NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ
    1. หน้าแรก
    2. NCSA_THAICERT
    3. กระทู้
    • รายละเอียด
    • ติดตาม 0
    • คนติดตาม 3
    • กระทู้ 2,385
    • กระทู้ 2,386
    • ดีที่สุด 0
    • Controversial 0
    • กลุ่ม 2

    โพสต์ถูกสร้างโดย NCSA_THAICERT

    • Microsoft ออกแพตช์กรกฎาคม 2026 แก้ไข 622 ช่องโหว่ และ 2 Zero-Day ที่ถูกใช้โจมตีจริง

      Microsoft ออกแพตช์กรกฎาคม 2026 แก้ไข 622 ช่องโหว่ และ 2 Z.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand ca4c90e4-339e-49ac-9ea4-91f8acac505b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • F5 ออกแพตช์แก้ช่องโหว่หลายรายการใน NGINX และ BIG-IP เสี่ยง DoS และรันโค้ดบนระบบ

      F5 ออกแพตช์แก้ช่องโหว่ใน NGINX และ BIG-IP เสี่ยง DoS แล.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 12120ecf-1e73-49f3-947f-8da081fc25e6-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Zoom แจ้งเตือนช่องโหว่ เสี่ยงถูกยึดบัญชีผู้ใช้งานบนระบบปฏิบัติการ Windows

      Zoom แจ้งเตือนช่องโหว่ เสี่ยงถูกยึดบัญชีผู้.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 5a7859bd-399f-440e-908c-5cf14fdcdb6b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 17 July 2026

      Industrial Sector

      • Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix And GuardLogix
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-06
      • Rockwell Automation Arena
        "Successful exploitation these vulnerabilities could allow an attacker to execute arbitrary code in the context of the current process."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-01
      • Rockwell Automation 1756-EN2, 1756-EN3, And 1756-ENBT
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-02
      • NASA Core Flight System (cFS) Health & Safety (HS) Application
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-03
      • AutomationDirect Productivity Suite
        "Successful exploitation of these vulnerabilities could allow an attacker with local or physical access to cause memory corruption, unintended information disclosure, application instability, or a denial-of-service condition in the affected product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04
      • Siemens SICAM 8
        "Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely: - SICAM A8000 Device firmware - CPCI85 for CP-8031/CP-8050 - SICORE for CP-8010/CP-8012 - SICAM EGS Device firmware - CPCI85 - SICAM S8000 - SICORE Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-05
      • SALTO ProAccess Space
        "Successful exploitation of this vulnerability allows an authenticated attacker to escalate privileges and access spaces outside their assigned partition, within the same Salto ProAccess Space installation or system. Exploitation requires valid authenticated operator credentials and the partition feature to be enabled; installations without partitioning are not affected."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-07
      • Rockwell Automation Flex 5000 Adapter
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-08
      • Rockwell Automation FactoryTalk DataMosaix
        "Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts on the server."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-09
      • Legacy Systems, Real-World Impacts: The Reality Of OT Security
        "I’m here today to write about one particularly thorny area of operational technology (OT) and security that I run into somewhat routinely. Given my own particular interests as an incorrigible vulnerability-gazer, and my professional role as vice president of security research at runZero, I deal with OT security issues more often than the average bear. I’ve noticed that there’s definitely a vibe of, “IT be like this, but OT be like that” going on in the wider world of vulnerability management. The process of discovering, documenting, and disclosing vulnerabilities all have their own little quirks here in OT-land, so let’s jump into it!"
        https://www.securityweek.com/legacy-systems-real-world-impacts-the-reality-of-ot-security/

      Vulnerabilities

      • Splunk, Zoom Patch Critical Vulnerabilities
        "Splunk and Zoom this week announced patches for multiple vulnerabilities across their products, including several critical and high-severity security defects. Only three of the five advisories that Splunk published address flaws that are specific to its products, while the other two resolve dozens of bugs in third-party components. The Splunk-specific issues include CVE-2026-20296 (a high-severity command safeguards bypass), CVE-2026-20297 (a high-severity path traversal), and CVE-2026-20298 (a medium-severity information disclosure)."
        https://www.securityweek.com/splunk-zoom-patch-critical-vulnerabilities/
      • F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
        "F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP. The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process. “A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains."
        https://www.securityweek.com/f5-patches-multiple-nginx-big-ip-vulnerabilities/
      • Trend Micro, Tanium, ESET And Tenable Patch Severe Product Vulnerabilities
        "Cybersecurity companies Trend Micro, ESET, Tenable, and Tanium released product updates this month to patch severe vulnerabilities. Tenable told customers this week that it has fixed a critical-severity path traversal in the Tenable Agent. The security hole, tracked as CVE-2026-15265, may allow an attacker to achieve remote code execution. ESET informed customers on Tuesday that it has discovered and patched a high-severity local privilege escalation vulnerability in Inspect Connector for Windows. “On systems with the affected ESET product installed, an attacker could send self-crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’ interface,” ESET explained in its advisory. “Without proper authentication or origin validation in place, this message would be accepted and processed, enabling the attacker to access restricted functionality.”"
        https://www.securityweek.com/trend-micro-tanium-eset-and-tenable-patch-severe-product-vulnerabilities/
        https://www.tenable.com/security/tns-2026-18
        https://support.eset.com/en/ca8970-eset-customer-advisory-local-privilege-escalation-via-unauthenticated-alpc-in-eset-inspect-connector-for-windows-fixed
        https://security.tanium.com/TAN-2026-016/
        https://helpcenter.trendlife.com/en-us/article/tmka-12951
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability
        CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability
        CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • Same Subject, Wrong User: A Cross-Issuer Account Takeover In n8n
        "Months ago, we ran Strix against n8n and it came back with an authentication bug in the token-exchange flow. We submitted the finding and forgot about it. Then, a few weeks ago, we learned it had been assigned CVE-2026-59208 (High). Short version: n8n trusts who signed a token when it verifies it — but forgets who signed it when it decides whose account you are. This is a small post about a small diff with a large blast radius."
        https://www.strix.ai/blog/n8n-cross-issuer-account-takeover
        https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
      • New Agent Data Injection Attack Can Make AI Agents Misclick Or Run Attacker Commands
        "Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for. That is the shape of a new class of attack laid out in a paper posted July 6 by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft."
        https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
        https://arxiv.org/abs/2607.05120
      • No Shark Is Safe: Millions Of Shark Vacuums Are Vulnerable To RCE
        "Millions of Shark vacuums are currently vulnerable to remote code execution. This critical vulnerability leaves hackable cameras with wheels inside the homes of Shark vacuum owners. The vulnerability is trivially exploited as demonstrated in the writeup below. Attempts to remediate the issue with Shark have been unsuccessful as they have downplayed the severity and questioned whether "a CVE is appropriate" for the situation (really?)."
        https://tokay0.com/posts/millions-of-shark-vacuums-vulnerable-to-rce.html
        https://thehackernews.com/2026/07/unpatched-shark-vacuum-flaw-could-let.html
      • OpenAI Admits GPT-5.6 Occasionally Deletes Files – But It's An 'honest Mistake'
        "OpenAI has confirmed reports that GPT-5.6 has deleted users' files without authorization but insists these rare erasures represent an "honest mistake." Following the release of OpenAI's GPT‑5.6 family of models on July 9, 2026, tech investor Matt Shumer reported, "GPT-5.6-Sol just accidentally deleted almost ALL of my Mac's files." A few days later, software engineer Bruno Lemos said, "GPT-5.6 Sol just deleted my whole production database. That's it. Not a joke. This had never happened to me before, with any other model, ever. It's not safe.""
        https://www.theregister.com/ai-and-ml/2026/07/16/openai-admits-gpt-56-occasionally-deletes-files-but-its-an-honest-mistake/5274008
      • 7-Zip XZ Decompression Heap-Based Buffer Overflow Remote Code Execution Vulnerability
        "This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XZ chunked data. Crafted XZ-compressed data can trigger an overflow of a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process."
        https://www.zerodayinitiative.com/advisories/ZDI-26-444/

      Malware

      • ClickLock Stealer: Paste Once, Lose Everything
        "Malware targeting macOS users are usually considered rare and advanced: the system’s built-in protections like Gatekeeper, TCC, System Integrity Protection, mandatory code signing and lower number of users require higher commitments and bring less profit for the attackers compared to other platforms. Although the macOS threat landscape has grown considerably in recent years, with malware like Atomic Stealer (AMOS), Banshee Stealer, Poseidon, Cuckoo, Cthulhu Stealer and MacStealer, the total number of known macOS malware families remains relatively small in contrast to other systems, which means the discovery of a previously undocumented sample with zero detections is always something worth digging into."
        https://www.group-ib.com/blog/clicklock-stealer-macos-malware/
        https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
        https://www.bleepingcomputer.com/news/security/new-clicklock-macos-malware-traps-users-into-revealing-login-password/
        https://www.infosecurity-magazine.com/news/clicklock-macos-stealer-clickfix/
        https://www.securityweek.com/clicklock-stealer-bypasses-macos-security-with-social-engineering-process-killing/
        https://www.theregister.com/cyber-crime/2026/07/16/cmon-just-copy-this-text-string-and-paste-it-into-your-macos-terminal-itll-fix-your-computer-honest/5273701
      • UAT-11795 Deploys Novel Starland RAT And Bespoke WLDR C2 Implant In Financially Motivated Campaign
        "Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. Talos has discovered that the actor in this campaign delivers a Python-based remote access tool (RAT) that we track as “Starland RAT” and a command-and-control (C2) memory implant known as the “WLDR agent.” The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads. UAT-11795 also has CastleStealer and Remcos RAT as alternative payload implants in their arsenal."
        https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/
        https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/
      • Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
        "A previously unseen ransomware family, named Spirals by its operators, was deployed in a double extortion attack against an IT services company in South Asia in June 2026, the Symantec Threat Hunter Team can reveal. The Rust-based payload is either a new ransomware threat or one purpose-built for this attack. The actor behind the attack remains unknown. The attackers moved quickly. Less than 24 hours after the initial breach, the ransomware payload was being pushed to machines on the network. They obtained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Over a rapid three-hour interactive session, they established persistent access, uninstalled endpoint security software, dumped the Security Account Manager (SAM) hive, and set up covert remote access before later deploying the payload across the network."
        https://www.security.com/threat-intelligence/ransomware-spirals-extortion
        https://www.bleepingcomputer.com/news/security/new-spirals-ransomware-encrypts-victim-network-in-under-24-hours/
      • Threat Spotlight: How ‘text Salting’ Confuses AI-Powered Email Defenses
        "Traditional spam filters work by scoring emails on the prevalence of unwanted or malicious terms. Hiding large amounts of harmless-looking text inside an email that can only be seen by security tools helps to dilute the concentration of “bad” words. This makes the emails look benign and legitimate, while the recipient sees only the intended phishing content. The techniques used to hide content are known as “text salting.” Over the last year, researchers have seen an escalation in the use of text salting to confuse not just language detection and keyword analysis, but also machine learning models and, increasingly, LLM-based security tools into misclassifying phishing or spam messages as legitimate and allowing them to be delivered to recipients."
        https://blog.barracuda.com/2026/07/16/text-salting-ai-email-security
        https://www.darkreading.com/threat-intelligence/1m-emails-hidden-text-dupe-ai-security-filters
      • The TTF Trap: A Global Campaign Of a Low-Detection Lua Loader
        "Since late March, 2026, we have been observing large-scale campaigns that use a combination of fileless techniques and Lua-based loaders with low detection rates to deploy various malware families, including Agent Tesla, Remcos, XWorm, and Best Private LOGGER. In these attack campaigns, the threat actor impersonates several well-known companies, using the guise of business cooperation to launch phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file."
        https://www.fortinet.com/blog/threat-research/the-ttf-trap-a-global-campaign-of-a-low-detection-lua-loader
        https://www.infosecurity-magazine.com/news/phishing-lua-loader-truetype-font/
      • HelloNet Campaign — New Malicious Modules Launched Through The ViPNet Update System
        "We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates."
        https://securelist.com/tr/hellonet-vipnet/120700/
      • GoSerpent: a Persistent Threat Evolves With Sophisticated Data Collection And Exfiltration
        "In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication which caught our attention. During the attack, the main malware, dubbed GoSerpent, received an encrypted argument and started communication with a remote server. It was also used to deploy further malicious tools for sensitive data collection and credential dumping on the system."
        https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/
      • TELEPUZ: a Modular MaaS Malware Spreading Via CLICKFIX-VIDAR Chains
        "Elastic Security Labs is tracking an emerging threat named TELEPUZ, which we have discovered spreading widely via a CLICKFIX-VIDAR chain. This malware is in active development and has been operating since late April 2026, according to the infrastructure information we collected. The malware is full-featured, lightweight, and modular. While the number of C2 domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth."
        https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix
        https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html
      • 20+ Hijacked Government Websites Became
an Attack Channel
        "More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden."
        https://thehackernews.com/2026/07/20-hijacked-government-websites.html
      • Daxin Returns: Stealthy Malware Resurfaces In Taiwan Alongside a New Backdoor
        "More than four years after Symantec first uncovered Backdoor.Daxin, the malware has resurfaced. Symantec's Threat Hunter Team uncovered Daxin in active use on a compromised host in Taiwan in May 2026, long after the tool was last found. Alongside it, our researchers found a previously undocumented backdoor (Backdoor.Stupig) that uses a technically distinctive approach to persistence and pre-authentication code execution. No code-level relationship between the two tools has been established. However, their co-deployment on the same host, complementary functions, and similarities in development practices suggest a link. The two samples also carry compile timestamps a few weeks apart in early 2013. While such timestamps can be edited, it is more likely that both samples were created within a short window of one another, which would be consistent with their use by the same actor."
        https://www.security.com/threat-intelligence/daxin-returns-stupig
        https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
      • Sandworm Hackers Have a CAPTCHA Trick For Ukrainians
        "Russian military intelligence hackers have begun using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into infecting their own computers, researchers have found. In a report published Wednesday, Ukraine's computer emergency response team (CERT-UA) said it observed a shift this spring and summer in how the Kremlin-backed hacking group Sandworm gains initial access to the systems of Ukrainian targets. The agency said the group has increasingly adopted a version of the social engineering technique known as ClickFix. In this case, victims are directed to compromised websites displaying a fake CAPTCHA security check designed to distinguish humans from computers."
        https://therecord.media/ukraine-sandworm-hacks-captcha-powershell

      Breaches/Hacks/Leaks

      • Coca-Cola Says Fairlife Ransomware Attack Halts US Dairy Production
        "The Coca-Cola Company disclosed today that a ransomware attack impacting its Fairlife dairy subsidiary has disrupted operations, temporarily suspending production of Fairlife products across the United States. In a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), Coca-Cola said Fairlife detected unauthorized access to some of its systems, including its production-related systems, in connection with a ransomware attack. "After detecting the issue, the Company promptly activated its incident response and business continuity protocols," Coca-Cola said in the filing."
        https://www.bleepingcomputer.com/news/security/coca-cola-says-fairlife-ransomware-attack-halts-us-dairy-production/
      • Romania’s Land Registry Hit By Cyber Attack, Data Allegedly For Sale
        "Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a major disruption on Tuesday, July 14, when its e-Terra cadastre and land registry app became unavailable to users. What was first declared to be a “major technical incident” has now been confirmed as a cyber attack. While the circumstances are still being investigated by the competent state institutions, ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident."
        https://www.helpnetsecurity.com/2026/07/16/romania-ancpi-cyber-attack/
      • Cyberattack On Japan's Largest Cold-Chain Operator Disrupts KFC, Supermarket Supplies
        "A cyberattack on Japan's largest refrigerated logistics company has rippled through the country's food supply chain, leaving Kentucky Fried Chicken restaurants short on ingredients and major restaurant chains struggling to keep up with deliveries. Nichirei Logistics Group, which transports frozen and refrigerated food for about 5,000 customers across Japan, said it experienced a system outage on Monday. The company confirmed Thursday that hackers breached its servers. To contain the attack and protect customer data, the company disconnected key systems, bringing parts of its logistics network to a standstill."
        https://therecord.media/cyberattack-japan-nichirei-logistics-impacts-kfc
        https://www.theregister.com/security/2026/07/16/cyberattack-threatens-utterly-critical-infrastructure-in-japan-kfc/5272220
      • Tech Support Scam Caused Massive Data Breach At Australian Airline Qantas
        "Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket."
        https://www.theregister.com/cyber-crime/2026/07/16/tech-support-scam-caused-massive-data-breach-at-australian-airline-qantas/5272267
        https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/Investigation-inquiry-reports/report-into-preliminary-inquiries-of-qantas

      General News

      • Scattered Spider Members Behind TfL Hack Get Five Years In Prison
        "Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024. On September 2, 2024, TfL (which provides transportation services to more than 8.4 million Londoners) disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services. Affected services and platforms included TfL's Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency's ability to process refunds. Additionally, 148 systems became inoperable across TfL's network, and all 27,000 TfL employees had to reset their passwords in person after the breach."
        https://www.bleepingcomputer.com/news/security/scattered-spider-members-behind-transport-for-london-hack-get-five-years-in-prison/
        https://www.infosecurity-magazine.com/news/selfish-bravado-behind-tfl/
        https://www.theregister.com/cyber-crime/2026/07/16/brit-scattered-spider-duo-handed-tickets-to-prison-over-transport-for-london-attack/5272446
        https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
        https://therecord.media/scattered-spider-hackers-tfl-sentenced
        https://hackread.com/two-scattered-spider-members-sentenced-tfl-cyberattack/
        https://www.securityweek.com/two-scattered-spider-hackers-sentenced-to-jail-in-uk/
        https://securityaffairs.com/195501/cyber-crime/two-scattered-spider-members-sentenced-to-prison-over-29-million-tfl-cyberattack.html
        https://www.helpnetsecurity.com/2026/07/16/ransport-for-london-cyberattack-prison-time/
      • The Hunter's Paradox: Is It Time To Embrace Automated Threat Hunting?
        "Should we let AI run our threat hunts? The debate usually splits into two camps. One says, "Yes, obviously! The sheer scale of our security telemetry is impossible for humans to deal with." The other says, "Absolutely not! You can't trust an AI with something this important." The thing is, I think both are wrong, or at least incomplete. I've spent a long time as one of the louder voices saying that hunting is specifically a human-driven process. I created the first widely recognized definition of threat hunting back in 2015, and the version I'd have given you until very recently put a human firmly at the center of it."
        https://blog.talosintelligence.com/the-hunters-paradox-is-it-time-to-embrace-automated-threat-hunting/
      • Agentic AI Is Untamable: Ask The Right Security Questions
        "Agentic security challenges stem from a mindset, not the technology so solving them requires a fundamental shift in how organizations think about control. While agentic systems can save organizations time across several operations, from cybersecurity and software development to customer support, agents also introduce significant risks to the organization. These systems require alarmingly high levels of access to sensitive information, as well as the use of external tools, to complete tasks with little to no human oversight. They constitute yet another attack surface for threat actors to target."
        https://www.darkreading.com/cybersecurity-operations/agentic-ai-untamable-ask-the-right-security-questions
      • Reading Between The Lines Of a Cyber Insurance Policy
        "Enterprises in regulated industries often carry cyber insurance policies because contracts require it or boards ask for documented risk transfer. The global market for these policies reached about $16 billion in premiums in 2024. Coverage has become widespread. Payouts have grown less predictable. The Global Federation of Insurance Associations, which represents insurers accounting for close to 90 percent of premiums worldwide, quantified the cyber protection gap at about $900 billion in a 2023 report, with annual economic losses from cyber incidents exceeding that figure."
        https://www.helpnetsecurity.com/2026/07/16/cyber-insurance-coverage-gap/
      • Companies Keep Getting Breached By Vulnerabilities They Already Knew About
        "Scanning tools have gotten good at their work. Organizations now find more weaknesses across more of their systems than at any earlier point in the industry’s history. A survey from the security firm Vicarius points to a gap that opens after that discovery, in the work of assigning, approving, deploying, and confirming a fix. The company surveyed 300 IT and cybersecurity leaders in the United States and the United Kingdom, at organizations with 500 to 2,000 employees. On average, 58% of remediation activities require direct human intervention. Automated discovery, scanning, and reporting have become common across the sample. The work of deciding what to fix and pushing the change through still runs on people. Only a small share of organizations have removed people from the loop entirely, at 7%, and that pattern held steady across company sizes and industries."
        https://www.helpnetsecurity.com/2026/07/16/ciso-vulnerability-remediation-gap/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 3d054581-a441-44d7-805b-bba88a908b8b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 16 July 2026

      Industrial Sector

      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Rockwell
        "Industrial giants Siemens, Schneider Electric, and Rockwell Automation have published July 2026 Patch Tuesday advisories to inform customers about vulnerabilities found in their ICS products. Siemens published nine new advisories, including six that cover critical vulnerabilities (based on CVSS score). A CVSS score of 10 has been assigned to a token invalidation vulnerability in Opencenter X that allows an attacker to bypass authentication and gain full access to the application. Critical vulnerabilities have also been patched or mitigated by Siemens in Mendix, Sidis Secured SmartPlug, Simatic S7-1500, Cadra, and Desigo CC. The security holes, many of which affect third-party components, can be exploited to launch DoS attacks, execute code, obtain sensitive data, and escalate privileges."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-rockwell/

      New Tooling

      • SingGuard-NSFA: Open-Source Guardrails For Agentic AI
        "SingGuard-NSFA is an open-source guardrail framework aimed at operational threats in agent workflows. Four models ship at 0.8B, 2B, 4B, and 9B parameters, all built on Qwen3.5 base backbones. The NSFA risk taxonomy organizes threats along the CIA triad of confidentiality, integrity, and availability. It defines 185 risk variants grouped under a smaller set of top-level domains and mid-level categories, cross-validated against three OWASP guidelines."
        https://www.helpnetsecurity.com/2026/07/15/singguard-nsfa-open-source-agentic-ai-guardrails/
        https://github.com/inclusionAI/SingGuard-NSFA

      Vulnerabilities

      • Zoom Warns Of Critical Account Takeover Vulnerability
        "Zoom is warning of a critical vulnerability in its desktop client and software development kit for Windows that could be exploited by an unauthenticated party to hijack accounts. Discovered internally, the security issue is tracked as CVE-2026-53412 and received a severity score of 9.8 out of 10. In an advisory this week, the messaging platform says that the flaw affects Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15, and 6.5.18, and the Meeting SDK for Windows before version 7.0.0."
        https://www.bleepingcomputer.com/news/security/zoom-warns-of-critical-account-takeover-vulnerability/
        https://www.zoom.com/en/trust/security-bulletin/zsb-26014/
      • Vulnerabilities Patched By Fortinet, Ivanti, ServiceNow
        "Fortinet, Ivanti, and ServiceNow on Tuesday rolled out patches for 15 vulnerabilities across their products. ServiceNow resolved a critical remote code execution (RCE) flaw in the ServiceNow AI platform that can be exploited without authentication. The bug is tracked as CVE-2026-6875 (CVSS score of 9.5). “ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners,” the company said. Ivanti released fixes for two security defects in its data aggregation and visualization tool Xtraction, tracked as CVE-2026-14902 and CVE-2026-14903."
        https://www.securityweek.com/vulnerabilities-patched-by-fortinet-ivanti-servicenow/
      • Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates
        "Google and Mozilla have released fresh Chrome 150 and Firefox 152 updates that resolve critical-severity vulnerabilities. Mozilla rolled out Firefox 152.0.6 with patches for two critical security defects, warning that exploit code has been published for both. The bugs are tracked as CVE-2026-15718 and CVE-2026-15719, and are described as an invalid pointer in the ‘JavaScript: WebAssembly’ component and a site isolation issue in the ‘DOM: Navigation’ component."
        https://www.securityweek.com/critical-vulnerabilities-patched-with-fresh-chrome-150-firefox-152-updates/
        https://thehackernews.com/2026/07/firefox-chrome-adobe-and-vmware-updates.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2023-4346 KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
        CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • PromptFiction: One-Click Claude Desktop Vulnerability
        "A single click on a trusted-looking link runs an attacker's instructions inside Claude Desktop. No confirmation, no review. Claude Desktop registers a claude:// URL scheme. Click a link that uses it and the app opens, takes a prompt from the link, and submits it. The user never sees the full prompt, and never approves it. We proved it with a decoy ASCII-art tool: the link it hands you carries a request you can read and an instruction you cannot. The same channel can plant a hidden prompt, exfiltrate conversation history, read the file system, or execute code."
        https://www.oasis.security/resources/reports/claude-url-scheme-prompt-injection
        https://pages.oasis.security/rs/106-PZV-596/images/promptfiction-claude-desktop-technical-report.pdf?version=0
        https://www.darkreading.com/vulnerabilities-threats/claude-flaw-malicious-prompts-ai-agents
        https://hackread.com/promptfiction-flaw-auto-prompts-claude-desktop/
      • The Cursor Deeplink Vulnerability That Turns a “review This PR” Click Into Remote Code Execution
        "A crafted cursor:// link installs an attacker-controlled MCP server that executes unsandboxed commands under your account. The install dialog is supposed to be the safeguard, but it doesn’t reliably show the command being approved. The attack comes in two variants. Both hide the real command inside the dialog, one also disguises the link as a routine code review. Cursor’s own triage named the root cause in writing, closed the report as a duplicate, but the latest build is still vulnerable. An attacker, posing as a teammate, sends you a link to review a pull request. You click it, Cursor opens, and a dialog asks you to install an MCP server with a command that looks routine. You approve it the way you approve a dozen prompts a day. The MCP server is attacker-controlled, and it now runs commands as you, with no sandbox between it and your files, your tokens, and your shell."
        https://adversa.ai/blog/cursor-security-deepjack-deeplink-vulnerability-mcp-rce/
        https://www.darkreading.com/application-security/2-click-cursor-exploit-dev-environment-takeover
      • An AI Overthinking Attack Can Tie a Robot Up For Over a Minute
        "Robots that read the world through cameras now lean on large vision-language models to interpret what they see and decide what to do next. These models handle images and text together, so any words that fall inside the camera frame become part of the input. A stop sign, a street name, a sticker on a wall. Researchers at Michigan Technological University have shown that this reading habit opens a door for attackers, and the door leads to a denial-of-service problem that looks nothing like the ones most defenders track."
        https://www.helpnetsecurity.com/2026/07/15/robot-ai-overthinking-attack/
        https://arxiv.org/pdf/2607.01518
      • Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
        "Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires another standard user credential and a third username (which can be an administrator account)," Chaotic Eclipse said. "If the PoC is successful, it will end up mounting the target user hive in the current user classes root.""
        https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
        https://securityaffairs.com/195418/hacking/chaotic-eclipse-unveils-legacyhive-exploit-affecting-fully-patched-windows-systems.html
        https://www.theregister.com/security/2026/07/15/microsofts-serial-tormentor-drops-legacyhive-0-day/5271723

      Malware

      • Case Study: Distribution Of a CoinMiner Targeting Linux SSH Servers Via Malware Distribution Via Network Transmission
        "The AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed Linux servers using multiple honeypots. Recently, ASEC identified cases where malware with propagation capabilities was used to install the XMRig CoinMiner. In these attack cases, malware such as ShellBot, MIG LogCleaner, and XHide were used. The threat actors created and used downloaders and propagation malware written in the Go programming language; they also built and used scripts with Shc (Shell Script Compiler). The same threat actors appear to have been carrying out these attacks since at least 2023."
        https://asec.ahnlab.com/en/94484/
      • Six Minutes To Compromise: How ‘Patriot Bait’ Actor Used AI To Build And Deploy a C&C Botnet
        "TrendAI™ Research obtained and analyzed 200 Gemini CLI session logs from the Russian-speaking threat actor known as “bandcampro” that provided a month-long window (March 19-April 21, 2026) into the actor's daily AI-assisted operations. The logs documented how the threat actor used an AI agent to migrate a command-and-control (C&C) server, and to control a small-scale botnet, among other hacking activities. The actor used Google Gemini CLI to deploy and operate a C&C infrastructure to control eight computers in a dental clinic and access their OpenDental database."
        https://www.trendmicro.com/en_us/research/26/g/actor-behind-patriot-bait-used-ai-to-deploy-c2-botnet.html
        https://www.bleepingcomputer.com/news/security/google-gemini-cli-abused-as-a-hacking-agent-malware-botnet-operator/
      • Coordinated AsyncAPI Supply Chain Attack: Miasma RAT Delivered Via Compromised CI/CD Pipelines In Two Repositories
        "On July 14, 2026 at 07:10 UTC, three packages in the AsyncAPI generator monorepo (@asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/[email protected]) were published to npm carrying an obfuscated dropper that fires the moment the library is loaded, not on install. The packages were published through the project's own legitimate GitHub Actions release workflow and carry valid npm OIDC provenance attestations, because the attacker didn't steal an npm token: they gained push access to the repository's next branch and let the project's real CI/CD pipeline do the publishing for them."
        https://www.stepsecurity.io/blog/compromised-next-branch-pushes-malicious-asyncapi-generator-generator-helpers-and-generator-components-to-npm
        https://www.ox.security/blog/asyncapi-npm-organization-compromised-2m-weekly-downloads-affected/
        https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
        https://socket.dev/blog/asyncapi-supply-chain-attack
        https://www.bleepingcomputer.com/news/security/-asyncapi-npm-packages-infected-with-credential-stealing-malware/
        https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html
        https://securityaffairs.com/195395/security/asyncapi-npm-supply-chain-attack-malware-injected-into-packages-with-2-million-weekly-downloads.html
      • When Routine Becomes The Threat: The Evolution Of Finance-Themed Phishing
        "Finance-themed phishing campaigns are evolving toward process-oriented messaging tactics, in which email subject lines are utilizing more process-driven language rather than pressure-driven. Threat actors are shifting away from messaging that uses overt emotional urgency and toward ordinary business language that mirrors daily financial workflows. We are seeing these campaigns more frequently, which may indicate a shift towards a more widely adopted approach. This trend also presents detection challenges, making these messages harder to distinguish as they closely resemble legitimate finance-related email correspondences such as invoices, remittance notices, procurement requests, contract revisions, and vendor follow-ups that are likely to bypass AI-based security email gateways (SEGs) and other email security technologies."
        https://cofense.com/blog/when-routine-becomes-the-threat-the-evolution-of-finance-themed-phishing
      • Cyberstalkers Are Exploiting Chrome Sync To Spy On Victims
        "Emma* (not her real name) thought she’d finally found a way out. Late one night, while her partner was asleep, she spent twenty minutes searching for a family lawyer and reading through a domestic abuse support website, careful to close the tabs afterwards. Two days later, her partner brought it up. He knew which website she’d visited and exactly when. Emma had been careful to only ever use her own device, and she hadn’t noticed any new apps appear on her phone. What she didn’t know was that weeks earlier, during a few unattended minutes with her phone, he had opened the Chrome app and quietly signed it into a Google account of his own."
        https://www.certosoftware.com/insights/cyberstalkers-exploiting-chrome-sync-to-spy/
        https://cyberscoop.com/google-chrome-sync-cyberstalking-exploit/
      • The Agentic Attacker: One Objective, One Prompt, Forty Minutes, Domain Admin – Game Over
        "In a controlled enterprise lab, we tested how far an agentic attack stack could go by harnessing a frontier model with an agent platform, MCP-enabled tooling, operational context, and enough autonomy to execute a complete attack path. We demonstrated a complete end-to-end attack chain, from external access to Domain Administrator privileges, using an agentic attack stack in a controlled Active Directory environment. A condensed video demonstration of the successful execution is included as part of this research."
        https://www.catonetworks.com/blog/the-agentic-attacker-one-objective-one-prompt-forty-minutes-domain-admin-game-over/
        https://cyberscoop.com/ai-cybersecurity-harness-autonomous-hacking/
      • SeasonalInvite: New Phishing Campaign Abuses eCards And RMM
        "A phishing campaign we named SeasonalInvite has been deploying and abusing commercial Remote Monitoring and Management (RMM) tools on victims since at least January 2026, using social engineering themes tied to the seasonal calendar. The campaign targets both Windows and macOS users. This investigation confirmed abuse of four RMM tools: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and O&O Syspectr. We identified 959 eCard-themed domains and a Traffic Distribution System (TDS) using 2,658 gate pages to route victims to phishing pages while blocking automated security scanners."
        https://www.forescout.com/blog/seasonalinvite-new-phishing-campaign-abuses-ecards-and-rmm/
        https://www.infosecurity-magazine.com/news/seasonalinvite-phishing-ecards-rmm/
      • OkoBot: New Sophisticated Malware Framework Targets Cryptocurrency Users
        "In January 2026, we identified multiple attacks involving unknown malware that captures the contents of cryptocurrency wallet windows. During the investigation, we reconstructed the complete infection chain, which consisted of four tightly linked stages initiated by the execution of the previously described malicious PowerShell script TookPS. However, this campaign differs from previous activity in that it uses a new framework to deliver all malicious modules and orchestrate them via an SSH tunnel. In total, the framework includes more than 20 malicious payloads and implants, covering a wide variety of functions. At the time of writing, the threat remains active."
        https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
        https://thehackernews.com/2026/07/okobot-malware-framework-injects-seed.html
      • ClaudeFix: Shared Claude Chats Meet ClickFix
        "ClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats."
        https://www.zscaler.com/blogs/security-research/claudefix-shared-claude-chats-meet-clickfix
      • Bind Link Abuse: One Windows Feature, Many Ways To Blind Your EDR
        "Windows includes a file-system virtualization feature that can redirect one local path to another without modifying the original file or leaving a persistent filesystem artifact. It is implemented by bindflt.sys, the Bind Filter minifilter driver, and used legitimately by Store apps, Windows Sandbox, and Windows containers. Bitdefender Labs documented and named three new techniques that an attacker running as a local administrator can use to blind EDR sensors and bypass built-in Windows defenses such as AMSI and AppLocker."
        https://businessinsights.bitdefender.com/bind-link-abuses-windows-feature-edr-evasion-technique
        https://www.securityweek.com/windows-bind-link-attacks-can-hide-malware-from-edr-tools/
      • TuxBot v3: Inside An IoT Botnet Framework With LLM-Assisted Development
        "We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution. The malware authors leveraged an LLM to assist in their code development, yielding mixed results. While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping. Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly. While a manual code review could have easily resolved these errors, the authors neglected this step. However, it is highly likely that corrected, more polished iterations exist, which significantly elevates the potential threat posed by this malware."
        https://unit42.paloaltonetworks.com/tuxbot-v3-evolution-iot-botnet/
        https://thehackernews.com/2026/07/tuxbot-v3-evolution-shows-signs-of-llm.html
      • 'The Bots Are Alive!' Jailbroken Gemini Spun Up New C2 Server For Russian Fraudster In Just 6 Minutes
        "A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register. The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists."
        https://www.theregister.com/research/2026/07/14/the-bots-are-alive-jailbroken-gemini-spun-up-new-c2-server-for-russian-fraudster-in-just-6-minutes/5270131
      • Clubfoot Wolf Launches Massive Offensive On Russian Businesses
        "In May and June 2026, the Clubfoot Wolf cluster conducted a large‑scale campaign targeting Russian organizations across the following sectors: manufacturing, retail, e‑commerce, agriculture, IT, transportation, healthcare, and science. The primary targets were Russian wholesale distributors of chemical products. The adversary also attacked several organizations in Belarus."
        https://bi.zone/eng/expertise/blog/clubfoot-wolf-massovo-komprometiruet-rossiyskie-kompanii/
      • Suspected Chinese Operators Use Claude Code And DeepSeek To Target Government And Financial Systems Across Four Countries
        "In June 2026, a pivot from known TencShell C2 infrastructure led us to an open directory exposing an active intrusion campaign. TencShell is a Go-based implant derived from the open-source Rshell framework, first documented by Cato CTRL in May 2026 and assessed there as suspected China-linked. The directory held victim source code, custom exploit scripts, operational logs, and cloned login pages, with the attack notes written in Simplified Chinese. What caught our attention was the tooling behind it. Claude Code and DeepSeek-v4-pro ran as working parts of the intrusion, not tools off to the side. They handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials. That puts this campaign alongside Anthropic's November 2025 disclosure of a China-linked operation that used Claude Code to automate large-scale intrusions."
        https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion
      • No Single Pane Of Glass: Anatomy Of An Azure Permission Takeover
        "The Sysdig Threat Research Team (TRT) recently watched as an attacker started with a single leaked service-principal credential and, by the next morning, owned the tenant. This attacker took complete, dual-plane control of the tenant with Global Administrator (GA) ownership of the directory and root-level access over every resource. They planted persistence across dozens of identities and took the keys to the telemetry pipeline that was supposed to be watching them. Stopping this attack was easy. However, analyzing the attack was actually quite complex, and it came down to one question with many answers:"
        https://www.sysdig.com/blog/no-single-pane-of-glass-anatomy-of-an-azure-permission-takeover

      Breaches/Hacks/Leaks

      • Infostealer Malware Triggers Major Database Breach At The Argentine Football Association
        "When the Argentine Football Association (AFA) suffered a significant cyberattack, media outlets were quick to cover the fallout. The breach resulted in sensitive database leaks and unauthorized communications originating from official AFA domains, causing severe reputational and operational damage. The incident was also widely reported on X, including from accounts like Polymarket with tens of thousands of likes."
        https://www.infostealers.com/article/infostealer-malware-triggers-major-database-breach-at-the-argentine-football-association/
        https://www.theregister.com/security/2026/07/13/world-cup-grudge-attackers-may-have-scored-argentine-fa-access-via-year-old-infostealer-infection/5270302

      General News

      • Establishing a Coordinated Vulnerability Disclosure Program To Work With Security Researchers
        "Developed by CISA, the National Security Agency (NSA) and international partners, this joint guidance contains best practices for software manufacturers and online service providers to design and implement a coordinated vulnerability disclosure (CVD) program for working with external security researchers that includes a clear vulnerability disclosure policy (VDP) and process for triaging, remediating and assigning Common Vulnerabilities and Exposures (CVE) identifiers to reported vulnerabilities. The guidance also provides considerations for leveraging third-party intermediaries, like CISA or other national computer security incident response teams, to substitute or supplement a CVD program."
        https://www.cisa.gov/resources-tools/resources/establishing-coordinated-vulnerability-disclosure-program-work-security-researchers
        https://www.cisa.gov/sites/default/files/2026-07/joint-guide-establishing-a-cvd-program-to-work-with-security-researchers_508c.pdf
      • June 2026 Infostealer Trend Report
        "This report summarizes the distribution channels, number of Infostealers, number of detections, and information on companies disguised by new Infostealers collected during June 2026. The collected samples were obtained through an automated data collection system, an email honeypot system, and an automated malware C2 analysis system operated by ASEC (AhnLab SEcurity intelligence Center)."
        https://asec.ahnlab.com/en/94486/
      • Dutch Police Bust Investment Fraud Ring Stealing Over €100 Million
        "The Dutch Police announced the arrest of multiple individuals suspected of being part of an international investment fraud scheme estimated to have tens of thousands of victims. The group is believed to have operated 20 call centers, with more than 700 people posing as financial advisers. Authorities estimate that the criminal organization at one point made more than 100 million euros ($114 million) per month. The call centers were located in different places across multiple countries, and each hosted several teams with distinct roles and targeting focuses."
        https://www.bleepingcomputer.com/news/security/dutch-police-bust-investment-fraud-ring-stealing-over-100-million/
        https://therecord.media/dutch-police-dismantle-global-crypto-investment-scam
      • US Charges Alleged Operators Of Russian Bulletproof Hosting Service
        "U.S. federal prosecutors have unsealed charges against three Russian nationals, accusing them of providing bulletproof hosting (BPH) services to ransomware gangs that caused over $62 million in damages to victims worldwide. BPH providers lease servers that help hinder disruption efforts targeting their malicious activities, including malware delivery, command-and-control operations, phishing attacks, and illicit content hosting. They market themselves as "bulletproof" by ignoring victims' complaints and subsequent law enforcement takedown requests."
        https://www.bleepingcomputer.com/news/security/us-charges-alleged-russian-bulletproof-hosting-service-operators/
        https://www.bankinfosecurity.com/feds-target-widely-used-russian-bulletproof-hosting-services-a-32230
        https://www.securityweek.com/us-charges-russian-individuals-and-firms-for-running-cybercrime-services/
      • The State Of Ransomware 2026: Payments Are Dropping But Encryption Is Climbing
        "This year's data has a few eyebrow-raising departures from the patterns of past State of Ransomware reports. Exploited vulnerabilities lost their three-year grip on the top root-cause spot. Median ransom demands and payments both dropped, yet the average recovery bill still climbed. And small organizations (100-250 employees) are falling further behind their larger peers on the one metric that matters most: stopping the attack before data gets encrypted. The seventh annual Sophos State of Ransomware report is based on a vendor-agnostic survey of 2,158 IT and security leaders whose organizations were hit by ransomware in the last 12 months."
        https://www.sophos.com/en-us/blog/sophos-state-of-ransomware-2026
        https://www.darkreading.com/identity-access-management-security/identity-attacks-overtake-exploits-top-ransomware-cause
        https://www.infosecurity-magazine.com/news/compromised-logins-ransomware-entry/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 0f940cfe-606c-472c-ac6d-a3d012ad250a-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Progress ยืนยันช่องโหว่ Zero-Day ใน ShareFile พร้อมออกแพตช์แก้ไข

      Progress ยืนยันช่องโหว่ Zero-Day ใน ShareFile พร้อมออกแพตช์.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 815f51ab-f04d-475b-8897-0f54d7226399-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เตือนผู้ดูแลระบบเร่งแพตช์ช่องโหว่ SharePoint Server ที่ถูกใช้โจมตี

      CISA เตือนผู้ดูแลระบบเร่งแพตช์ช่องโหว่ SharePoint Ser.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand db9e6d25-4b92-4e97-864c-0a3c4f501b94-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • SonicWall แจ้งเตือนช่องโหว่ Zero-Day บนอุปกรณ์ SMA1000 แนะผู้ดูแลระบบเร่งอัปเดตแพตช์เพื่อความปลอดภัย

      SonicWall แจ้งเตือนช่องโหว่ Zero-Day บนอุปกรณ์ SMA1000 แนะผ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 88d0bc81-4a7d-4742-a48f-29d55c066510-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ

      Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ เมื่อวันที่ 14 กรกฏาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

      • ICSA-26-195-01 ABB Advant Master Online Builder
      • ICSA-26-195-02 ABB Ability Edgenius
      • ICSA-26-195-03 ABB T-MAC Plus
      • ICSA-26-195-04 Rockwell Automation 1715 EtherNet/IP Communications Module
      • ICSA-25-352-01 Inductive Automation Ignition (Update A)

      อ้างอิง
      https://www.cisa.gov/news-events/ics-advisories c6e2e267-7840-4c4e-aa21-fd663bcc6015-image.png

      โพสต์ใน OT Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 4 รายการลงในแคตตาล็อก

      เมื่อวันที่ 14 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 4 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
      • CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability
      • CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
      • CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 554f257a-9846-40a0-b0e2-2eb315006ebd-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 15 July 2026

      Industrial Sector

      • ABB T-MAC Plus
        "ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves the reported vulnerabilities. An attacker who successfully exploited any of these vulnerabilities could potentially compromise the system in different ways."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-03
      • Rockwell Automation 1715-AENTR EtherNet/IP Adapter
        "Successful exploitation of this vulnerability could allow an attacker to read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-04
      • ABB Advant Master Online Builder
        "ABB became aware of vulnerability in the products versions listed as affected in the advisory, where an incorrect version of Online Builder (ONB) was included in the media. An update is available that resolves the vulnerability, see details in Recommended immediate actions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-01
      • ABB Ability Edgenius
        "ABB is aware of public reports of a vulnerability CVE‑2026‑31431 (Copy Fail) in the product versions listed as affected in the advisory. An update is available that resolves a publicly reported vulnerability. CVE‑2026‑31431 (Copy Fail) is a Linux kernel vulnerability that may allow a locally authenticated user or compromised container workload to gain elevated (root) privileges on affected systems. Once root access is obtained, the attacker can effectively gain complete control of the system"
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-02

      New Tooling
      Chatto: Open-Source Team Messenger With Privacy At Its Core
      "Teams that want their group chats off commercial platforms have a growing menu of self-hosted options. Chatto joined that group when its developer released the code under an open-source license and posted binaries for anyone to run on their own hardware. The software aims at the same ground as the large team messaging services, and it keeps message data on infrastructure the operator controls. Installation runs through a single executable. An operator drops the binary onto a machine, runs it, and gets a working chat server that serves its own web frontend. Builds exist for Linux on x86_64 and ARM64, macOS, and Windows. A basic setup needs no separate database, and larger deployments scale out with Docker Compose or Kubernetes."
      https://www.helpnetsecurity.com/2026/07/14/chatto-self-hosted-chat-app-privacy/
      https://github.com/chattocorp/chatto

      Vulnerabilities

      • SonicWall Warns Of SMA1000 Flaws Exploited In Zero-Day Attacks, Patch Now
        "SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates. CVE-2026-15409 is a critical (CVSS 10.0) server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface that allows a remote, unauthenticated attacker to force an appliance to make requests to unintended locations. CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the SMA1000 Appliance Management Console that could allow a remote authenticated administrator to execute arbitrary operating system commands."
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-flaws-exploited-in-zero-day-attacks-patch-now/
        https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008
        https://www.helpnetsecurity.com/2026/07/14/sonicwall-sma-attacks-via-cve-2026-15409-cve-2026-15410/
      • SAP Warns Of Critical Flaws In NetWeaver And Commerce Cloud
        "SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter. The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software."
        https://www.bleepingcomputer.com/news/security/sap-warns-of-critical-flaws-in-netweaver-and-commerce-cloud/
        https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2026.html
        https://thehackernews.com/2026/07/sap-patches-cvss-99-netweaver-abap-flaw.html
        https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver-approuter-commerce-cloud/
      • 7 Severe Vulnerabilities Patched In VMware Avi Load Balancer
        "Broadcom announced on Tuesday that new VMware Avi Load Balancer updates patch several critical and high-severity vulnerabilities. VMware Avi Load Balancer is a software-defined platform that provides load balancing, application security, and analytics for applications in hybrid and multi-cloud environments. According to Broadcom, two external researchers recently discovered that the VMware product is affected by seven potentially serious vulnerabilities."
        https://www.securityweek.com/7-severe-vulnerabilities-patched-in-vmware-avi-load-balancer/
        https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37926
      • CISA Urges SharePoint Hardening After New Exploitations
        "CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity."
        https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
      • Microsoft July 2026 Patch Tuesday Fixes Massive 570 Flaws, 3 Zero-Days
        "Today is Microsoft's July 2026 Patch Tuesday, and with it comes security updates for a record-breaking 570 flaws, including two zero-day vulnerabilities exploited in attacks and one publicly disclosed. Patch Tuesday addresses 59 "Critical" vulnerabilities, 48 of which are remote code execution, 9 are elevation of privilege, 1 is a security bypass, and 1 is a spoofing."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/
        https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2026/
        https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html
        https://www.darkreading.com/vulnerabilities-threats/records-broken-patch-tuesday-raises-triage-stakes
        https://cyberscoop.com/microsoft-patch-tuesday-july-2026/
        https://www.securityweek.com/microsoft-patches-record-622-vulnerabilities-including-two-exploited-zero-days/
        https://securityaffairs.com/195347/security/patch-tuesday-security-updates-for-july-2026-the-largest-update-ever-621-cves-in-one-month.html
      • Adobe Patches Critical ColdFusion Vulnerabilities
        "Adobe on Tuesday rolled out security updates for 12 products to address 88 vulnerabilities, including critical-severity bugs in ColdFusion, Commerce, Experience Manager, and Illustrator. Out of 13 security defects resolved in ColdFusion, eight – CVE-2026-48318, CVE-2026-48322, CVE-2026-48284, CVE-2026-48321, CVE-2026-48325, CVE-2026-48319, CVE-2026-48324, and CVE-2026-48327 – are critical issues that could lead to arbitrary code execution and privilege escalation."
        https://www.securityweek.com/adobe-patches-critical-coldfusion-vulnerabilities/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
        CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability
        CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
        CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
      • Progress Confirms ShareFile Zero-Day Flaw Behind Storage Zone Shutdown
        "Progress Software has confirmed that a high-severity zero-day vulnerability is behind the emergency shutdown of ShareFile Storage Zone Controllers last week and has released security updates to patch the flaw. Last week, Progress urged customers using ShareFile Storage Zone Controllers to immediately shut down their Windows servers after receiving a warning of a "credible external security threat." At the time, the company temporarily disabled access to all ShareFile accounts using Storage Zone Controllers while it investigated the incident with cybersecurity experts."
        https://www.bleepingcomputer.com/news/security/progress-confirms-sharefile-zero-day-flaw-behind-storage-zone-shutdown/
      • Cursor 0day: When Full Disclosure Becomes The Only Protection Left
        "Sometimes security research uncovers deeply technical vulnerabilities that require pages of explanation. This isn't one of those cases. This bug is simple. A developer opens a repository in Cursor on Windows, and if that repository contains a malicious git.exe in the project root, Cursor will execute it automatically. There are no clicks, prompts, approval dialogs, or warnings. The result is arbitrary code execution."
        https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
        https://www.darkreading.com/application-security/cursor-ide-malicious-code-poisoned-repos
      • Tego AI Finds Anthropic’s Claude Tag Slack Integration Can Trigger Unauthorized Enterprise Actions
        "Drop a line of text into the right Slack channel and Claude will act on it. It doesn't matter who you are — in the workspace or not, in the channel or not, a human or not. A bot, a webhook, an RSS feed, a scraped web page: if the text contains @Claude, the agent wakes up and starts following instructions, under your organization's own credentials."
        https://www.tego.ai/blog/tego-ai-finds-anthropics-claude-tag-slack-integration-can-trigger-unauthorized-enterprise-actions
      • Forgotten UEFI Shims Undermining Secure Boot
        "ESET researchers identified 11 old and forgotten UEFI shim bootloaders at versions 0.9 and below that can be used to bypass UEFI Secure Boot on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CA) certificate, regardless of the installed operating system (OS). Reported shims can be exploited to execute untrusted code during system boot, enabling attackers to deploy malicious UEFI bootkits (such as Bootkitty, HybridPetya, or BlackLotus) even on systems with UEFI Secure Boot enabled. We reported our findings to CERT/CC in February 2026, and the vulnerable UEFI applications were revoked on Microsoft’s June 9th, 2026 Patch Tuesday."
        https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
        https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html
        https://www.helpnetsecurity.com/2026/07/14/eset-uefi-secure-boot-bypass/
      • ClaudeBleed Reopened: Browser Extensions Can Still Push Claude For Chrome To Read Your Gmail
        "We identified two vulnerabilities in Anthropic's Claude for Chrome browser extension that remain unpatched in v1.0.80, eight releases after we reported them to Anthropic in May. The first is a working attack delivered via any browser extension. Any browser extension with a content script on claude.ai can trigger Claude to execute one of nine prompts that read the victim's Gmail, Google Docs, and Calendar, by injecting a DOM element and dispatching a synthetic click. CVSS 7.7 High in default mode (coerced approval), 9.6 Critical when the user has previously enabled "Act without asking" (silent execution)."
        https://www.manifold.security/blog/claude-for-chrome-extension-bypass
        https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html
        https://www.securityweek.com/unpatched-claude-for-chrome-flaw-lets-extensions-read-gmail-calendar/
      • Study Of 85 Crypto Wallet Extensions Finds Address Leaks And Cross-Site Tracking Risks
        "Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or email, the same leaks can put a real name to an "anonymous" crypto identity. This is not a hack. The wallets behave exactly as they were built to. The 85 extensions together have about 35 million users listed on the Chrome Web Store."
        https://thehackernews.com/2026/07/study-of-85-crypto-wallet-extensions.html
        https://arxiv.org/abs/2607.06141

      Malware

      • Malicious GitHub Campaign: Fake “Arctic Wolf” And 290+ Brand-Impersonation Repositories Deliver BoryptGrab-Lineage Infostealer
        "Since 26 June 2026, an unattributed threat actor has published at least 292 deceptive brand-impersonation GitHub pages and .github repositories that mimic legitimate software and trusted security tooling vendors, including a fake Arctic Wolf GitHub page. Each repository hosts a marketing-styled README document, with a concealed download link that routes victims to a malicious “secure download” page. The payload is a pure smash-and-grab in-memory infostealer, with a 41-entry cryptocurrency wallet path table and 19+ targeted browser names for broad, financially driven credential collection. Stolen data is packaged into a ZIP archive and exfiltrated to a C2 with an IP residing in Russia, on a hosting provider repeatedly associated with malware operations."
        https://arcticwolf.com/resources/blog/fake-github-repositories-deliver-boryptgrab-lineage-infostealer/
        https://www.bleepingcomputer.com/news/security/nearly-300-github-repos-pose-as-legit-software-to-push-malware/
      • LastPass, Bitwarden Users Targeted With Fake Security Alerts
        "LastPass is warning users about an ongoing phishing campaign that is using fake security notices to direct them to fraudulent websites. The phishing emails are crafted to resemble legitimate corporate communications, notifying recipients of updated security policies and directing them to a landing page that impersonates DocuSign and claiming to provide a document for review. LastPass emphasizes that its systems have not been compromised and that the phishing emails did not originate from its infrastructure, despite the attackers using domains designed to appear as legitimate company services."
        https://www.bleepingcomputer.com/news/security/lastpass-bitwarden-users-targeted-with-fake-security-alerts/
      • The Jalisco Toolkit And AI-Powered Phishing Surge
        "ReliaQuest recently identified two phishing toolkits, “Jalisco” and “OmegaLord”—named in their own command-and-control (C2) panels—while investigating phishing campaigns targeting Microsoft 365 environments. Their discovery reflects a broader shift: An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service (PhaaS) kits is lowering the barrier to sophisticated phishing campaigns that bypass MFA, putting techniques that once required significant skill within reach of threat actors of any level."
        https://reliaquest.com/blog/threat-spotlight-jalisco-toolkit-and-ai-powered-phishing-surge
        https://www.bleepingcomputer.com/news/security/new-phishing-kits-target-microsoft-365-accounts-evade-mfa/
        https://www.bankinfosecurity.com/phishing-toolkits-harvest-entra-tokens-in-real-time-a-32220
      • Report: Accelerating ClickFix Attacks Evade Antivirus And EDR Defenses
        "ReversingLabs (RL), the trusted name in file and software security, today published new threat intelligence research on ClickFix, a fast-growing social engineering technique that tricks users into infecting their own computers. The research is detailed in a new report, “Copy, Paste, Compromise: The Tale of ClickFix” by RL researcher Toni Dujmović and the RL threat intelligence team."
        https://www.reversinglabs.com/press-releases/clickfix-attacks-evade-antivirus-and-edr
        https://www.darkreading.com/cyberattacks-data-breaches/clickfixs-ecosystem-demands-new-defense
      • The Scam Will Go On: Beware Of Fake Offers For Celine Dion Concert Tickets
        "The return of a global icon like Celine Dion to the stage is more than just another concert, for fans, it is a once in a lifetime historic return. But where there is massive demand and widespread excitement, fraudsters see a golden opportunity. In this research, Group-IB discovered a sophisticated multi-layered scam scheme targeting fans eager to secure their tickets for Celine Dion’s upcoming French tour. Group-IB analysts tracked a coordinated effort that blends high-pressure social engineering with technical digital manipulation. From scammers directly embedding themselves into online fanbase communities, to a network of professional fraudulent websites, built on the looks of official ticketing platforms, the “game” is played to perfection."
        https://www.group-ib.com/blog/fake-concert-ticket-scam-celine-dion/
      • Upwind Finds Coordinated Supply Chain Campaign Compromising Multiple AsyncAPI Npm Packages
        "Software supply chains have become an increasingly attractive target for attackers because a single compromise can ripple across countless development environments. Instead of breaking into individual organizations, threat actors are increasingly seeking access to the trusted infrastructure used to distribute software, allowing malicious code to spread through legitimate channels. New research from Upwind offers another example of that shift. The cloud security company disclosed findings from an investigation into a coordinated attack that affected multiple official AsyncAPI npm packages, revealing compromises across repositories and publishing pipelines rather than a single isolated package."
        https://hackread.com/upwind-supply-chain-compromise-asyncapi-npm-packages/
      • Warning: Scammers Are Using FaceTime To Empty Bank Accounts
        "Apple is urging users to treat any suspicious FaceTime call or message as untrusted, especially if it involves payments, refunds, password resets, or requests for personal information. This warning appears in a broader Apple support article about scams that target iPhone and iPad users through social engineering. Apple says attackers may contact people by phone calls, FaceTime, text messages, or emails while pretending to represent a trusted organization."
        https://www.malwarebytes.com/blog/news/2026/07/warning-scammers-are-using-facetime-to-empty-bank-accounts
      • LabubaRAT: A Rust Based Remote Access Tool Masquerading As NVIDIA Software
        "Blackpoint’s Adversary Pursuit Group (APG) discovered a previously undocumented malware sample that we are tracking as LabubaRAT, a Rust based remote access tool masquerading as NVIDIA software. The executable, nvidia-sysruntime.exe, used NVIDIA themed metadata and runtime naming, but its internal behavior showed a configurable implant built to register infected systems, receive operator tasking, execute commands, transfer files, capture screenshots, and proxy traffic."
        https://blackpointcyber.com/blog/labubarat-a-rust-based-remote-access-tool-masquerading-as-nvidia-software/
        https://thehackernews.com/2026/07/labubarat-masquerades-as-nvidia.html
      • Lucide Proxy: Turning Student Web Proxies Into DDoS Bots
        "We deobfuscated a massive campaign of 148 npm packages, including ilovefemboys, miguelphonk, and charlie-kirk. Disguised as student web proxies under names like Riverbend Tutoring, these packages hid mutable remote code execution vectors and a high-performance Wisp-compatible WebSocket traffic generator. They were designed to silently enlist visiting browsers into distributed denial-of-service botnets while generating aggressive popunder advertising revenue."
        https://research.jfrog.com/post/lucide-proxy-npm-malware-campaign/
        https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html
      • Defending SaaS-Based Applications Against ShinyHunters OAuth Abuse
        "In a series of campaigns observed between mid-2025 and mid-2026, Microsoft identified threat actor activity with overlapping tradecraft commonly associated with ShinyHunters, including voice phishing (vishing) and supply chain compromise, to target customer SaaS-based applications such as Salesforce instances. The threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence. Two primary intrusion paths were observed including vishing techniques targeting OAuth consent and supply chain compromise through trusted workflows and integrations such as Salesloft and Gainsight. Abuse of these access paths led to inherited user and application privileges, allowing successful enumeration and querying of customer relationship management (CRM) records while evading conventional authentication detections."
        https://www.microsoft.com/en-us/security/blog/2026/07/13/defending-saas-based-applications-against-shinyhunters-oauth-abuse/
        https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html
      • Not Every Fox Is Silver: Inside An AtlasRAT Loader Chain
        "Public analyses of AtlasRAT are limited, and this report documents a four-stage loader chain and RAT capabilities not previously described in existing public reports. The chain operates entirely through memory execution throughout all stages, minimizing disk activity."
        https://asec.ahnlab.com/en/94479/

      Breaches/Hacks/Leaks

      • Synopsys Finds No Evidence Of Data Breach Amid Bosch Hack Claims
        "Silicon-to-systems design firm Synopsys says it has found no evidence of a data breach after a cybercrime group claimed to have hacked its systems and gained access to valuable data belonging to one of its major customers, Bosch. A new ransomware group named D1R in recent days listed Synopsys and Bosch on its Tor-based leak website. The cybercriminals claimed to have exploited a vulnerability in Synopsys’ website to access a corporate client database containing 40,000 entries, and they are threatening to leak the stolen data unless a ransom is paid."
        https://www.securityweek.com/synopsys-finds-no-evidence-of-data-breach-following-bosch-hack-claims/

      General News

      • June 2026 Threat Trend Report On APT Groups
        "The June 2026 Threat Trend Report on APT Groups summarizes the trend of state-sponsored threat groups actively incorporating generative AI, cloud services, OAuth tokens, and commercial MaaS (Malware-as-a-Service) platforms into their attack operations. A key finding is that the scope of attacks has expanded beyond traditional Malware infections to include account and token theft, exploitation of legitimate services, and compromises of supply chains and cloud environments."
        https://asec.ahnlab.com/en/94441/
      • Spanish Police Take Down €140 Million Cyber Fraud Ring, Arrest Four
        "The Spanish Police dismantled a cybercrime and money-laundering organization that made €140 million ($160 million) from investment fraud and business email compromise (BEC) attacks. As part of the law enforcement operation, four people were arrested in Spain, Portugal, and Panama. The police describe the operation as an industrial-level scheme as it involved at least 800 bank accounts, 120 business accounts, and 67 external accomplices who acted as “money mules.”"
        https://www.bleepingcomputer.com/news/security/spanish-police-take-down-140-million-cyber-fraud-ring-arrest-four/
      • 6 GHz Wi-Fi Flaws Could Disrupt Critical Systems
        "The technology keeping 6 GHz Wi-Fi from interfering with critical infrastructure has a number of security issues — and researchers are starting to sound the alarm. Researchers from Pennsylvania State University and Idaho National Laboratory will discuss their findings in a session called "Blind Trust in the 6 GHz Band: Weaponizing Wi-Fi Automated Frequency Coordination (AFC)" at Black Hat USA 2026. Two pieces of technology are at the center of this research: the cutting edge 6 GHz Wi-Fi spectrum and AFC, which regulates the 6 GHz band and keeps its powerful signal from interfering with radio towers, cellular backhaul, and spectrum-adjacent public safety networks."
        https://www.darkreading.com/perimeter/6-ghz-wi-fi-flaws-disrupt-critical-systems
      • Manage Vendor Risk In a Few Practical Steps
        "Third-party information risk reaches beyond cybersecurity. A third-party failure can create operational disruption, privacy impact, regulatory exposure, contractual loss, business interruption, reputational harm, customer impact, uninsured financial loss, and continuity failure. The issue for boards and senior management is exposure: what risk the enterprise carries because information, systems, processes, and dependencies sit outside their control."
        https://www.darkreading.com/cyber-risk/manage-vendor-risk-in-a-few-practical-steps
      • Frontier AI: The Genie's Out Of The Bottle, But Where's The Rulebook?
        "As frontier artificial intelligence (AI) models grow more powerful and unpredictable, three states are racing to rein them in with new disclosure laws. Illinois Gov. JB Pritzker recently signed Senate Bill 315 (SB315), the Artificial Intelligence Safety Measures Act, in an effort to boost reporting requirements for frontier AI models that generate more than $500 million in annual revenue. New York and California also recently enacted similar disclosure laws."
        https://www.darkreading.com/cybersecurity-operations/frontier-ai-genie-out-of-bottle-where-rulebook
      • Context Bombs: Stopping AI Attackers In Their Tracks.
        "AI agents can now run complex cyberattacks on their own: given a foothold, the strongest models can escalate privileges and exfiltrate data within minutes. Canaries - decoy resources we plant to catch intruders - reliably spot these agents in the act, but spotting an attack isn't the same as stopping it. So we tried something more ambitious: a context bomb - a short string, hidden in a canary, that trips an AI agent's safety guardrails and stops it in its tracks."
        https://agentic.tracebit.com/context-bombs/
        https://www.helpnetsecurity.com/2026/07/14/context-bombs-for-defensive-prompt-injection/
      • The Best Defense Against AI Attacks Turns Out To Be a Skeptical Human
        "Analysts across the security industry now run generative AI through their daily work, from log triage to incident write-ups. Active use in cybersecurity strategy reached 78% of practitioners in 2026, up from half the field a year earlier. The 2026 SANS AI Survey, drawn from 536 IT and security professionals, describes what that commitment costs to keep. Reliability trailed adoption over the year. Sixty-three percent of practitioners report significant shortcomings when AI detects or responds to threats, well above the share who said so a year earlier. The failures cluster around false positives, trouble spotting new threats, and confident output that turns out wrong. Teams running AI in production describe this as the routine experience."
        https://www.helpnetsecurity.com/2026/07/14/ai-attacks-skeptical-human/
      • Fake Smart Home Residents Could Stand In For Real Ones In Security Research
        "Smart home security research runs on a scarce ingredient: recordings of how real people use the gadgets in their homes. Getting that data means wiring up someone’s house and watching for months, which is slow, costly, and about as invasive as it sounds. So the datasets stay small and cover a thin slice of how people live. A group from Leipzig University and ipoque, a Rohde & Schwarz company, has a workaround that sounds a little strange at first. Let a language model play the resident. Hand it a persona and a house, let it decide how that person moves through a morning, and have it produce the device commands that follow. Simulate the person, and the lights and locks come along for the ride."
        https://www.helpnetsecurity.com/2026/07/14/iot-smart-home-security-research/
        https://arxiv.org/pdf/2607.08231
      • A Guide To The Convergence Of Electronic Warfare And Cyber Operations
        "Cyberspace is recognized as a critical warfighting domain. Operations in the electromagnetic (EM) spectrum have also long been an important piece of the arsenal. Recent advances in software-defined radio (SDR), radio frequency system on chip (RF SoC), and artificial intelligence (AI) have demonstrated that electronic warfare (EW) techniques can be even more potent and readily available. For example, manipulation of intelligently adaptive radio signals could disable adversaries’ sensors and communication systems. Beyond the boundaries of the battlefield, the Pentagon signaled the need for EM capability in 2020, with the DoD Electromagnetic Spectrum Superiority Strategy and Joint Publication 3-85: Joint Electromagnetic Spectrum Operations."
        https://www.sei.cmu.edu/blog/a-guide-to-the-convergence-of-electronic-warfare-and-cyber-operations/
      • NATO Logistics, Ukrainian Troops Are Top Subjects Of Russian Camera Hacks, Advisory Says
        "Russian state-backed hackers are systematically compromising internet-connected security cameras across Europe and Ukraine to gather intelligence on NATO military logistics and identify Ukrainian troops for battlefield targeting, Dutch intelligence agencies warned. In a public advisory, the Netherlands' General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) said at least one Russian intelligence service has been carrying out cyber-espionage operations against internet-accessible cameras in the Netherlands, other NATO and EU member states and Ukraine."
        https://therecord.media/russian-intelligence-compromising-cameras-nato-ukraine-netherlands
      • Five Charged In NCA Investigation Into Fraud Platform Responsible For Millions Of Scam Calls
        "Five people have been charged as part of a National Crime Agency investigation into Russian Coms, a group which made products used by criminals to defraud victims all over the world. The platform, established in 2020, started as a handset and then moved to a web-based application, with both products being marketed and sold. They allowed criminals to hide their identity by appearing to call from pre-selected numbers. These would often be of financial institutions, telecommunications companies and law enforcement agencies with the aim of stealing funds and personal details from victims."
        https://www.nationalcrimeagency.gov.uk/news/five-charged-in-nca-investigation-into-fraud-platform-responsible-for-millions-of-scam-calls
        https://www.infosecurity-magazine.com/news/five-charged-in-russian-coms-fraud/
        https://www.helpnetsecurity.com/2026/07/14/russian-coms-nca-charges-scam-calls/
      • New Tutorials On Underground Hacking Forums Have Roughly Doubled
        "Underground hacking forums are producing more original tutorials again, with growing attention on financial fraud, particularly the theft and fraudulent use of payment card data, known as carding, and cash-out techniques. Radware analyzed 8,870 tutorial posts published across 24 deep- and dark-web forums between December 2022 and April 2026. After removing reposts, the dataset contained 3,034 unique hacking and fraud guides."
        https://www.helpnetsecurity.com/2026/07/14/underground-hacking-forums-tutorials-research/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 8ec5fc99-cdd8-42e2-a6bf-fe526302b02e-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • พบการโจมตี Supply Chain แฝงมัลแวร์ขโมยข้อมูลในแพ็กเกจ npm ของ Jscrambler

      พบการโจมตี Supply Chain แฝงมัลแวร์ขโมยข้อมูลในแพ็.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 73c62533-75ad-42a7-b123-adddc6bb3367-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Lidl เผยเหตุข้อมูลลูกค้า Online Shop รั่วไหล หลังถูกโจมตี

      Lidl เผยเหตุข้อมูลลูกค้า Online Shop รั่วไหล หลังถูก.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 5c43e9f2-5426-4633-ae72-da471907cd32-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Google และ Microsoft ถอดส่วนขยาย ModHeader ออกจากระบบ หลังพบโค้ดแฝงดักเก็บข้อมูลประวัติการท่องเว็บ

      Google และ Microsoft ถอดส่วนขยาย ModHeader ออกจากระบบ หลังพ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand a4dcca12-7980-4f63-8daf-42d650a6256b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • RedHook มัลแวร์ Android ใช้ Wireless ADB เพื่อควบคุมอุปกรณ์ที่ติดมัลแวร์

      RedHook มัลแวร์ Android ใช้ Wireless ADB เพื่อควบคุมอุปกรณ์ท.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 21c82368-6855-46a6-88d2-25ca72594cf8-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ตำรวจเนเธอร์แลนด์พบเบาะแสเกี่ยวข้องเหตุแฮก Odido กระทบลูกค้ากว่า 6 ล้านราย

      ตำรวจเนเธอร์แลนด์พบเบาะแสเกี่ยวข้องเหตุ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 6715a6e7-b810-4a58-ad67-e728729a8778-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • เตือนภัยแคมเปญโจมตีระบบจัดการเนื้อหาเว็บไซต์ (CMS) ทั่วโลก มุ่งเป้าฝัง Webshell เพื่อยึดระบบ

      เตือนภัยแคมเปญโจมตีระบบจัดการเนื้อหาเว็.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand a64cb882-b902-4472-963c-650d1bf4bec9-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 14 July 2026

      Vulnerabilities

      • Full Broker Takeover, No Login Required: Miggo Discovers Critical RabbitMQ Vulnerabilities Putting Application Data At Risk
        "Miggo's security team discovered two critical access-control flaws in RabbitMQ: one that leaks the broker's confidential OAuth secret to an unauthenticated attacker in a single request, a direct path to full broker takeover in the configurations that use that secret, and one that lets any logged-in user silently read other tenants' data. Both are now patched."
        https://www.miggo.io/post/full-broker-takeover-no-login-required-miggo-discovers-critical-rabbitmq-vulnerabilities-putting-application-data-at-risk
        https://www.securityweek.com/rabbitmq-vulnerability-threatens-enterprise-systems/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/13/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/195262/security/u-s-cisa-adds-a-cisco-ios-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • New MemGhost Attack Plants Persistent False Memories In AI Agents Through One Email
        "Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell," landed on arXiv on 6 July 2026."
        https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html
        https://arxiv.org/abs/2607.05189v1

      Malware
      Beware Of Phishing Emails Disguised As Money Transfer Confirmations
      "Recently, the AhnLab SEcurity intelligence Center (ASEC) identified a case of phishing emails that disguise themselves as payment confirmation notices. These emails impersonate employees of a specific company in Korea and trick recipients into opening a malicious XLS file attached to the email, which is disguised as a payment confirmation notice."
      https://asec.ahnlab.com/en/94432/

      • Beware Of Phishing Emails Disguised As Project Proposals
        "The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that phishing emails disguised as project proposals are being circulated. The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file."
        https://asec.ahnlab.com/en/94433/
      • One Misconfigured Server, Three Active Campaigns: Full Exposure Of Three AiTM Phishing Operators
        "On a late April 2026 afternoon, a routine internet scan flagged an open directory on 185.163.204.7: a server located in Budapest, running python3 -m http.server 8080 on a public interface with directory listing enabled. What was exposed was not a misconfigured web root, it was a complete operational snapshot of a live attack platform. Phishing configurations, credential harvesting logs, backup archives, RMM installers, combolists and the operator's own Telegram session files were all publicly accessible. The command that left it open was still sitting in the .bash_history file, readable through the same listing. Behind the open directory was an active threat actor running an Evilginx-based Adversary-in-the-Middle (AiTM) phishing platform and a SimpleHelp remote management console, all on the same host."
        https://blog.lexfo.fr/opendir-to-phishing-operator.html
        https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
        https://www.infosecurity-magazine.com/news/open-directory-exposes-evilginx/
      • CrashStealer: C++ MacOS Infostealer Posing As Crash Reporter
        "In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple's crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer."
        https://www.jamf.com/blog/crashstealer-macos-infostealer-analysis/
        https://www.bleepingcomputer.com/news/security/new-crashstealer-malware-poses-as-apple-crash-reporting-tool/
        https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
      • US And Allies Warn Of Russian Critical Infrastructure Attacks
        "Cybersecurity agencies from the United States and eight other countries have issued a joint warning that Russian state hackers are targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks. The joint advisory, co-authored by the NSA, FBI, and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the attacks to hackers from the Russian Federal Security Service (FSB) Center 16."
        https://www.bleepingcomputer.com/news/security/us-and-allies-share-defense-tips-against-russian-hackers-targeting-critical-infrastructure/
        https://www.ic3.gov/CSA/2026/260713.pdf
        https://www.darkreading.com/endpoint-security/weak-security-fuel-russian-cyberattacks
        https://cyberscoop.com/russian-fsb-cisco-joint-cybersecurity-advisory/
        https://www.infosecurity-magazine.com/news/russian-state-hackers-vulnerable/
      • Software Developers Are The Target. New Trojan Attacks Supply Chains And Inflicts Multifaceted Damage On Infected PCs
        "A new trojan engaging in supply chain attacks has recently come under the scrutiny of our antivirus laboratory. The malware primarily targets C++ and C# project files. This malicious sample is particularly dangerous as its payload incorporates multiple damaging features, allowing it to steal data, access clipboard content, operate as a backdoor, engage in rogue mining. and also infect other files. First discovered in the last quarter of 2025, the malware has been updated and upgraded by its makers ever since. It mainly spreads over the Internet via infected executable files and Python scripts. The infection process is quite complex, so let’s examine the entire sequence phase by phase."
        https://news.drweb.com/show/?i=15276&lng=en
        https://hackread.com/siggen-backdoor-windows-developers-visual-studio-projects/
      • OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction For Stealthy Enumeration
        "What if attackers could enumerate your entire organization's accounts without generating a single successful sign-in event? The Entra sign‑in logs are a primary telemetry source for identifying malicious authentication activity, including user enumeration, password spraying, and initial access attempts. To evade detection, attackers routinely distribute requests using rotating user agents (as seen in UNK_CustomCloak) and proxy services that cycle source IPs per request. Proofpoint researchers have identified multiple campaigns where attackers extend this evasive tradecraft by spoofing the OAuth client ID (application ID), a globally unique identifier (GUID) assigned to applications. The identifier is passed as client_id in authentication requests and recorded as the application ID in Entra sign-in logs."
        https://www.proofpoint.com/us/blog/threat-insight/oauth-client-id-spoofing-why-fake-client-ids-are-gaining-traction-stealthy
        https://www.infosecurity-magazine.com/news/novel-spoofing-technique-targets/
        https://www.helpnetsecurity.com/2026/07/13/entra-id-oauth-client-id-spoofing/
      • Fake Crypto Gift Card Sites Are Getting Harder To Spot
        "You want to turn some crypto into a gift card. You search, click a promising result, and land on a site that looks polished and legitimate: a dark theme, trust badges, and promises of instant delivery and no ID checks. You wouldn’t think to question it. But a professional-looking website isn’t proof that it’s legitimate."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-crypto-gift-card-sites-are-getting-harder-to-spot
      • Google And Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
        "Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The analysis came from Stripe OLT, a UK security firm, which checked the code against Google's own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit."
        https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html

      Breaches/Hacks/Leaks

      • Centers Laboratory Data Breach Affects 540,000 Individuals
        "Healthcare diagnostics company Centers Laboratory (Centers Lab NJ LLC) has informed the US government that a data breach discovered nearly one year ago affects more than 540,000 individuals. According to a data breach notice posted on its website, the New Jersey-based provider of testing and laboratory services for healthcare organizations discovered an intrusion in its IT environment in August 2025. An investigation showed that threat actors had gained “limited access” to Centers Laboratory systems between August 9 and August 14, exfiltrating personal and protected health information, including names, dates of birth, SSNs, driver’s license or state identification numbers, passport numbers, and health insurance and medical information."
        https://www.securityweek.com/centers-laboratory-data-breach-affects-540000-individuals/
      • Japan's Largest Taxi Operator Shuts Systems After Cyberattack
        "Japan's largest taxi operator, Nihon Kotsu, announced that its systems were compromised in a cyberattack, forcing the company to shut down part of its infrastructure. The incident occurred over the weekend, early Saturday morning, and impacted operations, including the company's taxi dispatch system, which remains offline as of today. Nihon Kotsu is Japan's largest taxi and chauffeur (hire) operator by group revenue, with annual revenue of roughly $1 billion (¥155 billion)."
        https://www.bleepingcomputer.com/news/security/japans-largest-taxi-operator-shuts-systems-after-cyberattack/
      • Lidl Discloses Online Shop Breach After Service Provider Hack
        "German discount supermarket chain Lidl notified customers in Germany, Belgium, and the Netherlands that attackers stole their personal information in a breach at a service provider. Lidl, owned by Schwarz Group, the largest food retailer in Europe, has over 376,000 employees and operates 12,000 stores across Europe and the United States. The discount giant notified affected customers of the incident over email last week and published separate notifications on its support websites in Belgium and the Netherlands."
        https://www.bleepingcomputer.com/news/security/lidl-discloses-online-shop-breach-after-service-provider-hack/
        https://securityaffairs.com/195270/data-breach/lidl-notified-online-shop-customers-in-germany-belgium-and-the-netherlands-of-a-data-breach.html
        https://www.helpnetsecurity.com/2026/07/13/lidl-data-breach-customer-data/
      • Russian Celebrity Journalist Ksenia Sobchak Says Hackers Accessed Telegram Channels Via Email Breach
        "Hackers briefly took control of several Telegram channels belonging to the controversial Russian journalist and media executive Ksenia Sobchak last week, publishing what they claimed were excerpts from her private correspondence. The posts appeared on Sobchak's Telegram channels, Sobchak and Bloody Lady, last week. Her news channel, Caution, News, later said the posts were published by hackers who had compromised the channels."
        https://therecord.media/ksenia-sobchak-russian-hackers-leak

      General News

      • 99.9% Of Fixable AI Vulnerabilities Remain Unpatched
        "Organizations build, deploy, and operate AI in the cloud, but basic cybersecurity hygiene is often sacrificed for speed, according to Orca Security’s 2026 State of AI Security Report. Fifty-six percent of AI adopters have deployed agent frameworks into production, and 51.5% use AI to build custom applications. Orca also found that 81.2% of companies running AI packages have at least one known vulnerability, and 99.9% of AI vulnerability alerts with an available fix remain unpatched. These findings show how quickly AI has become operational infrastructure without a corresponding increase in security maturity."
        https://www.helpnetsecurity.com/2026/07/13/ai-infrastructure-security-risks-report/
      • Enterprises Are Rethinking Where Their AI Applications Run
        "Growing demand for compute capacity, power, cooling and low-latency connectivity is prompting organizations to reassess where AI applications run, according to CoreSite. Public cloud continues to support experimentation and rapid deployment, while colocation is increasingly used for workloads that require predictable performance, dedicated infrastructure or close proximity to cloud services and enterprise data."
        https://www.helpnetsecurity.com/2026/07/13/colocation-for-ai-workloads-report/
      • Why SBOMs, Signing, And Provenance Still Don’t Tell You If Software Is Safe
        "We have made real progress in software supply chain security, improving visibility into software components, authenticity and build integrity. Much of this progress traces back to Executive Order 14028, which pushed agencies, contractors and enterprises to invest in SBOMs, signing and provenance. All of that matters, but it is not enough. The current software trust model still stops short of the question that determines risk at execution: What is this code capable of doing if it runs?"
        https://www.helpnetsecurity.com/2026/07/13/sbom-zero-trust-for-code/
      • Cyber / Russia: Statement By The High Representative On Behalf Of The European Union Denouncing Russia’s Malicious Cyber Ecosystem Targeting The EU, Its Member States And International Partners
        "The EU and its member states denounce Russia’s malicious cyber activities and leveraging of a cyber ecosystem encompassing state and non-state actors, ranging from intelligence services to cybercriminals groups, hacktivists and private companies. Today, we expose the 16th Centre of Russia’s Federal Security Service (FSB) as controlling a variety of cyber threat groups including TURLA. For years, the FSB has conducted a wide range of malicious cyber activities with growing severity affecting the EU, its member states, as well as international partners, notably Ukraine. These activities have included infiltration of governmental networks and sabotage of critical infrastructure."
        https://www.consilium.europa.eu/en/press/press-releases/2026/07/13/cyber-russia-statement-by-the-high-representative-on-behalf-of-the-european-union-denouncing-russia-s-malicious-cyber-ecosystem-targeting-the-eu-its-member-states-and-international-partners/
        https://www.bleepingcomputer.com/news/security/eu-and-uk-hit-russia-with-first-joint-cyber-sanctions-package/
        https://therecord.media/russia-blamed-for-poland-grid-cyberattack-in-joint-uk-eu-sanctions-package
        https://www.bankinfosecurity.com/eu-uk-sanction-russian-nation-state-hackers-a-32213
        https://cyberscoop.com/eu-uk-russian-cyberespionage-sanctions/
        https://www.securityweek.com/eu-targets-russian-intelligence-officers-accused-of-running-a-yearslong-cyber-spying-campaign/
        https://securityaffairs.com/195242/intelligence/eu-targets-fsb-linked-hackers-in-new-sanctions-over-cyber-sabotage.html
        https://www.helpnetsecurity.com/2026/07/13/eu-uk-russia-cyber-activity-sanctions/
      • AI-Generated Code Has Made Security Debt a Governance Problem
        "AI-generated code is part of everyday software development. Developers use it to prototype, refactor, troubleshoot, and move from idea to implementation with less friction than ever before. The productivity gains are undeniable, which means that security leaders now face a hard question: whether their organizations can govern the risk that AI creates at that same speed. That challenge is rooted in scale. AI changes how quickly software can be created, while many application security programs still depend on controls designed for a slower development model."
        https://cyberscoop.com/governing-ai-code-security-risks-op-ed/
      • 'Yellow Teams' Are Defining The Future Of AI Security
        "A small number of engineering teams are developing the defenses that organizations will need against future advanced AI attacks. They're also building the frameworks attackers will utilize to carry out those attacks. In April, Anthropic invited more than 50 organizations to participate in its Project Glasswing initiative to preview Claude Mythos, which the company claimed at the time was the most advanced cybersecurity AI. OpenAI followed suit shortly after, inviting organizations to play with its own GPT 5.5 under the Daybreak program."
        https://www.darkreading.com/cybersecurity-operations/yellow-teams-defining-future-ai-security
      • Hacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker To Redemption
        "Jesse McGraw isn’t a hacker; at least, not by his own definition. He accepts he was a hacker, and a blackhat hacker, and that he still retains the mindset of a hacker. But he is no longer a hacker, he says. He realized he was a hacker while in high school. “My one and only friend was a hacker, and I had never seen anything like what he did.” Before then, McGraw had thought computers were just something used for word processing; a tool that could be used for its intended purpose. Then he saw this person programming in math class."
        https://www.securityweek.com/hacker-conversations-jesse-mcgraw-ghostexodus-from-blackhat-hacker-to-redemption/
      • Treasury Sanctions Malware And Infrastructure Providers Supporting Ransomware Attacks Against Americans
        "Today, the Office of Foreign Assets Control (OFAC) is designating two individuals and one entity enabling ransomware actors’ and other cybercriminals’ malign activities, notably ransomware attacks against Americans. These include First VPN Service (1VPNS), a virtual private network (VPN) provider selling services to ransomware groups, and its administrator, Dmytro Rashevskyi (Rashevskyi). OFAC is also designating Yegeniy Vladimirovich Silayev (Silayev), an individual who sells “cryptors,” which are tools used to disguise ransomware and other malware as safe programs to prevent security systems from detecting or deactivating them. Ransomware groups utilizing these individuals’ services have caused billions of dollars in losses to U.S. businesses and critical infrastructure providers."
        https://home.treasury.gov/news/press-releases/sb0559
        https://therecord.media/first-vpn-administrator-us-sanctions-ransomware-groups
      • AI Security Threats In 2026: Annual Insights From Check Point Research
        "For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the operation. What follows is a structured review of the report’s key findings, grounded in original incidents and case studies from the past twelve months."
        https://blog.checkpoint.com/ai-security/ai-security-threats-in-2026-insights-from-check-point-research/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 68cdc970-377f-4b0d-b739-a36d4d9818e2-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 13 July 2026

      Financial Sector

      • Only 28% Of Financial Workforce MFA Is Phishing-Resistant
        "Passwords remain part of many workforce authentication flows in financial organizations, making phishing and credential theft major identity security risks, according to a new Secret Double Octopus report. Banks and financial organizations use a mix of authentication methods, combining phishing-resistant technologies with methods that remain vulnerable to phishing attacks."
        https://www.helpnetsecurity.com/2026/07/10/financial-identity-security-trends-report/
      • Fresh ATM Crypto Software Bugs: Jackpot Or Bust?
        "A researcher has discovered nine vulnerabilities in an ATM and corporate security program. The researcher and major ATM manufacturer Diebold Nixdorf disagree, though, about whether it could allow attackers to steal cash or not. At Black Hat USA 2026, Matt Burch, principal security researcher for Atredis Partners, will present nine new vulnerabilities he discovered in CryptWare CryptoPro Secure Disk. CryptoPro, for short, is a full‑disk encryption (FDE) and pre‑boot authentication solution for Windows that, strangely, is marketed to both corporations generally and ATM manufacturers specifically."
        https://www.darkreading.com/vulnerabilities-threats/atm-crypto-software-bugs-jackpot-bust

      Healthcare Sector

      • Healthcare Ransomware Roundup: H1 2026 Stats On Attacks, Ransoms, And Data Breaches
        "During the first six months of 2026, the healthcare sector suffered an average of 2.3 ransomware attacks per day. Attacks increased by nearly 14 percent when compared to H2 2025, rising from 360 to 410. Of the 410 attacks we recorded in H1 2026, 247 were on hospitals, clinics, and other direct care providers. 163 hit businesses operating within the healthcare sector, such as pharmaceutical/medical manufacturers, medical billing providers, and healthcare tech companies. Attacks on healthcare providers rose just over three percent from H2 2025, but attacks on healthcare businesses rose nearly 35 percent."
        https://www.comparitech.com/news/healthcare-ransomware-roundup-h1-2026-stats-on-attacks-ransoms-and-data-breaches/
        https://www.darkreading.com/threat-intelligence/cybercriminals-healthcare-businesses-attacks-surge

      Industrial Sector

      • OpenPLC v3
        "Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-01
      • Schneider Electric PowerChute Serial Shutdown
        "Successful exploitation of these vulnerabilities could allow attackers to overwrite critical files, forge or inject malicious log data, gain unauthorized account access, trigger denial‑of‑service conditions, truncate or alter logging information, reset user credentials, or expose sensitive information."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02
      • Schneider Electric Easergy MiCOM Px40 Series
        "Schneider Electric is aware of a vulnerability in its Easergy MiCOM Px40 Series products. The Easergy MiCOM Px40 is a protection relay series for Medium Voltage, High Voltage and Extra High Voltage protection. Failure to apply the mitigations provided below may risk unauthorized exposure of basic device identification through the SNMP protocol."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-03

      Vulnerabilities

      • URGENT - Progress Tells ShareFile Customers To Shut Down Storage Zone Controllers Over Security Threat
        "Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security experts. It says it has no indication of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat. What Progress has not said is what the threat is or who is behind it."
        https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
        https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
        https://securityaffairs.com/195194/hacking/progress-told-sharefile-customers-to-pull-the-plug-on-their-servers-heres-what-we-know.html
      • Zimbra Urges Customers To Patch Critical Web Client XSS Flaw
        "The Zimbra security team urged customers to patch a critical vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite. Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people, including thousands of businesses and hundreds of government agencies worldwide. Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra's modern web client, which requires more resources when loading large email folders. The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking. Attackers can exploit this Classic Web Client security issue through specially crafted emails that execute malicious code when the email is opened."
        https://www.bleepingcomputer.com/news/security/zimbra-urges-customers-to-patch-critical-web-client-xss-flaw/
        https://blog.zimbra.com/2026/07/patch-release-update-zimbra-10-1-19/
        https://thehackernews.com/2026/07/critical-zimbra-flaw-could-let-crafted_0483473395.html
        https://securityaffairs.com/195130/hacking/update-now-critical-zimbra-classic-web-client-flaw-could-expose-mailboxes.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/195164/security/u-s-cisa-adds-icagenda-and-balbooa-forms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Unfit To Boot: Breaking U-Boot's FIT Signature Verification
        "U-Boot is one of the most widely used bootloaders in the world. It runs on a huge variety of hardware, from home routers and smart cameras to the Baseboard Management Controllers (BMCs), which are commonly used to remotely manage servers in large data centres. As a bootloader, its job usually includes initialising the CPU and memory, bringing up the essential peripherals, and finally handing over execution to the next stage of the boot chain."
        https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification
        https://www.bleepingcomputer.com/news/security/new-u-boot-flaws-could-enable-stealthy-firmware-attacks/
        https://thehackernews.com/2026/07/six-new-u-boot-flaws-could-let.html
        https://securityaffairs.com/195150/security/critical-u-boot-bugs-undermine-secure-boot-on-millions-of-devices.html
      • Bypassing Tangem Card Security With a Laser Attack
        "After uncovering a genuine check bypass on the Tangem Android application and a brute-force attack on the card's authentication protocol, the Ledger Donjon turned its attention to the card itself with more advanced tools and sophisticated techniques. What we found is a critical vulnerability that lets an attacker with physical access to a single Tangem card reset its password and steal all associated funds."
        https://donjon.ledger.com/blog/bypassing-tangem-card-security-with-laser-attack/
        https://thehackernews.com/2026/07/laser-attack-resets-tangem-wallet.html
      • I Sent a WhatsApp Message To An AI Agent. It Ran My Code On The Host.
        "There's a particular feeling you get when you watch an AI agent cheerfully execute a payload you just sent it over WhatsApp. It's somewhere between fascination and dread. Like watching someone hold the front door open for a burglar because they said they were from maintenance. Last week, I sent a perfectly normal-looking debugging request to an OpenClaw AI assistant over WhatsApp. Thirty seconds later, I had arbitrary code execution on the host machine. The AI — Claude Sonnet 4, arguably the most safety-aligned model commercially available — didn't just allow it. It helped. It formatted the output nicely and asked if I needed anything else."
        https://medium.com/@chinmohannayak/i-sent-a-whatsapp-message-to-an-ai-agent-it-ran-my-code-on-the-host-adbbcbb0e0ad
        https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
      • XRING: Crashing XQUIC With Spec-Compliant QPACK Instructions
        "During recent research into the different QUIC stacks for our active TLS scanner, JA4Scan, I found a deterministic remote crash in XQUIC, Alibaba's QUIC and HTTP/3 library, dubbed XRING. XQUIC enables HTTP/3 support for Tengine, the Nginx-based web server Alibaba runs across its cloud and CDN infrastructure, including sites like Taobao or AliPay. A remote, unauthenticated client sends spec-compliant HTTP/3 operation traffic and the server process terminates. The crash requires only 260 bytes of client traffic. Every XQUIC version is impacted. There is no patch available."
        https://foxio.io/blog/xring-crashing-xquic-with-spec-compliant-qpack-instructions
        https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html
      • Study Of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, And Tracking
        "Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure. The apps flagged with at least one problem have been installed more than 2.4 billion times. The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read."
        https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html
      • The ‘Ghost’ In The Database: Recovering Active ADFS Signing Keys Via Machine DPAPI
        "The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. By obtaining the private key of an ADFS token-signing certificate, an attacker can authenticate as any user to any SAML-federated application, bypassing multifactor authentication (MFA), conditional access, and all identity-based controls."
        https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi
      • We Put The Exploit In a Picture. The AI Code Reviewer Never Opened It.
        "Almost nobody reviews the pull request. We surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. The thing filling that gap is a new kind of reviewer: an LLM that reads every diff and comments like a human would. Cursor Bugbot and CodeRabbit are the two with real deployment. Hence, we built a pull request that steals a repository's secrets and walks straight past both of them. The trick is that the malicious instruction is not text. It is a picture."
        https://asset-group.github.io/disclosures/ghostcommit/
        https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/

      Malware

      • Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
        "Our investigation began with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, that posed as a DNS/subdomain scanner. The module did more than impersonate a developer utility: it exposed a Windows malware-staging chain that used hidden PowerShell execution, public dead-drop resolution, protected archive delivery, and RAT/infostealer deployment. Pivoting from that module revealed the larger finding: a GitHub-based lure network of 222 confirmed repositories across 190 accounts, built to make malicious or deceptive software projects look active, plausible, and recently maintained."
        https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network
        https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/
        https://securityaffairs.com/195101/security/222-github-repositories-linked-to-fake-go-package-malware-operation.html
      • One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement
        "Suspected China- and India-nexus threat actors carried out intrusions into several Pakistani law enforcement organizations between 2024 and 2026. Our analysis of C2 netflow data revealed that suspected China- and India-nexus threat actors operating PlugX, ShadowPad, Cobalt Strike, and Remcos infrastructure have converged on this victim class. All of these threat actors were active against Balochistan Police, the principal police force serving the Pakistani province of the same name, at various points between 2024 and 2026."
        https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/
        https://therecord.media/china-india-ran-separate-spy-campaigns-against-same-police-force
        https://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.html
        https://www.securityweek.com/china-india-linked-hackers-both-targeted-same-pakistani-police-force/
      • Operation Phnom Penh: Silver Fox Ghost Distributor Targets Specific Victims With MODBEACON Custom Trojan
        ""Silver Fox / UTG-Q-1000" has long been regarded as a byword for low-sophistication, high-activity cybercriminal operations that distribute counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS (ValleyRat) trojan families. In 2025, we countered one such distributor[1], whose remote-control objective was limited to delivering fraud links in IM group chats, with no involvement in information theft or political motives."
        https://ti.qianxin.com/blog/articles/operation-phnom-penh-silverfox-ghost-distributor-targets-specific-victims-with-modbeacon-en/
        https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html
      • How WP-SHELLSTORM Exposed 1.4M WordPress Sites
        "Every so often, a threat actor’s mistake hands over the keys to their entire operation. That’s what happened here: a Python SimpleHTTPServer instance, left open for 22 days, exposed the full toolkit, logs, and target lists of a professional, financially motivated cybercrime group. The SOCRadar Threat Intelligence Team found it. What turned up, now tracked as WP-SHELLSTORM, is a modern webshell access-brokerage operation: over 1.4 million targeted domains, 27 CVEs weaponized, more than 5,700 active webshells, and a second, quieter campaign hitting enterprise Java infrastructure that hasn’t surfaced in other public reporting on this actor."
        https://socradar.io/blog/wp-shellstorm-expose-1-4m-wordpress-sites/
        https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
      • Attackers Exploit 'Ill Bloom' Vulnerability To Drain Over $5 Million From Cryptocurrency Wallets
        "Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, and it told The Hacker News that a further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million."
        https://thehackernews.com/2026/07/attackers-exploit-ill-bloom.html
      • No Manners Here: The Ruthless Rise Of The Gentlemen Ransomware
        "The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure. Figure 1 below illustrates the desktop wallpaper used by the ransomware after deployment."
        https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/
      • Deadlock Ransomware Group
        "DeadLock is a financially motivated ransomware group that emerged in mid-July 2025. The group employs double extortion tactics, demanding ransom payments in cryptocurrencies while threatening to sell stolen data on underground markets. They utilize innovative techniques, such as blockchain smart contracts, to manage their command-and-control infrastructure, enhancing their evasion capabilities."
        https://socradar.io/free-tools/ransomware-intelligence/groups/deadlock
      • Jscrambler Npm Package Publishes Malicious Preinstall Binary
        "On July 11, 2026, version 8.14.0 of jscrambler was published to npm carrying a malicious preinstall hook that drops and executes a platform-specific native binary on Linux, Windows, and macOS. jscrambler is the official CLI client for the Jscrambler Code Integrity API, a commercial JavaScript obfuscation and web-app protection service, with a clean version history dating back to 0.1.0. The compromised release was flagged by StepSecurity's AI Release Analyzer with a suspicion score of 0 (the maximum suspicion rating) on publish."
        https://www.stepsecurity.io/blog/jscrambler-npm-package-publishes-malicious-preinstall-binary
        https://safedep.io/jscrambler-npm-supply-chain-compromise/
        https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html

      Breaches/Hacks/Leaks

      • Police Suspects Dutch Hackers Were Involved In Odido Breach
        "The Dutch National Police (Politie) says it has found "strong indications" that Dutch hackers have been involved in a February breach at the telecommunications provider Odido. "This includes a telephone conversation that was made with Odido customer service shortly before the hack. In this conversation, a Dutch-speaking man posed as Odido's IT employee. The company was then misled through phishing, after which the data theft took place," the police said in a Thursday press release."
        https://www.bleepingcomputer.com/news/security/police-suspects-dutch-hackers-were-involved-in-odido-breach/
        https://therecord.media/dutch-police-suspect-dutch-accomplice-in-odido-cyberattack
      • Fashion Mart Miinto Unzips Breach Details, Warns Shoppers To Watch For Phisherfolk
        "Danish ecommerce company Miinto admitted an intruder has been looking at its order data, according to emails it sent to customers this week. The emails, seen by The Register, do not comment on the scale of the data accessed by the perp or how exactly the breach occurred, although UK-based customers of the Copenhagen-HQ'd biz have received them. “We are writing to let you know about a security incident that may have affected some of the personal data associated with a purchase you made on Miinto,” the email states."
        https://www.theregister.com/security/2026/07/10/miinto-fesses-up-to-breach-says-customers-open-to-phishing/5269891

      General News

      • The Open Source Library Holding Up Your Stack Might Have One Maintainer
        "Every serious software product runs on code that someone else wrote and released for free. A web service leans on a cryptography library, a data pipeline pulls in a parser, and a mobile app ships a handful of small utilities that one person maintains in spare time. All of it carries the same label. A new paper argues that the single label hides differences large enough to change how each piece behaves once it lands in production. Researchers sorted open source software into fourteen sub-genres, each defined by who starts and sustains a project and to what end. Their review screened close to four thousand unique papers drawn from two scholarly indexes. The result is a typology, along with an argument that the kind of project a study samples sets how far its conclusions travel."
        https://www.helpnetsecurity.com/2026/07/10/open-source-software-library-types/
        https://arxiv.org/pdf/2607.01750
      • Most Data Brokers Won’t Tell You What Happened To Your Deletion Request
        "Data brokers collect personal details on most adults in the United States and sell them to buyers that include employers, landlords, insurance companies, and government agencies. California gives residents a way to push back. You can ask a broker to delete your records, or to stop selling and sharing them. A team at UC Irvine decided to find out what happens when someone sends those requests to the whole California registry. The answer gives consumers little comfort. The researchers sent deletion and opt-out requests to every reachable broker on California’s public list in the fall of 2025. That worked out to 322 deletion requests and close to 360 opt-out requests. To keep real people out of the mix, they built two made-up identities, one for each request type, each with a working email address and a plausible California address."
        https://www.helpnetsecurity.com/2026/07/10/trouble-with-data-broker-deletion-requests/
        https://arxiv.org/pdf/2607.04552
      • Evolving Windows Vulnerability Management To Meet The Speed Of AI-Powered Discovery
        "Windows has adapted to emerging threats for decades, all while operating at unparalleled scale. It’s our responsibility to bring clarity, transparency and sustained investment so customers understand what is happening, what Microsoft is doing and how they can reduce their exposure. The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis. The fastest way to reduce customer exposure is to find issues before attackers can use them. Windows is expanding its ability across the platform to find issues earlier, accelerate the engineering work to fix them, strengthen validation and deliver timely, high-quality updates that keep customers protected."
        https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/
        https://www.theregister.com/security/2026/07/10/microsoft-warns-customers-ai-will-mean-busier-patch-tuesdays/5269618
        https://www.infosecurity-magazine.com/news/microsoft-increase-number-security/
      • Armenian National Extradited To The United States Pleads Guilty To Ransomware Extortion Conspiracy
        "An Armenian national extradited from Ukraine to the United States pleaded guilty yesterday for his role in Ryuk ransomware attacks and an extortion conspiracy targeting companies throughout the United States, including a technology company operating in Oregon. Karen Serobovich Vardanyan, 34, pleaded guilty to conspiracy and computer fraud."
        https://www.justice.gov/usao-or/pr/armenian-national-extradited-united-states-pleads-guilty-ransomware-extortion-conspiracy
        https://www.bleepingcomputer.com/news/security/ryuk-ransomware-member-pleads-guilty-in-the-us-faces-15-years-in-prison/
        https://therecord.media/ryuk-operator-pleads-guilty-alphv-conspirator-sentenced
        https://cyberscoop.com/karen-vardanyan-armenian-ryuk-ransomware-guilty/
        https://securityaffairs.com/195216/uncategorized/ryuk-ransomware-member-pleads-guilty-over-attacks-on-u-s-organizations.html
      • Man Serving Federal Prison Sentence Charged With Theft Of Forfeited Cryptocurrency
        "Rossen G. Iossifov, 53, a Bulgarian national, made an initial appearance in federal court in the Eastern District of Kentucky yesterday on charges of the destruction or removal of property to prevent seizure, aiding and abetting, and conspiracy to commit money laundering. The charges stem from Iossifov’s alleged role in the unauthorized withdrawal and transfer of approximately $290,000 in cryptocurrency that had been seized and forfeited by the United States."
        https://www.justice.gov/opa/pr/man-serving-federal-prison-sentence-charged-theft-forfeited-cryptocurrency
        https://www.bleepingcomputer.com/news/security/money-launderer-accused-of-stealing-seized-crypto-while-in-prison/
      • Lessons From CISA’s Cyber Incident
        "Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments. For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn. On Friday, May 15, CISA began an internal incident response when an investigative reporter inquired about internal CISA Amazon AWS GovCloud Keys and other information being made available in a public repository. The reporter received this information from a security researcher whose company continuously scans public code repositories."
        https://www.cisa.gov/news-events/news/lessons-cisas-cyber-incident
        https://www.infosecurity-magazine.com/news/cisa-incident-response-exposed-aws/
      • When Cyberattacks Turn Physical: Threats Of Violence In Digital Extortion
        "Cyberattacks have always had real‑world consequences. A ransomware incident can halt production, delay patient care or shut down public services. But until recently, most attacks relied strictly on digital leverage: encrypt data, threaten to leak it and demand payment. Threat intelligence and industry reporting now point to a clear shift toward hybrid attacks that combine cyber intrusion, psychological pressure and real-world intimidation. In practical terms, attackers are no longer satisfied with controlling systems. They are increasingly trying to control outcomes and influence decisions and behavior by introducing fear that extends beyond the network."
        https://blog.barracuda.com/2026/07/09/cyberattacks-physical-threats-ransomware-trend
      • Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018
        "Ransomnews has independently confirmed 9,291 ransomware attacks worldwide between January 2018 and July 2026, tracking incidents only when verified through victim disclosures, regulatory filings, official statements, or credible press reporting. Leak-site listings alone don’t qualify, operators inflate, duplicate, and occasionally fabricate claims. The result is a dataset that’s smaller than what most ransomware statistics cite, and more defensible. “Confirmed ransomware attacks have run at roughly 1,400 to 1,550 per year since 2023, after a visible dip in 2022. The 2020 to 2021 surge, the 2022 trough (which coincided with the Conti shutdown and the Russia-Ukraine war reshuffling the ecosystem), and the post-2023 plateau are all visible in the yearly series. The current year always shows a partial count.” reads the Ransomnews ‘s report."
        https://securityaffairs.com/195117/cyber-crime/ransomware-never-stopped-over-9000-confirmed-attacks-since-2018.html

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 19eb53a0-3599-46c5-a7a9-0537ec9ea7f8-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 10 July 2026

      Vulnerabilities

      • Chrome 150 Update Patches 27 Vulnerabilities
        "Google on Wednesday announced a Chrome 150 security update that resolves 27 vulnerabilities, including two critical-severity flaws. The two critical bugs are use-after-free issues in Chrome’s Ozone and Views components. Both were found by Google last month. The Chrome refresh resolves a total of 13 use-after-free defects, including 10 high-severity and one medium-severity weakness."
        https://www.securityweek.com/chrome-150-update-patches-27-vulnerabilities/
      • Microsoft Patches RoguePlanet Defender Zero-Day Vulnerability
        "Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday. The flaw (tracked as CVE-2026-50656) was disclosed by a security researcher using the "Nightmare Eclipse" handle as part of an ongoing dispute with Microsoft over the company's bug bounty and vulnerability disclosure practices. They also shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously removed their repos hosting exploits on GitHub and GitLab."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-rogueplanet-defender-zero-day-vulnerability/
        https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
        https://www.darkreading.com/vulnerabilities-threats/microsoft-rogueplanet-zero-day-threat
        https://www.malwarebytes.com/blog/news/2026/07/microsoft-fixes-rogueplanet-zero-day-in-defender
        https://www.securityweek.com/microsoft-patches-defender-rogueplanet-vulnerability/
        https://securityaffairs.com/195016/security/microsoft-fixed-defender-flaw-rogueplanet-cve-2026-50656.html
        https://www.theregister.com/security/2026/07/09/microsoft-closes-book-on-nightmare-eclipses-rogueplanet-zero-day/5269280
        https://www.helpnetsecurity.com/2026/07/09/microsoft-releases-fix-for-rogueplanet-defender-flaw-cve-2026-50656/
      • WolfSSL, GeoVision, VTK Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in WolfSSF, fourteen in GeoVision, and one vulnerability in VTK-DICOM. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy."
        https://blog.talosintelligence.com/wolfssl-vulnerabilities/
      • Palo Alto Networks Patches 13 Vulnerabilities
        "Palo Alto Networks on Wednesday published advisories describing more than a dozen vulnerabilities affecting its products. The new advisories cover 13 vulnerabilities specific to Palo Alto Networks products, as well as more than 500 flaws patched recently by Google in Chromium, which the cybersecurity giant uses for its Prisma browser. The most severe of the newly patched vulnerabilities is CVE-2026-0288. Assigned high severity and highest urgency ratings, the CVE covers multiple buffer overflows in the PAN-OS software, which powers Palo Alto’s firewalls."
        https://www.securityweek.com/palo-alto-networks-patches-13-vulnerabilities/

      Malware

      • RedHook Returns With a Dangerous Upgrade
        "RedHook is an Android Remote Access Trojan (RAT) that has re-emerged with significant improvements. While retaining core RAT functionalities, such as screen streaming and keylogging, the latest iterations demonstrate a sophisticated shift toward privilege abuse. This analysis details how RedHook abuses Android’s ADB Wireless Debugging features to autonomously obtain shell-level access (uid 2000). Also, by examining the malware’s persistence stack and its expanded command-and-control capabilities, this report provides technical insights into this evolving mobile threat. RedHook was first documented by Cyble researchers in July 2025."
        https://www.group-ib.com/blog/redhook-android-rat-upgraded/
      • How The Reddit And Discord False Report Scam Steals Accounts
        "A stranger messages you on Reddit. They say someone reported them, and the reporting account looks a lot like yours. Was it you? It wasn’t. That’s not really the point of the message. This version relies entirely on social engineering. There is no malware and no malicious links. It starts with a conversation, but the goal is to trick you into handing over a login or verification code so the scammer can access your Reddit account."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/how-the-reddit-and-discord-false-report-scam-steals-accounts
        https://www.helpnetsecurity.com/2026/07/09/reddit-false-report-scam-direct-message/
      • Fake Installers, Fake Reviews, Fake Services – Real Proxies, Real Victims
        "Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device’s bandwidth to their own customers. Those companies—proxy providers—often have affiliate programs where they pay for installation of the software. Sound familiar? It’s the same model as the advertising networks we often write about. Residential proxies are yet another tangled ecosystem full of buyers and sellers, with players in every shade of grey. This blog tells the story of a bad actor who operates an end-to-end malicious proxy business grounded in a collection of clever lookalike domains."
        https://www.infoblox.com/blog/threat-intelligence/fake-installers-fake-reviews-fake-services-real-proxies-real-victims/
        https://thehackernews.com/2026/07/fake-7-zip-installers-turn-devices-into.html
        https://securityaffairs.com/194990/malware/fake-vpn-and-7-zip-apps-turn-victims-into-residential-proxy-nodes.html
      • Compromised Injective SDK Npm Package Exfiltrates Wallet Keys And Mnemonics
        "Socket detected a malicious @injectivelabs/[email protected] release published to npm with fake telemetry functionality that exfiltrates wallet private keys and mnemonic phrases. The affected package is part of the Injective Labs TypeScript SDK and receives roughly 50,000 weekly downloads, making the incident significant for developers and applications that handle Injective wallet workflows."
        https://socket.dev/blog/compromised-injective-sdk-npm-package
        https://www.ox.security/blog/injectivelabs-npm-package-hijacked-impacting-87-dependent-packages/
        http://www.stepsecurity.io/blog/injective-npm-supply-chain-attack-18-packages-backdoored-to-steal-crypto-wallet-keys
        https://www.bleepingcomputer.com/news/security/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer/
      • Helix, a New Name In The Data Extortion Ecosystem?
        "ReliaQuest has identified a data extortion group operating under the name "Helix." However, the playbook it runs and the identity gaps it exploits extend well beyond the group itself. Helix uses vishing to initiate contact—we've even seen the group spoof a target's direct manager by name on caller ID. Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert. ReliaQuest has confirmed shared infrastructure across attacks on multiple targets, including a phishing domain with target-specific subdomains, suggesting a widespread campaign."
        https://reliaquest.com/blog/threat-spotlight-helix-new-name-in-data-extortion-ecosystem
        https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/
      • Inside Forg365: A Telegram-Distributed Sneaky 2FA-Style PhaaS Targeting Microsoft 365
        "Forg365 is a mature Microsoft 365-focused phishing-as-a-service platform that combines device-auth phishing, AiTM delivery, AntiBot evasion, campaign delivery, session persistence, AI-assisted lure creation, and post-compromise mailbox operations inside a commercial operator ecosystem."
        https://zerobec.com/blog/inside-forg365-telegram-distributed-sneaky2fa-style-phaas
        https://www.bleepingcomputer.com/news/security/new-forg365-phishing-platform-uses-ai-to-target-microsoft-365-accounts/
      • When AI Infrastructure Becomes Part Of The Attack Surface
        "Darktrace investigated a compromised AI gateway connected to Amazon Bedrock services that was later observed communicating with cryptomining infrastructure. The incident highlights how AI gateways are becoming part of the enterprise attack surface and demonstrates the importance of behavioral analysis, cloud visibility, and securing AI infrastructure alongside identities and workloads."
        https://www.darktrace.com/blog/when-ai-infrastructure-becomes-part-of-the-attack-surface
        https://www.darkreading.com/cyber-risk/ai-gateways-keys-kingdom
        https://hackread.com/ai-gateway-amazon-bedrock-hijacked-cryptomining/
      • GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver To Disable Defenses
        "Analysis of a recent GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware, which was first seen in 2022. The Symantec Threat Hunter Team tracks the developer behind these ransomware families as Hyadina."
        https://www.security.com/blog-post/goddamn-ransomware-beast-rebrand
        https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
        https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
        https://securityaffairs.com/195042/malware/goddamn-ransomware-uses-poisonx-to-blind-security-software.html
      • GigaWiper: Anatomy Of a Destructive Backdoor Assembled From Multiple Malware
        "In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction:"
        https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/
        https://thehackernews.com/2026/07/new-gigawiper-windows-backdoor-bundles.html
        https://hackread.com/microsoft-gigawiper-backdoor-destroy-windows-pcs/
      • Analyzing AI-Augmented Network Enumeration
        "We recently came across an incident in early June where a threat actor used a vibe-coded PowerShell script for Active Directory (AD) enumeration. The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt. AI-assisted tradecraft continues to change the threat landscape. Defenders should focus on the fundamental behaviors of the attack lifecycle, because while AI can change the code syntax, it can't easily change the underlying parts of an attack, like enumeration."
        https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory
        https://www.infosecurity-magazine.com/news/vibe-coded-malware-ai-powershell/
      • Coordinated GitHub API Enumeration And Access Token Abuse
        "Datadog Security Research is tracking several overlapping campaigns that systematically enumerate corporate GitHub organizations, repositories, and user accounts through the GitHub API. Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub "ghost" accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users. Most requests target public data, making it look like ordinary API traffic. In some cases, the activity escalated past public information enumeration, appearing to successfully clone private repositories."
        https://securitylabs.datadoghq.com/articles/coordinated-github-api-enumeration/
        https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html
      • From Invoice To AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
        "The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems and is delivered using a spoofed domain designed to mimic the organization. The malicious email contains a password-protected attachment that ultimately deploys additional payloads on the victim’s system. Analysis indicates that the threat actor’s primary objective is to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account and implementing persistence mechanisms to retain long-term control of the compromised host."
        https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/
      • CrowdStrike Uncovers New Prompt Injection Techniques
        "Prompt injection is among the defining security challenges of the AI era. As organizations move from chatbots to AI agents, adversaries are finding more ways to manipulate the language, context, and data these systems trust. With the rise of powerful AI agents that can crawl webpages, access file stores, and even write shell commands, indirect prompt injection has emerged as a critical threat vector. Adversaries can hide these attacks in the data consumed by these agents and then hijack their capabilities to cause further damage."
        https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/
      • Large-Scale Exploitation Campaign Targeting Website Content Management Systems (CMS)
        "A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted. As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation."
        https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/large-scale-exploitation-campaign-targeting-website-content-management-systems-cms

      Breaches/Hacks/Leaks

      • AssuranceAmerica Data Breach Exposes Records Of 6.9 Million Drivers
        "American insurance company AssuranceAmerica has disclosed a data breach impacting nearly 7 million drivers after attackers gained access to its systems earlier this year. AssuranceAmerica operates through a network of over 9,500 independent agents and provides auto, renters, and commercial auto insurance coverage across 14 U.S. states. While the company has yet to publish a press release regarding the incident, it revealed in a filing with Maine's Office of the Attorney General that the data breach has exposed the information of 6,998,886 people."
        https://www.bleepingcomputer.com/news/security/assuranceamerica-data-breach-exposes-records-of-69-million-drivers/
        https://www.malwarebytes.com/blog/data-breaches/2026/07/6-9-million-drivers-license-numbers-stolen-from-assuranceamerica
        https://securityaffairs.com/195027/data-breach/assuranceamerica-breach-exposes-7-million-drivers-licenses-after-employee-account-hack.html

      General News

      • Q2 2026 Statistical Report On Malware Targeting Windows Web Servers
        "In the second quarter of 2026, the AhnLab SEcurity intelligence Center (ASEC) compiled an analysis of the current attack status for poorly managed Windows web servers and classified the malware used in these attacks. The targets were Internet Information Services (IIS) web servers and Apache Tomcat web servers running in Windows environments."
        https://asec.ahnlab.com/en/94398/
      • Statistical Report On Malware Targeting Linux SSH Servers In The Second Quarter Of 2026
        "In the second quarter of 2026, the AhnLab SEcurity intelligence Center (ASEC) collected and analyzed attack logs targeting poorly managed Linux SSH servers through honeypots. The scope of the analysis covers attack sources that progressed to executing actual malware installation commands, as well as statistics on the malware used in those attacks."
        https://asec.ahnlab.com/en/94396/
      • Statistical Report On Malware Targeting Windows Database Servers In The Second Quarter Of 2026
        "The AhnLab SEcurity intelligence Center (ASEC) analyzed attack logs from the second quarter of 2026 targeting MS-SQL server and MySQL server installations on Windows. This report summarizes the damage status, attack status, and the classification of the malware and tools used in the attacks."
        https://asec.ahnlab.com/en/94397/
      • Inside The Underground Economy: 5 Dark Web Trends Shaping The 2026 Threat Landscape
        "The dark web is no longer just a hidden marketplace for stolen credentials; it has grown far beyond that point and now affects nearly every phase of the cyberattack lifecycle. Markets that once traded only compromised accounts now also sell ransomware services, initial network access, exploit kits, phishing infrastructure, and even AI-powered attack tools. What used to be a place for selling stolen data has become the operational backbone of modern cybercrime."
        https://cyble.com/blog/dark-web-trends-2026-cyber-threat-landscape/
      • Messaging Fraud Trends Point To Smarter Attacks, Stronger Blocking
        "Fraudsters spent 2025 investing in scale. New routes, new tools, and higher message volumes moved through the SMS, voice, and chat channels that businesses rely on to reach customers. Money follows that activity. The Communications Fraud Control Association puts global telecom fraud losses at around 42 billion dollars for the year, several billion higher than its estimate for the prior year. Blocked volumes rose alongside the threat. Infobip, a communications platform that handles billions of interactions each month, reports that blocked messages grew 77% between 2024 and 2025. This means attackers pushed more traffic, and detection systems caught a wider range of it. Some markets also show better outcomes as detection infrastructure matured, a sign that defenses are catching up in places where they had lagged."
        https://www.helpnetsecurity.com/2026/07/09/infobip-messaging-fraud-trends/
      • A Single Malware File Can Outweigh An Entire AI Dataset
        "Antivirus vendors and security startups keep shipping AI features that promise to read malware the way a seasoned analyst would. The results inside security teams tell a quieter story. A new paper argues that static analysis of software, the job of deciding whether a program is malicious by examining its contents on disk, remains one of the hardest places to make generative AI work. The scale of the problem explains much of the difficulty. Standard datasets in other fields look small next to a single security sample. ImageNet, the benchmark that helped launch deep learning in computer vision, fits in about 17 GB once its images are resized down, and it holds more than a million of them. Routine static analysis means processing single files that outweigh entire datasets from other research areas."
        https://www.helpnetsecurity.com/2026/07/09/research-ai-in-cybersecurity/
        https://arxiv.org/pdf/2606.28929
      • Over 5,800 Arrests, USD 293 Million Intercepted In Global Fraud Bust
        "A global anti-fraud operation involving 97 countries and territories has led to the arrest of 5,811 individuals and the interception of USD 293 million in illicit assets. Operation First Light 2026 (15 Jan 2026 – 30 April 2026), coordinated by INTERPOL, focused on combatting social engineering scams and associated money laundering activities. Social engineering is a broad term that refers to techniques that exploit a person’s trust to obtain money or confidential information. This type of fraud can include business email compromise, sextortion, as well as romance, impersonation or investment scams."
        https://www.interpol.int/News-and-Events/News/2026/Over-5-800-arrests-USD-293-million-intercepted-in-global-fraud-bust
        https://www.bleepingcomputer.com/news/security/police-arrests-5-800-suspects-in-global-anti-fraud-crackdown/
        https://cyberscoop.com/interpol-cybercrime-crackdown-operation-first-light/
        https://www.infosecurity-magazine.com/news/china-interpol-cybercrime-crackdown/
        https://securityaffairs.com/195056/security/interpol-operation-first-light-nets-5811-arrests-and-seizes-293-million.html
        https://www.helpnetsecurity.com/2026/07/09/interpol-fraud-bust-social-engineering-scams/
      • Friendly Fire: Hijacking Defensive Cyber AI Agents For Remote Code Execution
        "We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector. As such, we warn against the recent initiatives that mandate the acceleration of AI-enabled defensive tools without consideration of the substantial and unmitigated risks associated with the deployment of defensive AI, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment."
        https://ainowinstitute.org/publications/friendly-fire-exploit-brief
        https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
      • A New Ransomware Leader Emerges As June 2026 Attack Volumes Climb Worldwide
        "June reversed the brief calm of May. Organizations faced an average of 2,270 weekly cyber attacks, a 10% rise from the previous month and a 17% increase compared with June last year. What makes this month notable is not just the size of the jump but its reach. Rather than one region or sector absorbing the bulk of the growth, the increase showed up almost everywhere at once, suggesting attackers spread their effort wider rather than concentrating it."
        https://blog.checkpoint.com/research/a-new-ransomware-leader-emerges-as-june-2026-attack-volumes-climb-worldwide/
      • AI Agents Are a New Kind Of Identity & Most Organizations Aren't Ready
        "I recently read an opinion piece on TechTarget by Todd Thiemann, a principal analyst at Omdia, on identity security for AI agents. It is one of the clearest things I have read on this topic, but it also made me think about something that I want to dig into further because it's the most important factor in enterprise security right now, and it's not getting the attention it deserves: the development environment. Thiemann makes a point that I have been making for a while now, and it's worth repeating loudly: AI agents are not just another type of non-human identity. They are fundamentally different. If you're still treating them like a service account or an API token, you are already behind."
        https://www.darkreading.com/identity-access-management-security/ai-agents-new-kind-identity-most-organizations-not-ready
      • Iran's Cyber Crosshairs Focus Beyond Critical Infrastructure
        "For many CISOs, the headlines detailing Iranian-linked strikes on water utilities and power grids trigger a dangerous sense of immunity: "I'm not a utility; I'm not a target." There is a comforting, yet flawed, assumption that these operations are merely geopolitical theater confined to the high-stakes arena of critical infrastructure. But in the modern threat landscape, obscurity is not a defense, and "non-critical" status is not a shield. If your organization has a digital heartbeat and an Internet-facing vulnerability, you're already at risk from multiple potential threats, whether you realize it or not."
        https://www.darkreading.com/cyber-risk/iran-cyber-crosshairs-beyond-critical-infrastructure
      • As Global Conflicts Go Digital, Businesses Need Wartime Gameplans
        "Intellect Services could hardly be less interesting. A midsized, family-owned business in Ukraine that sold tax software. Its owners really can't be faulted for not anticipating that they might one day be a huge pawn in a regional cyberwar. To Russian foreign military intelligence, Intellect Services was totally interesting. The company's platform, M.E.Doc, was ubiquitous across Ukrainian businesses. Compromising M.E.Doc they could, in effect, impact most of the country's economy. And like other midsize businesses, the company wasn't likely to have any kind of exceptional cybersecurity defenses getting in Russia's way."
        https://www.darkreading.com/cybersecurity-operations/businesses-wartime-cybersecurity-gameplans
      • 78% Of CISOs Say C-Level Do Not Fully Understand Employee-Driven Cyber Risk
        "More than three quarters of CISOs across Europe say C-level senior decision-makers do not fully understand the cyber risk posed by employees, according to new research, at a time when AI is making human-targeted attacks more sophisticated, scalable, convincing and increasingly frequent. The survey of 200 CISOs across the UK, France, Germany and Sweden, carried out by MetaCompliance, the human cyber risk management company, reveals a growing disconnect between the risks organisations face at the human layer and the level of senior understanding, alignment and support needed to manage them effectively."
        https://www.metacompliance.com/company-news/78-of-cisos-say-c-level-do-not-fully-understand-employee-driven-cyber-risk
        https://www.infosecurity-magazine.com/news/cisos-fear-execs-dont-understand/
      • ENISA’s View On Cybersecurity In The Frontier AI Era
        "This publication provides national competent authorities in Member States and EU policymakers, defenders, and service providers with an initial set of recommendations to support them in their respective roles towards developing the necessary operational capabilities to face machine-speed threats. The recommendations are not an all-inclusive checklist. ENISA aims to further refine and expand these recommendations in close cooperation with Member States and EUIBAs and will align these to upcoming European Commission Action Plan."
        https://www.enisa.europa.eu/publications/enisas-view-on-cybersecurity-in-the-frontier-ai-era
        https://www.enisa.europa.eu/sites/default/files/2026-07/ENISA view on cybersecurity in the frontier AI era_en_0.pdf
      • Florida Ransomware Negotiator Who Extorted And Attacked Multiple U.S. Victims Sentenced To Prison
        "Angelo Martino, 41, of Land O’Lakes, Florida, formerly employed as a ransomware negotiator, was sentenced today to 70 months for his role in conspiring with Blackcat/ALPHV (BlackCat) actors to extort multiple victims, as well as conspiring with other former cybersecurity professionals to attack additional victims in 2023. “Angelo Martino’s victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division."
        https://www.justice.gov/opa/pr/florida-ransomware-negotiator-who-extorted-and-attacked-multiple-us-victims-sentenced-prison
        https://cyberscoop.com/digitalmint-ransomware-negotiator-angelo-martino-sentenced/
      • June 2026 Dark Web Breach Incident Trend Report
        "The June 2026 Dark Web Breach Incident Trend Report is based on major data breach cases posted on the deep web and dark web forums. Due to the nature of some sources, it was difficult to fully verify the accuracy of certain information, so the report includes content that requires further verification."
        https://asec.ahnlab.com/en/94411/
      • June 2026 Dark Web Issue Trend Report
        "The June 2026 Dark Web Issue Trend Report summarizes major issues that occurred on the deep web and dark web. Due to the nature of the sources, it is sometimes difficult to fully verify the accuracy of certain information, and this is noted accordingly."
        https://asec.ahnlab.com/en/94416/
      • June 2026 Dark Web Threat Actor Trend Report
        "The June 2026 Dark Web Threat Actor Trend Report focuses on trends among threat actors—including hacktivists—operating on the deep web and dark web. It is noted that the accuracy of some information could not be verified."
        https://asec.ahnlab.com/en/94417/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 6b3b3c38-8813-4563-9263-cb10c24b1944-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT