สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
Google ออกแพตช์แก้ช่องโหว่ Android 124 รายการ รวมถึง CVE-2025-48595 ที่อาจถูกใช้โจมตีแบบเจาะจงเป้าหมายโพสต์ใน Cyber Security News
-
GoDaddy พบมัลแวร์บนเว็บไซต์ WordPress เกือบ 2,000 แห่ง ใช้ Steam เป็นโครงสร้าง Command-and-Controlโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
OpenAI ประกาศอัปเดตระบบ GPT-5.5 พร้อมเตรียมยกเลิกการใช้งานโมเดลรุ่นเก่าโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 03 June 2026โพสต์ใน Cyber Security News
Vulnerabilities
- Unauthenticated Privilege Escalation Vulnerability Patched In Kirki WordPress Plugin
"On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release. This vulnerability makes it possible for unauthenticated attackers to take over arbitrary user accounts on the site, including administrator accounts, by leveraging the plugin’s password reset functionality to have the password reset link delivered to an attacker-controlled email address."
https://www.wordfence.com/blog/2026/06/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/ - Google Fixes One Actively Exploited Android Zero-Day, 124 Flaws
"Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks. Local attackers can exploit the actively abused high-severity Android Framework vulnerability (tracked as CVE-2025-48595) to gain code execution and escalate privileges on devices running Android 14 or later. "There are indications that CVE-2025-48595 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin."
https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/
https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html
https://www.securityweek.com/android-update-patches-exploited-zero-day-123-other-vulnerabilities/
https://www.helpnetsecurity.com/2026/06/02/android-vulnerability-exploited-cve-2025-48595/ - CVE-2026-0826: Critical Unauthenticated Stack Buffer Overflow In HP Poly VVX And Trio VoIP Phones (FIXED)
"Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-0826 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability is present in the device's parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a remote attacker."
https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/
https://www.securityweek.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/ - CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
CVE-2025-48595 Android Framework Integer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog - FlagLeft: We Found A Forgotten Flag That Turned Microsoft 365 Apps Into a Silent Account Takeover Pipeline For Billions Of Users
"Our research found that any app installed on the same Android device could silently access a Microsoft 365 account’s token. It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user’s knowledge. The issue has been patched, but if you use Microsoft 365 apps on Android, update them now. If your organization manages Android devices, make sure Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote are on patched versions."
https://enclave.ai/blog/flagleft-microsoft-365-android-forgotten-flag-account-takeover
https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/
Malware
- Crypto Guest At Dawn Endpoint (Midnight) Ransomware Analysis
"EndPoint is a ransomware variant formerly known as Midnight, which is believed to be built on the Babuk ransomware framework. It targets not only Windows environments, but also ESXi and NAS environments, and uses a double extortion method that combines file encryption with Data exfiltration threats. Since the Babuk source code leak, several derivative ransomware have emerged, and EndPoint is one of them. infected files are given the .endpoint extension, and the ransom note includes a uTox ID to contact the victim. in the past, the [email protected] account in the ransom note impersonated the director of the East Asia Institute, which has been identified as being used by North Korea-linked threat actors since 2024."
https://asec.ahnlab.com/en/93932/ - Game Over: WeedHack – The Rise Of Minecraft Malware-As-a-Service Campaigns
"Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Mode in gaming history. It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/
https://www.bleepingcomputer.com/news/security/over-116-000-mincraft-systems-infected-in-weedhack-malware-campaign/ - Pointing a Cursor At Evading Detection
"Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework. The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test. Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection:"
https://www.sophos.com/en-us/blog/pointing-a-cursor-at-evading-detection
https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/
https://www.infosecurity-magazine.com/news/ai-edr-evasion-tooling/
https://www.helpnetsecurity.com/2026/06/02/ai-agents-edr-evasion-techniques/ - Instagram Users Locked Out After Meta AI Abused To Steal Accounts
"Multiple Instagram users had their accounts hijacked after attackers convinced Meta’s AI-powered support tools that they were the legitimate owners. In many cases, impacted users are unable to recover access due to the platform's use of automated assistance that involves only AI/chatbot loops and no human support agents. On Monday, multiple holders of rare and high-value accounts reported suddenly losing access to their accounts, claiming that their identities had been verified via facial scans and that they had enabled safeguards such as two-factor authentication (2FA)."
https://www.bleepingcomputer.com/news/security/instagram-users-locked-out-after-meta-ai-abused-to-steal-accounts/
https://hackread.com/hackers-abuse-meta-ai-bot-hijack-instagram-accounts/
https://www.securityweek.com/meta-ai-hands-over-high-profile-instagram-accounts-to-hackers/
https://securityaffairs.com/193034/hacking/instagram-account-hijacks-expose-the-security-risks-of-ai-powered-support.html - From Token Bingo To MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, And Other Services
"In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure. Our latest findings include: The operator’s full panel infrastructure, including a live command-and-control (C2) panel for token capture status. A phishing page impersonating MAX Messenger, Russia’s state-backed national messenger, used to take over MAX accounts via a fake “prize-claim” attack flow."
https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
https://www.darkreading.com/cyber-risk/fbi-flagged-phishing-kit-kali365-expands-its-reach - These Convincing Copyright Notices Are Designed To Steal Google Logins
"A new scam is targeting people who publish Chrome extensions. The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal. It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password. If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users."
https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins - Russia Claims Foreign Spy Agencies Hacked Officials' Phones
"Russia's domestic security agency on Tuesday accused foreign intelligence services of conducting an espionage operation against senior Russian officials, alleging that spies used the infrastructure and capabilities of major international technology companies to secretly collect sensitive government information. In a statement, Russia's Federal Security Service (FSB) said it had uncovered what it described as a "large-scale operation" involving malicious software installed on the mobile devices of senior Russian officials. The agency alleged the malware was used to extract data, intercept communications and conduct covert audio and video surveillance."
https://therecord.media/russia-claims-foreign-spy-agencies-hacked-gov-officials
https://www.theregister.com/security/2026/06/02/russian-spy-agency-says-foreign-spies-turned-officials-smartphones-into-surveillance-devices/5250099 - Operation FlutterBridge: MacOS Malvertising Campaign Spreads New FlutterShell Backdoor
"We are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. In recent months, the financially-motivated attackers behind these campaigns transitioned from delivering standard adware, to delivering adware with full backdoor capabilities. We designate this campaign Operation FlutterBridge, and we call the payload that it delivers FlutterShell. Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications. In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation."
https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/
Breaches/Hacks/Leaks
- 'Dumbass' Criminal Breaks The 'first Rule Of Ransomware Club'
"Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country. In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up."
https://www.theregister.com/cyber-crime/2026/06/02/dumbass-criminal-breaks-the-first-rule-of-ransomware-club/5250380
General News
- The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem
"When people hear about hackers “asking an AI chatbot” to help them take over Instagram accounts, the instinctive reaction is to file it under prompt injection, jailbreaks, or “the model got tricked.” That may be the wrong lesson. According to reporting from 404 Media, hackers claimed they used Meta’s AI support chatbot to gain access to high-profile Instagram accounts by asking it to change the email address associated with the target account. The reported incidents coincided with several high-profile account takeovers, including accounts linked to the Obama White House, Sephora, and the Chief Master Sergeant of the Space Force."
https://blog.checkpoint.com/ai-security/the-meta-ai-account-recovery-incident-wasnt-just-a-chatbot-problem/ - Why Traditional Phishing “Red Flags” Fail Against AI-Generated Attacks
"For years, phishing awareness was taught through a simple lens: look for bad grammar, suspicious links, generic greetings, and urgent requests. That advice is not wrong. It is just no longer enough. Today’s phishing attacks are increasingly built to avoid those classic tells. Threat actors use AI to generate emails that are grammatically correct, contextually relevant, and tailored to specific people, roles, and organizations. Instead of sending one sloppy template, they can create endless variations that look legitimate on the surface. That shift breaks one of the oldest assumptions in phishing defense: that malicious emails will usually look suspicious."
https://cofense.com/blog/why-traditional-phishing-red-flags”-fail-against-ai-generated-attacks - Zoom CISO: AI As Security Enabler, Not Role-Replacer
"In an era where artificial intelligence is reshaping the cybersecurity landscape at unprecedented speed, Sandra McLeod, CISO at Zoom, offers a compelling perspective on the future of digital defense. With years of security experience spanning from penetration testing at Cisco to leading security initiatives at one of the world's most widely used communication platforms, McLeod brings a unique technical foundation to her leadership role. Her journey to the CISO position reflects the evolving nature of cybersecurity leadership itself."
https://www.darkreading.com/cybersecurity-operations/zoom-ciso-ai-security-enabler-role-replacer - Securing AI Agents Before They Go Rogue Is Next To Impossible
"Agentic AI adoption is in full swing, but unfortunately for enterprises, completely securing these agents might not be feasible. That's according to Dennis Xu, research vice president at Gartner, who spoke about the dangers of rogue AI agents during the Gartner Security & Risk Management Summit on Monday. "There's a lot of them coming at us — whether we like it or not, whether we know it or not," he said during his presentation."
https://www.darkreading.com/cyber-risk/securing-ai-agents-rogue - Zero Trust Physical Security Needs Trust Decisions At The Edge
"In this interview with Help Net Security, Chuck Davis, VP, Global Information Security at Hikvision, explains how zero trust applies to physical security systems like cameras and door controllers. He breaks down how to make trust decisions at the edge without recreating old perimeter assumptions, why these devices should be treated as IT assets, and what the Mirai botnet taught the industry. Davis also covers posture assessment for devices that cannot run standard agents, and how to manage device identity and revoke trust across tens of thousands of endpoints during a live incident."
https://www.helpnetsecurity.com/2026/06/02/chuck-davis-hikvision-zero-trust-physical-security/ - This AI Model Backdoor Attack Stays Hidden Until You Customize The Model
"Most teams that deploy AI start with a backbone model. They download a large pre-trained system, adapt it to a specific task, and put it into production. The download step carries a security question: the origin of the model. A research team built an attack called BadBone. It plants a backdoor inside a backbone model. Downstream tasks that adapt the model inherit the backdoor. The name points at the target. Corrupt the skeleton, and systems built on top of it carry the flaw."
https://www.helpnetsecurity.com/2026/06/02/ai-model-backdoor-attack-research/
https://arxiv.org/pdf/2605.31246 - Wardriving Assessment Across Mexico: Preparing For The 2026 World Cup
"Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of those risks arise from users connecting to public wireless networks. To better understand the wireless environments that visitors may encounter, we at Kaspersky GReAT conducted a wardriving assessment in the three host cities. The aim of the study was to analyze characteristics, deployment patterns, security configurations and potential exposure risks of public Wi-Fi infrastructure in urban wireless environments."
https://securelist.com/wardriving-assessment-in-mexico-fifa-world-cup-2026/119996/ - Two New Reports Offer Competing Explanations For Cybersecurity’s Growing Crisis
"Two reports offer differing viewpoints. One suggests a failure of tools to provide what security teams really need. The other suggests the tools exist but are not properly managed. The industrialization of cybercrime threatens to overwhelm cyber defense. It’s a process that started before the arrival of ChatGPT, was supercharged by the age of AI, and is now typified as the post-Mythos era. It’s a time when defenders must improve their performance or cede the battleground to the adversary. Applications are the battlefield. The speed, scale and sophistication of AI-assisted attacks is difficult to contain."
https://www.securityweek.com/two-new-reports-offer-competing-explanations-for-cybersecuritys-growing-crisis/ - The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
"One of the most dangerous outcomes of the rise of AI in cybersecurity is the rise of the zero-knowledge threat actor. A threat actor who has negligible technical expertise but enough malicious intent. This actor can leverage AI, turn limited skills into usable offensive capability via generating malicious code, exploiting vulnerabilities, shaping attack steps and guiding execution. AI has not changed the traditional objectives of cybercrime: stealing credentials, exploiting vulnerabilities, gaining privileged access, stealing sensitive data, disrupting operations, and impacting business continuity. What has changed is the speed of discovery, the democratization of capability, and the acceleration of attacks."
https://www.securityweek.com/the-zero-knowledge-threat-actor-and-the-end-of-responsible-disclosure/ - ENISA NIS360 2026: Progress Across The Board, But The Sectors That Matter Most Are Still Falling Short
"ENISA has published its third annual NIS360 report, assessing the cybersecurity maturity and criticality of all sectors covered by the NIS2 directive. The headline finding is that things are improving across the board. The more important finding is that the improvement is uneven, slow where it matters most, and being outpaced by a threat landscape that’s getting harder faster than defenses are getting better. Banking, electricity, and telecommunications remain the most mature and most critical sectors, as they have been since the assessment began. Three sectors moved up into the high maturity band for the first time: trust services, aviation, and financial market infrastructures. Four more strengthened their position within the moderate band: gas, road, maritime, and health."
https://securityaffairs.com/193002/reports/enisa-nis360-2026-progress-across-the-board-but-the-sectors-that-matter-most-are-still-falling-short.html
https://www.enisa.europa.eu/enisa-nis360-2026
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Unauthenticated Privilege Escalation Vulnerability Patched In Kirki WordPress Plugin
-
🛑 ด่วน! แจ้งเตือนช่องโหว่ร้ายแรงใน Langflow 🛑โพสต์ใน Cyber Security News
ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยจาก Cyber Security Agency of Singapore (CSA) เกี่ยวกับช่องโหว่ร้ายแรง CVE-2025-34291 ใน Langflow ซึ่งเป็นแพลตฟอร์มสำหรับสร้างและใช้งาน AI-powered agents และ workflows โดย CSA ระบุว่าช่องโหว่นี้ถูกค้นพบตั้งแต่เดือนธันวาคม 2025 และขณะนี้มีการนำไปใช้โจมตีจริงแล้ว ผู้ใช้งานและผู้ดูแลระบบที่ใช้งาน Langflow เวอร์ชันที่ได้รับผลกระทบควรอัปเดตเป็นเวอร์ชันล่าสุดโดยทันที [1]
-
รายละเอียดช่องโหว่
CVE-2025-34291 - Langflow Origin Validation Error Vulnerability / Account Takeover and Remote Code Execution (RCE) (CVSS v3.1: 8.8 )[2] ช่องโหว่นี้เกิดจากข้อผิดพลาดด้านการตรวจสอบ Origin รวมถึงการตั้งค่า CORS ที่เปิดกว้างเกินไป เช่น การอนุญาต allow_origins='*' พร้อมกับ allow_credentials=True ร่วมกับ refresh token cookie ที่กำหนดเป็น SameSite=None ทำให้เว็บไซต์ที่ผู้โจมตีควบคุมสามารถส่งคำขอข้าม Origin พร้อมข้อมูลรับรองของผู้ใช้งานได้ในบางเงื่อนไข หากโจมตีสำเร็จ ผู้ไม่หวังดีอาจได้รับ access token / refresh token ของ session ผู้ใช้งาน และนำ token ดังกล่าวไปเข้าถึง endpoint ที่ต้องยืนยันตัวตน รวมถึงฟังก์ชันที่เกี่ยวข้องกับการรันโค้ดใน Langflow ส่งผลให้สามารถสั่งรันโค้ดยึดครองบัญชีผู้ใช้งาน และอาจนำไปสู่การยึดครองระบบได้ทั้งหมด -
ผลิตภัณฑ์ที่ได้รับผลกระทบ[3]
Langflow เวอร์ชัน 1.6.9 และเวอร์ชันก่อนหน้า -
แนวทางการแก้ไข
3.1 ผู้ใช้งานและผู้ดูแลระบบที่ใช้งาน Langflow เวอร์ชัน 1.6.9 หรือต่ำกว่า ควรอัปเดตเป็นเวอร์ชันล่าสุดโดยทันที ตามคำแนะนำของ CSA
3.2 ตรวจสอบระบบที่ติดตั้ง Langflow ทั้งหมด โดยเฉพาะระบบที่เปิดให้เข้าถึงผ่านอินเทอร์เน็ต หรือระบบที่มีผู้ใช้งานหลายบัญชี
3.3 หลังอัปเดต ควรตรวจสอบการตั้งค่า CORS และการจัดการ cookie/session ให้สอดคล้องกับแนวทางความปลอดภัย โดยหลีกเลี่ยงการอนุญาต Origin แบบกว้างเกินความจำเป็น
3.4 พิจารณาเพิกถอนหรือหมุนเวียน token, API key, credential, secret และค่าเชื่อมต่อสำคัญที่จัดเก็บหรือใช้งานผ่าน Langflow หากสงสัยว่าระบบเคยถูกเข้าถึงโดยไม่ได้รับอนุญาต -
แนวทางลดความเสี่ยง
4.1 จำกัดการเข้าถึง Langflow จากอินเทอร์เน็ตเท่าที่จำเป็น และควรให้เข้าถึงผ่าน VPN, Zero Trust Access, reverse proxy หรือเครือข่ายภายในที่ควบคุมได้
4.2 ตรวจสอบ log และพฤติกรรมผิดปกติที่เกี่ยวข้องกับการขอ refresh token, การใช้งาน session ที่ผิดปกติ, การเรียกใช้งาน endpoint สำคัญ และการรันโค้ดภายใน Langflow
4.3 ตรวจสอบบัญชีผู้ใช้งานใน Langflow ว่ามีการสร้างบัญชีใหม่ เปลี่ยนสิทธิ์ หรือมี activity ที่ไม่สอดคล้องกับการใช้งานปกติหรือไม่
4.4 หากยังไม่สามารถอัปเดตได้ทันที ให้จำกัดสิทธิ์การใช้งาน Langflow เฉพาะผู้ใช้ที่จำเป็น ปิดการเข้าถึงจากเครือข่ายภายนอก และเพิ่มการตรวจจับผ่าน WAF / reverse proxy / SIEM
4.5 แจ้งเตือนผู้ใช้งานไม่ให้เปิดลิงก์หรือเว็บไซต์ที่ไม่น่าเชื่อถือในขณะที่ยังมี session ใช้งาน Langflow อยู่ เนื่องจากลักษณะช่องโหว่เกี่ยวข้องกับการส่งคำขอข้าม Origin ผ่าน browser session ของผู้ใช้งาน
4.6 ผู้ดูแลระบบควรติดตามประกาศจาก CSA, GitHub Advisory, NVD และผู้พัฒนา Langflow อย่างใกล้ชิด เพื่อรับทราบคำแนะนำด้านแพตช์และมาตรการบรรเทาผลกระทบล่าสุด
แหล่งอ้างอิง
[1] https://dg.th/bdesg19iwx
[2] https://dg.th/x4f3ez7wdb
[3] https://dg.th/qi4hezjfgo
-
-
เตือนช่องโหว่ Windows Netlogon ถูกใช้โจมตีจริง ผู้ดูแลระบบควรเร่งติดตั้งแพตช์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ShinyHunters เผยแพร่ข้อมูลที่อ้างว่าขโมยจาก Charter Communications อาจกระทบลูกค้ากว่า 5 ล้านรายโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ช่องโหว่ระดับวิกฤตในปลั๊กอิน WP Maps Pro บน WordPress สามารถสร้างบัญชีผู้ดูแลระบบได้โดยไม่ได้รับอนุญาตโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบช่องโหว่ใน Windows Netlogon ถูกนำมาใช้โจมตีจริงแล้ว ควรเร่งติดตั้งแพตช์ทันทีโพสต์ใน Cyber Security News
ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบรายงานผู้ไม่หวังดีกำลังใช้ช่องโหว่ระดับวิกฤต หมายเลข CVE-2026-41089 ใน Windows Netlogon ทำการโจมตีระบบอย่างต่อเนื่อง (Active Exploitation) เหตุการณ์นี้ส่งผลให้เกิดความเสี่ยงขั้นสูง เนื่องจากผู้โจมตีสามารถยึดครองระบบ Active Directory ได้ทั้งหมดโดยไม่ต้องมีรหัสผ่าน ผลกระทบโดยตรงจะเกิดกับทุกองค์กรที่มีการใช้งาน Windows Server เป็น Domain Controller และยังไม่ได้ทำการอัปเดตแพตช์รักษาความปลอดภัย [1]
- รายละเอียดของภัยคุกคาม [2]
ช่องโหว่ CVE-2026-41089 มีระดับความรุนแรงตามมาตรฐาน CVSS v3.1 ที่คะแนน 9.8 ซึ่งเป็นช่องโหว่ Remote Code Execution (RCE) ที่เกิดจากข้อผิดพลาดประเภทหน่วยความจำล้น (Stack-based Buffer Overflow) ในบริการ Netlogon ซึ่งทำหน้าที่สำคัญในการพิสูจน์ตัวตนและการสื่อสารระหว่างเครื่องลูกข่ายกับ Domain Controller ภายในระบบ Active Directory ขององค์กร
ทั้งนี้ หน่วยงานสามารถตรวจสอบข้อมูลเพิ่มเติมได้ที่ https://dg.th/x7al8id2ft
-
พฤติกรรมการโจมตี
ผู้โจมตีสามารถเจาะระบบได้โดยการส่งคำขอเครือข่ายที่ถูกสร้างขึ้นมาเป็นพิเศษ (Specially Crafted Network Request)ไปยังบริการ Netlogon บนระบบ Windows Server ที่ทำหน้าที่เป็น Domain Controller เพื่อกระตุ้นให้เกิดข้อผิดพลาดในการประมวลผลข้อมูล ส่งผลให้เกิดช่องโหว่ประเภท Buffer Overflow ภายในหน่วยความจำของระบบ โดยไม่ต้องใช้บัญชีผู้ใช้งานหรือสิทธิ์การเข้าถึงใด ๆ ภายในระบบ หากเจาะระบบสำเร็จ ผู้โจมตีจะสามารถสั่งรันโค้ดอัตรายที่สร้างขึ้นเอง (Arbitrary Code Execution) ด้วยสิทธิ์ของระบบบน Domain Controller ส่งผลให้สามารถเข้าควบคุมโดเมน ยกระดับสิทธิ์บัญชีผู้ใช้งาน ขโมยหรือทำลายข้อมูลสำคัญ รวมถึงสามารถติดตั้งมัลแวร์ เพื่อขยายผลการโจมตีไปยังระบบอื่น ๆ ภายในเครือข่ายขององค์กรได้ -
ผลกระทบที่อาจเกิดขึ้น
3.1 ผู้โจมตีสามารถรันคำสั่งหรือโปรแกรมบนเครื่อง Domain Controller ได้
3.2 ได้รับสิทธิ์ระดับ SYSTEM ซึ่งเป็นสิทธิ์สูงสุดของระบบปฏิบัติการ Windows Server
3.3 เข้าถึง แก้ไข หรือทำลายข้อมูลสำคัญขององค์กร
3.4 ยึดครอง Active Directory และบัญชีผู้ใช้งานภายในโดเมน
3.5 ติดตั้งมัลแวร์ หรือ Backdoor เพิ่มเติม -
แนวทางการป้องกันและลดความเสี่ยง
4.1 ติดตั้งแพตช์ความปลอดภัยจาก Microsoft
4.2 ตรวจสอบ Domain Controller ภายในองค์กร
4.3 จำกัดการเข้าถึงบริการ Netlogon
5.มาตรการชั่วคราวหากยังไม่สามารถแก้ไขได้ทันที
5.1 จำกัดการเข้าถึง Domain Controller เช่น ปิดกั้นการเข้าถึงจากเครือข่ายที่ไม่เกี่ยวข้อง เป็นต้น
5.2 แยก Domain Controller ออกจากเครือข่ายผู้ใช้งานทั่วไป
5.3 จำกัดการสื่อสารระหว่าง VLAN หรือ Security Zone เฉพาะที่จำเป็น
5.4 จำกัดและตรวจสอบบัญชีสิทธิ์สูง เช่น ลดจำนวนผู้ใช้งานที่มีสิทธิ์ระดับสูงให้น้อยที่สุด, เปิดใช้งาน Multi-Factor Authentication (MFA) เป็นต้น
แหล่งอ้างอิง
[1] https://dg.th/h6439ag50y
[2] https://dg.th/e7op9w6z8k - รายละเอียดของภัยคุกคาม [2]
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 11 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 11 รายการ เมื่อวันที่ 28 พฤษภาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
- ICSA-26-148-01 MacGregor Voyage Data Recorder (VDR) G4e
- ICSA-26-148-02 Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
- ICSA-26-148-03 ABB EIBPORT
- ICSA-26-148-04 ABB Busch-Welcome 2 Wire Door Opener Actuator
- ICSA-26-148-05 CP Plus 8 Ch. Network Video Recorder
- ICSA-26-148-06 KMW CCTV Security Cameras
- ICSA-26-148-07 Schnieider Electric EcoStruxure Machine Expert HVAC
- ICSA-26-148-08 XCharge C6
- ICSMA-26-148-01 Fourth Frontier Frontier X Mobile Application, Frontier X2
- ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update L)
- ICSA-26-146-03 ABB Ability Zenon Remote Transport Vulnerability (Update A)
CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 1 มิถุนายน 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
🛑 ด่วน พบเว็บไซต์ปลอมแอบอ้างเป็น ChatGPT หลอกดาวน์โหลดมัลแวร์ขโมยข้อมูลบน Windows และ macOS 🛑โพสต์ใน Cyber Security News
ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบแคมเปญหลอกลวงผ่านเว็บไซต์ปลอมที่แอบอ้างเป็นหน้าดาวน์โหลด ChatGPT ของ OpenAI โดยใช้โดเมน openew[.]app เพื่อหลอกให้ผู้ใช้งานดาวน์โหลดไฟล์ติดตั้งปลอมสำหรับ Windows และ macOS หากผู้ใช้งานติดตั้งไฟล์ดังกล่าว อุปกรณ์อาจติดมัลแวร์ที่สามารถข้อมูลสำคัญ เช่น รหัสผ่าน ข้อมูลเบราว์เซอร์ cookies session ข้อมูลกระเป๋าเงินคริปโทเคอร์เรนซี และข้อมูลอื่น ๆ ได้ [1]
-
รายละเอียดภัยคุกคาม
ผู้ไม่ประสงค์ดีได้สร้างเว็บไซต์ปลอมโดยใช้โดเมน openew[.]app ซึ่งมีการออกแบบหน้าตาและปุ่มดาวน์โหลดให้คล้ายคลึงกับหน้าเว็บไซต์ทางการของ OpenAI นอกจากนี้ยังมีการใช้โปรโตคอลความปลอดภัย (HTTPS) เพื่อให้เบราว์เซอร์แสดงสัญลักษณ์รูปแม่กุญแจ แต่ความจริงแล้วเว็บไซต์ดังกล่าวเป็นเว็บไซต์ที่ไม่ปลอดภัย เป้าหมายของแคมเปญนี้คือการใช้ความนิยมของ ChatGPT และพฤติกรรมผู้ใช้งานที่ค้นหาคำว่า “ChatGPT download” ผ่าน search engine โฆษณา หรือแหล่งที่ไม่เป็นทางการ เพื่อหลอกให้ดาวน์โหลดมัลแวร์ -
ลักษณะการโจมตี
2.1 การโจมตีบนระบบปฏิบัติการ Windows มัลแวร์จะแฝงมาในรูปแบบไฟล์ติดตั้ง (Chat_GPT.exe) เมื่อถูกเรียกใช้งาน มัลแวร์จะสร้างไฟล์และเปิดใช้งานโปรแกรมจัดการคำสั่ง (PowerShell) เพื่อประมวลผลคำสั่งอันตรายโดยตรงผ่านช่องทางป้อนข้อมูลมาตรฐาน (Standard Input) เทคนิคนี้ช่วยให้มัลแวร์สามารถหลบเลี่ยงระบบตรวจจับความปลอดภัย (Evasion Technique) ได้ดีขึ้น เนื่องจากไม่มีการบันทึกไฟล์คำสั่งลงบนหน่วยความจำหรือฮาร์ดดิสก์โดยตรง
2.2 การโจมตีบนระบบปฏิบัติการ macOS ผู้ใช้งานจะได้รับไฟล์ดิสก์อิมเมจ (ChatGpt.dmg) ซึ่งภายในบรรจุมัลแวร์ขโมยข้อมูลสายพันธุ์ Odyssey Stealer (พัฒนาต่อยอดจากมัลแวร์ Atomic Stealer หรือ AMOS) โดยมัลแวร์ตัวนี้จะแสดงหน้าต่างแจ้งเตือนปลอม (Fake Prompt) เพื่อหลอกให้เหยื่อกรอกรหัสผ่านของระบบ จากนั้นจะนำไปใช้เข้าถึงระบบจัดการรหัสผ่าน (Keychain) คุกกี้ (Cookies) ข้อมูลการเข้าสู่ระบบที่บันทึกไว้ (Saved Logins) รวมถึงข้อมูลจากเว็บเบราว์เซอร์ และแอปพลิเคชันสนทนา นอกจากนี้ มัลแวร์ยังพุ่งเป้าไปที่การสแกนหาและสับเปลี่ยนแอปพลิเคชันกระเป๋าเงินคริปโทเคอร์เรนซีด้วยแอปพลิเคชันที่ถูกดัดแปลงฝังมัลแวร์ (Trojanized Application) เพื่อโอนย้ายสินทรัพย์ดิจิทัลของเหยื่ออีกด้วย -
แนวทางการป้องกัน
3.1 ดาวน์โหลด ChatGPT จากเว็บไซต์ทางการของ OpenAI เท่านั้น ได้แก่ https://openai.com/chatgpt/desktop/ หรือ https://openai.com/chatgpt/download/
3.2 หลีกเลี่ยงการดาวน์โหลด ChatGPT จากโฆษณา search engine เว็บไซต์ mirror ลิงก์ใน social media ลิงก์ใน Discord Telegram หรือเว็บไซต์ที่มีชื่อโดเมนใกล้เคียงกับของจริง
3.3 ตรวจสอบ URL ให้ถูกต้องก่อนดาวน์โหลดทุกครั้ง โดยสัญลักษณ์กุญแจ HTTPS ไม่ได้ยืนยันว่าเว็บไซต์เป็นของผู้ให้บริการตัวจริง
3.4 ผู้ดูแลระบบควรบล็อกโดเมนและ IP address ที่เกี่ยวข้องกับแคมเปญนี้บน DNS filtering, proxy, firewall, EDR หรือระบบ secure web gateway -
Indicators of Compromise (IOCs)
4.1 Domain- openew[.]app
4.2 IP Address - 188[.]137[.]246[.]189
- 192[.]253[.]248[.]181
- 172[.]94[.]9[.]250
4.3 File Name - Chat_GPT.exe
- ChatGpt.dmg
4.4 SHA-256 - c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d
- c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b
![openew[.]app.png](/assets/uploads/files/1780391504476-openew.app-resized.png)
- openew[.]app
-
แหล่งอ้างอิง
[1] https://dg.th/6m71oegluf
-
-
พบผู้โจมตีใช้ LLM Agent ช่วยเจาะระบบผ่านช่องโหว่ Marimo CVE-2026-39987โพสต์ใน Cyber Security News
ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบรายงานผู้โจมตีใช้ Large Language Model Agent หรือ LLM Agent เพื่อช่วยดำเนินการหลังจากเจาะระบบผ่านช่องโหว่ใน Marimo ซึ่งเป็นเครื่องมือสำหรับสร้าง Python Notebook และ Interactive Application โดยรายงานระบุว่าผู้โจมตีได้ใช้ประโยชน์จากช่องโหว่ CVE-2026-39987 เพื่อเข้าถึง Marimo instance ที่เปิดให้เข้าถึงจากอินเทอร์เน็ต จากนั้นใช้ LLM Agent ช่วยดำเนินกิจกรรมหลังการเจาะระบบ เช่น สำรวจสภาพแวดล้อม ค้นหาข้อมูลสำคัญ ขโมย Cloud Credentials ดึง SSH Private Key จาก AWS Secrets Manager และนำข้อมูลฐานข้อมูล PostgreSQL ออกไปจากระบบ จึงขอให้ผู้ดูแลระบบที่ใช้งาน Marimo หรือบริการลักษณะเดียวกัน ตรวจสอบการตั้งค่าและอัปเดตระบบทันที[1]
-
รายละเอียดช่องโหว่[2]
ช่องโหว่ CVE-2026-39987 ( มีคะแนน cvss v 3.1 : 9.8 ) เป็นช่องโหว่ที่ส่งผลกระทบต่อ Marimo โดยผู้โจมตีสามารถใช้ประโยชน์จากช่องโหว่ดังกล่าวเพื่อเข้าถึงระบบ Marimo ที่เปิดให้ใช้งานจากอินเทอร์เน็ต โดยเฉพาะระบบที่มีการตั้งค่าไม่ปลอดภัยหรือยังไม่ได้รับการอัปเดตแก้ไข หลังจากผู้โจมตีสามารถเข้าถึงระบบได้สำเร็จ พบว่าไม่ได้หยุดอยู่เพียงการเข้าถึงเบื้องต้น แต่มีการใช้ LLM Agent เข้ามาช่วยวิเคราะห์สภาพแวดล้อมของระบบ ค้นหาข้อมูลสำคัญ และเลือกใช้คำสั่งที่เหมาะสมสำหรับดำเนินการโจมตีต่อไป ซึ่งแสดงให้เห็นว่าเทคโนโลยี AI อาจถูกนำมาใช้เพื่อเพิ่มความรวดเร็วและความแม่นยำในขั้นตอนหลังการเจาะระบบ โดยกิจกรรมที่พบ ได้แก่ การค้นหา Credentials ภายในระบบ การใช้ AWS Access Key เพื่อเรียกใช้งาน AWS API การเข้าถึง AWS Secrets Manager เพื่อดึง SSH Private Key รวมถึงการนำข้อมูลจากฐานข้อมูล PostgreSQL ออกไปภายนอกระบบ -
ระบบที่อาจได้รับผลกระทบ[3]
2.1 Marimo เวอร์ชัน 0.20.4 และต่ำกว่า
2.2 Marimo instance ที่เปิดให้เข้าถึงจากอินเทอร์เน็ต โดยเฉพาะการใช้งานแบบ editable notebook
2.3 ระบบที่เปิดใช้งาน Marimo ด้วย --host 0.0.0.0 ในโหมด edit และไม่มีการควบคุมการเข้าถึงที่เหมาะสม
2.4 ระบบที่ใช้การยืนยันตัวตนภายในของ Marimo เพียงอย่างเดียว โดยไม่มี authentication proxy หรือ network access control เพิ่มเติม
2.5 ระบบที่มีการจัดเก็บ Cloud Credentials, AWS Access Key, SSH Key หรือ Secret ต่าง ๆ ไว้ในสภาพแวดล้อมที่เข้าถึงได้จากแอปพลิเคชัน
2.6 ระบบ Cloud ที่มีการกำหนดสิทธิ์ IAM กว้างเกินความจำเป็น
2.7 ระบบ Notebook หรือ Development Environment ที่เปิดใช้งานแบบ Public โดยไม่มีการควบคุมการเข้าถึงที่เหมาะสม -
แนวทางการแก้ไข
3.1 อัปเดต Marimo เป็นเวอร์ชัน 0.23.0 หรือใหม่กว่า ซึ่งเป็นเวอร์ชันที่มีการแก้ไขช่องโหว่ดังกล่าวแล้ว
3.2 ตรวจสอบว่าไม่มี Marimo instance หรือบริการ Notebook ที่เปิดสู่ Public Internet โดยไม่จำเป็น
3.3 จำกัดการเข้าถึงระบบผ่าน VPN, Internal Network, Authentication Proxy หรือ IP Address ที่เชื่อถือได้เท่านั้น
3.4 ตรวจสอบและหมุนเวียน Cloud Credentials, AWS Access Key, SSH Key และ Secret ที่อาจถูกเข้าถึง
3.5 ตรวจสอบ AWS CloudTrail, Secrets Manager Access Log และ Log ที่เกี่ยวข้อง เพื่อค้นหาการเข้าถึงที่ผิดปกติ
3.6 ปรับสิทธิ์ IAM ให้เป็นไปตามหลัก Least Privilege โดยให้สิทธิ์เท่าที่จำเป็นต่อการใช้งาน
3.7 ตรวจสอบฐานข้อมูล PostgreSQL และระบบจัดเก็บข้อมูลอื่น ๆ ว่ามีการเข้าถึงหรือถ่ายโอนข้อมูลผิดปกติหรือไม่ -
มาตรการชั่วคราวหากยังไม่สามารถแก้ไขได้ทันที
4.1 ปิดการเข้าถึง Marimo จากอินเทอร์เน็ตภายนอกชั่วคราว
4.2 จำกัดการเข้าถึงเฉพาะเครือข่ายภายใน, VPN หรือ IP Address ที่เชื่อถือได้
4.3 ปิดหรือจำกัดการใช้งาน Terminal WebSocket หากไม่จำเป็นต่อการใช้งาน
4.4 เพิกถอนหรือเปลี่ยน Cloud Credentials, AWS Access Key, SSH Key และ Secret ที่อาจเกี่ยวข้องทันที
4.5 ตรวจสอบ Secret ที่จัดเก็บในระบบ Cloud และยกเลิก Secret ที่ไม่จำเป็น
4.6 เพิ่มการเฝ้าระวัง Log ของระบบ Cloud, Notebook Server, WebSocket และฐานข้อมูล
4.7 สำรองข้อมูลสำคัญ และตรวจสอบความถูกต้องของ Backup
แหล่งอ้างอิง
[1] https://dg.th/rxg573pjsm
[2] https://dg.th/quln4dzmwx
[3] https://dg.th/s3b1ocmf7v
-
-
Cyber Threat Intelligence 02 June 2026โพสต์ใน Cyber Security News
New Tooling
- NVIDIA Goes Open Source With a Big Batch Of Physical AI Agent Tools
"NVIDIA just dropped a big batch of open-source “physical AI” skills and tools, and they’re designed to make a roboticist’s life a whole lot easier. The idea? Take the messy, complicated work behind robots, self-driving cars, vision AI, and industrial digital twins, and break it into bite-sized tasks that AI agents can actually run themselves. These skills ship as part of the NVIDIA Agent Toolkit, and here’s what makes them handy: they let AI agents tap directly into NVIDIA’s own libraries, models, and frameworks. That means agents can help speed up the whole pipeline, from generating data and running simulations to training models, evaluating results, and finally deploying everything that powers robots, autonomous vehicles, factories, and labs."
https://www.helpnetsecurity.com/2026/06/01/nvidia-open-source-physical-ai-skills/
https://github.com/NVIDIA/skills
https://skills.sh/ - OWASP Agent Memory Guard: Stop AI Agents From Being Weaponized Through Their Own Memory
"AI agents keep memory across sessions. Conversation history, vector stores, scratchpads, and RAG indexes persist between runs, and anything written into that store becomes a privileged input the agent reads back later. An attacker who plants text in the wrong field can override an agent’s instructions, pull out user data, or steer future tool calls, and the effect survives across sessions because the memory does. Agent Memory Guard is an open-source runtime defense layer that sits between an agent and its memory store, screening every read and write through a pipeline of detectors and a YAML policy. The project is the OWASP reference implementation for ASI06, Memory Poisoning, one entry in the OWASP Top 10 for Agentic Applications."
https://www.helpnetsecurity.com/2026/06/01/owasp-agent-memory-guard/
https://github.com/OWASP/www-project-agent-memory-guard
Vulnerabilities
- Critical Windows Netlogon RCE Flaw Now Exploited In Attacks
"The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks. Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks. Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows attackers without privileges to gain remote code execution on targeted domain controllers."
https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/
https://www.securityweek.com/critical-windows-netlogon-vulnerability-in-attackers-crosshairs/
https://www.helpnetsecurity.com/2026/06/01/windows-netlogon-rce-exploited-cve-2026-41089/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Red Hat Npm Packages Compromised To Spread a Credential-Stealing Worm
"On June 1, 2026, we detected multiple official packages from the @redhat-cloud-services scope on npm were compromised with a credential-stealing worm. In total, 96 versions across 32 packages have been compromised, cumulatively downloaded 116,991 times per week. The malware appears similar to the Mini Shai-Hulud malware that was recently open-sourced by TeamPCP. Since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token. If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately."
https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
https://www.ox.security/blog/new-npm-supply-chain-attack-redhat-cloud-services-compromised/
https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html
https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803 - The Server Seizure That Affects Also Iran’s Cyber Operations
"On May 22, 2026, Dutch financial-crime investigators walked into data centers in Dronten and Schiphol-Rijk and seized approximately 800 servers. The target was WorkTitans B.V., a hosting provider that, on the surface, looked like any other internet infrastructure company. What investigators uncovered, however, was something far more significant: a ghost operation built on sanctioned infrastructure, quietly serving as the backbone for some of Iran’s most active cyber espionage campaigns."
https://blog.checkpoint.com/security/the-server-seizure-that-affects-also-irans-cyber-operations/ - Cryptocurrency Scams: The 10 Most Common Types And How They Work
"A crypto scam is a type of fraud that exploits the unique characteristics of cryptocurrency, such as its decentralized and pseudonymous nature, as well as the irreversible nature of crypto transactions, to steal funds from victims. Crypto scams are expected to cost victims an estimated $17 billion in 2025, driven by AI-enabled fraud, industrialized scam operations, and new impersonation tactics. Financial institutions sit on the front lines of this exposure because stolen funds flow through their platforms before reaching attacker-controlled wallets."
https://www.group-ib.com/blog/cryptocurrency-scams/ - Containers On Fire: From Container Escapes To Supply Chain Attacks
"Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity, so does the interest of malicious actors — a trend we actively track in our research into advanced cyberthreats. For instance, in one of its recent attacks, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains for different vectors. This included poisoning a Docker Hub repository to later steal Kubernetes secrets and other sensitive data. The tainted images distributed a stealer that was loaded during the KICS scanning process."
https://securelist.com/container-attack-vectors/120010/ - The 2026 U.S. Midterms Have a Cyber Problem, But It’s Not At The Ballot Box
"As the U.S. approaches the 2026 elections in November, the greatest threat to voting integrity will likely not be from hackers targeting voting machines or altering ballots, but from a growing war over reality itself. Voter influence operations are increasingly focused on manipulating the information environment surrounding voters, flooding social media and search results with misleading narratives and fake content, and impersonated news sources designed to erode trust in what people see and hear online. Sophisticated operators have already cloned major media brands like Reuters, The Washington Post, and Fox News using look-alike domains that can fool even attentive readers at a glance. In this new era of AI-powered disinformation, the goal is often not to change vote counts directly, but to convince voters that truth itself is difficult to verify."
https://blog.checkpoint.com/exposure-management/the-2026-u-s-midterms-have-a-cyber-problem-but-its-not-at-the-ballot-box/
https://checkpoint.cyberint.com/hubfs/2026 U.S. Midterm Election Threat Outlook.pdf
https://cyberscoop.com/2026-election-cyber-threats-campaign-systems/
https://www.theregister.com/security/2026/06/01/5k-election-domains-registered-ahead-of-us-midterms/5249764 - Meet DriveSurge: A New Threat Actor Using ClickFix And Fake Update Drive-By Attacks In Thousands Of Compromised Sites
"What makes DriveSurge notable isn’t just the volume of its activity; it’s the sophistication of its infrastructure, the breadth of its targets, and the fact that it has been operating largely undetected until now. Its primary weapon is a technique known as a Traffic Distribution System (TDS), and it specifically uses an open-source variant called zTDS, which has been in use since at least 2015, and is publicly available at ztds[.]info. Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors. Based on our research, we suspect DriveSurge uses a Pay-Per-Install (PPI) model, where it is paid each time a victim’s device is successfully infected, with those leads then sold downstream to other threat actors."
https://www.silentpush.com/blog/drivesurge/
https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/ - Dashlane Password Manager Users Locked Out By Brute Force Attacks
"Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices. In a statement to BleepingComputer, the password management service confirmed that the suspensions were part of an automated security response designed to protect against account hijacking. “We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended,” stated Jordan Fylolenko, Dashlane Senior Director of Corporate Communications."
https://www.bleepingcomputer.com/news/security/dashlane-password-manager-users-locked-out-by-brute-force-attacks/
https://status.dashlane.com/pages/5aabcb89fccc4b04d3774443
https://www.theregister.com/security/2026/06/01/password-manager-dashlane-suspends-customer-accounts-amid-brute-force-attacks/5248991
https://www.helpnetsecurity.com/2026/06/01/dashlane-brute-force-attack-user-accounts/ - Malware Targeting WordPress Abuses Steam Community Profiles For Command & Control Operations
"GoDaddy Security researchers have identified malware that uses Steam Community profile comments to host encoded command and control data, hiding malicious infrastructure behind Valve's legitimate platform. The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods. Technical implementation includes AES-256-CTR encryption with PBKDF2 key derivation and HMAC authentication to protect command and control communications."
https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles
https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/ - FSB’s Matryoshka #1/3 – Gamaredon’s Gifts That Keeps Unpacking – GammaPhish And GammaWorm
"Sekoia.io’s Threat Detection & Research (TDR) team closely monitors the activities of Russian Advanced Persistent Threats (APT). In late December 2025, we deployed an opportunistic YARA rule designed to uncover novel initial access vectors. By January 2026, this rule had generated a dozen hits, prompting an in-depth investigation. While we successfully identified the early stages of a Gamaredon infection chain, unknown restrictions prevented us from fully detonating the sequence to observe the final payloads. To overcome this, we collaborated with a trusted partner who provided over 70 artifacts retrieved directly from compromised hosts. These artifacts not only corroborated the initial attack stages we observed in December but also contained several distinct malware families historically attributed to Gamaredon: a worm, loaders and a stealer, widely tracked by the community as Pteranodon, GammaLoad, and GammaSteel."
https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
https://www.infosecurity-magazine.com/news/gamaredon-worm-ntfs-data-streams/ - Fake BlueWallet Steals Passwords, Accounts, And Crypto From Macs
"A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy. If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.”"
https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-bluewallet-steals-passwords-accounts-and-crypto-from-macs - Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic And Taiwan Using Azure Cloud C2
"The Seqrite APT Team has been actively tracking threats across the globe. During our recent analysis, we identified a spearphishing campaign targeting officials and citizens in the Czech Republic and Taiwan. We observed a single lure document along with multiple supporting artifacts that strongly suggest the campaign is specifically targeting these regions, as the files closely mimic official communications. The attack begins with a ZIP attachment. When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background."
https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html - Operation XENOFISCAL: SideCopy Deploying Persistent XenoRAT Targeting The MoF, Afghanistan
"Seqrite Labs has been actively monitoring spear phishing campaigns across the globe and has a well-established history of tracking the SideCopy APT cluster — a Pakistan-linked threat group operating under the broader Transparent Tribe / APT36 umbrella. In continuation of that tracking effort, we identified a targeted campaign directed at the Ministry of Finance, Afghanistan, with TTPs that overlap with SideCopy at medium-to-high confidence. The campaign opens with a spear phishing delivery — a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename:"
https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
https://therecord.media/afghan-officials-targeted-by-sidecopy - Unknown Hacker Group Targeted Russian Maritime Universities, Diplomats For Nearly Two Years
"A previously unknown hacking group has spent nearly two years quietly targeting Russian maritime universities, energy facilities, diplomatic missions and government agencies, according to new research. The campaign, which researchers at Russian cybersecurity firm Kaspersky said dates back to at least 2024, remained undetected for years and featured long periods of inactivity that helped conceal the group's operations. Kaspersky said the hackers would sometimes go dormant for three to four months before launching bursts of activity that included up to 10 attacks in a single month. The company did not describe what post-compromise activity was observed after these attacks."
https://therecord.media/unknown-hacking-group-targeting-russia-for-nearly-two-years
Breaches/Hacks/Leaks
- GTA Cheat Service Atlas Menu Hacked As Attacker Alleges Screenshot Spying
"Grand Theft Auto cheat users have discovered that even the people selling ways around the rules struggle to follow some basic security ones. According to breach notification site Have I Been Pwned, the operators of Atlas Menu, a cheat service for Grand Theft Auto V and Counter-Strike 2, suffered a data breach in May that exposed information belonging to tens of thousands of users after an attacker allegedly gained access to the service's systems and dumped its database online. The breach exposed 64,000 unique email addresses, according to HIBP. The leaked data also included usernames, IP addresses, support tickets, and passwords stored as bcrypt hashes."
https://www.theregister.com/security/2026/06/01/gta-cheat-service-atlas-menu-hacked-as-attacker-alleges-screenshot-spying/5249192
General News
- Data Discovery Gaps That Catch Enterprises Off Guard
"In this interview with Help Net Security, Avani Desai, CEO at Schellman, talks about the gap between what organizations think they know about their data and what discovery scans turn up. She shares stories of shadow data in abandoned cloud storage, post-merger surprises where duplicated datasets slowed integration, and why synthetic data is overmarketed while confidential computing stays underappreciated. Desai also explains why smaller companies often beat large enterprises on compliance, and the one question that gets executives to admit their data map is out of date."
https://www.helpnetsecurity.com/2026/06/01/avani-desai-schellman-data-discovery-gaps/ - EU Organizations Buckle Under Rising Compliance Pressure
"Cybersecurity governance in the EU is shifting under expanding frameworks such as NIS2 and DORA, while AI raises new questions for security teams. What the future brings is hard to predict, and organizations must find a way to cope. Antonija Vojnović, Governance, Risk and Compliance Department Manager at Span, spoke with Help Net Security at the Span Cyber Security Arena conference about how these regulatory frameworks are shaping compliance priorities and day-to-day decision-making."
https://www.helpnetsecurity.com/2026/06/01/antonija-vojnovic-span-cybersecurity-governance-challenges/ - Spain Arrests Doxer Leaking Sensitive Data Of Govt Employees
"The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE). According to authorities, the individual is responsible for a massive leak of personal data, which carried national security risks because of the people exposed. The police notes that the published data was from the State Attorney General's Office, INCIBE, the National Police, the Civil Guard, and the National Security Council, all critical entities in the country."
https://www.bleepingcomputer.com/news/security/spain-arrests-doxer-leaking-sensitive-data-of-govt-employees/ - Inspector General Finds NIST Mistakes Have Made Vulnerability Database Ineffective
"A key cybersecurity vulnerability database run by the National Institute of Standards and Technology (NIST) has been crippled by mismanagement and other strategic failings, leading to an extreme backlog, according to a new internal watchdog report. NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust,” according to a report published by the inspector general of the Department of Commerce Tuesday. The NVD is a critical tool that industry and government cybersecurity workers use to prioritize which cybersecurity vulnerabilities need to be addressed in what order. The worsening backlog first became a serious issue in February 2024 when NIST stopped paying the contractors who process the security flaws."
https://therecord.media/nist-mistakes-vulnerability-database-inspector-general
https://www.oig.doc.gov/wp-content/OIGPublications/OIG-26-020-I-SECURED.pdf
https://www.helpnetsecurity.com/2026/06/01/nist-nvd-management-problems/ - Microsoft Says It Will Not Pursue Security Researchers After Zero-Day Backlash
"Microsoft said Monday it has “no intention to pursue action” against security researchers who uncover vulnerabilities and publish their findings, days after an official blog post sparked a backlash from the security community. The post had condemned a recent series of uncoordinated Windows zero-day releases as “never justifiable” and said the company's Digital Crimes Unit would “continue bringing cases against” those enabling criminal actors. While Microsoft stopped short of naming or directly threatening Nightmare Eclipse — the pseudonymous researcher behind the disclosures — the disclosures themselves were described as having created “unnecessary risk,” and Microsoft’s language was perceived as a threat."
https://therecord.media/microsoft-says-it-will-not-pursue-security-researchers-disclosure
https://www.darkreading.com/application-security/microsoft-zero-day-legal-threats-backlash - Ransomware Runs Office Hours: What 16,699 Leak Posts Reveal
"We pulled every ransomware leak-site post we could observe over the past 24 months. The corpus came in at 16,699 distinct victim listings from 200 groups. We then asked the obvious question almost nobody answers with real data: when does ransomware actually fire? The picture is clean. Ransomware runs on office hours. 84% of leak posts land Monday through Friday. Half of all activity happens in just 8 UTC hours, centred on the European afternoon and US morning. October is open season every year. And the operator population is still growing, not consolidating."
https://ransomnews.com/ransomware-office-hours-timing-2026/
https://securityaffairs.com/192969/cyber-crime/ransomware-operators-keep-business-hours-the-data-proves-it.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- NVIDIA Goes Open Source With a Big Batch Of Physical AI Agent Tools
-
Cyber Threat Intelligence 01 June 2026โพสต์ใน Cyber Security News
Vulnerabilities
- 1-Click RCE In Flowise (CVE-2026-40933): When Is Stdio MCP Actually a Vulnerability?
"Security researchers at Obsidian Security discovered a one-click RCE in Flowise (CVE-2026-40933), an open-source platform for building LLM workflows and AI agents with over 52k GitHub stars. An attacker can fully compromise a server by convincing an authorized user to import a crafted chatflow. Import alone is enough to trigger arbitrary server-side code execution."
https://www.obsidiansecurity.com/blog/when-is-stdio-mcp-actually-a-vulnerability
https://www.securityweek.com/exploit-code-published-for-critical-flowise-rce-vulnerability/ - 15,000 WordPress Sites Affected By Administrator Account Creation Vulnerability In WP Maps Pro WordPress Plugin
"On March 24th, 2026, we received a submission for an Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for unauthenticated attackers to create new administrator accounts on the affected sites, leading to complete site takeover."
https://www.wordfence.com/blog/2026/05/15000-wordpress-sites-affected-by-administrator-account-creation-vulnerability-in-wp-maps-pro-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/ - Oracle Critical Security Patch Update Advisory - May 2026
"A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle’s existing quarterly cumulative Critical Patch Updates (CPUs). These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. Prior Critical Patch Update and Critical Security Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to Critical Patch Updates, Critical Security Patch Updates, Security Alerts and Bulletins for information about Oracle Security advisories."
https://www.oracle.com/security-alerts/cspumay2026.html - Chrome 148 Update Patches 151 Vulnerabilities
"Google this week released a fresh Chrome 148 update that resolves 151 vulnerabilities, including 22 critical-severity flaws. Based on the paid bug bounties, the most severe of the resolved bugs are CVE-2026-9872 (out-of-bounds write issue in GPU) and CVE-2026-9873 (use-after-free weakness in Network), each earning the reporting researchers a $43,000 reward. Three other critical security defects were also reported by external researchers: CVE-2026-9874 (use-after-free in Dawn), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL)."
https://www.securityweek.com/chrome-148-update-patches-151-vulnerabilities/ - Rapid7 Observed Exploitation Of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
"On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV."
https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/
https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
https://securityaffairs.com/192933/security/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/29/cisa-adds-one-known-exploited-vulnerability-catalog - CIFSwitch: a Non-Universal Linux Local Root Vulnerability
"In Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More), I’d mentioned how improving LLMs’ ability to compose existing knowledge is a promising avenue for unlocking “creative” – or at least non-trivial – vulnerability findings. Incidentally, among the latest slew of Linux LPEs, CopyFail stood out for – among other things – exquisitely composing several logic bugs, serving as a reminder of the massive potential value of the approach. Unfortunately, training a capable looped transformer to improve compositionality was a non-starter, so I started looking for harness-level improvements instead."
https://heyitsas.im/posts/cifswitch/
https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/
Malware
- LLMShare: How Attackers Are Turning AI Chatbot Pages Into Malware Delivery Platforms
"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning. The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload."
https://pushsecurity.com/blog/llmshare-malvertising-campaign
https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/ - Dutch Govt Disrupts Malware Botnet With 17 Million Infected Devices
"Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. The action was carried out following an investigation from the Police in collaboration with the country's cybersecurity agency, the National Cyber Security Centre (NCSC). According to the authorities, the seized servers controlled "computers, tablets, and smartphones to carry out cyberattacks.""
https://www.bleepingcomputer.com/news/security/dutch-govt-disrupts-malware-botnet-with-17-million-infected-devices/
https://thehackernews.com/2026/05/dutch-authorities-dismantle-botnet.html
https://www.helpnetsecurity.com/2026/05/29/dutch-police-disrupts-botnet-composed-of-17-million-devices/
https://www.theregister.com/security/2026/05/29/dutch-cops-liberate-17m-devices-from-botnets-clutches/5248312
https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html - 'The Com' Cyberattacks Support Violence & Sexploitation
"Organizations that don't secure their cloud environments and software-as-a-service (SaaS) platforms are inadvertently funding violent crime and the exploitation of minors. An analysis this week from Flashpoint of the disturbing cybercriminal group known as The Com confirms that as major Russian groups have splintered and withered away in recent years, the new class of predominantly North American cybercriminal groups that has emerged all trace back in one way or another to the same source. Sometimes these threat groups go by different names: ShinyHunters, Lapsus$, or Scattered Spider. As previously reported, sometimes they combine into a single, inelegant unit — "Scattered Lapsus$ Hunters" — betraying that they in fact come from the same place."
https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation - Signal Users Targeted In Backup-Stealing Phishing Attacks
"A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support."
https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-backup-stealing-phishing-attacks
https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html - ChatGPhish: The Page Is The Payload
"In our previous research on Copilot prompt injection, we looked at a phishing primitive hiding inside email summaries. The setup was simple: an attacker-controlled email contained text that looked like instructions to the model. When a user asked Copilot to summarize that email, the assistant could be steered into producing attacker-shaped output inside a trusted Microsoft surface. The risk was not the email alone. The risk was the trust transfer from raw email content into polished AI output. This research takes that same class of problem into another dimension. Different product. Different LLM surface. Different delivery primitive. This time, the primitive is not the email. It is the browser."
https://permiso.io/blog/chatgpt-markdown-rendering-vulnerability
https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html
https://www.theregister.com/research/2026/05/29/chatgpt-prompt-injection-turns-web-pages-into-phishing-lures/5248137 - AI Agent At The Wheel: How An Attacker Used LLMs To Move From a CVE To An Internal Database In 4 Pivots
"On May 10, 2026, the Sysdig Threat Research Team (TRT) observed an intrusion driven by a large language model (LLM) agent in its post-exploitation phase. The attacker compromised an internet-reachable marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server. The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes."
https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html - Malicious NuGet Package Impersonates Sicoob SDK To Exfiltrate Banking Certificates And Passwords
"We analyzed a Sicoob-branded NuGet package, Sicoob.Sdk, that claimed to be an official C# SDK for Sicoob API integrations. Sicoob, formally the Sistema de Cooperativas de Crédito do Brasil, is one of Brazil’s largest cooperative financial systems, offering banking and financial services through credit cooperatives, digital channels, and thousands of physical service points nationwide. Public sources describe Sicoob as serving millions of cooperative members across Brazil, with Fitch reporting 9 million members, 328 single cooperatives, and 5,219 service points."
https://socket.dev/blog/malicious-nuget-package-impersonates-sicoob-sdk
https://thehackernews.com/2026/05/malicious-sicoob-nuget-steals-banking.html - Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, And a New HttpSpy Variant
"This report details how Kimsuky targeted South Korean military and enterprises through April 2026, combining tailored social engineering with a revamped HttpSpy execution chain. Our analysis of the Webex-spoofing case revealed the full execution chain of the final payload, an HttpSpy variant. Unlike previous versions of HttpSpy that operated as a single binary, this variant splits the installation process into three stages. In the Zsecurity software-spoofing case, we were only able to recover artifacts up to the downloader stage; however, we attributed both campaigns to the same threat actor based on shared RC4 keys, infrastructure, and code patterns."
https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html - Typosquatted Npm Packages Used To Steal Cloud And CI/CD Secrets
"Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment."
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
https://www.theregister.com/security/2026/05/29/14-malicious-npm-packages-impersonated-opensearch-elasticsearch-libraries/5248792 - Bad Ads, Worse Binaries: Fake Claude Code Installer Drops Infostealer
"A first-time builder searched for "Claude Code install" because they finally believed they could build something. Claude Code has put software development within reach of people who never thought it possible. A small business owner who wants to automate their invoicing. A teacher building a custom grading tool. An entrepreneur who has an app idea and, for the first time, has a realistic path to shipping it. The barrier that kept non-technical people out of software creation for decades is collapsing fast, and Claude Code is at the center of that shift. That enthusiasm is exactly what this campaign exploits."
https://www.cyderes.com/howler-cell/fake-claude-code-installer-infostealer
https://hackread.com/fake-anthropic-sites-fileless-infostealer-claude-code-users/ - Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
"There's a new playbook in the supply chain threat landscape, where an someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27.000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server. It's a functional tool that developers actually wanted rather than a typosquat or throwaway package. That's what makes it dangerous."
https://www.aikido.dev/blog/codex-remote-ui-steals-ai-tokens
https://hackread.com/codex-ui-tool-secretly-stole-openai-refresh-tokens/
Breaches/Hacks/Leaks
- Charter Communications Data Breach Affects 4.9 Million Accounts
"The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification service Have I Been Pwned. Charter has over 92,000 employees and provides internet, mobile, video, and voice services to more than 32 million customers and over 57 million homes in 41 states across the U.S. through its Spectrum brand. The company confirmed the breach earlier this week, saying that the attackers did not steal sensitive personal customer information and that it had alerted authorities about the incident."
https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/
https://haveibeenpwned.com/Breach/Charter
https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/
https://securityaffairs.com/192907/uncategorized/shinyhunters-leaks-charter-communications-data-potentially-impacting-5-million-customers.html
https://www.theregister.com/cyber-crime/2026/05/29/shinyhunters-adds-charter-to-trophy-shelf-after-49m-customer-records-leak/5248281
General News
- From $5 Attacks To Botnet-Powered Platforms: Inside The DDoS-As-a- Service Market
"You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside. DDoS attacks have long been one of the simplest ways to disrupt an online service:flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target’s systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world."
https://www.bleepingcomputer.com/news/security/from-5-attacks-to-botnet-powered-platforms-inside-the-ddos-as-a-service-market/ - Man Sent To Prison For Selling Data Of 7 Millions Elderly Americans
"A North Carolina man was sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican scammers. 57-year-old Troy Murray (who used the Steve Dixon pseudonym) pleaded guilty in January 2026 to one count of conspiracy to commit wire fraud and was sentenced Thursday to 121 months in prison, three years of supervised release, and ordered to forfeit $5,2 million. Prosecutors said that Murray's alias was so widely known among Jamaican scammers that it was referenced in a 2022 song lyric by a Jamaican musical artist."
https://www.bleepingcomputer.com/news/security/man-sent-to-prison-for-selling-data-of-7-millions-elderly-americans/ - Asia's Cyber Insurance Market Shows Signs Of Life
"Relatively few organizations in the Asia-Pacific (APAC) region use cyber insurance, but there is reason to believe that is slowly changing. Cyber insurance is a subset of insurance that has gained popularity in recent years as ransomware attacks became an ever-present threat. Cyber insurance is intended to offset the losses incurred by cyberattacks, including, in some cases, policy holders paying ransoms to cybercriminals."
https://www.darkreading.com/cybersecurity-operations/asias-cyber-insurance-market-signs-of-life - Websites Can Spy On User Activity By Analyzing SSD Behavior
"Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored. Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about websites and applications active on a user’s system."
https://www.helpnetsecurity.com/2026/05/29/website-tracking-ssd-activity-research/
https://hannesweissteiner.com/pdfs/frost.pdf - The Behavioral Signals That Sharpen Trojan Malware Detection
"Malware analysts spend a lot of time deciding which signals from a sandbox run are worth keeping. A sample executed in a controlled environment can generate hundreds of measurable attributes covering file structure, registry edits, process behavior, and network traffic. Most of those attributes add noise. A recent study works through this problem in detail, and the part that earns attention from working defenders is the feature selection, not the deep learning model attached to it."
https://www.helpnetsecurity.com/2026/05/29/trojan-malware-detection-research/
https://www.mdpi.com/2624-800X/6/3/90 - DIL Observatory: When The World Escalates, The Underground Responds
"Digital Intelligence Lab (DIL) launches an observatory for reading cyber events as what they actually are: signals of a broader social and geopolitical reality. The timing rarely lies, and the connection between real-world events and cyber activity is no longer a theoretical framework. It is a documented pattern, traceable across months and geographies. This new Observatory available for the community extends that work into a broader question: not just what cyber events are happening, but why now, where, and what else is happening around them."
https://securityaffairs.com/192870/security/dil-observatory-when-the-world-escalates-the-underground-responds.html - What Companies Patch, And What They Don’t
"Vulnerability scanners find far more issues than any team can fix. Whatever is still open in the scanner today is, by definition, what’s left after deciding what to fix first, what to live with, and what to monitor. By comparing what’s left to the full list of all published Common Vulnerabilities and Exposures (CVEs), we can work out what customers actually focus on."
https://blog.barracuda.com/2026/05/29/ciso-what-companies-patch - What 2,000 Exposed Vibe-Coded Apps Reveal About The Limits Of Most Security Stacks
"Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms."
https://thehackernews.com/2026/05/what-2000-exposed-vibe-coded-apps.html
https://info.redaccess.io/shadow-ai-builders-security-report - Russian Spies Are Aggressively Seeking Western Technology As Sanctions Bite, Officials Say
"Russia’s intelligence agencies have grown more aggressive in their efforts to steal Western technology and defense secrets as sanctions squeeze the country’s wartime economy, three senior European intelligence officials told The Associated Press. Moscow’s agents are building fake companies, recruiting middlemen and deploying cyber spies and hackers who are gathering information that could also be used to attack key infrastructure, they said."
https://www.securityweek.com/russian-spies-are-aggressively-seeking-western-technology-as-sanctions-bite-officials-say/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- 1-Click RCE In Flowise (CVE-2026-40933): When Is Stdio MCP Actually a Vulnerability?
-
Anthropic เสริมความปลอดภัย Claude Code เพิ่มปลั๊กอินตรวจจับโค้ดเสี่ยงระหว่างพัฒนาโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
บริษัทรักษาความปลอดภัยไซเบอร์ร่วมปิด Glassworm Botnet หลังพบใช้แพ็กเกจและเครื่องมือปลอมโจมตีนักพัฒนาโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบการโจมตีผ่านช่องโหว่ Zero-Day บนระบบ KnowledgeDeliver เพื่อติดตั้งเว็บเชลล์และฝังมัลแวร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 28 May 2026โพสต์ใน Cyber Security News
New Tooling
- Introducing EvidenceForge: Synthetic Security Logs That Don’t Look (as) Fake
"A lot of important work in security depends on having realistic log data to work with, and a lot of that work gets blocked, watered down, or quietly skipped because the data just isn’t available. The use cases come up constantly: teaching threat hunters, incident responders, and detection engineers with datasets that have known ground truth; validating that a detection fires on the right activity without drowning in false positives; and training ML models that need labeled, balanced, multi-source telemetry at scale. These are different problems with the same root cause. You need realistic, labeled security logs and you can’t get them easily."
https://blog.talosintelligence.com/introducing-evidenceforge-synthetic-security-logs-that-dont-look-as-fake/
https://github.com/Cisco-Talos/EvidenceForge - Vigolium: Open-Source Vulnerability Scanner
"Vigolium, an open-source vulnerability scanner that combines deterministic scanning with AI-driven auditing, launched its initial open-source release this month. The project ships 235+ scanner modules and an in-process agent runtime called olium that handles autonomous endpoint discovery, attack planning, and finding triage. The tool exposes two scanning paths. vigolium scan runs a multi-phase deterministic pipeline covering content discovery, browser-based spidering, and active and passive auditing. vigolium agent hands control to an LLM-driven harness that selects modules, generates custom JavaScript extensions, and runs source-code audits alongside dynamic scans."
https://www.helpnetsecurity.com/2026/05/27/vigolium-open-source-vulnerability-scanner/
https://github.com/vigolium/vigolium - Ebpf101
"Liz Rice's Learning eBPF — via the Isovalent tutorial — was our starting point, one chapter per directory. The repo has since gone well beyond it. The opening chapters retrace the tutorial's arc (BCC → libbpf/CO-RE → kprobes/uprobes); from there it keeps going — the verifier as a gate, the bpftool workflow, the XDP and tc datapath, tail calls, LSM BPF (policy enforcement), BPF iterators, and two applied capstones the tutorial never reaches: an XDP firewall and a rule-based intrusion-detection system, drawn respectively from a Columbia EECS6891 lecture (Yannis Zarkadas, Spring 2024) and a research paper (arXiv:2102.09980). All 23 chapters are built and run live on this machine; every program is written to be read."
https://github.com/douglasmun/ebpf101
Vulnerabilities
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability
CVE-2026-45321 TanStack Unspecified Vulnerability
CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/27/cisa-adds-three-known-exploited-vulnerabilities-catalog - MediaArea Heap-Based Buffer Overflow Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed four vulnerabilities in MediaArea MediaInfoLib library. The vulnerabilities mentioned in this blog post have been patched by their respective vendor, in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/mediaarea-heap-based-buffer-overflow-vulnerabilities/ - All Major LLMs Exposed To Multi-Turn Manipulation, Warn Researchers
"The safety guardrails of several prominent large language models (LLM) can be bypassed if a user tricks the LLM into having a multi-pronged, ongoing conversation, researchers at Cisco have warned. The researchers examined commonly used LLMs and frontier AI models including OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, Amazon Nova, xAI’s Grok and others to test how their built-in safety guardrails held up against potential threats from real-world attackers. They found that many of the models could be tricked into performing actions they should not be able to."
https://www.infosecurity-magazine.com/news/all-major-llms-exposed-to-multi/ - How To Get a 100% Conference Acceptance Rate, The Novee Way: A High-Severity CVE In Leading Call-For-Papers Software
"As a founding engineer and security researcher at Novee, my job is to think like an attacker – and to train Novee’s AI agents to do the same. When I discovered this particular exploit, however, I was doing something ordinary: preparing conference submissions. Different events, different review committees, different deadlines, but I noticed the same submission form kept appearing under different logos. Much of the technical conference world runs its CFPs on pretalx, an open-source platform behind everything from hacker camps to academic symposiums. From the outside, each event looks independent. Underneath, it is one codebase serving them all."
https://novee.security/blog/pretalx-stored-xss-vulnerability-account-takeover/
https://www.securityweek.com/vulnerability-in-popular-conference-software-granted-attackers-a-100-talk-acceptance-rate/
https://www.theregister.com/security/2026/05/27/pretalx-xss-flaw-exposed-conference-cfp-systems/5246598 - CVE-2026-27771: NoScope Discovered 30,000+ Gitea Instances Exposing Private Container Images For 4 Years
"CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances. 30,000+ deployments were affected. The flaw went undetected for 4 years. NoScope discovered and responsibly disclosed it. If you run Gitea Update to v1.26.2 immediately. If you can't update right now, set [service].REQUIRE_SIGNIN_VIEW=true in your Gitea configuration as a temporary stopgap. Note this stopgap isn't suitable if you intentionally expose some containers publicly."
https://www.noscope.com/blog/gitea-instances-exposing-private-container
https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html
Malware
-
Don’t Trust ‘secure Mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed
"ahnLab recently confirmed the distribution of malicious files disguised as security emails from a major credit card company in Korea. this attack has a similar flow to the Kimsuky group’s past malicious LNK distribution case of disguising password files, but it is characterized by a change in the command execution of the initial LNK file. in particular, the execution of additional files and malicious files and the behavior of the malicious files changed depending on whether the security service of the infected environment was enabled or disabled. let’s take a look at the main behavior of this case and user precautions."
https://asec.ahnlab.com/en/93855/ -
From Poisoned Search Results To GPU Mining: A Cryptojacking Campaign Abusing ScreenConnect And Microsoft .NET Utilities
"Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations. The campaign impersonates trusted system utilities including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear to target users likely to own high-performance GPUs. Rather than maximizing infection volume, the threat actor appears focused on compromising systems with higher mining value."
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/
https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/ -
Disrupting Glassworm: Inside CrowdStrike’s Takedown Of a Developer-Targeting Botnet
"On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads. This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them."
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html
https://www.bankinfosecurity.com/glassworm-group-software-supply-chain-attackers-disrupted-a-31792
https://www.infosecurity-magazine.com/news/crowdstrike-google-takedown/
https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
https://www.securityweek.com/glassworm-botnet-disrupted/
https://securityaffairs.com/192749/cyber-crime/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html
https://www.theregister.com/cyber-crime/2026/05/27/crowdstrike-google-shatter-glassworm-botnet/5247337 -
FBI Warns Of In-Person Data Theft Attacks From Extortion Gang
"The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a Tuesday flash alert. "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer.""
https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/
https://www.ic3.gov/CSA/2026/260526.pdf
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-actors-steal-law-firm-data
https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data
https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/
https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/
https://www.theregister.com/security/2026/05/27/fbi-crooks-enter-legal-offices-and-steal-data-via-usb-drive/5247212
https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/ -
OverlayPhantom: The Android Banking Trojan Hiding In Plain Sight
"Cyble Research and Intelligence Labs (CRIL) has identified a novel Android banking trojan, dubbed OverlayPhantom, actively distributed in the wild via malicious URLs. The malware employs a two-stage infection chain, using a dropper application that impersonates trusted platforms, including the official Austrian government identity application, ID Austria, and the widely used consumer platform TikTok, to deceive victims into installing it. Once deployed, OverlayPhantom masquerades as “Google Play Services” and abuses Android’s Accessibility Service to gain persistent, elevated control of the infected device."
https://cyble.com/blog/overlayphantom-android-banking-trojan/ -
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
"The 2026 FIFA World Cup is set to be the largest sporting event in history. Hosted across three nations — the United States, Canada, and Mexico — the tournament will take place from June 11 to July 19, 2026, featuring 104 matches played in 16 cities. The scale is unprecedented: FIFA estimates that more than six million fans will fill stadiums, with an average of 450,000 visitors per city. More than 150 million tickets were requested within the first 15 days of the sales window alone, making this edition approximately 30 times oversubscribed compared to previous tournaments. For context, the 2022 Qatar World Cup drew over 3.4 million in-stadium fans with an average attendance capacity of 96.3 per cent. The 2026 edition is expected to nearly double that figure."
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
https://www.infosecurity-magazine.com/news/ghost-stadium-fifa-world-cup-fraud/ -
Fake LinkedIn Emails Abuse Adobe To Track Victims
"Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. The phishing email masquerades as a business inquiry designed to look like it’s come via LinkedIn and includes a fake “contract” attachment. But it contains a number of red flags:"
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-linkedin-emails-abuse-adobe-to-track-victims -
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems
"Trust and automation are key to many attacks; and trust with automation is inherent in the use of AI coding agents. Malicious repositories are a frequent factor in many supply chain attacks, estimated at between 20% and 40%. Such repositories can be used to fool a developer using an AI coding agent into generating bad code that can silently slip into the CI pipeline. That is just one possibility of the SymJack attack described by Adversa AI. The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer’s use of an AI coding tool."
https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/
https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build -
Grandoreiro Malware Campaign Targets Europe And Latin America
"WatchGuard telemetry identified a campaign associated to Grandoreiro that uses the DLL Side-Loading technique abusing four different softwares, targeting banks in Portugal. Also, it was identified cases of a known campaign that uses a malicious VBS to deliver the malware, targeting companies in Spain, Portugal, Mexico and Latin America. Grandoreiro has been active since at least 2016 and is now one of the most widespread banking trojans globally. Despite the disruption of some operators and the joint operations with INTERPOL and local law enforcement resulting in the arrest of gang members in Spain, Brazil, and Argentina, that occurred in 2021 and 2024, they’re still active due to only part of the gang was arrested and the ones that was not arrested are continuing the operations."
https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america -
Malware-Slop: New Malicious Npm Package Leaks Its Own GitHub Private Token
"A malicious npm package that reads and uploads files from “/mnt/user-data” was uploaded to GitHub. OX Security observed around 7 active exfiltration in the threat actor’s GitHub repository before it was taken down, most of them are probably tests conducted by the threat actor itself. The malware reached 676 downloads, and is still live on npm (at time of publishing)."
https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html -
Ababil Of Minab: How An Iran-Linked Crew Exfiltrated Data From Four Countries And Destroyed IT, Backups, And Recovery At a Subset Of Victims
"Gambit Security Threat Intelligence team investigated an intrusion campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey: exfiltration across all of them, with destructive operations at a subset. The activity surfaced publicly in late March and early April 2026, after a pro-Iranian persona calling itself Ababil of Minab claimed to have compromised the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro), destroyed systems, and exfiltrated data. Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim."
https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign
https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system
https://www.securityweek.com/la-metro-cyberattack-linked-to-iranian-state-sponsored-hackers/
https://securityaffairs.com/192764/hacktivism/the-la-metro-attack-wasnt-hacktivism-it-was-a-state-operation-with-a-costume-on.html -
Attackers Disguising Phishing As Google AppSheet Notifications
"Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address? Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data."
https://www.kaspersky.com/blog/appsheet-phishing-emails/55827/ -
Breaches/Hacks/Leaks
-
Latin American Cybercriminals Hoover Up Government Data
"Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year. In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March."
https://www.darkreading.com/cyberattacks-data-breaches/latin-american-cybercriminals-government-data -
UK Visa Portal Exposed Thousands Of Applicants’ Passports And Selfies — Then Called The Lawyers On Us
"A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process. The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website."
https://techcrunch.com/2026/05/27/uk-visa-portal-spilled-thousands-of-applicants-passports-and-selfies-online-and-hasnt-fixed-the-leak/
General News
- Dutch Police Arrests Suspect Linked To Ajax Football Club Hack
"The Dutch National Police arrested a 35-year-old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year. The suspect was arrested in Buren and, according to a Tuesday press release, he is believed to have hacked into the football club's systems multiple times. "On the morning of Tuesday, May 26, the police arrested a 35-year-old man from the municipality of Buren for computer trespassing at the Amsterdam football club Ajax. The man is suspected of deliberately unlawful intrusion into Ajax's computer systems several times," the police said."
https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/
https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football - UK Spy Chief Labels AI ‘unstoppable Force’ With Offensive, Defensive Ramifications For Cyberspace
"Artificial intelligence is an “unstoppable force” that allows tech to be “weaponized just below the threshold of traditional warfare,” including in cyberspace, the head of a U.K. intelligence, security and cybersecurity agency said Wednesday. We live in a world “where the latest frontier AI is rapidly unearthing fault lines in technologies our society relies on every single day,” said Anne Keast-Butler, director of the Government Communications Headquarters (GCHQ) spy agency. “The ground beneath our feet is shifting, and shifting fast. Which means cybersecurity has never been more important.”"
https://cyberscoop.com/gchq-warns-ai-cyber-warfare-threats/
https://www.securityweek.com/uk-cyberspying-chief-calls-ai-an-unstoppable-force-and-warns-about-russia/ - 62% Of Critical Vulnerabilities Have Exploits Circulating Before Scanners Can Detect Them
"Eighteen months ago, security teams had roughly four months between a new CVE and a working exploit. As of April 2026, that window is ten hours. We wanted to understand what that compression means for the detection tools most organizations depend on: vulnerability scanners. So the Cogent Research team analyzed 69,159 CVEs published between January 2025 and April 2026, tracking three timestamps for each one: when the CVE was published, when a working exploit became available, and when the major scanner vendors (Tenable, Qualys, and Rapid7) shipped detection signatures. The findings are not encouraging for teams that rely on scanner output as their primary visibility into new threats."
https://www.cogent.com/blog/2026-q2-detection-gap-report-findings
https://www.darkreading.com/threat-intelligence/ai-assisted-exploit-development-scanner-detection - Coinflow CISO On Crypto Payments Security Under AI Pressure
"Crypto payment firms sit near the top of the target list for advanced persistent threat groups, and the workload on their security leaders keeps growing. Malcolm Portelli, CISO at Coinflow, runs the company’s security program from Malta. Coinflow is headquartered in the United States and operates across multiple jurisdictions. Portelli sat down for this interview at the Span Cyber Security Arena conference. Portelli says the sector drives his threat model more than the location. “It’s more the industry which we operate in. So, financial services, Web3, and crypto and all that comes with that. Crypto is a big target, especially for the big APTs. They’re always looking at how they can get into crypto firms because that’s their chosen money.”"
https://www.helpnetsecurity.com/2026/05/27/malcolm-portelli-coinflow-crypto-payments-security/ - 68% Of UK Firms Plan To Increase Cyber Spending As AI Risks Rise
"More than two-thirds of UK businesses have said they plan to increase cybersecurity spending over the next 12 months as AI adoption and geopolitical uncertainty reshape technology budgets. According to the Q1 2026 Barclays Business Prosperity Index, 68% of UK business leaders expect to increase cybersecurity investment, while 46% believe new technologies are increasing their exposure to cybersecurity risks."
https://www.infosecurity-magazine.com/news/uk-firms-cyber-spending-ai-risks/ - More CVEs, Same Playbook: 2026 Vulnerability Exploitation In The Wild
"Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a global network sensor array that generated over 3 million alerts and identified four undisclosed CVEs in 2026 to date — present a consistent picture: attackers are opportunistic. They grab newly published CVEs when public proof-of-concept code appears, chain them with established techniques, and move on. What has changed is the volume of vulnerabilities feeding that pipeline. NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year, and that the National Vulnerability Database still cannot keep pace with enrichment. The widely-cited driver is AI-assisted vulnerability discovery: frontier models are enabling both defenders and researchers — and, increasingly, anyone with access to an open-weights model — to surface bugs at machine speed. The exploit window is narrowing, but the exploitation pattern remains recognizable."
https://www.proofpoint.com/us/blog/threat-insight/more-cves-same-playbook-2026-vulnerability-exploitation-wild - The Credential Crisis: How Stolen Credentials Defeat Modern Security
"The modern cyber use of the word ‘credentials’ stems from the Latin ‘creder’: to believe. As society evolved into the Middle Ages, the early notion of ‘Believe me. I am Socrates’ became, ‘Believe this physical letter that proves I am Socrates.’ Those physical letters became known as ‘credentialis’, or a paper that authenticated the bearer. In today’s cyber world, we call that paper ‘credentials. It is no longer physical, but virtual, and the meaning has expanded to ‘you can trust in the belief that I am who I say I am and you can treat me as such: I am Socrates.’ Socrates is the identity, and the credentials prove it."
https://www.securityweek.com/the-credential-crisis-how-stolen-credentials-defeat-modern-security/ - Expecting The Unexpected: Monitoring For Drift In ML Systems
"Imagine the following scenario: you and a team of cyber experts have been tasked with protecting your organization from cyberattacks. You’ve developed a machine learning (ML) model to screen incoming and outgoing traffic. You feel you can rest easy, as your model achieves near-perfect performance during test and evaluation. One day, you are awakened by a frantic call from your CEO—your customers’ private data have been leaked. How could this happen? you think to yourself, as you begin investigating why your model failed to stop this attack."
https://www.sei.cmu.edu/blog/expecting-the-unexpected-monitoring-for-drift-in-ml-systems/ - SOC Threat Radar — May 2026
"Attackers are successfully signing in to Microsoft 365 accounts using IP addresses that look more like legitimate users. To do this, attackers are using VPNs or frequently changing IP addresses. This helps their activity to blend in with everyday employee logins. Researchers noted that in April there was an increase of around 25% in malicious logins coming from low-risk countries such as the UK and the U.S., rather than regions that are more usually associated with suspicious logins."
https://blog.barracuda.com/2026/05/27/soc-threat-radar-may-2026 - Romanian National Sentenced For Selling Access To Networks Of Oregon State Government Office And Other U.S. Victims
"A Romanian national was sentenced yesterday to 56 months in prison in connection with an online intrusion into an Oregon state government office in 2021 and other cyber-attacks on U.S. victims. According to court documents, Catalin Dragomir, 46, formerly of Constanta, Romania, sold access to a computer on the network of an Oregon state government office after obtaining unauthorized access to it in June of 2021. During the sale, Dragomir provided the prospective buyer with samples of personal identifying information from the computer. He also sold access to the computer networks of numerous other victims in the United States, causing losses of at least $250,000."
https://www.justice.gov/opa/pr/romanian-national-sentenced-selling-access-networks-oregon-state-government-office-and-other
https://therecord.media/romanian-national-sentenced-to-over-4-years-oregon-hack
https://www.securityweek.com/romanian-hacker-sentenced-to-prison-in-us-for-selling-access-to-state-network/
https://securityaffairs.com/192770/cyber-crime/romanian-hacker-gets-nearly-5-years-in-us-prison-over-network-intrusion.html - Out Of The Crypt: The Evolving Cyber Extortion Economy
"This blog dives into the growing trend of data theft and extortion activities which no longer require the use of ransomware to pressure victims into paying a demand. We examine the financially-motivated threat actors using both single and double extortion techniques and what this means for organizations going forward, especially with the arrival of frontier AI models."
https://unit42.paloaltonetworks.com/cyber-extortion-economy/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Introducing EvidenceForge: Synthetic Security Logs That Don’t Look (as) Fake
-
Microsoft ออกอัปเดตความปลอดภัย แก้ช่องโหว่ RCE ใน SharePoint Serverโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
