NCSA Webboard
    Posts created by NCSA_THAICERT

    • 🛑 Apple releases security updates to fix a zero-day vulnerability 🛑
      1. Vulnerability details
      • CVE-2026-20700 is a security vulnerability in Apple's operating systems. It is an arbitrary code execution flaw in dyld (the Dynamic Link Editor) and affects several platforms: iOS, iPadOS, macOS, tvOS, watchOS and visionOS. An attacker who already has a memory-write capability on the device may be able to execute arbitrary code, which can lead to control of the device, access to or exposure of sensitive data, and installation of malware without authorisation. According to Apple's bulletin, the flaw was exploited in an "extremely sophisticated attack" against specific individuals.
      2. Affected devices

        • iPhone 11 and later
        • iPad Pro 12.9-inch (3rd generation and later)
        • iPad Pro 11-inch (1st generation and later)
        • iPad Air (3rd generation and later)
        • iPad (8th generation and later)
        • iPad mini (5th generation and later)
        • Macs running macOS Tahoe
        (This list covers iPhone, iPad and Mac only; tvOS, watchOS and visionOS are also named as affected platforms in section 1, so check Apple's advisory for Apple TV, Apple Watch and Apple Vision Pro.)
      3. Mitigation and remediation
        3.1 Update the operating system to the version in which Apple has shipped the fix.
        3.2 Turn on Automatic Updates to shorten the window of exposure.
        3.3 For organisations: audit the asset inventory to identify devices that have not yet been updated, use MDM (Mobile Device Management) to enforce the patch, and review logs and EDR telemetry for suspicious behaviour.

      4. Interim measures (if the update cannot be applied immediately)
        4.1 Restrict access to untrusted websites and content.
        4.2 Work from a standard user account rather than an administrator account, to limit the impact if the device is compromised.
        4.3 Enable additional protections such as the firewall, Gatekeeper / XProtect (macOS) and Lockdown Mode (for high-risk users).
        Note that the bug is reachable only by an attacker who already has a memory-write capability, so these measures reduce the chance of the initial foothold rather than closing the dyld flaw itself; they are no substitute for the update.

      5. References
        5.1 https://dg.th/cwmjghxfau
        5.2 https://dg.th/t9yh48ld20
        5.3 https://dg.th/zflytxwpcg
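      As an added worked example (not part of the NCSA post and not Apple's tooling), the inventory check in 3.3 can be scripted against an MDM export. The platform names come from the post; the minimum fixed versions in MIN_FIXED, the CSV columns and the sample devices are assumptions constructed for the example, so replace MIN_FIXED with the versions in Apple's advisory before use.

```python
"""
Added example (not from the NCSA post or from Apple): sweep an MDM inventory
export for devices still below the OS version that fixes CVE-2026-20700.
The MIN_FIXED versions are HYPOTHETICAL placeholders, not from Apple's advisory;
replace them with the versions listed at https://support.apple.com/en-us/126347.
"""
import csv
import io
import re

# Hypothetical minimum fixed version per platform (placeholders, see above).
MIN_FIXED = {
    "iOS": "26.3",
    "iPadOS": "26.3",
    "macOS": "26.3",
    "tvOS": "26.3",
    "watchOS": "26.3",
    "visionOS": "26.3",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'18.3.1 (22D63)' -> (18, 3, 1). Build suffixes are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(platform: str, version: str) -> bool:
    """Numeric, component-wise comparison: 26.10 >= 26.3, unlike string order."""
    minimum = MIN_FIXED.get(platform)
    if minimum is None:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    have, need = parse_version(version), parse_version(minimum)
    width = max(len(have), len(need))          # pad so 26.3 == 26.3.0
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def find_unpatched(csv_text: str) -> list[dict]:
    """Return the rows of an inventory export (columns: serial, platform,
    os_version, owner) whose OS is older than the fixed version."""
    unpatched = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_patched(row["platform"], row["os_version"]):
            unpatched.append({
                "serial": row["serial"],
                "platform": row["platform"],
                "os_version": row["os_version"],
                "required": MIN_FIXED[row["platform"]],
                "owner": row["owner"],
            })
    return unpatched


# Constructed sample export; serials and owners are made up.
SAMPLE_INVENTORY = """\
serial,platform,os_version,owner
C02AAA1,macOS,26.2.1 (25C5),alice
C02AAA2,macOS,26.3,bob
F9FBBB1,iOS,26.3.1,carol
F9FBBB2,iOS,26.2,dave
G1GCCC1,iPadOS,26.10,erin
"""

if __name__ == "__main__":
    for dev in find_unpatched(SAMPLE_INVENTORY):
        print(f"{dev['serial']:10} {dev['platform']:8} {dev['os_version']:16} "
              f"needs >= {dev['required']} ({dev['owner']})")
```

      The comparison is done on integer tuples rather than strings on purpose: a plain string compare would rank "26.10" below "26.3" and report a patched iPad as vulnerable.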


      Posted in Cyber Security News by NCSA_THAICERT
    • Spyware "ZeroDayRAT" compromises Android and iOS, takes remote control of devices, turns on the camera and microphone, intercepts OTPs; risk of data leakage

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
    • Senegal temporarily closes its national ID card office after a ransomware attack


      Posted in Cyber Security News
    • Warning! Fake 7-Zip websites found spreading malware


      Posted in Cyber Security News
    • Cyber Threat Intelligence 12 February 2026

      Healthcare Sector

      • A New Data Theft Gang For The Health Sector To Lose Sleep Over
        "A new cybercriminal gang appears to be targeting the healthcare industry, a sector with a reputation for paying extortionists rather than risk harm to patients. Since first surfacing on the darkweb in recent weeks, the Insomnia data theft group has chalked up 18 alleged victims on its data leak site. More than half have ties to healthcare. Among the victims listed on Insomnia's data leak site as of Wednesday, most are healthcare providers, or companies that are involved with work concerning healthcare issues, including two law firms that handle medical malpractice cases and one manufacturer of surgical and medical gear."
        https://www.bankinfosecurity.com/new-data-theft-gang-for-health-sector-to-lose-sleep-over-a-30735

      Industrial Sector

      • ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Aveva, Phoenix Contact
        "Industrial giants Siemens, Schneider Electric, Aveva, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products. Siemens has published eight new advisories. The company has released patches and mitigations for high-severity issues in Desigo CC, Sentron Powermanager, Simcenter Femap and Nastran, NX, Sinec NMS, Solid Edge, and Polarion products. A medium-severity flaw has been found in Siveillance Video Management Servers. Exploitation of the vulnerabilities can lead to unauthorized access, XSS, DoS, code execution, and privilege escalation."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-aveva-phoenix-contact/

      Vulnerabilities

      • 800,000 WordPress Sites Affected By Arbitrary File Upload Vulnerability In WPvivid Backup WordPress Plugin
        "On January 12th, 2026, we received a submission for an Arbitrary File Upload vulnerability in WPvivid Backup, a WordPress plugin with more than 800,000 active installations. This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have a generated key in the plugin settings to allow another site to send a backup to their site. This feature is disabled by default, and the key expiration can only be set to a maximum of 24 hours."
        https://www.wordfence.com/blog/2026/02/800000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-wpvivid-backup-wordpress-plugin/
      • Fortinet Patches High-Severity Vulnerabilities
        "Fortinet on Tuesday published eight advisories describing security defects addressed in FortiAuthenticator, FortiClient for Windows, FortiGate, FortiOS, and FortiSandbox, including two high-severity issues. The most severe of these is CVE-2025-52436, an XSS bug in FortiSandbox that could be exploited via crafted requests to execute commands without authentication. Next in line is CVE-2026-22153, an authentication bypass in FortiOS that can be exploited under certain configurations to bypass LDAP authentication of Agentless VPN or FSSO policy."
        https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities/
      • CISA Adds Six Known Exploited Vulnerabilities To Catalog
        "CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
        CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
        CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
        CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
        CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
        CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/10/cisa-adds-six-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/187855/security/u-s-cisa-adds-microsoft-office-and-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed By Intel And AMD
        "Intel and AMD’s February 2026 Patch Tuesday advisories address more than 80 vulnerabilities found recently in their products. Intel has published 18 new advisories covering more than 30 vulnerabilities. Four advisories have an overall severity rating of high. One of these advisories describes TDX vulnerabilities discovered in collaboration with Google, including a flaw that could lead to full compromise."
        https://www.securityweek.com/chipmaker-patch-tuesday-over-80-vulnerabilities-addressed-by-intel-and-amd/
      • Safeguarding Foundational Technologies: How Intel And Google Collaborate To Strengthen Intel® TDX
        "Foundational technologies demand an uncompromising approach to security, due to their critical role in safeguarding root of trust. For Confidential Computing technologies such as Intel® Trust Domain Extensions (Intel® TDX), the goal is to protect sensitive workloads, even against compromised hypervisors or malicious insiders for billions of users. Intel TDX achieves this through the enablement of Confidential Virtual Machines (CVMs) — also known as Trust Domains (TDs) — that provide strong hardware-enforced confidentiality and integrity guarantees in multi-tenant and cloud environments."
        https://www.intel.com/content/www/us/en/security/security-practices/blogs/google-collaboration-strengthen-intel-tdx.html
        https://services.google.com/fh/files/misc/intel_tdx_1.5-full_report.pdf
        https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01397.html
        https://www.securityweek.com/google-intel-security-audit-reveals-severe-tdx-vulnerability-allowing-full-compromise/
      • Apple Fixes Zero-Day Flaw Used In 'Extremely Sophisticated' Attacks
        "Apple has released security updates to fix a zero-day vulnerability that was exploited in an "extremely sophisticated attack" targeting specific individuals. Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Apple's security bulletin warns that an attacker with memory write capability may be able to execute arbitrary code on affected devices."
        https://www.bleepingcomputer.com/news/security/apple-fixes-zero-day-flaw-used-in-extremely-sophisticated-attacks/
        https://support.apple.com/en-us/126347

      Malware

      • AgreeToSteal: The First Malicious Outlook Add-In Leads To 4,000 Stolen Credentials
        "This is the first known malicious Microsoft Outlook add-in detected in the wild. But the developer who built it isn't the attacker. In 2022, a developer built a meeting scheduling tool called AgreeTo and published it to the Microsoft Office Add-in Store. It worked. People liked it. Then the developer moved on, and the project died. The add-in stayed listed in Microsoft's store. The URL it pointed to - hosted on Vercel - became claimable. An attacker claimed it, deployed a phishing kit, and Microsoft's own infrastructure started serving it inside Outlook's sidebar. By gaining access to the attacker's exfiltration channel, we were able to recover the full scope of the operation: over 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. The attacker was actively testing stolen credentials yesterday. The infrastructure is live as you read this."
        https://www.koi.ai/blog/agreetosteal-the-first-malicious-outlook-add-in-leads-to-4-000-stolen-credentials
        https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/
        https://thehackernews.com/2026/02/first-malicious-outlook-add-in-found.html
      • Employee Monitoring And SimpleHelp Software Abused In Ransomware Operations
        "Net Monitor for Employees Professional is a commercial workforce monitoring tool developed by NetworkLookout. Marketed for employee productivity tracking, the software provides capabilities that extend well beyond passive screen monitoring, including reverse shell connections, remote desktop control, file management, and the ability to customize service and process names during installation. These features, while designed for legitimate administrative use, make it an attractive tool for threat actors seeking to blend into enterprise environments without deploying traditional malware."
        https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations
        https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/
      • LummaStealer Is Getting a Second Life Alongside CastleLoader
        "Bitdefender researchers have discovered a surge in LummaStealer activity, showing how one of the world's most prolific information-stealing malware operations managed to survive despite being almost brought down by law enforcement less than a year ago. LummaStealer is a highly scalable information-stealing threat with a long history, having operated under a malware-as-a-service model since it appeared on the scene in late 2022. The threat quickly evolved into one of the most widely deployed infostealers worldwide, supported by a large affiliate ecosystem and a constantly adapting delivery infrastructure."
        https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader
        https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/
      • AI/LLM-Generated Malware Used To Exploit React2Shell
        "Darktrace identified an AI/LLM generated malware sample exploiting the React2Shell vulnerability within its Cloudypots environment. The incident shows how LLM‑assisted development enables low‑skill attackers to rapidly create effective exploitation tools. This analysis outlines the attack chain, AI‑generated payload, and the growing defensive challenges posed by accessible, AI‑enabled cyber threats."
        https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell
        https://www.bankinfosecurity.com/ai-generated-malware-exploits-react2shell-for-tiny-profit-a-30734
      • Mispadu Phishing Malware Baseline: Delivery Chains, Capabilities, And Common Campaigns
        "Mispadu is a long-standing Banking Trojan that has only continued to grow in popularity since its first observation in 2019. Although originally appearing in small numbers, at the time of this analysis Mispadu is the top Latin American Banking Trojan that Cofense sees. Current campaigns are seen on a weekly basis, with initial phishing emails bypassing multiple Secure Email Gateways (SEGs) to reach the inboxes of employees across the world. The most popular targeted countries continue to be Latin American, specifically Mexico and Brazil, however some instances of recipients in Europe have also been seen. The most common delivery method continues to be attached PDFs that lead to a chain of scripts before Mispadu is run using legitimate files."
        https://cofense.com/blog/mispadu-phishing-malware-baseline
      • Sleeper Shells: How Attackers Are Planting Dormant Backdoors In Ivanti EPMM
        "Exploitation of Ivanti Endpoint Manager Mobile (EPMM) has been relentless since vulnerability disclosure. That’s not necessarily news. Major institutions - governments included - have already been compromised through this vector, and we’re tracking another exploitation wave as it develops. On February 4th, 2026, a coordinated campaign started across our telemetry with a differing pattern to previous mass exploitation. Rather than the smash-and-grab post-exploitation you’d expect - dropping traditional webshells, running recon and enumeration commands - this operator did something more deliberate, uploading a payload, confirming it landed, and leaving. No commands were executed, the implant was simply left in place."
        https://defusedcyber.com/ivanti-epmm-sleeper-shells-403jsp
        https://www.helpnetsecurity.com/2026/02/11/ivanti-epmm-sleeper-webshell/
      • The Game Is Over: When “free” Comes At Too High a Price. What We Know About RenEngine
        "We often describe cases of malware distribution under the guise of game cheats and pirated software. Sometimes such methods are used to spread complex malware that employs advanced techniques and sophisticated infection chains. In February 2026, researchers from Howler Cell announced the discovery of a mass campaign distributing pirated games infected with a previously unknown family of malware. It turned out to be a loader called RenEngine, which was delivered to the device using a modified version of a Ren’Py engine-based game launcher. Kaspersky solutions detect the RenEngine loader as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen."
        https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/
      • Spying Chrome Extensions: 287 Extensions Spying On 37M Users
        "We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it. Using a leakage metric we flagged 287 Chrome extensions that exfiltrate browsing history. Those extensions collectively have ~37.4 M installations – roughly 1 % of the global Chrome user base. The actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller obscure data‑brokers, and a mysterious “Big Star Labs” that appears to be an extended arm of Similarweb."
        https://github.com/qcontinuum1/spying-extensions
        https://www.theregister.com/2026/02/11/security_researcher_287_chrome_extensions_data_leak/
      • When Paychecks Become The Prize: A Deeper Look At The Rise Of Direct Deposit Attacks
        "Ransomware may dominate headlines, but some of the most effective modern attacks don’t rely on malware at all. Instead, attackers are exploiting identity workflows, trusted access paths, and payroll self-service features to quietly steal money — one paycheck at a time. ARC Labs recently investigated an attack where an adversary redirected an employee’s salary by modifying direct deposit information in a payroll platform after compromising the user’s identity account. The attack was technically simple, operationally precise, and deliberately low-noise. This is not an anomaly. It’s a sign of where financially motivated attacks are heading."
        https://binarydefense.com/resources/blog/when-paychecks-become-the-prize-a-deeper-look-at-the-rise-of-direct-deposit-attacks
        https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
      • Nation-State Actors Exploit Notepad++ Supply Chain
        "Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider’s environment. This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server. This infrastructure-level hijack enabled the attackers to selectively target specific users. The targets were primarily located in Southeast Asia across government, telecommunications and critical infrastructure sectors. Attackers served these targets malicious update manifests instead of legitimate software updates."
        https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/
      • Silent Push Traffic Origin Data Combined With Residential Proxy Data Uncovers Suspicious Chinese VPN
        "Silent Push’s Traffic Origin exposes insights that help identify a threat actor’s true country of origin—visibility that’s otherwise inaccessible to defenders. We use a proprietary global observation network to analyze traffic signals, enabling the platform to identify the countries associated with an IP address. This reveals the traffic’s true physical origin, not just where the proxy server sits. Offering critical enrichment capabilities that businesses can use to immediately unmask global threat actors, Traffic Origin shines a light on malicious behaviors, including North Korean IT workers attempting to obtain fraudulent employment while using residential proxies to conceal their actual physical location. Customers can also use Traffic Origin to automatically assess employee logins and identify when an IP address is masking traffic from an unexpected location or country of concern."
        https://www.silentpush.com/blog/traffic-origin-chinese-vpn/
      • DKIM Replay Attacks Exposed: How Cybercriminals Abuse Apple And PayPal Invoice Emails
        "Cybercriminals no longer rely on obvious phishing tricks or poorly forged emails. Instead, they increasingly abuse trusted platforms, legitimate workflows and small gaps in widely used security controls. By manipulating everyday business processes that users already trust, threat actors turn reputable infrastructure into an unwitting delivery mechanism for scams, making malicious messages far harder to spot and far more likely to succeed."
        https://www.kaseya.com/blog/dkim-replay-attacks-apple-paypal-invoice-abuse/

      Breaches/Hacks/Leaks

      • Georgia Healthcare Company Data Breach Impacts More Than 620,000
        "A cyberattack last year on a prominent Georgia-based healthcare company leaked the sensitive information of 626,540 people, according to a new filing with the U.S. Department of Health and Human Services. ApolloMD notified customers of a data breach in September but provided federal regulators with the full number of victims on Tuesday. The company is a medical group that provides multispecialty physician services to more than 100 hospitals. They have more than 125 practices across 18 states and treat about 4 million patients each year. The company told victims in September about the breach, and said an investigation revealed hackers were in ApolloMD’s IT environment between May 22 and May 23."
        https://therecord.media/georgia-healthcare-company-data-breach-impacts-620000

      General News

      • Police Arrest Seller Of JokerOTP MFA Passcode Capturing Tool
        "The Netherlands Police have arrested a 21-year-old man from Dordrecht, suspected of selling access to the JokerOTP phishing automation tool that can intercept one-time passwords (OTP) for hijacking accounts. The suspect is the third one arrested after a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. At the time, authorities arrested the developer of the platform, and in August, a co-developer who used the aliases 'spit' and 'defone123'."
        https://www.bleepingcomputer.com/news/security/police-arrest-seller-of-jokerotp-mfa-passcode-capturing-tool/
      • Should CISOs Plan For Government As An Adversary?
        "Security leaders have been encouraged to view governments as partners for most of the past three decades. Regulators set the rules, law enforcement responds when incidents occur, and national cyber agencies provide guidance, indicators and frameworks. The underlying assumption has been that public authorities, while sometimes slow or clumsy, are broadly aligned with organizational interests. That assumption is becoming less reliable. This is not a political argument. It is a risk management one. When you strip away ideology and focus purely on threat modeling, there are credible scenarios where state actors control, influence or disrupt the very infrastructure your organization depends on. For CISOs, especially those operating across borders, that reality deserves sober consideration."
        https://www.bankinfosecurity.com/blogs/should-cisos-plan-for-government-as-adversary-p-4041
      • SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions
        "Cyble Research and Intelligence Labs (CRIL) identified sustained development activity surrounding SMS, OTP, and voice-bombing campaigns, with evidence of technical evolution observed through late 2025 and continuing into 2026. Analysis of multiple development artifacts reveals progressive expansion in regional targeting, automation sophistication, and attack vector diversity. Recent activity observed through September and October 2025, combined with new application releases in January 2026, indicates ongoing campaign persistence. The campaigns demonstrate technical maturation from basic terminal implementations to cross-platform desktop applications with automated distribution mechanisms and advanced evasion capabilities."
        https://cyble.com/blog/sms-otp-bombing-campaign-targeting-multiple-regions/
      • How To Stay On Top Of Future Threats With a Cutting-Edge SOC
        "The security operations center is a critical business function that must continually evolve to keep pace with new cybersecurity threats. CISOs remain under tight cost pressure, so they must be highly focused on transforming the SOC to meet their organization's future needs. One thing is certain: the capabilities of today’s SOC will not be fit-for-purpose in five or even three years' time. SOC transformation is complex, and artificial intelligence and people strategies are crucial."
        https://www.darkreading.com/cybersecurity-operations/stay-top-future-threats-cutting-edge-soc
      • AI Rising: Do We Know Enough About The Data Populating It?
        "It certainly is clear that there are (considerable) business benefits to be unlocked through the use of AI. It can undeniably have a beneficial impact by automating rudimentary or labor-intensive tasks, cutting costs, boosting efficiency, enhancing decision-making through powerful data analysis, and so on. It can lead to improved customer experiences, increased innovation, better risk management, and a stronger competitive edge across various functions such as sales, marketing, and operations. All good so far. But how is this improved landscape to be achieved? The answer, fundamentally, is data."
        https://www.darkreading.com/data-privacy/do-we-know-enough-about-data-populating-ai
      • Asia Fumbles With Throttling Back Telnet Traffic In Region
        "Many devices and consumer-grade routers in the Asia-Pacific region continue to use the insecure Telnet protocol, despite a recent critical vulnerability and the general insecurity of the protocol overall, underscoring the risks posed to organizations by the outdated technology. The problems persist despite recent curtailing of Telnet traffic by Internet backbone providers. In three hours on Jan. 14, Telnet traffic across the globe dropped from about 65,000 sessions per hour to 11,000 sessions per hour, an 83% decline in average traffic, according to data provided by GreyNoise, a threat intelligence firm. Yet, firms in the Asia-Pacific region saw some of the smallest decreases, suggesting that Asian network providers failed to — or decided not to — block the risky protocol, says Bob Rudis, vice president of data science at GreyNoise."
        https://www.darkreading.com/threat-intelligence/asia-fumbles-telnet-threat-traffic
        https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/
        https://www.theregister.com/2026/02/11/were_telcos_tipped_off_to/
      • Manipulating AI Memory For Profit: The Rise Of AI Recommendation Poisoning
        "That helpful “Summarize with AI” button? It might be secretly manipulating what your AI recommends. Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call AI Recommendation Poisoning. Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters (MITRE ATLAS® AML.T0080, AML.T0051)."
        https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/
        https://www.helpnetsecurity.com/2026/02/11/ai-recommendation-memory-poisoning-attacks/
        https://www.theregister.com/2026/02/12/microsoft_ai_recommendation_poisoning/
      • Security Teams Are Paying For Sprawl In More Ways Than One
        "Most enterprises run security programs across sprawling environments that include mobile devices, SaaS applications, cloud infrastructure, and telecom networks. Spend control in these areas often sits outside the security organization, even when the operational consequences land directly on security teams. Tangoe’s 2026 Trends & Savings Recommendations Report connects these cost domains to recurring governance failures that create risk exposure across identity, endpoint management, and infrastructure visibility."
        https://www.helpnetsecurity.com/2026/02/11/security-teams-ai-driven-it-spend/
      • Vulnerability Forecast 2026: The Year Ahead
        "Happy New Year 2026! As we turn the page on another year and raise our glasses to new beginnings, we at FIRST have been busy doing what we do best: thinking quantitatively about what lies ahead. And our forecast for 2026 is both sobering and, we hope, useful. Our prediction: 2026 will be the year we cross 50,000 published CVEs. In fact, our median forecast sits at approximately 59,000 vulnerabilities for the year—a number that should give pause to anyone responsible for patch management, detection engineering, or coordinated vulnerability disclosure."
        https://www.first.org/blog/20260211-vulnerability-forecast-2026
        https://www.infosecurity-magazine.com/news/first-forecasts-record-50000-cve/
      • Spam And Phishing In 2025
        "In 2025, online streaming services remained a primary theme for phishing sites within the entertainment sector, typically by offering early access to major premieres ahead of their official release dates. Alongside these, there was a notable increase in phishing pages mimicking ticket aggregation platforms for live events. Cybercriminals lured users with offers of free tickets to see popular artists on pages that mirrored the branding of major ticket distributors. To participate in these “promotions”, victims were required to pay a nominal processing or ticket-shipping fee. Naturally, after paying the fee, the users never received any tickets."
        https://securelist.com/spam-and-phishing-report-2025/118785/
      • Security In The Dark: Recognizing The Signs Of Hidden Information
        "As humans, we don’t always make the right decisions, of course. When we do, it’s generally because we are basing those decisions on accurate data. Simply put, sound decisions require deducing the correct conclusions from an accurate data set. Further, the more complete the data set we are analyzing, the better chance we have of arriving at the right decision. Nowhere is this more pertinent than in the security field. When we look to properly assess, prioritize, and mitigate risk, we need the most accurate and complete data we can get. When we don’t have that, we end up doing a lot of guess work, and that can have disastrous consequences for the organization’s security posture."
        https://www.securityweek.com/security-in-the-dark-recognizing-the-signs-of-hidden-information/
      • Hacker Conversations: Professional Hacker Douglas Day
        "Douglas Day is a member of the Hacker Advisory Board at HackerOne and a full-time professional hacker. His membership of the Hacker Advisory Board is voluntary and unpaid, but more than 95% of his income comes from bug bounty hacking. The rest comes from the occasional contracted pen testing and red teaming. “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”"
        https://www.securityweek.com/hacker-conversations-professional-hacker-douglas-day/

      Source
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers use a QR-scan trick on Signal and impersonate the support team to take over accounts


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • BeyondTrust fixes a pre-auth vulnerability that could allow remote code execution



      Posted in Cyber Security News
      NCSA_THAICERT
    • Hacker group UNC3886 breaches the systems of Singapore's four major mobile carriers



      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds six exploited vulnerabilities to its catalog

      On 10 February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild:

      • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
      • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
      • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
      • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
      • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
      • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability

      CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) catalog to collect CVEs that carry high risk and are actively exploited. Federal Civilian Executive Branch (FCEB) agencies must remediate the listed vulnerabilities within the specified deadlines to protect their networks from these threats.

      CISA will continue to update the KEV catalog and add new vulnerabilities as they are found to be exploited, so that it reflects the risks actually observed now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/02/10/cisa-adds-six-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases five Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released five advisories on industrial control systems (ICS) on 10 February B.E. 2569 (2026 CE) to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are:

      • ICSA-26-041-01 Yokogawa FAST/TOOLS
      • ICSA-26-041-02 ZLAN Information Technology Co. ZLAN5143D
      • ICSA-26-041-03 AVEVA PI Data Archive
      • ICSA-26-041-04 AVEVA PI to CONNECT Agent
      • ICSMA-26-041-01 ZOLL ePCR IOS Mobile Application

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 11 February 2026

      Industrial Sector

      • Poland Energy Sector Cyber Incident Highlights OT And ICS Security Gaps
        "In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company—in a cyber incident. The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS."
        https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps
        https://cyberscoop.com/cisa-warning-russian-cyberattack-poland-power-grid/
      • OT Attacks Get Scary With 'Living-Off-The-Plant' Techniques
        "Operational technology (OT) cyberattacks in recent years have been relatively tame, thanks to attackers' ignorance of bespoke and legacy systems. But there are early indications that attackers are growing more interested in and accustomed to dealing with industrial machines, and that they might be on the precipice of causing much more serious damage to them. A decade ago, it might have seemed like the world was entering a new, more dangerous era of cyberattacks. Russia hacked Ukraine's power grid. Israel and the United States sabotaged an Iranian nuclear facility. Attackers were targeting dams, and manufacturing plants. This was cyberactivity with real-world, sometimes life-threatening consequences."
        https://www.darkreading.com/ics-ot-security/ot-attacks-living-off-the-plant

      New Tooling

      • Meet Quantickle: I Needed a New Tool To Visually Represent And Connect Disparate Sorts Of Threat Research Data, So I Vibe-Coded One
        "For some time, I have wanted a simple, browser-based network graphing tool that could truly handle the complexities of threat research. This is the reality of threat intelligence: while some data is standardized, the most critical leads are often 'weird and off-the-wall'. These one-to-many relationships are exactly where Excel fails, yet they are where graphs excel. Because existing commercial software is often too rigid to allow for major changes or true customization, I was left with a gap in my toolkit. So, I set out to build the solution myself."
        https://www.rsaconference.com/library/blog/meet-quantickle
        https://github.com/RSAC-Labs/Quantickle
        https://www.securityweek.com/rsac-releases-quantickle-open-source-threat-intelligence-visualization-tool/

      Vulnerabilities

      • SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities
        "SAP on Tuesday announced the release of 27 new and updated security notes, including two that address critical-severity vulnerabilities. The first critical security note released on SAP’s February 2026 security patch day addresses CVE-2026-0488 (CVSS score of 9.9), a code injection bug in CRM and S/4HANA. Impacting the Scripting Editor component of the applications, the flaw can be exploited by authenticated attackers to execute arbitrary SQL statements."
        https://www.securityweek.com/sap-patches-critical-crm-s-4hana-netweaver-vulnerabilities/
      • Microsoft February 2026 Patch Tuesday Fixes 6 Zero-Days, 58 Flaws
        "Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses five "Critical" vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/
        https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days
        https://blog.talosintelligence.com/microsoft-patch-tuesday-february-2026/
        https://cyberscoop.com/microsoft-patch-tuesday-february-2026/
        https://securityaffairs.com/187848/uncategorized/microsoft-patch-tuesday-security-updates-for-february-2026-fix-six-actively-exploited-zero-days.html
        https://www.securityweek.com/6-actively-exploited-zero-days-patched-by-microsoft-with-february-2026-updates/
        https://www.theregister.com/2026/02/10/microsofts_valentines_gift_to_admins/
      • Patch Tuesday: Adobe Fixes 44 Vulnerabilities In Creative Apps
        "Adobe’s February 2026 Patch Tuesday updates address a total of 44 vulnerabilities discovered by external security researchers in the company’s products. The software giant has published nine new advisories announcing patches for Audition, After Effects, InDesign Desktop, Substance 3D Designer, Substance 3D Stager, Substance 3D Modeler, Bridge, Lightroom Classic, and the DNG SDK. The company has assigned a critical severity rating to over two dozen vulnerabilities that can be exploited for arbitrary code execution, but they are all rated high based on their CVSS scores."
        https://www.securityweek.com/patch-tuesday-adobe-fixes-44-vulnerabilities-in-creative-apps/
      • Security Advisory EPM February 2026 For EPM 2024
        "Ivanti has released updates for Ivanti Endpoint Manager which addresses one high severity vulnerability and one medium severity vulnerability. Successful exploitation could allow a remote authenticated attacker to leak arbitrary data or compromise user sessions. Additionally, 11 medium severity vulnerabilities previously disclosed in October 2025 have been resolved with this update. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
        https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US

      Malware

      • Old-School IRC, New Victims: Inside The Newly Discovered SSHStalker Linux Botnet
        "Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker. To the best of our knowledge, no other research team has reported on this threat actor. Our SSH honeypot captured multiple attacks over two months, revealing a sophisticated operation that blends 2009-era Internet Relay Chat (IRC) botnet tactics with modern mass-compromise automation."
        https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
        https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/
        https://www.securityweek.com/new-sshstalker-linux-botnet-uses-old-techniques/
      • Breaking Down ZeroDayRAT - New Spyware Targeting Android And iOS
        "We recently identified a new mobile spyware platform called ZeroDayRAT being sold openly via Telegram (with activity first observed February 2nd). The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel. From that panel, an operator gains full remote control over a user’s Android or iOS device, with support spanning Android 5 through 16 and iOS up to 26, including the iPhone 17 Pro. No technical expertise is required. The platform goes beyond typical data collection into real-time surveillance and direct financial theft."
        https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios
        https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-full-access-to-android-ios-devices/
        https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market
        https://www.infosecurity-magazine.com/news/zerodayrat-mobile-spyware-android/
        https://www.securityweek.com/new-zerodayrat-spyware-kit-enables-total-compromise-of-ios-android-devices/
        https://securityaffairs.com/187820/malware/zerodayrat-spyware-grants-attackers-total-access-to-mobile-devices.html
      • Beyond The Battlefield: Threats To The Defense Industrial Base
        "In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike. In recent years, Google Threat Intelligence Group (GTIG) has observed several distinct areas of focus in adversarial targeting of the defense industrial base (DIB)."
        https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base
        https://www.bankinfosecurity.com/google-warns-relentless-cyber-siege-on-defense-industry-a-30729
      • Deep Dive Into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
        "FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm. XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively distributed, including through Telegram-based marketplaces. Once deployed, it provides attackers with full remote control of compromised Windows systems. This campaign relies on multiple phishing emails that use social engineering to persuade recipients to open a malicious attachment. The following analysis details these phishing lures and shows how the attached Excel file exploits CVE-2018-0802 to download and execute an HTA file on the victim’s device."
        https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails
      • Threat Actors Exploit Social Causes To Manipulate User Behavior
        "Mimecast Threat Research Team has identified threat actors weaponizing social causes, specifically Pride Month and diversity initiatives, to manipulate organizations into hasty actions. These campaigns deliberately misuse legitimate organizational values to generate the urgency attackers need for successful credential theft. This tactic is particularly effective because it exploits genuine organizational commitment to diversity and inclusion. Whether recipients support or oppose the initiative, attackers count on either reaction driving engagement with malicious links without sufficient scrutiny."
        https://www.mimecast.com/threat-intelligence-hub/exploiting-diversity-values/
        https://hackread.com/pride-month-phishing-employees-trusted-email-services/
      • Espionage Without Noise: Understanding APT36’s Enduring Campaigns
        "Critical infrastructure all over the world is under threat from highly organized, state-sponsored “espionage ecosystems”. These loosely knit but well-resourced organizations are deploying a variety of tools aimed both at disrupting essential services and gathering intelligence. Some work by launching dedicated denial of service (DDoS) attacks against transport and communications hubs as well as commercial supply chains. Others are seeking geopolitical, military or economic advantage, adept at mining for sensitive information and skilled at bypassing traditional security measures. Everything is a target and nowhere is safe."
        https://www.aryaka.com/blog/espionage-without-noise-apt36-enduring-campaigns/
        https://www.securityweek.com/rats-in-the-machine-inside-a-pakistan-linked-three-pronged-cyber-assault-on-india/
      • DPRK Operatives Impersonate Professionals On LinkedIn To Infiltrate Companies
        "The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they're impersonating, marking a new escalation of the fraudulent scheme. "These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate," Security Alliance (SEAL) said in a series of posts on X."
        https://thehackernews.com/2026/02/dprk-operatives-impersonate.html
      • Data Exfil From Agents In Messaging Apps
        "Communicating with AI agents (like OpenClaw) via messaging apps (like Slack and Telegram) has become much more popular. But it can expose users to a largely unrecognized LLM-specific data exfiltration risk, because these apps support ‘link previews’ as a feature. With previews enabled, user data can be exfiltrated automatically after receiving a malicious link in an LLM-generated message -- whereas without previews, the user would typically have to click the malicious link to exfiltrate data. For example, OpenClaw via Telegram is exposed by default. Test any agent / communication app pairing below!"
        https://www.promptarmor.com/resources/llm-data-exfiltration-via-url-previews-(with-openclaw-example-and-test)
        https://www.theregister.com/2026/02/10/ai_agents_messaging_apps_data_leak/
      • A Peek Into Muddled Libra’s Operational Playbook
        "During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. Muddled Libra created the VM after the group successfully gained unauthorized access to the target's VMware vSphere environment."
        https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/
      • New Threat Actor, UAT-9921, Leverages VoidLink Framework In Campaigns
        "VoidLink is a new modular framework that targets Linux based systems. Modular frameworks are prevalent on the landscape today with the likes of Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many operating today. This framework is yet another implant management framework denoting a consistent and concerning evolution with shorter development cycles. Cisco Talos is tracking the threat actor first seen to be using the VoidLink framework as UAT-9921. This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. UAT-9921 uses compromised hosts to install VoidLink command and control (C2) which are then used to launch scanning activities both internal and external to the network."
        https://blog.talosintelligence.com/voidlink/

      Breaches/Hacks/Leaks

      • Volvo Group North America Customer Data Exposed In Conduent Hack
        "Volvo Group North America disclosed that it suffered an indirect data breach stemming from the compromise of IT systems at American business services giant Conduent, of which Volvo is a customer. Volvo Group North America is the Swedish multinational's operating arm in the United States, Canada, and Mexico. It focuses on manufacturing commercial vehicles and heavy equipment, including trucks, buses, construction equipment, engines, and industrial power systems. Mack Trucks, a very popular brand in the U.S., is one of its subsidiaries. Volvo Group is not the same as Volvo Cars, and does not manufacture passenger cars."
        https://www.bleepingcomputer.com/news/security/volvo-group-north-america-customer-data-exposed-in-conduent-hack/
        https://www.theregister.com/2026/02/10/conduent_volvo_breach/
      • Billing Services Firm Notifying Medical Lab Patients Of Hack
        "A revenue cycle management software firm is notifying patients of several related medical diagnostic laboratories that hackers stole their sensitive information, including diagnoses and medical treatments, in a November hack. Ransomware gang Everest Group claimed to be behind the incident, publishing stolen data on its leak website. Catalyst RCM, which is headquartered in Texas, is sending breach notification letters to an undisclosed number of patients of at least three of its diagnostic laboratory clients."
        https://www.bankinfosecurity.com/billing-services-firm-notifying-medical-lab-patients-hack-a-30727

      General News

      • Man Sentenced To 20 Years In Prison For Role In $73 Million Global Cryptocurrency Investment Scam
        "A dual national of China and St. Kitts and Nevis was sentenced in absentia today in the Central District of California to the statutory maximum of 20 years in prison and three years of supervised release for his role in an international cryptocurrency investment conspiracy carried out from scam centers in the Kingdom of Cambodia. The defendant, Daren Li, 42, is a fugitive after cutting off his ankle electronic monitoring device and absconding in December 2025."
        https://www.justice.gov/opa/pr/man-sentenced-20-years-prison-role-73-million-global-cryptocurrency-investment-scam
        https://www.bleepingcomputer.com/news/security/fugitive-behind-73m-pig-butchering-scheme-gets-20-years-in-prison/
        https://therecord.media/chinese-crypto-scammer-sentenced-after-fleeing-us
      • Global Cyber Attacks Rise In January 2026 Amid Increasing Ransomware Activity And Expanding GenAI Risks
        "In January 2026, the global volume of cyber attacks continued its steady escalation. Organizations worldwide experienced an average of 2,090 cyber‑attacks per organization per week, marking a 3% increase from December and a 17% rise compared to January 2025. This growth reflects a landscape increasingly shaped by the expansion of ransomware activity and mounting data‑exposure risks driven by widespread GenAI adoption. Check Point Research data shows that January’s upward trajectory underscores a persistent and evolving cyber threat environment — one defined by fast‑moving ransomware operations and intensifying GenAI‑related risks."
        https://blog.checkpoint.com/research/global-cyber-attacks-rise-in-january-2026-amid-increasing-ransomware-activity-and-expanding-genai-risks/
      • What Organizations Need To Change When Managing Printers
        "QUESTION: Managed printers are still unprotected. What needs to change at the leadership level to effectively secure printers? Jim LaRoe, CEO of Smyphion: Managed is not the same as protected. When most enterprises "manage" their printers, they focus on uptime and the cost of toner, paper, and repairs. That's not security. Not protection. Printers often make up 20% to 30% of an organization's endpoints. They receive, transmit, process, and store the most sensitive data and are the softest path to compromise — because no one owns their protection. Here's the uncomfortable truth: The leadership challenge precedes the technical challenge."
        https://www.darkreading.com/cybersecurity-operations/what-organizations-need-to-change-when-managing-printers
      • What Happens When Cybersecurity Knowledge Walks Out The Door
        "In this Help Net Security interview, Andrew Northern, Principal Security Researcher at Censys, explains why mentorship matters and what organizations risk losing when senior staff disengage. He argues that institutional memory and judgment under pressure are difficult to rebuild once they disappear. Northern also pushes back on the idea that mentoring makes someone replaceable, saying it can strengthen both the mentor and the team. He discusses how mentorship can tie directly to measurable security outcomes, including faster incident response. He also outlines where organizations are lowering technical expectations through tool-first training and over-reliance on automation. Finally, he explains which foundational skills early-career defenders still need, even as security environments become more automated."
        https://www.helpnetsecurity.com/2026/02/10/andrew-northern-censys-cybersecurity-mentorship/
      • NCSC Issues Warning Over “Severe” Cyber-Attacks Targeting Critical National Infrastructure
        "The National Cyber Security Centre (NCSC) has issued an alert to critical national infrastructure (CNI) providers, urging them to act now to protect against “severe” cyber threats. The alert comes following coordinated cyber-attacks which targeted Poland’s energy infrastructure with malware in December. Jonathan Ellison, director for national resilience at the NCSC, has urged CNI operators that they must act now to ensure they can respond to any similar campaigns targeting UK critical infrastructure. “Cyber-attacks disrupting everyday essential services may sound far-fetched, but we know it’s not,” he wrote in a LinkedIn post."
        https://www.infosecurity-magazine.com/news/ncsc-warning-severe-cyberattacks/
      • From Ransomware To Residency: Inside The Rise Of The Digital Parasite
        "Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them? According to Picus Labs’ new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access."
        https://thehackernews.com/2026/02/from-ransomware-to-residency-inside.html
        https://www.infosecurity-magazine.com/news/digital-parasite-attackers-stealth/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 10 February 2026

      Vulnerabilities

      • BeyondTrust Warns Of Critical RCE Flaw In Remote Support Software
        "BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely. Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier. Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/
        https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
        https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html
        https://securityaffairs.com/187776/security/beyondtrust-fixes-critical-pre-auth-bug-allowing-remote-code-execution.html
        https://www.helpnetsecurity.com/2026/02/09/beyondtrust-remote-access-vulnerability-cve-2026-1731/
      • Claude Desktop Extensions Exposes Over 10,000 Users To Remote Code Execution Vulnerability
        "LayerX discovered a zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT), in which a single Google Calendar event can silently compromise a system running Claude Desktop Extensions. The flaw impacts more than 10,000 active users and 50 DXT extensions. Unlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges. As a result, Claude can autonomously chain low-risk connectors (e.g., Google Calendar) to high-risk local executors, without user awareness or consent. If exploited by a bad actor, even a benign prompt (“take care of it”), coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system."
        https://layerxsecurity.com/blog/claude-desktop-extensions-rce/
        https://www.infosecurity-magazine.com/news/zeroclick-flaw-claude-dxt/
      • Critical Fortinet FortiClientEMS Flaw Allows Remote Code Execution
        "Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1). The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests. “An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory."
        https://securityaffairs.com/187787/security/critical-fortinet-forticlientems-flaw-allows-remote-code-execution.html
        https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

      Malware

      • Active Exploitation Of SolarWinds Web Help Desk
        "On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control. This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution via untrusted deserialization -- CVE-2025-40551 was recently added to CISA’s Known Exploited Vulnerabilities database, and CVE-2025-26399 was just recently discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation."
        https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
        https://www.bleepingcomputer.com/news/security/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor/
        https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html
        https://www.securityweek.com/recent-solarwinds-flaws-potentially-exploited-as-zero-days/
        https://securityaffairs.com/187761/security/attackers-abuse-solarwinds-web-help-desk-to-install-zoho-agents-and-velociraptor.html
        https://www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/
      • Largest Multi-Agency Cyber Operation Mounted To Counter Threat Posed By Advanced Persistent Threat (APT) Actor UNC3886 To Singapore’s Telecommunications Sector
        "On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security. Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks."
        https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/
        https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/
        https://thehackernews.com/2026/02/china-linked-unc3886-targets-singapore.html
        https://therecord.media/singapore-attributes-telecoms-hacks-unc3886
      • Storm-2603 Exploits CVE-2026-23760 To Stage Warlock Ransomware
        "ReliaQuest has identified active exploitation of a vulnerability in SmarterTools SmarterMail email server software (CVE-2026-23760), attributed with moderate-to-high confidence to “Storm-2603.” This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its “Warlock” ransomware operations. While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in “Volume Mount” feature to gain full system control. Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware."
        https://reliaquest.com/blog/threat-spotlight-storm-2603-exploits-CVE-2026-23760-to-stage-warlock-ransomware/
        https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/
        https://www.darkreading.com/application-security/warlock-gang-breaches-smartertools-smartermail-bugs
        https://www.securityweek.com/smartertools-hit-by-ransomware-via-vulnerability-in-its-own-product/
        https://www.helpnetsecurity.com/2026/02/09/smartertools-breach-smartermail-vulnerability/
      • Threat Alert: TeamPCP, An Emerging Force In The Cloud Native And Ransomware Landscape
        "TeamPCP (a.k.a. PCPcat, ShellForce, and DeadCatx3) launched a massive campaign in December 2025 targeting cloud native environments as part of a worm-driven operation that systematically abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability. The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency."
        https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware
        https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
        https://www.darkreading.com/cloud-security/teampcp-cloud-infrastructure-crime-bots
      • Reynolds: Defense Evasion Capability Embedded In Ransomware Payload
        "A recent Reynolds ransomware campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself."
        https://www.security.com/threat-intelligence/black-basta-ransomware-byovd
        https://www.darkreading.com/threat-intelligence/black-basta-bundles-byovd-ransomware-payload
      • Phorpiex Phishing Campaign Delivers GLOBAL GROUP Ransomware
        "We recently observed a high-volume Phorpiex campaign delivered through phishing emails with the subject "Your Document.” It’s a subject line that’s been heavily used in largescale campaigns throughout 2024 and 2025. The phishing email includes a seemingly harmless attachment that is in fact a weaponised Windows Shortcut (.lnk) file. This malicious shortcut highlights how attackers continue to exploit everyday file types to gain an initial foothold in a victim’s system. By combining social engineering, stealthy execution, and Living off the Land (LotL) techniques, the file silently retrieves and launches a second stage payload raising suspicion."
        https://www.forcepoint.com/blog/x-labs/phorpiex-global-group-ransomware-lnk-phishing
        https://hackread.com/hackers-global-group-ransomware-offline-phishing-emails/
      • VoidLink: Dissecting An AI-Generated C2 Implant
        "VoidLink is a Linux C2 framework capable of generating implant binaries for deployment across cloud and enterprise environments. This analysis focuses on the implant “the agent component” which is designed for long-term access, credential theft, and data exfiltration. Our analysis found strong indicators that the implant was built using an LLM coding agent. Structured “Phase X:” labels, verbose debug logging, and documentation patterns left in the production binary point to automated code generation with minimal human review."
        https://www.ontinue.com/resource/voidlink-dissecting-an-ai-generated-c2-implant/
        https://www.infosecurity-magazine.com/news/voidlink-malware-multi-cloud-ai/
      • Fake 7-Zip Downloads Are Turning Home PCs Into Proxy Nodes
        "A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time. A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
      • Technical Analysis Of GuLoader Obfuscation Techniques
        "GuLoader (also known as CloudEye) is a highly obfuscated malware family that was first observed in December 2019. It serves primarily as a downloader for Remote Access Trojans (RATs) and information stealers, which are delivered to compromised systems. The threat actors that distribute GuLoader often host malware on legitimate platforms including Google Drive and OneDrive to evade reputation-based detection. In this blog post, Zscaler ThreatLabz explores the anti-analysis techniques that GuLoader employs including polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation."
        https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques
      • Leaked Technical Documents Show China Rehearsing Cyberattacks On Neighbors’ Critical Infrastructure
        "China appears to be using a secret training platform to rehearse cyberattacks against the critical infrastructure of its closest neighbors, according to a cache of leaked technical documents reviewed by Recorded Future News. Beijing has long been accused of running extensive offensive cyber campaigns by Western officials and cybersecurity researchers, with those allegations usually based on intelligence assessments and technical forensics obtained following a hack. The leaked materials, which include source code, training information and software assets, provide rare documentary insight into the preparation that could support such attacks before they take place."
        https://therecord.media/leaked-china-documents-show-testing-cyber-neighbors
      • Killings, Torturing, And Smuggling: How An Infostealer Exposed An ISIS Cell’s XMPP Network
        "A compromised machine in Lebanon – most likely belonging to a person named قسورة (Qasura), a local ISIS cell commander – contained explosive synthesis manuals, jihadist propaganda, and locally stored XMPP chat logs that should have been encrypted. The chats reveal Qasura receiving direct instructions from Syria-based operatives, coordinating IED attacks that killed security personnel, requesting religious permission for torture, managing cross-border smuggling routes, handling money transfers through Turkey and Syria, and shipping detonator components across the region. Through this single compromised machine, we were able to map the entire cell hierarchy from local commander to senior leadership."
        https://www.infostealers.com/article/killings-torturing-and-smuggling-how-an-infostealer-exposed-an-isis-cells-xmpp-network/
      • UNC1069 Targets Cryptocurrency Sector With New Tooling And AI-Enabled Social Engineering
        "North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim."
        https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

      Breaches/Hacks/Leaks

      • Fallout From Latest Ivanti Zero-Days Spreads To Nearly 100 Victims
        "Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred. The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday."
        https://cyberscoop.com/ivanti-zero-day-vulnerabilities-netherlands-european-commission-shadowserver/
        https://ec.europa.eu/commission/presscorner/detail/en/ip_26_342
        https://www.bankinfosecurity.com/ivanti-zero-days-likely-deployed-in-eu-dutch-hacks-a-30717
        https://www.bleepingcomputer.com/news/security/european-commission-discloses-breach-that-exposed-staff-data/
        https://therecord.media/eu-dutch-government-announce-hacks-ivanti-zero-days
        https://hackread.com/cyber-attack-european-commission-staff-mobile-systems/
        https://www.securityweek.com/european-commission-investigating-cyberattack/
        https://securityaffairs.com/187768/data-breach/european-commission-probes-cyberattack-on-mobile-device-management-system.html
        https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
        https://www.theregister.com/2026/02/09/european_commission_phone_breach/
        https://www.helpnetsecurity.com/2026/02/09/european-commission-ivanti-epmm-vulnerabilities/
      • AI Chat App Leak Exposes 300 Million Messages Tied To 25 Million Users
        "An independent security researcher uncovered a major data breach affecting Chat & Ask AI, one of the most popular AI chat apps on Google Play and Apple App Store, with more than 50 million users. The researcher claims to have accessed 300 million messages from over 25 million users due to an exposed database. These messages reportedly included, among other things, discussions of illegal activities and requests for suicide assistance."
        https://www.malwarebytes.com/blog/news/2026/02/ai-chat-app-leak-exposes-300-million-messages-tied-to-25-million-users
      • Senegal Confirms Breach Of National ID Card Department After Ransomware Claims
        "A cybersecurity incident affecting the government of Senegal has forced the closure of an office tasked with managing sensitive information, including national ID cards, passports and other biometric data. The Directorate of File Automation (DAF) sent out a notice last week warning the country’s 19.5 million residents that a cyberattack had forced the government to temporarily suspend the office’s operations."
        https://therecord.media/senegal-breach-national-id-agency

      General News

      • United Airlines CISO On Building Resilience When Disruption Is Inevitable
        "Aviation runs on complex digital systems built for stability, safety, and long lifecycles. That reality creates a unique cybersecurity challenge for airlines, where disruption can quickly become an operational and public trust crisis. In this Help Net Security interview, Deneen DeFiore, VP and CISO at United Airlines, explains how the company approaches modernization without compromising safety-critical environments, why resilience and continuity matter as much as prevention, and how the airline manages risk across an interconnected ecosystem of vendors, partners, and infrastructure providers. DeFiore also shares how cross-functional collaboration shapes incident response when the stakes include passengers in the air."
        https://www.helpnetsecurity.com/2026/02/09/deneen-defiore-united-airlines-aviation-cybersecurity-strategy/
      • AI Agents Behave Like Users, But Don’t Follow The Same Rules
        "Security and governance approaches to autonomous AI agents rely on static credentials, inconsistent controls, and limited visibility. Securing these agents requires the same rigor and traceability applied to human users, according to Cloud Security Alliance’s Securing Autonomous AI Agents report. Autonomous AI agents act on behalf of humans, accessing data and making decisions with business impact. Organizations are deploying them across production environments, pilots, tests, and broader AI or automation initiatives. As a result, agents operate across multiple environments, expanding the agentic workforce without corresponding governance and IAM controls."
        https://www.helpnetsecurity.com/2026/02/09/securing-autonomous-ai-agents-rules/
      • Social Media Platforms Earn Billions From Scam Ads
        "Social media sites received nearly £3.8bn ($5.2bn) in revenue from malicious ads in Europe in 2025, off the back of almost one trillion impressions, according to Juniper Research. The analyst used publicly available data to study ads on Facebook, Instagram, TikTok, Snapchat, X (formerly Twitter) and LinkedIn, across 11 European markets including the UK. It defined a scam ad as a “deceptive paid post that misleads users into giving money, personal information, or account access by falsely advertising products, services, or investment opportunities.”"
        https://www.infosecurity-magazine.com/news/social-media-platforms-billions/
        https://www.juniperresearch.com/resources/free-research/protecting-users-from-scam-ads-a-call-for-social-media-platform-accountability/
      • Beyond The Hype: Moltbot’s Real Risk Is Exposed Infrastructure, Not AI Superintelligence
        "Over the past several days, OpenClaw (formerly known as Clawdbot and Moltbot) has drawn intense attention across social media and headlines. Much of that attention has focused on speculation about artificial general intelligence (AGI) and the Singularity or autonomous AI agents operating without human control. Some posts focus on the OpenClaw agents interacting on Moltbook, a supposed social media network for agents, where they claim to have created their own religion and plans to revolt. That framing misses the real issue. The SecurityScorecard STRIKE Threat Intelligence Team is releasing research today that shows that the actual risk behind OpenClaw is access and exposed infrastructure. Our live reconnaissance data reveals tens of thousands of internet-facing OpenClaw deployments, many running vulnerable versions, many already correlated with prior breaches. Some users are configuring bots with personal names and company names, revealing who is using these tools."
        https://securityscorecard.com/blog/beyond-the-hype-moltbots-real-risk-is-exposed-infrastructure-not-ai-superintelligence/
        https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/
        https://www.infosecurity-magazine.com/news/researchers-40000-exposed-openclaw/
      • Why Zero-Day Downstream Mass Data Extortion Campaigns Are Losing Their Bite
        "Q4 of 2025 was marked by the latest large-scale data theft campaign by the CL0P ransomware gang, this time exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign came from a playbook CL0P pioneered nearly five years ago. The strategy involves: purchase a zero-day exploit of a widely used enterprise file transfer or data storage appliance, compromise as many instances as possible before detection, exfiltrate as much data as possible from as many downstream customers as possible, and finally monetize at scale the attack through extortion of each unique downstream party. This strategy does not involve the encryption of the target assets. Often the entire attack chain occurs outside of the victim’s network. This was the 5th campaign where CL0P followed this playbook, and the financial outcome for CL0P tells an interesting story about the current state of cyber extortion."
        https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025
        https://www.securityweek.com/ransomware-groups-may-pivot-back-to-encryption-as-data-theft-tactics-falter/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Prometei Botnet malware attacks via RDP, embedding a cryptocurrency miner and stealing credentials


      You can follow news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Conpet, Romania's national oil pipeline operator, discloses a cyberattack affecting its business systems



      Posted in Cyber Security News
      NCSA_THAICERT
    • US man pleads guilty to hijacking the Snapchat accounts of more than 600 young women to steal and resell private photos



      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 09 February 2026

      New Tooling

      • Data Tool To Triage Exploited Vulnerabilities Can Make KEV More Useful
        "All software vulnerabilities are not the same. Faced with a quickly growing number of vulnerabilities — more than 48,100 in 2025, up 21% from the previous year — IT and security teams are searching for ways to prioritize which issues need patching and which can be put off for another day. While a variety of approaches exist, including the Exploit Prediction Scoring System (EPSS) and the Likely Exploited Vulnerabilities (LEV) equation, many companies rely on the Known Exploited Vulnerabilities (KEV) Catalog published by the US Cyber and Infrastructure Security Agency (CISA) for a short list of high-impact issues that need immediate attention."
        https://www.darkreading.com/threat-intelligence/data-tool-triage-exploited-vulnerabilities-make-kev-catalog-more-useful
        https://github.com/runZeroInc/kev-collider-data/
      • New Tool Blocks Imposter Attacks Disguised As Safe Commands
        "A new open-source and cross-platform tool called Tirith can detect homoglyph attacks over command-line environments by analyzing URLs in typed commands and stopping their execution. Available on GitHub and also as an npm package, the tool works by hooking into the user’s shell (zsh, bash, fish, PowerShell) and inspecting every command the user pastes for execution."
        https://www.bleepingcomputer.com/news/security/new-tool-blocks-imposter-attacks-disguised-as-safe-commands/
        http://github.com/sheeki03/tirith

      Vulnerabilities

      • Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk Of Code And Credential Leaks
        "Git has been the most widely used version control system among developers worldwide to coordinate coding projects ever since its founding by Linus Torvalds. However, its public nature also makes it a treasure trove for misuse. Publicly accessible .git folders keep surfacing across the internet and can turn even minor software deployment mistakes into potentially catastrophic security incidents with just a few clicks. A 2026 internet-wide data study conducted by the Mysterium VPN research team found that 4,964,815 IP addresses – essentially, 5 million web servers – had their Git repository metadata accessible."
        https://www.mysteriumvpn.com/blog/news/git-metadata-leak
        https://securityaffairs.com/187674/security/nearly-5-million-web-servers-found-exposing-git-metadata-study-reveals-widespread-risk-of-code-and-credential-leaks.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
        CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/05/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-smartermail-rce-flaw-used-in-ransomware-attacks/
        https://securityaffairs.com/187675/security/u-s-cisa-adds-smartertools-smartermail-and-react-native-community-cli-flaws-to-its-known-exploited-vulnerabilities-catalog.html
        https://www.securityweek.com/critical-smartermail-vulnerability-exploited-in-ransomware-attacks/
        https://www.helpnetsecurity.com/2026/02/06/ransomware-smartermail-cve-2026-24423/

      Malware

      • Malicious dYdX Packages Published To Npm And PyPI After Maintainer Compromise
        "Socket's Threat Research Team discovered a supply chain attack targeting the dYdX protocol package across npm and PyPI ecosystems. The dYdX protocol is a decentralized exchange for cryptocurrency derivatives trading. The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management. Applications using these packages handle sensitive cryptocurrency operations."
        https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi
        https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html
      • How 0apt Is Using Random Noise To Fake a Ransomware Empire
        "When the group calling itself 0apt surfaced on the dark web earlier this month, the numbers were a gut punch. Usually, a new ransomware operation builds its name slowly, one victim at a time. 0apt took a shortcut by posting a list of 190 companies all at once: a hit list that covered almost every major industry. But as we started checking the group's claims, we found something strange. While the group initially populated its site with a string of low-tier, nameless "garbage" companies, it has recently pivoted to a much more dangerous game. The list now features some of the world’s most recognizable corporate titans, from medical technology leaders to defense contractors."
        https://databreach.com/news/44-how-0apt-is-using-random-noise-to-fake-a-ransomware-empire
        https://socradar.io/blog/dark-web-profile-0apt-ransomware/
      • Germany Warns Of Signal Account Hijacking Targeting Senior Figures
        "Germany's domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI)."
        https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/
        https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html
        https://www.helpnetsecurity.com/2026/02/06/state-linked-phishing-europe-journalists-signal/
      • Helpful Skills Or Hidden Payloads? Bitdefender Labs Dives Deep Into The OpenClaw Malicious Skill Trap
        "With hundreds of malicious OpenClaw skills blending in among legitimate ones, manually reviewing every script or command isn’t realistic — especially when skills are designed to look helpful and familiar. That’s why Bitdefender offers a free AI Skills Checker, designed to help people quickly assess whether an AI skill might be risky before they install or run it."
        https://www.bitdefender.com/en-us/blog/labs/helpful-skills-or-hidden-payloads-bitdefender-labs-dives-deep-into-the-openclaw-malicious-skill-trap
        https://hackread.com/openclaw-add-ons-crypto-theft-macos-malware/
      • Norwegian Intelligence Discloses Country Hit By Salt Typhoon Campaign
        "Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations. The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services."
        https://therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
      • Brew Hijack: Serving Malware Over Homebrew’s Core Tap
        "Most of the time, when you install software, you don’t think twice about it. The files get downloaded over HTTPS. The checksums are verified. Everything’s secure - or at least, that’s the assumption. And thank god for that. If every download could be intercepted, or every binary replaced without warning, the internet would be a minefield. But what if both protections were missing? What if the download was served over plain HTTP, and the installer wasn’t even validated after the fact? Come on - it's 2026! That can’t still happen in a widely used package manager. r..right?"
        https://www.koi.ai/blog/brew-hijack-serving-malware
      • New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
        "In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser‑based social engineering combined with living‑off‑the‑land binaries and Python‑based payload delivery."
        https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/
      • Tenant From Hell: Prometei's Unauthorized Stay In Your Windows Server
        "In January 2026, eSentire's Threat Response Unit (TRU) detected a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer in the Construction industry. Prometei is a botnet suspected to be of Russian origin and has been active since 2016. It features extensive capabilities, including remote control functionality, credential harvesting, crypto-mining (Monero), lateral movement, Command and Control (C2) over both the clearweb and TOR network, and self-preservation measures that harden compromised systems against other threat actors, to maintain exclusive access."
        https://www.esentire.com/blog/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server
        https://hackread.com/uk-construction-firm-prometei-botnet-windows-server/

      Breaches/Hacks/Leaks

      • Flickr Discloses Potential Data Breach Exposing Users' Names, Emails
        "Photo-sharing platform Flickr is notifying users of a potential data breach after a vulnerability at a third-party email service provider exposed their real names, email addresses, IP addresses, and account activity. Founded in 2004, Flickr is one of the world's largest photography communities and sharing sites, hosting over 28 billion photos and videos. The company says it has 35 million monthly users and 800 million monthly page views."
        https://www.bleepingcomputer.com/news/security/flickr-discloses-potential-data-breach-exposing-users-names-emails/
        https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/
        https://hackread.com/flickr-data-breach-external-partner-security-flaw/
        https://www.theregister.com/2026/02/06/flickr_emails_users_about_data_breach/
        https://securityaffairs.com/187753/data-breach/flickr-moves-to-contain-data-exposure-warns-users-of-phishing.html
      • Payments Platform BridgePay Confirms Ransomware Attack Behind Outage
        "A major U.S. payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services. The incident began on Friday and quickly escalated into a nationwide disruption across BridgePay's platform."
        https://www.bleepingcomputer.com/news/security/payments-platform-bridgepay-confirms-ransomware-attack-behind-outage/
      • A Technical And Ethical Post-Mortem Of The Feb 2026 Harvard University ShinyHunters Data Breach
        "On February 4, 2026, the cybersecurity landscape of higher education was fundamentally altered. A breach attributed to the cybercriminal syndicate ShinyHunters – operating as part of the “Scattered LAPSUS$ Hunters” collective – exposed approximately 115,000 sensitive records from Harvard University’s Alumni Affairs and Development (AAD) department. This incident is not merely a leak of names; it is a collapse of institutional data sovereignty. It exposes the private lives, financial liquidity, and intimate institutional strategies governing the world’s most influential academic donor base. The following analysis decomposes the technical origins of the breach and the problematic nature of the exposed “human infrastructure.”"
        https://www.infostealers.com/article/a-technical-and-ethical-post-mortem-of-the-feb-2026-harvard-university-shinyhunters-data-breach/

      General News

      • Mobile Privacy Audits Are Getting Harder
        "Mobile apps routinely collect and transmit personal data in ways that are difficult for users, developers, and regulators to verify. Permissions can reveal what an app can access, and privacy policies can claim what an app should do, yet neither reliably shows what data is actually collected and where it is sent during real use."
        https://www.helpnetsecurity.com/2026/02/06/mopri-mobile-app-privacy-analysis/
      • Living Off The AI: The Next Evolution Of Attacker Tradecraft
        "For years, defenders have battled “living off the land” attacks—where adversaries progress using the tools already present on compromised systems (PowerShell, WMI, and the like). Then came “living off the cloud,” as threat actors hid in plain sight behind ubiquitous cloud services for malware delivery and data exfiltration. We’re now entering the next phase: living off the AI. Organizations are rapidly adopting AI assistants, agents, and the emerging Model Context Protocol (MCP) ecosystem to stay competitive. Attackers have noticed. Let’s look at how different MCPs and AI agents can be targeted and how, in practice, enterprise AI becomes part of the attacker’s playbook. (MCP is an open source framework for LLMs and AI agents to securely connect with external systems.)"
        https://www.securityweek.com/living-off-the-ai-the-next-evolution-of-attacker-tradecraft/
      • Why Automation Alone Misses AI-Generated Phishing
        "Phishing has evolved far beyond the crude, mass-produced scams most security teams were trained to recognize. What was once defined by obvious deception is now driven by high-quality, adaptive, and highly realistic attacks that are increasingly generated with AI and delivered at an unprecedented scale."
        https://cofense.com/blog/why-automation-alone-misses-ai-generated-phishing
      • Introducing Encrypt It Already
        "Today, we’re launching Encrypt It Already, our push to get companies to offer stronger privacy protections to our data and communications by implementing end-to-end encryption. If that name sounds a little familiar, it’s because this is a spiritual successor to our 2019 campaign, Fix It Already, a campaign where we pushed companies to fix longstanding issues."
        https://www.eff.org/deeplinks/2026/01/introducing-encrypt-it-already
        https://www.darkreading.com/cloud-security/encrypt-it-already-pushes-big-tech-e2e-encryption
      • Shai-Hulud: The Hidden Cost Of Supply Chain Attacks
        "A slew of malware attacks against open source software components have compromised thousands of software packages and repositories, but the practical damage these attacks have caused organizations is harder to quantify. The longer term and indirect costs of these attacks may prove most significant for organizations. Open source components and software have long been a well-established source of threat activity. The widespread use combined with the broad variance in how well-supported different projects are — in part thanks to the community maintenance inherent to many of them — means severe vulnerabilities (and threat campaigns) can sometimes slip through the cracks. The devastating Log4Shell vulnerability from 2021 comes to mind, as does the more recent React2Shell from late last year."
        https://www.darkreading.com/application-security/shai-hulud-hidden-cost-supply-chain-attacks
      • OpenClaw's Gregarious Insecurities Make Safe Usage Difficult
        "OpenClaw, the open source agentic AI assistant available from GitHub, continues to attract a growing following. Like many tech-savvy workers, Dane Sherrets, a staff innovation architect at HackerOne, decided to try out the software. He installed it on a virtual private server, gave the collection of programs and agents its own Slack channel, and limited its access to any personal data. Even with limited access, OpenClaw impressed: When Sherrets reserved a virtual phone number for the AI assistant and gave it an API key with the instructions to develop a capability to make phone calls, it did."
        https://www.darkreading.com/application-security/openclaw-insecurities-safe-usage-difficult
      • Novel Technique To Detect Cloud Threat Actor Operations
        "Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty doesn’t lie in an inability to identify complex alerting operations across thousands of cloud resources or in a failure to follow identity resources; the problem lies in the accurate detection of known persistent threat actor group techniques specifically within cloud environments."
        https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-logging/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA orders government agencies to replace end-of-support edge devices within 18 months to reduce the risk of intrusion

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News by NCSA_THAICERT
    • Italy's La Sapienza University goes offline after a cyberattack

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News by NCSA_THAICERT
    • Shadow Campaigns: APT group operations for global cyber-espionage targeting 155 countries

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News by NCSA_THAICERT
    • 🚨Check and fix urgently! A critical vulnerability found on the n8n platform could be used to run commands on the system

      🚨Check and fix urgently! A critical vulnerability found on the n8n platform could be used to run commands on the system if an attacker gains access to a user account with permission to create or edit Workflows.
      If left unpatched, this vulnerability may expose the system to unauthorized access or takeover.

      🔴 Vulnerability details
      • CVE-2026-25049 is a critical-severity vulnerability with a CVSS score of 9.4. It stems from a flaw in how n8n evaluates commands or conditions (expressions) inside a Workflow. An authenticated user with permission to create or edit Workflows can place specially crafted expressions in a Workflow, resulting in execution of system commands on the host that serves n8n.
      • Successful exploitation may allow an attacker to access data, alter system settings, or render the system unavailable.

      🎯 Affected products and versions
      • n8n 1.x versions earlier than 1.123.17
      • n8n 2.x versions earlier than 2.5.2

      ⚠️ ThaiCERT advises organizations running affected versions to review and remediate immediately.

      🔎 Detection and prevention guidance

      1. Detection
        • Check the version of n8n in use
        • Review user accounts that have permission to create or edit Workflows
        • Review Workflows that contain unusual data-processing commands or conditions (expressions)

      2. Prevention
        Update n8n to a fixed version:
        • Systems still on n8n 1.x can update to version 1.123.17 or newer
        • Systems still on n8n 2.x can update to version 2.5.2 or newer
        • Restrict the ability to create or edit Workflows to trusted users only
        • Deploy n8n in an environment with appropriately restricted operating-system and network permissions to limit the impact of a compromise
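        As an added example (not ThaiCERT's or n8n's own tooling), a small Python triage script that applies the fixed-version thresholds stated above to an asset inventory; the MAJOR.MINOR.PATCH version-string format, the hostnames and the inventory values are constructed assumptions.

```python
"""Version triage for the n8n expression advisory (CVE-2026-25049).

Added example for this post, not tooling from n8n or ThaiCERT. The fixed
releases are the ones stated in the advisory: 1.x fixed in 1.123.17 and
2.x fixed in 2.5.2. Version strings are assumed (not taken from n8n docs)
to look like MAJOR.MINOR.PATCH with an optional "-suffix" for pre-releases.
"""
import re
from typing import Dict, Optional, Tuple

# Major release line -> first fixed release, as stated in the advisory.
FIXED_RELEASES: Dict[int, str] = {1: "1.123.17", 2: "2.5.2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.123.17' into a comparable tuple (major, minor, patch, release).
    The last element is 0 for a pre-release suffix such as '-rc.1' and 1 for a
    final release, so a pre-release sorts below its final release as in SemVer
    and is still treated as unpatched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def minimum_fixed(version: str) -> Optional[str]:
    """First fixed release for this instance's major line, or None when the
    line is not covered by the advisory (e.g. a hypothetical 3.x)."""
    return FIXED_RELEASES.get(parse_version(version)[0])


def is_affected(version: str) -> bool:
    """True when the running version is below the fixed release of its line.
    Lines not named in the advisory are reported as not affected by it."""
    fixed = minimum_fixed(version)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host running an affected build to the release it must reach.
    Hosts already patched or outside the advisory are omitted."""
    return {host: minimum_fixed(ver) for host, ver in inventory.items()
            if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample asset inventory; hostnames and versions are made up.
    sample = {"n8n-prod-01": "1.120.3", "n8n-prod-02": "1.123.17",
              "n8n-dev-01": "2.4.9", "n8n-dev-02": "2.5.2"}
    for host, target in triage_inventory(sample).items():
        print(f"{host}: affected, update to {target} or newer")
```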

      3. Temporary measures (if updating immediately is not possible)
        • Limit Workflow creation and editing rights to users who need them
        • Run n8n in an environment with restricted operating-system-level privileges
        Note: these measures only reduce risk temporarily and do not fully remediate the vulnerability.
        🔗 References
        https://dg.th/7wyi4sqn6h
        https://dg.th/nom3jy2rlp

      ThaiCERT advises users and administrators of the affected product to check their installations and update to the latest version immediately to reduce the risk of attack and prevent potential damage.


      Posted in Cyber Security News by NCSA_THAICERT