lumen/
      • Statement On The US Government Directive To Suspend Access To Fable 5 And Mythos 5
        "The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Anthropic models will not be affected."
        https://www.anthropic.com/news/fable-mythos-access
        https://www.bleepingcomputer.com/news/security/us-gov-asks-anthropic-to-ban-foreign-national-access-to-fable-mythos/
        https://thehackernews.com/2026/06/us-orders-anthropic-to-suspend-fable-5.html
        https://www.bankinfosecurity.com/us-pulls-plug-on-anthropics-top-ai-models-a-31964
        https://cyberscoop.com/us-government-anthropic-fable-5-mythos-5-export-controls/
        https://www.securityweek.com/anthropic-says-it-has-taken-its-latest-ai-models-offline-to-comply-with-new-export-controls/
        https://securityaffairs.com/193579/ai/washington-pulled-the-plug-on-anthropic-fable-5-and-mythos-5-models.html
      • Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
        "Forensic examiners are constantly hunting for data that reveals not just what happened on a system, but the user's intent behind it. With the release of macOS Tahoe 26, a new artifact has surfaced that provides exactly this level of granularity. We have identified a new Biome stream, App.MenuItem, which logs specific menu selections made by users across the operating system. This artifact offers a step-by-step record of user actions — from compressing files to emptying the trash — providing critical context for user activity across the operating system. This blog outlines where to find this artifact, how to process it and what stories the data can tell."
        https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Operation Highland Found Lurking in an Internal Network for Nearly a Decade

      Posted in Cyber Security News
      NCSA_THAICERT
    • Former US School District IT Employee Jailed After Attacking Former Employer's Systems for Over 21 Months

      Posted in Cyber Security News
      NCSA_THAICERT
    • Anthropic Disables Its Latest AI Models Under US Government Control Measures

      Posted in Cyber Security News
      NCSA_THAICERT
    • Splunk and Palo Alto Networks Release Patches for High-Severity Vulnerabilities

      Posted in Cyber Security News
      NCSA_THAICERT
    • Researcher Discloses New GreatXML Vulnerability That May Bypass BitLocker Protection via Windows Recovery Mode

      Posted in Cyber Security News
      NCSA_THAICERT
    • Exploitation of a High-Severity Vulnerability in the 'Langflow' AI Development Platform Detected; Users Advised to Update Immediately

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Publishes 7 Industrial Control Systems (ICS) Advisories

      On 11 June B.E. 2569, the Cybersecurity and Infrastructure Security Agency (CISA) published 7 advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities, and attacks related to ICS, with details as follows:

      • ICSA-26-160-01 Schneider Electric Modicon Network Managed Switches
      • ICSA-26-160-02 Siemens KACO Blueplanet Inverters
      • ICSA-26-160-03 Schneider Electric EcoStruxure Panel Server
      • ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update F)
      • ICSA-24-326-03 Schneider Electric Modicon M340, MC80, and Momentum Unity M1E & EcoStruxure (Update A)
      • ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H (Update B)
      • ICSA-25-254-09 Schneider Electric Modicon M340, BMXNOE0100, and BMXNOE0110 (Update A)

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA Publishes 4 Industrial Control Systems (ICS) Advisories

      On 11 June B.E. 2569, the Cybersecurity and Infrastructure Security Agency (CISA) published 4 advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities, and attacks related to ICS, with details as follows:

      • ICSA-26-162-01 Yarbo Android/iOS Mobile Application and Cloud Infrastructure
      • ICSA-26-162-02 Naxclow IoT Platform
      • ICSA-26-162-03 Brickcom Cameras
      • ICSA-25-070-01 Schneider Electric Uni-Telway Driver (Update D)

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA Adds 1 Exploited Vulnerability to Its Catalog

      On 11 June B.E. 2569, the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation, with details as follows:

      • CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability

      CISA will continue to update and add new vulnerabilities to the KEV catalog so that it covers risks actually detected now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/06/11/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Adds 3 Exploited Vulnerabilities to Its Catalog

      On 10 June B.E. 2569, the Cybersecurity and Infrastructure Security Agency (CISA) added 3 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation, with details as follows:

      • CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
      • CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
      • CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability

      CISA will continue to update and add new vulnerabilities to the KEV catalog so that it covers risks actually detected now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 12 June 2026

      Industrial Sector

      • Yarbo Android/iOS Mobile Application And Cloud Infrastructure
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01
      • Naxclow IoT Platform
        "Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02
      • Brickcom Cameras
        "Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain unauthorized access to live video feeds, retrieve sensitive visual information from affected premises, and obtain administrative control of the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03
      • Segmentation Works For OT If Operators Are Paying Attention
        "Separating systems to limit the damage in a cyber attack is still considered the way to secure industrial technology, but it remains a difficult goal. Segmentation only works to secure operational technology (OT) environments if operators know what threats and risks to look for, and in most cases, key concerns are overlooked. Not only does OT help power critical infrastructure sectors, but it’s increasingly converging with IT environments as well. However, security continues to lag despite its critical role across industries."
        https://www.darkreading.com/cybersecurity-operations/segmentation-works-for-ot-if-operators-are-paying-attention

      Vulnerabilities

      • Oracle Mitigates PeopleSoft Zero-Day Exploited In Data Theft Attacks
        "Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8. "This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory."
        https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
        https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
        https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
        https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/
      • Max Severity Ivanti Sentry Vulnerability Now Exploited In Attacks
        "Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways. Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices. Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1."
        https://www.bleepingcomputer.com/news/security/max-severity-ivanti-sentry-vulnerability-now-exploited-in-attacks/
        https://www.darkreading.com/vulnerabilities-threats/max-severity-ivanti-sentry-flaw-exploited-24-hours
        https://securityaffairs.com/193530/uncategorized/cve-2026-10520-exploited-ivanti-sentry-gateways-compromised-shortly-after-patch-release.html
      • Splunk, Palo Alto Networks Patch Severe Vulnerabilities
        "Splunk and Palo Alto Networks on Wednesday rolled out patches for multiple vulnerabilities across their product portfolios, including critical and high-severity bugs. Palo Alto Networks drew attention to a high-severity security flaw in the Cortex XSOAR and Cortex XSIAM platforms that could allow attackers to access and modify restricted resources. Tracked as CVE-2026-0274, the issue is described as the improper validation of credentials in the CommvaultSecurityIQ integration of the affected products and does not require a special configuration to be triggered."
        https://www.securityweek.com/splunk-palo-alto-networks-patch-severe-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/11/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/
      • New GreatXML Exploit Bypasses Windows BitLocker Via Recovery Partition XML Files
        "Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender. "This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass. I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely.""
        https://thehackernews.com/2026/06/new-greatxml-exploit-bypasses-windows.html
        https://deadeclipse666.blogspot.com/2026/06/greatxml-bitlocker-that-seems-to-only.html
        https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
        https://securityaffairs.com/193516/security/chaotic-eclipse-strikes-again-new-zero-day-unlocks-bitlocker-in-four-hours-of-research.html
        https://www.theregister.com/security/2026/06/11/nightmare-eclipse-drops-claimed-bitlocker-bypass-for-microsoft-windows/5254371
      • CVE-2026-30612: A Vulnerability In Time4Popcorn (PopcornTime)
        "Time4Popcorn is a fork of Popcorn Time, a popular download application. This fork is also distributed under the name ‘Popcorn Time’. Since early 2025, a new project started using the PopCorn Time name and is building a legal alternative, this research does not apply to that software. The Windows, Mac and Android versions of this software, contain a vulnerable update component. The updater connects to its update servers over an insecure channel. An attacker that is able to manipulate this traffic can offer his own update. On Windows and Mac, this update occurs in the background without user interaction and will run with full privileges (NT AUTHORITY\SYSTEM or root). On Android, the user is prompted to install an attacker-supplied APK file."
        https://research.eye.security/cve-2026-30612-a-vulnerability-in-time4popcorn-popcorntime/

      Malware

      • Threat Actors Weaponize AI Hype To Deliver AsyncRAT
        "As AI adoption continues to grow, threat actors have wasted no time exploiting the trend. FortiGuard Labs recently observed a campaign delivering malicious files disguised as AI-related documents, with titles such as "AI-Ready PostgreSQL 18: Building Intelligent Data Systems" and "A Guide for Thinking Marketers in the Age of AI." These lures are designed to target users actively seeking AI-related learning resources. The attack chain behind these files is remarkably complex, using multiple staged scripts to hide activity before ultimately deploying AutoHotkey-based loaders that reflectively inject a .NET remote access trojan and AsyncRAT into memory for command-and-control communication and follow-on execution."
        https://www.fortinet.com/blog/threat-research/threat-actors-weaponize-ai-hype-to-deliver-asyncrat
        https://www.infosecurity-magazine.com/news/fake-ai-guides-dev-tools-spread/
        https://hackread.com/hackers-fake-claude-code-guide-ai-pdfs-asyncrat/
      • Sniper’s Nest: From Brand Impersonation To Browser Hijacking And CPA Fraud
        "During an investigation into phishing activity targeting users across the Middle East and North Africa (MENA), Group-IB analysts identified multiple fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations. These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs. Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure."
        https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/
        https://www.infosecurity-magazine.com/news/interpol-dismantles-sniperdz/
        https://hackread.com/authorities-dismantle-sniperdz-phishing-network/
      • A Fake Bug Report Hijacks Your AI Coding Agent – And Nothing Catches It.
        "Tenet Threat Labs has demonstrated a new class of attack “Agentjacking” that hijacks AI coding agents into running attacker-controlled code on a developer’s machine, triggered by a single fake error report and invisible to every security control. Using only public Sentry APIs, breaching nothing, we found 2,388 organizations exposed, saw 100+ agents act on injected errors in controlled testing, with confirmed agent execution at organizations spanning from Fortune 500 enterprise down to independent developers."
        https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
        https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/
      • Inside OnyxC2: The New Stealer Targeting 210 Apps
        "A new stealer called OnyxC2 surfaced on a cybercrime network in early 2026, sold as a complete product: a web panel, a payload builder, tiered pricing, and refunds if a build gets caught. For $250 a month, operators get a kit that harvests browser credentials, password managers, two-factor authentication (2FA), and crypto wallets across roughly 210 applications and extensions, then ships it all back over an encrypted channel."
        https://www.blackfog.com/inside-onyxc2-the-new-stealer-targeting-210-apps/
        https://www.securityweek.com/onyxc2-stealer-offers-cybercriminals-enterprise-grade-theft-for-250-a-month/
        https://securityaffairs.com/193523/malware/onyxc2-malware-as-a-service-offers-enterprise-grade-data-theft.html
      • Inside The Phantom Mantis Operation
        "Phantom Mantis, initially known as ArmCorp, is a financially motivated threat group active since March 2025. The group conducts intrusions for extortion and is led by a Russian-speaking criminal tracked as LARVA-368. For about four months, Phantom Mantis operated as an affiliate group conducting double-extortion attacks, leveraging resources from various Ransomware-as-a-Service (RaaS) operations, including Tenacious Mantis (a.k.a. LockBit) and in particular Pestilent Mantis (a.k.a. Qilin)."
        https://catalyst.prodaft.com/public/report/inside-the-phantom-mantis-operation/overview
        https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html
      • OceanLotus: From External Espionage To Domestic Targeting
        "Our tracking of OceanLotus activities from 2024–2026 reveals a shift in operational focus. During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company. Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling."
        https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
        https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html
      • ShinyHunters Targets Education Sector With Oracle PeopleSoft Exploit
        "Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day."
        https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
        https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443

      Breaches/Hacks/Leaks

      • Japanese Energy Firm Loses Drive With Data Of 10.9 Million Clients
        "Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects private data of more than 10 million customers. In an official announcement, the company explains that the IT staff regularly performs backups to manage server storage. Due to capacity constraints, on April 27 an external storage device was used for the task. The drive was then stored in a server room cabinet protected by multiple physical security layers. On May 26, when IT staff went to retrieve it, they found the cabinet had been left unlocked and the drive was missing."
        https://www.bleepingcomputer.com/news/security/japanese-energy-firm-loses-drive-with-data-of-109-million-clients/
      • Nottingham University Data Breach Affects Over 450,000 Students
        "The University of Nottingham confirmed on Wednesday that a hacking group gained access to its student records system in a breach affecting both current students and alums. Nottingham University is a public research university with 7,000 staff and over 46,000 students, ranking in the Top 20 in the United Kingdom and the Top 100 worldwide. The university told BleepingComputer in an emailed statement that the incident exposed a "significant amount of data," and that the breach has been reported to the UK's Information Commissioner's Office."
        https://www.bleepingcomputer.com/news/security/nottingham-university-data-breach-affects-over-450-000-students/
        https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters
        https://hackread.com/shinyhunters-university-of-nottingham-student-data-leak/
        https://www.securityweek.com/university-of-nottingham-confirms-breach-after-hackers-leak-data/
      • British High School Sends Students Home Following Cyberattack
        "The majority of students at a high school in Buckinghamshire, England, were sent home for the second day in a row on Thursday after what the headteacher told parents was “a cybersecurity incident affecting our ICT systems.” Great Marlow School, which has 1,428 pupils according to the Department for Education (DfE), said it was set to remain closed while it works with specialist IT and cybersecurity professionals to resolve the issue."
        https://therecord.media/british-school-sends-students-home-cyberattack
      • Nearly a Million Passports And Photo IDs Were Left Unprotected On The Public Internet
        "Typing a few letters and numbers into my web browser, I find myself gaping at the identity documents of complete strangers. The passport of a young woman from Germany. The passport of a man from Spain with glasses resting on his head. The front and back of another man’s driver’s license, a stereotypically goofy expression on his face. They were all sitting unprotected at public URLs, with no password or access control of any sort. If I sent you a link, you could have looked at someone’s passport."
        https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal
        https://github.com/xn0tsa/because-i-got-high

      General News

      • Ransomware Gangs Cut Off From EUR 336 Million ‘AudiA6’ Crypto Laundering Pipeline
        "An international law enforcement operation has dismantled one of the cryptocurrency laundering services most trusted by ransomware gangs and cybercriminal networks, cutting off a key financial pipeline used to wash hundreds of millions in illicit profits. The service, known as ‘AudiA6’, is suspected of laundering more than EUR 336 million between 2022 and 2025. Investigators believe the platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities."
        https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline
        https://www.bleepingcomputer.com/news/legal/authorities-dismantle-audia6-ransomware-crypto-laundering-service/
      • When Your AI Agent’s Memory Becomes a Security Liability
        "Check Point Research discovered how a single overlooked API in LangGraph, one of the world’s most widely used AI agent frameworks, can hand an attacker complete control of your AI infrastructure. LangGraph is not a niche tool. With close to 46.5 million downloads last month alone, it powers AI agents across thousands of production environments, from customer support automation to internal enterprise workflows. That kind of adoption means any security issue in it is worth paying close attention to."
        https://blog.checkpoint.com/research/when-your-ai-agents-memory-becomes-a-security-liability/
        https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/
      • The Hidden Security Risks Of Poor Software Testing
        "A system does not need to be attacked by an advanced hacker to fail. One overlooked flaw in the code, one outdated dependency, or one rushed release can give attackers the access they need, especially after the exploitation of AI in cybercrime. Companies can spend heavily on antivirus software, firewalls, endpoint tools, and multi-factor authentication. Those controls matter, but they cannot fully protect a product that was released with avoidable security flaws. Once vulnerable code reaches production, attackers have a real target."
        https://hackread.com/the-hidden-security-risks-of-poor-software-testing/
      • 9 Out Of 10 People Can No Longer Distinguish Real From AI-Generated Content
        "Online fraud is becoming harder to distinguish from legitimate activity as AI-generated messages, voices, photos, reviews, and identities become more convincing. Nearly nine in ten adults say they can no longer tell what is real from AI-generated content, according to the latest Malwarebytes survey. The share increased from 66% in 2025 to 85% in 2026. The survey covered 1,500 adults aged 18 and older in the United States, the UK, Austria, Germany, and Switzerland."
        https://www.helpnetsecurity.com/2026/06/11/ai-scams-deepfakes-survey/
      • Threat Actors Are Recruiting The People Who Hold Cloud Logins
        "Companies keep most of their data and applications in cloud platforms that anyone can reach with the right login. That setup turns each employee holding those credentials into a security variable, and members of the cybercrime underground have built methods to reach those people. Intel 471 tracked this activity into 2026 and sorted insider risk into three categories that cloud-reliant organizations contend with."
        https://www.helpnetsecurity.com/2026/06/11/report-cloud-insider-threats/
      • Prompt Injection Still Drives Most Agentic AI Security Failures In Production
        "A backdoor sat on PyPI for three hours in March 2026. Nearly 47,000 downloads occurred during the window. The compromised package, LiteLLM, serves as the language-model gateway for CrewAI, DSPy, Microsoft GraphRAG, and dozens of other AI agent frameworks. Anyone pulling an update during that window pulled in an autonomous attack bot named hackerbot-claw along with it."
        https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
      • ISC2 Research: How Enterprises Use Training To Strengthen Cybersecurity Teams
        "Cybersecurity professionals face a constantly evolving landscape of threats, new technologies and changing organizational priorities. To stay on top of – and indeed ahead of – these needs, maintaining and developing relevant skills is an essential requirement. However, with many new and emerging cybersecurity skills in short supply, training and development remain among the most pressing challenges for employers and professionals alike. A new research report from ISC2, How Enterprises are Strengthening Their Cybersecurity Teams Through Training, examines how enterprise organizations (5,000+ employees) across Canada, Germany, India, Japan, the U.K. and the U.S. approach security team training."
        https://www.isc2.org/Insights/2026/06/enterprise-training-trends
        https://edge.sitecorecloud.io/internationf173-xmc4e73-prodbc0f-9660/media/Project/ISC2/Main/Media/Research/ISC2_Enterprise_Training_Trends_Research_Report_2026.pdf
        https://www.infosecurity-magazine.com/news/cybersecurity-training-time/
      • Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware Claims
        "Insurance experts have urged organizations to reduce their exposure to extortion-only attacks and better manage the consequences when they occur, after revealing a surge in this category of threats. Insurer Resilience said in a new report that 65% of extortion-related claims it handled in the second half of 2025 did not involve data encryption. That’s up from 49% in the first half of the year. By the end of 2025, only 13% of attacks relied on encryption alone, while data theft – on its own or combined with encryption – accounted for 87% of ransomware claims, it noted."
        https://www.infosecurity-magazine.com/news/extortion-only-attacks-surge/
      • Alert Fatigue Is Becoming a Security Threat Of Its Own
        "Alert fatigue and its related effects on SOC efficiency are self-evident problems. Less obvious and more complex are the cause, effect and possible solutions to these problems. SOC analysts are inundated with a huge and continuous volume of alerts generated by security tools. Each alert is often meaningless absent correlation with other alerts. But finding relationships is time-consuming, and even if found, might be irrelevant to business security. Much of the alert volume is simply noise, but attempting correlation to find true positive alerts (signals) from the huge number of false positives (noise) is difficult, boring, and often pointless."
        https://www.securityweek.com/alert-fatigue-is-becoming-a-security-threat-of-its-own/
      • The Defender's Playbook For LLM-Powered Vulnerability Discovery
        "My last article on how attackers will behave showed what they’ll do once LLMs flood the system with new Common Vulnerabilities and Exposures (CVEs). This essay looks at what defenders could do in response. Some moves are obvious. Others break norms and carry risk. We group by the four vendor types from that article, then list every move with its trade-offs."
        https://blog.barracuda.com/2026/06/11/defenders-playbook-llm-vulnerability-discovery
      • Hacker Linked To Void Blizzard Faces Charges Over Cyberespionage Campaign
        "A Russian national with suspected links to the Void Blizzard hacking group appeared in U.S. federal court this week on charges of supporting a Kremlin-linked cyberespionage campaign that targeted U.S. companies, according to media reports. Denis Obrezko, 36, made his initial appearance in federal court in Boston on Tuesday after being transferred to U.S. custody from Thailand, where he was arrested last November."
        https://therecord.media/hacker-linked-to-void-blizzard-faces-charges
        https://cyberscoop.com/russian-national-charged-void-blizzard-cyber-espionage/
      • What Makes Or Breaks Cyber-Readiness For SMBs
        "Cybersecurity has a familiar way of saying the storm will come: “a breach is a matter of when, not if.” While the industry’s sternest maxim has probably never been more true, it sometimes feels as though it’s also lost some of its edge over the years. Everyone agrees that there could be a ‘cloud on the horizon,’ but will they also hurry to draft or review their IT contingency plan or commit to a level of operational pain that their company can endure while under attack?"
        https://www.welivesecurity.com/en/business-security/smb-cyber-readiness-what-makes-breaks-it/
      • CrowdStrike 2026 Technology Threat Landscape Report: China’s Ambitions Fuel Attacks
        "The technology sector has, for the past several years, been the most targeted industry among eCrime and state-sponsored adversaries whose motivations span financial gain, long-term intelligence collection, and industrial espionage. Modern tech companies are building the world’s most valuable and targeted assets. Their cutting-edge innovations, now including AI, represent competitive advantage and heightened risk. Adversaries are taking aim, and defenders that understand them are best equipped to stop them."
        https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/
      • Shadowserver Report Provides Cybersecurity Insights And Recommendations For ECOWAS Member States In West Africa
        "In recent years, West African nations have experienced a rapid digital transformation that has helped spur economic growth and development. Yet, this transformation has also brought to light many institutional and operational cybersecurity deficiencies that make the region an attractive and vulnerable target of cyber threat actors. West Africa has experienced an alarming increase in cyberattacks in recent years, with cybercrime accounting for more than 30 percent of all reported crime in the region."
        https://www.shadowserver.org/news/shadowserver-report-provides-cybersecurity-insights-and-recommendations-for-ecowas-member-states-in-west-africa/
        https://www.shadowserver.org/wp-content/uploads/2026/06/SSF001-ECOWAS-Report-ENG-FINAL.pdf

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 11 June 2026

      Industrial Sector

      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Phoenix Contact
        "ICS Patch Tuesday advisories were published this month by Siemens, Schneider Electric, and Phoenix Contact. Siemens published only four new advisories. In Sinec INS, the industrial giant fixed authenticated command execution, information disclosure, privilege escalation, and password exposure flaws. The company also addressed a DoS and potential code execution issue in Siprotec 5, and a sensitive information exposure weakness in WinCC Certificate Manager."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-phoenix-contact/
      • Attacking UPS Network Cards To Take Down Data Centers
        "Team82 has uncovered two serious vulnerabilities in Vertiv’s uninterruptible power supply (UPS) network cards that enable authentication bypass to the control interface of the UPS, denial of service, and potentially code execution. UPS devices come in all sizes, from units as small as a laptop to as big as a six-door closet. They serve the same purpose: keeping critical equipment running in the event of a power outage. During an outage, a UPS switches to its internal battery, preventing sudden shutdowns. Data centers, for example, rely on them to keep servers, routers, and control systems stable and protected from power spikes or drops, keeping devices online or shutting them down safely."
        https://claroty.com/team82/research/attacking-ups-network-cards-to-take-down-data-centers
        https://www.securityweek.com/critical-hvac-and-ups-vulnerabilities-could-let-hackers-disrupt-data-centers/

      Vulnerabilities

      • Ivanti: Max Severity Sentry Flaw Allows Code Execution As Root
        "Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges. Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices. Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness. The second Sentry security flaw patched on Tuesday (tracked as CVE-2026-10523) is a critical authentication bypass that can be exploited remotely by unauthenticated attackers to create rogue administrative accounts and gain full administrative access."
        https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/
        https://nvd.nist.gov/vuln/detail/CVE-2026-10520
        https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428
        https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/
      • Critical Vulnerabilities Patched In Fortinet, Ivanti Products
        "Fortinet and Ivanti on Tuesday rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws. Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal. The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI."
        https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/
        https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html
      • Langflow - Path Traversal Arbitrary File Write Via Upload_user_file
        "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')."
        https://www.tenable.com/security/research/tra-2026-26
        https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html
        https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/
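        The Tenable advisory above describes the failure mode in one sentence: a client-supplied multipart `filename` is joined onto the upload directory without sanitization, so `../` sequences (or an absolute path) place the file wherever the attacker chooses. The following is an added example, not Langflow's or Tenable's code, showing the vulnerable join beside a hardened version that strips directory components and then verifies the final path still lies inside the upload directory. The upload directory `/srv/uploads`, the sample filenames and all function names are constructed for illustration.

```python
"""
Added example: unsafe vs. safe handling of an upload 'filename' field.
Not Langflow's code; paths, names and samples are constructed.
"""
import os
import re
import uuid

UPLOAD_DIR = "/srv/uploads"  # assumed upload location for the example

# Constructed filenames an upload endpoint might receive from a client.
SAMPLE_FILENAMES = [
    "report.pdf",             # benign
    "../../etc/cron.d/job",   # traversal via '../'
    "/etc/passwd",            # absolute path; os.path.join discards the base
    "",                       # empty name resolves to the directory itself
]


def unsafe_destination(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """The vulnerable pattern: join the client's name onto the upload dir verbatim.
    os.path.join keeps '../' segments and replaces the base on an absolute name."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def sanitize_filename(filename: str) -> str:
    """Reduce a client-supplied name to one safe path component."""
    # Drop any directory part; treat '\\' as a separator too, since on
    # Windows it is one even though posixpath ignores it.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Allow a conservative character set only.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Strip leading/trailing dots and underscores so '..' or '...' cannot survive.
    name = name.strip("._")
    if not name:
        # Nothing usable left: generate a name instead of trusting the client.
        name = f"upload-{uuid.uuid4().hex}"
    return name[:255]


def is_inside(upload_dir: str, path: str) -> bool:
    """True if path is a file location strictly inside upload_dir."""
    base = os.path.abspath(upload_dir)
    target = os.path.abspath(path)
    return target != base and os.path.commonpath([base, target]) == base


def safe_destination(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Sanitize, then re-check containment as defence in depth."""
    target = os.path.join(upload_dir, sanitize_filename(filename))
    if not is_inside(upload_dir, target):
        raise ValueError("refusing to write outside the upload directory")
    return os.path.normpath(target)


def audit(filenames, upload_dir: str = UPLOAD_DIR) -> dict:
    """Map each name to whether the naive join would stay inside upload_dir."""
    return {f: is_inside(upload_dir, unsafe_destination(f, upload_dir))
            for f in filenames}


if __name__ == "__main__":
    for name, contained in audit(SAMPLE_FILENAMES).items():
        print(f"{name!r:28} naive join stays inside: {contained}")
        print(f"{'':28} hardened path: {safe_destination(name)}")
```

The containment check after sanitization is deliberate: a sanitizer is a denylist in disguise, and the `commonpath` comparison catches anything it misses, including an absolute name that `os.path.join` would otherwise let replace the base directory.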
      • Cyera Research Uncovers Six Protobuf.js Vulnerabilities Impacting The Backbone Of Data And AI Systems
        "Cyera researchers discovered and helped remediate six vulnerabilities in protobuf.js, including flaws that could lead to remote code execution (RCE) and denial-of-service (DoS) attacks. If you're wondering why this matters, that's a fair question. Most of us rarely interact directly with protobuf.js. However, it is the most widely used JavaScript runtime for Protocol Buffers, a serialization format that powers communication across millions of applications, databases, cloud-native services, and AI systems. The package alone is downloaded more than 50 million times per week, with true adoption likely far higher due to its widespread inclusion as a dependency in countless software projects."
        https://www.cyera.com/blog/cyera-research-uncovers-six-protobuf-js-vulnerabilities-impacting-the-backbone-of-data-and-ai-systems
        https://www.cyera.com/research/proto6-the-schema-was-not-supposed-to-run
        https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html
      • Microsoft Patches Exchange Server Zero-Day Exploited In Attacks
        "Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. This high-severity spoofing vulnerability (CVE-2026-42897) affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software and can be exploited by remote attackers with no privileges."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
      • Microsoft Patches YellowKey, GreenPlasma, MiniPlasma Zero-Days
        "On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. All three security flaws were disclosed last month by a security researcher using the "Nightmare Eclipse" handle in protest over how the Microsoft Security Response Center (MSRC) handles the disclosure process."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/

      Malware

      • Expanded JDY IoT And SOHO Botnet Enables Rapid Vulnerability Exploitation
        "Black Lotus Labs® recently identified a significant resurgence of the JDY botnet, a covert reconnaissance network tied to China-nexus threat activity. In this report, we examine how the botnet has expanded its footprint, diversified its device base and enabled rapid vulnerability targeting, giving defenders important insight into how modern reconnaissance supports subsequent exploitation."
        https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation
        https://www.bleepingcomputer.com/news/security/china-linked-jdy-botnet-expands-targeting-of-us-military-networks/
        https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html
        https://www.theregister.com/security/2026/06/11/china-linked-operators-revive-botnet-stir-ai-datacenter-debate/5253873
      • SilabRAT, What’s Your Power?
        "By this point, the security community has analyzed countless Remote Access Trojans (RATs), so one might ask: Who needs another RAT analysis? Rather than simply cataloging another piece of malware, this still provides an opportunity to shed educational light on how attacker tooling continues to evolve. While reputable RAT families remain popular among adversaries, some have begun searching for alternatives. Well-known RATs are heavily monitored, and therefore easily classified or detected by modern security solutions. As a result, attackers frequently experiment with newer, less common tools in an effort to evade detection and extend operational longevity. In this blog, we deep-dive into SilabRAT and look at some of its interesting capabilities."
        https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
        https://www.infosecurity-magazine.com/news/silabrat-trojan-session-hijacking/
      • Phishing Attacks Leverage TikTok, Instagram Reels
        "Short-form videos on social media apps are currently being leveraged by threat actors as a phishing vector, utilizing tutorial style content with the promise of free premium software to lure victims onto malicious sites. This is an important threat to be cognizant of, as the videos can trick users into directly downloading malware. In order to best defend organizations, steps can be taken to mitigate the risks associated with these videos, both in user training and technical guardrails."
        https://www.reversinglabs.com/blog/social-media-attacks-phishing
        https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
        https://hackread.com/scammers-tiktok-instagram-reels-vidar-infostealer/
        https://www.malwarebytes.com/blog/news/2026/06/free-spotify-premium-hacks-on-social-media-are-spreading-infostealers
      • New Browser-In-The-Browser Phishing Uses Fake Login Popups To Steal Microsoft 365 Credentials
        "A new Browser-in-the-Browser (BitB) phishing campaign is targeting Microsoft 365 users with fake login popups designed to closely mimic legitimate browser authentication windows, according to Palo Alto Networks Unit 42. The attack relies on a fake browser window embedded within a webpage. Victims who click a Microsoft sign-in button are presented with what appears to be a standard authentication prompt, complete with a spoofed Microsoft OAuth URL and a login form."
        https://www.helpnetsecurity.com/2026/06/10/browser-in-the-browser-phishing-microsoft-365-users/
        https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-08-Browser-In-The-Browser-Pishing-Campaign.txt
      • FIFA World Cup 2026 Scams Are Already Active: Fake Domains, Phishing Sites, And How To Stay Safe
        "The FIFA World Cup 2026 kicks off on June 11, and the world’s biggest sporting event is drawing more than just fans — it is already attracting a wave of cybercriminals targeting ticket buyers, job seekers, streaming viewers, and corporate brands alike. The FBI has issued a formal Public Service Announcement warning that threat actors are creating fraudulent versions of FIFA-affiliated websites to steal personal information, conduct financial fraud, and sell fake products and services. Cyble researchers independently analyzed the domains flagged by the FBI and confirmed that many remained active and operational at the time of publishing this report."
        https://cyble.com/blog/fifa-world-cup-2026-scams/

      Breaches/Hacks/Leaks

      • Oracle PeopleSoft Servers Hacked In ShinyHunters Data Theft Attacks
        "Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration. Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang."
        https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/
      • Cyberattack Shuts Down Major Australian Sugar Mills, Disrupting Harvest
        "A cyberattack has disrupted sugar production in one of Australia's largest cane-growing regions, forcing two major sugar mills to shut down and bringing harvesting operations to a halt. Mackay Sugar, Australia's second-largest sugar producer, said on Wednesday that it was responding to a cybersecurity incident affecting parts of its operations and had engaged cybersecurity experts and local authorities to investigate the attack and restore its systems safely."
        https://therecord.media/cyberattack-shuts-down-major-australian-sugar-producer

      General News

      • AI Agents Are Becoming Enterprise Workers. Who Secures Them?
        "A sales operations team builds an AI agent to help manage renewal requests. On the surface, the workflow looks ordinary. The agent reads inbound customer emails, checks the account record in the CRM, looks up contract terms, drafts a response, updates the opportunity stage, and creates a follow-up task. No one has set out to build a sentient machine in a basement. They are just trying to remove friction from a familiar business process. Underneath that ordinary workflow, something important has changed."
        https://blog.checkpoint.com/ai-security/ai-agents-are-becoming-enterprise-workers/
      • Patch Smarter, Not Harder
        "Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered. Defenders are already struggling to keep up. Per Verizon’s 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year’s 38%. The median time for full resolution rose to 43 days. Defenders need greater clarity and speed to patch systems in today’s threat landscape. We must flip the script on patching prioritization: patch smarter, not harder."
        https://www.cisa.gov/news-events/news/patch-smarter-not-harder
        https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
        https://www.darkreading.com/cyber-risk/cisa-rewrites-federal-patching-requirements-ai-threat-era
        https://therecord.media/cisa-to-require-federal-agencies-to-patch-3-days
        https://cyberscoop.com/cisa-vulnerability-remediation-directive-bod-26-04/
      • AI Risk Worries Insurers And Businesses Alike
        "The insurance industry is undergoing a major shift as businesses look to quickly adopt artificial intelligence (AI) while seeking insurance policies to manage potential risks — especially those posed by agentic AI systems that could cause significant damage before being caught by human-in-the-loop processes. The current risk is small as companies test potential ways to integrate AI into their operations. But some insurers are already taking steps to exclude AI-caused damage from their more traditional insurance policies, leaving the risk to be absorbed by cyber insurance policies or tech errors-and-omissions (E&O) coverage. Others have already created explicit policies to protect against AI risks, even if the current market for insuring against AI risk is tiny."
        https://www.darkreading.com/cyber-risk/ai-risk-worries-insurers-businesses-alike
      • The Invisible Battlefield: How Cyberwar Is Reshaping Everyday Life
        "Chris Inglis, First US National Cyber Director, Semperis Strategic Adviser: For much of my career, battlefields were tangible places, deserts, cities, mountains, and oceans you could see and touch. You could point to the terrain, define the front line, and distinguish between the fight abroad and life at home. Today, one of the most consequential battlefields of all is almost entirely invisible. It is cyberspace — ambient, persistent, and woven into nearly every part of modern life."
        https://www.darkreading.com/endpoint-security/invisible-battlefield-cyber-war-reshaping-everyday-life
      • AI Slop Will Kill Cybersecurity Storytelling If We Let It
        "One of the most valuable lessons I learned about cybersecurity storytelling came more than 20 years ago, and it didn't come from a press relations or marketing guru. It came from Rhonda Maclean, one of the industry's first female Fortune 500 CISOs (roles included Boeing, Bank of America, and Barclays) and the keynote speaker at the inaugural Executive Women's Forum conference in 2003. Given how few women were at her level at the time, I expected her talk to be about female empowerment."
        https://www.darkreading.com/cyber-risk/ai-slop-kill-cybersecurity-storytelling-we-let-it
      • Justice Department, FBI Disable 13 Websites Backed By Suspected Chinese Agents That Sought Sensitive U.S. Information From Security Clearance Holders
        "Thirteen internet domains used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information, were seized today by federal authorities. “These domain seizures offer a glimpse at how foreign actors can use promises of easy money to lure Americans into revealing sensitive or classified information that they are duty‑bound to protect,” said Assistant Attorney General for National Security John A. Eisenberg. “Anyone approached online with offers of easy income for vague ‘consulting’ work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting.”"
        https://www.justice.gov/opa/pr/justice-department-fbi-disable-13-websites-backed-suspected-chinese-agents-sought-sensitive
        https://hackread.com/fbi-seizes-china-fake-consulting-sites-us-clearance/
      • Every Set Of AI Guardrails Can Be Broken By The Right Prompt
        "Companies that build AI systems wrap them in guardrails meant to block harmful output, including deepfakes, malware, and instructions for making biological weapons or illicit drugs. When a user prompts the system for such content, the guardrails are designed to flag the request and refuse. A new mathematical proof sets a limit on how secure those guardrails can ever be. Apostol Vassilev, a senior scientist at the National Institute of Standards and Technology, published the proof in the peer-reviewed journal IEEE Security & Privacy. It demonstrates that for any finite set of guardrails, some prompt exists that gets the AI to disregard them. Finding that prompt is the only requirement."
        https://www.helpnetsecurity.com/2026/06/10/broken-ai-guardrails-research/
        https://ieeexplore.ieee.org/document/11475847
      • The Security In Smartphones Is Helping Send Them To Landfills
        "Billions of working smartphones reach the end of their service lives each year and move into drawers, recycling streams, and waste piles. The WEEE Forum estimated that 5.3 billion mobile phones became electronic waste in 2022. Many of these devices still function. The average smartphone stays in use for about three years, and owners often replace handsets that retain enough computing power for other jobs. A team at the Université Libre de Bruxelles examined a barrier to giving those devices a second life. The barrier comes from the security hardware that protects phones during their first life. Secure boot, Trusted Execution Environments, and fused cryptographic keys guard user data and system integrity. These same mechanisms tie a device to its original maker and resist the changes that reuse requires."
        https://www.helpnetsecurity.com/2026/06/10/secure-smartphone-reuse-landfills/
      • Scams Now Operate Like Real Businesses With Budgets And Targets
        "Social media has overtaken email as a primary attack vector, showing changes in how people consume information and interact online, according to Bitdefender’s Global Scam Intelligence Report 2026. Fraud campaigns use advertisements, sponsored content, impersonation pages, and direct messages to reach users. One in seven consumers fell victim to a scam during the past year. Scam operations resemble organized businesses, with structured workflows, dedicated personnel, and tactics designed to exploit trust through familiar brands, platforms, and communication channels."
        https://www.helpnetsecurity.com/2026/06/10/bitdefender-global-scam-trends-report/
      • Identity Theft Is Turning Into a Chain Reaction For Victims
        "For a growing number of victims, identity theft no longer ends with a fraudulent charge or a compromised account. More than one in four people who contacted the Identity Theft Resource Center during the reporting period were dealing with multiple identity-related incidents, according to the organization’s 2026 Trends in Identity Report. The report is based on data from 6,188 individuals who sought assistance between April 2025 and March 2026."
        https://www.helpnetsecurity.com/2026/06/10/identity-theft-incidents-itrc-report/
      • Cybersecurity Software Fails To Detect Fifth Of Browser-Based Phishing Attacks
        "Cybersecurity software regularly fails to detect and prevent the cyber-attacks it is designed to protect organizations from, especially within the browser layer, research by Menlo Security has warned. Published on June 9, Menlo Security's 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks. Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer."
        https://www.infosecurity-magazine.com/news/cybersecurity-fails-to-detect/
        https://www.menlosecurity.com/resources/2026-state-of-browser-security-threat-report
      • Over a Quarter Of Identity Crime Victims Hit By Multiple Incidents, ITRC Data Shows
        "Identity crime experts have warned of “multi-layered crises” after revealing that many victims dealt with two or more incidents over the past year. The findings come from US non-profit the Identity Theft Resource Center (ITRC), which analyzed data from over 6000 reports submitted to it between April 1 2025 and March 31 2026. Its 2026 Trends in Identity Report revealed that nearly 26% of victims managed two or more concurrent identity crime incidents, up from 24% the previous year. ITRC chief operating and programs officer, Mona Terry, said that identity crimes are becoming increasingly complex."
        https://www.infosecurity-magazine.com/news/quarter-identity-crime-victims/
      • One Click To Compromise: ThreatLabz 2026 Phishing And Initial Access Report
        "AI is accelerating the enterprise, but it is also raising the cost of a single user mistake. Phishing remains one of the easiest on-ramps for attackers, with campaigns that look routine, move fast, and convert clicks into access. Identity has also become the real perimeter, and attackers are looking for the fastest path through it. That means more reconnaissance to find exposed entry points, more credential validation to test what will work, and more abuse of encrypted channels to blend into normal traffic."
        https://www.zscaler.com/blogs/security-research/one-click-compromise-threatlabz-2026-phishing-and-initial-access-report
      • Infostealers Turn Millions Of Devices Into Credential Theft Machines
        "Hackers no longer force open the side-window when infostealers can give them a key to the front door. Infostealers have become the primary source of stolen credentials for attackers. Using these credentials is now a favored route for bad actors to access a target effectively as an invited guest. It is quicker, easier, less visible and more effective than forcing an entry. More than 11.1 million devices were infected with infostealers in 2025, reports Flashpoint. More than 3.3 billion credentials, browser artifacts, session information and other forms of identity are now circulating in illicit marketplaces. These don’t simply provide entry to a target, they often provide authorized access to valuable data undisturbed by security defenses within the target."
        https://www.securityweek.com/infostealers-turn-millions-of-devices-into-credential-theft-machines/
        https://flashpoint.io/resources/e-book/2026-guide-to-infostealers/
      • Cybercriminals: The 'auditors' You Never Hired
        "There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias – what Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of significant threats or crises.” It's why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still appear manageable."
        https://www.welivesecurity.com/en/business-security/cybercriminals-auditors-never-hired/
      • Chinese, N. Korean Threat Groups Build On Asia-Pacific Success
        "Cyber-threat groups linked to North Korea and China continue to target financial firms and cryptocurrency assets in the Asia-Pacific region, but face increasing headwinds as national governments collaborate more closely with each other and private industry to seize cryptocurrency accounts linked to illegal activity. In its recent 2026 Financial Services Threat Landscape Report, CrowdStrike noted that six of the nine major threat groups targeting financial services in Q1 2026 are linked to China and North Korea, while at least 78 organizations in the Asia-Pacific and Oceania regions were targeted by cybercriminal groups' data-leak-and-ransom operations."
        https://www.darkreading.com/cyberattacks-data-breaches/chinese-korean-threat-groups-asia-pacific-success
      • GenAI Is Both Hunter And Hunted At Pwn2Own Berlin 2026
        "Pwn2Own has unequivocally arrived in the generative AI (GenAI) age. TrendAI™ Research has a full report on the event that took place at OffensiveCon 2026, but I also had the privilege of participating in the disclosure process for some of the artificial intelligence (AI) targets. Obviously, I cannot discuss the details of the actual bugs until the disclosure period is over, but I have some general observations to make."
        https://www.trendmicro.com/en_us/research/26/f/pwn2own-genai.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases an emergency update fixing a Chrome zero-day exploited in the wild

      Follow news at the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • ServiceNow releases a security update after a vulnerability was found being used for unauthorized access to customer instances

      Follow news at the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical-severity vulnerability found in Veeam Backup & Replication, with a risk of remote code execution

      Follow news at the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT