สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
Fortinet เตือนช่องโหว่ FortiOS SSL VPN เสี่ยงถูกข้ามการยืนยันตัวตนสองชั้นโพสต์ใน Cyber Security News
-
FBI ยึดโดเมน ‘web3adspanels.org’ หลังพบใช้เก็บข้อมูลล็อกอินที่ถูกขโมยโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ระวังโดเมนปลอมแอบอ้าง MAS เพื่อหลอกให้ติดตั้งมัลแวร์ Cosmali Loader ลงเครื่องโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
🚨 ด่วน! แจ้งเตือนกรณีช่องโหว่ในแพลตฟอร์มสร้างการทำงานอัตโนมัติ (Workflow Automation Platform) n8nโพสต์ใน Cyber Security News
️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบข้อมูลการเปิดเผยช่องโหว่ระดับร้ายแรงในแพลตฟอร์ม n8nหากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถเรียกใช้งานคำสั่งบนระบบจากระยะไกล ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้
รายละเอียดช่องโหว่
• ช่องโหว่ CVE-2025-65964 จัดอยู่ในประเภท Inclusion of Functionality from Untrusted Control Sphere หรือการนำฟังก์ชันหรือกลไกจากแหล่งที่ไม่อยู่ภายใต้การควบคุมมาใช้งาน ซึ่งอาจถูกผู้ไม่หวังดีนำไปใช้เพื่อควบคุมการทำงานของระบบและเรียกใช้งานฟังก์ชันที่มีอยู่เดิมในลักษณะที่เป็นอันตราย ส่งผลให้สามารถเรียกใช้งานคำสั่งจากระยะไกลได้
• ช่องโหว่นี้เกิดจากการควบคุมการตั้งค่า Git configuration ภายในฟังก์ชัน Git Node ของแพลตฟอร์ม n8n ที่ไม่เหมาะสม ส่งผลให้ผู้ใช้งานที่มีสิทธิ์สร้างหรือแก้ไขกระบวนการทำงานอัตโนมัติ (Workflow) ที่มีการใช้งาน Git Node สามารถกำหนดค่าพารามิเตอร์ core.hooksPath ให้ชี้ไปยังตำแหน่งของ Git hook ที่ถูกปรับแต่งมาเป็นพิเศษได้ เมื่อมีการเรียกใช้งาน Git operation ภายใน Workflow ที่ผู้ไม่หวังดีจัดเตรียมไว้ ระบบจะเรียกใช้งาน Git hook ดังกล่าวโดยอัตโนมัติ ซึ่งเนื่องจาก Git hook เป็นสคริปต์ที่ถูกประมวลผลในระดับระบบปฏิบัติการ พฤติกรรมดังกล่าวจึงอาจถูกนำไปใช้เพื่อรันคำสั่งใด ๆ บนระบบที่ให้บริการ n8n ภายใต้สิทธิ์ของกระบวนการ n8n ได้
ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• n8n เวอร์ชันก่อนหน้า 1.119.2️ ThaiCERT ขอแนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบ เร่งดำเนินการตรวจสอบและแก้ไขโดยเร็ว
แนวทางการตรวจสอบและการป้องกัน-
แนวทางการตรวจสอบ
• ตรวจสอบแพลตฟอร์ม n8n ที่ใช้งานอยู่ ว่าเป็นเวอร์ชันที่ต่ำกว่า 1.119.2 หรือไม่
• ตรวจสอบ Workflow ที่มีการใช้งาน Git Node ภายในระบบ
• ตรวจสอบว่ามีการเชื่อมต่อหรือทำงานร่วมกับ Git Repository จากแหล่งภายนอกหรือแหล่งที่ไม่น่าเชื่อถือหรือไม่
• ตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับการทำงานของ Git Node และ Git operation ภายใน Workflow -
แนวทางการป้องกัน
• ดำเนินการอัปเดตแพลตฟอร์ม n8n เป็นเวอร์ชัน 1.119.2 หรือใหม่กว่า
• ใช้งานเฉพาะ Git Repository ที่มีความน่าเชื่อถือและผ่านการตรวจสอบแล้ว -
มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
• พิจารณา ยกเลิกหรือปิดการใช้งาน Git Node ภายในแพลตฟอร์ม n8n ชั่วคราว
• หลีกเลี่ยงการ clone หรือใช้งาน Git Repository จากแหล่งที่ไม่น่าเชื่อถือผ่าน Git Node
• จำกัดการใช้งาน Git Node ให้เฉพาะ Workflow ที่มีความจำเป็น และเฉพาะผู้ใช้งานที่ได้รับอนุญาตเท่านั้น
ทั้งนี้ มาตรการดังกล่าวเป็นเพียงแนวทางชั่วคราวเพื่อบรรเทาความเสี่ยง ผู้ดูแลระบบควรดำเนินการอัปเดตแพลตฟอร์มเป็นเวอร์ชันที่ปลอดภัยโดยเร็วที่สุด
อ้างอิง
https://nvd.nist.gov/vuln/detail/CVE-2025-65964
https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq
https://cwe.mitre.org/data/definitions/829.html
ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT -
-
Cyber Threat Intelligence 25 December 2025โพสต์ใน Cyber Security News
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Middle East, Q3 2025
"In the Middle East, the percentage of ICS computers on which threats from email clients were blocked was 1.8 times higher than the global average. High levels of email threats (phishing), spyware, and ransomware clearly indicate that technological systems in the region are highly exposed to advanced attackers."
https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-middle-east-q3-2025/ - Threat Landscape For Industrial Automation Systems. Asia, Q3 2025
"Southeast Asia has high rates of self-propagating malware. The region ranks first in the world in terms of the percentage of ICS computers on which viruses and malware for AutoCAD were blocked. In both cases, it leads by a wide margin. In most cases, malware for AutoCAD is distributed in the same way as viruses. This explains the high percentage exhibited by this malware category."
https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-asia-q3-2025/
New Tooling
- Conjur: Open-Source Secrets Management And Application Identity
"Conjur is an open-source secrets management project designed for environments built around containers, automation, and dynamic infrastructure. It focuses on controlling access to credentials such as database passwords, API keys, and tokens that applications need at runtime. The project is maintained in the open and developed with input from a user and contributor base."
https://www.helpnetsecurity.com/2025/12/24/conjur-open-source-secrets-management/
https://github.com/cyberark/conjur
Vulnerabilities
- MongoDB Warns Admins To Patch Severe RCE Flaw Immediately
"MongoDB has warned IT admins to immediately patch a high-severity vulnerability that can be exploited in remote code execution (RCE) attacks targeting vulnerable servers. Tracked as CVE-2025-14847, this security flaw affects multiple MongoDB and MongoDB Server versions and can be exploited by unauthenticated threat actors in low-complexity attacks that don't require user interaction. CVE-2025-14847 is due to an improper handling of length parameter inconsistency, which can allow attackers to execute arbitrary code and potentially gain control of targeted devices."
https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
https://jira.mongodb.org/browse/SERVER-115508 - Net-SNMP Snmptrapd Vulnerability
"A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash."
https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq - Security Bulletin: NVIDIA Isaac Launchable - December 2025
"NVIDIA has released an update for the NVIDIA Isaac Launchable to address a security issue that might lead to the impacts described in this bulletin. To protect your system, download and install the latest version of Isaac Launchable."
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
Malware
- Empty Promises In MENA: How Online Quick Cash Schemes Exploit The Gig Economy
"Fake online job ads continue to circulate across social media, especially in Arab countries, offering easy remote work and quick income. The sinister goal: to harvest sensitive information, from ID documents to banking details. This blog explains how the scheme operates, who the scammers target, and how to prevent falling victim to it."
https://www.group-ib.com/blog/online-job-scams-mena/
https://www.infosecurity-magazine.com/news/scams-mena-fake-online-job/ - Evasive Panda APT Poisons DNS Requests To Deliver MgBot
"The Evasive Panda APT group (also known as Bronze Highland, Daggerfly, and StormBamboo) has been active since 2012, targeting multiple industries with sophisticated, evolving tactics. Our latest research (June 2025) reveals that the attackers conducted highly-targeted campaigns, which started in November 2022 and ran until November 2024. The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims."
https://securelist.com/evasive-panda-apt/118576/ - GeoServer, Where Various CoinMiner Attacks Occur
"AhnLab SEcurity intelligence Center (ASEC) previously covered the case of threat actors exploiting the GeoServer vulnerability to install CoinMiner and NetCat through the “CoinMiner Attacks Exploiting GeoServer Vulnerability” blog. [1] The threat actors have been continuously targeting vulnerable GeoServers to install CoinMiner. This post will cover the identified cases of CoinMiner installation."
https://asec.ahnlab.com/en/91724/ - Fake MAS Windows Activation Domain Used To Spread PowerShell Malware
"A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'. BleepingComputer has found that multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection."
https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/ - Product Security Advisory And Analysis: Observed Abuse Of FG-IR-19-283
"Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations. This blog analysis describes the observed abuse and provides additional context so that administrators can confirm that they are not impacted and guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited."
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283 - Operation PCPcat: Hunting a Next.js Credential Stealer That's Already Compromised 59K Servers
"A threat campaign called 'PCPcat' is silently harvesting credentials from Next.js deployments at scale. Through active honeypot reconnaissance, I breached their C2 API and exposed their operational metrics: 59,128 confirmed server compromises, a 64.6% success rate, and a blueprint for exploiting the entire global infrastructure. This is what industrial-scale credential theft looks like, and how to detect it."
https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/ - APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
"CYFIRMA is dedicated to providing advanced warning and strategic analysis of the evolving cyber threat landscape. Our latest report analyzes a targeted malware campaign attributed to APT-36, which leverages social engineering and a malicious shortcut file disguised as a government advisory PDF. The attack delivers a hidden MSI payload that deploys a .NET-based loader, malicious DLLs, and establishes registry-based persistence while displaying a legitimate-looking decoy document to avoid suspicion."
https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/ - UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
"SEQRITE Labs’ APT Team has been tracking Unknown-Clusters [UNG0801], a slightly advanced yet persistent threat entity believed to originate from Western Asia, with activity primarily observed against Israeli organizations. The cluster shows a strong focus on enterprise environments, relying on socially engineered phishing lures written in Hebrew and designed to resemble routine internal communications, such as compliance updates, security advisories, or corporate webinar announcements."
https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/ - Operation Artemis: Analysis Of HWP-Based DLL Side Loading Attacks
"Genians Security Center identified the “Artemis” campaign conducted by the APT37 group. The threat actor embedded a malicious OLE object inside an HWP document in a covert manner. The attack chain is triggered when the user trusts the document content and clicks the hyperlink. When the OLE object was loaded, the threat actor used a masquerading technique launching a legitimate process first. This multi-stage procedure leverages legitimate execution flow to evade detection by signature-based security solutions. Subsequently, the payload was executed by calling a malicious DLL within the execution context of the legitimate process."
https://www.genians.co.kr/en/blog/threat_intelligence/dll
General News
- Governance Maturity Defines Enterprise AI Confidence
"AI security has reached a point where enthusiasm alone no longer carries organizations forward. New Cloud Security Alliance research shows that governance has become the main factor separating teams that feel prepared from those that do not."
https://www.helpnetsecurity.com/2025/12/24/csa-ai-security-governance-report/ - Counterfeit Defenses Built On Paper Have Blind Spots
"Counterfeit protection often leans on the idea that physical materials have quirks no attacker can copy. A new study challenges that comfort by showing how systems built on paper surface fingerprints can be disrupted or bypassed. The research comes from teams at the University of Maryland and North Carolina State University, and examines paper based physically unclonable functions, or paper PUFs, which rely on microscopic surface variations in paper to authenticate products."
https://www.helpnetsecurity.com/2025/12/24/counterfeit-defenses-paper-puf-security/
https://arxiv.org/pdf/2512.09150 - Eurostar Accused Researchers Of Blackmail For Reporting AI Chatbot Flaws
"The rush to add AI to customer service, which we have been witnessing lately in almost every sector, can sometimes come at a high price for security. On December 22, 2025, the team of ethical hackers at Pen Test Partners (PTP) went public with a series of flaws they found in the new AI chatbot for Eurostar. For your information, Eurostar is the famous high-speed rail operator that connects the UK to mainland Europe through the Channel Tunnel, carrying millions of travellers between major hubs like London, Paris, and Amsterdam."
https://hackread.com/eurostar-blackmail-research-report-ai-chatbot-flaw/
https://www.theregister.com/2025/12/24/pentesters_reported_eurostar_chatbot_flaws/ - SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips
"The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation."
https://thehackernews.com/2025/12/sec-files-charges-over-14-million.html
https://www.sec.gov/newsroom/press-releases/2025-144-sec-charges-three-purported-crypto-asset-trading-platforms-four-investment-clubs-scheme-targeted
https://www.infosecurity-magazine.com/news/sec-charges-crypto-firms/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Threat Landscape For Industrial Automation Systems. Middle East, Q3 2025
-
Cyber Threat Intelligence 24 December 2025โพสต์ใน Cyber Security News
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Australia And New Zealand, Q3 2025
"The cybersecurity situation in Australia and New Zealand is among the most favorable across all regions. The region ranked 11th in Q3 2025 based on the percentage of ICS computers on which malicious objects were blocked. At the same time, the region was in higher positions in the relevant rankings for some threat sources and categories:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q3-2025/ - Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q3 2025
"In South America, the percentage of ICS computers on which threats from mail clients were blocked is 1.8 times higher than the global average. On this metric, the region ranks third globally. High levels of email threats (phishing) and spyware clearly indicate that industrial OT systems in the region are highly exposed to advanced attackers."
https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q3-2025/
Vulnerabilities
- Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands Of Instances
"A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime," the maintainers of the npm package said."
https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html
https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
https://censys.com/advisory/cve-2025-68613
https://securityaffairs.com/186036/hacking/critical-n8n-flaw-could-enable-arbitrary-code-execution.html - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/186021/security/u-s-cisa-adds-a-flaw-in-digiever-ds-2105-pro-to-its-known-exploited-vulnerabilities-catalog.html - Revisiting CVE-2025-50165: A Critical Flaw In Windows Imaging Component
"ESET researchers examined CVE‑2025‑50165, a serious Windows vulnerability described to grant remote code execution by merely opening a specially crafted JPG file – one of the most widely used image formats. The flaw, found and documented by Zscaler ThreatLabz, piqued our interest, as Microsoft assessed its severity as critical but deemed its exploitability as less likely. Our root cause analysis allowed us to pinpoint the exact location of the faulty code and reproduce the crash. We believe that the exploitation scenario is harder than it appears to be."
https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/ - CVE-2025–52692: Discovery And Exploitation Of Zero-Day Vulnerability In Linksys E9450-SG Router
"At the Centre for Strategic Infocomm Technologies (CSIT), we perform vulnerability research on a wide range of platforms including Internet of Things (IoT) devices. Consumer routers are particularly attractive targets because they expose internal networks and often contain exploitable flaws. Most consumers use routers provided by their Internet Service Provider (ISP). One such router is the Linksys E9450-SG AX5400 Wi-Fi 6 router that Singtel distributed in 2021. It is certified as a CSA CLS Level 1 device (CSA/060225/V0009)."
https://medium.com/csit-tech-blog/cve-2025-52692-discovery-and-exploitation-of-zero-day-vulnerability-in-linksys-e9450-sg-router-cda5c829bbf9
Malware
- From Cheats To Exploits: Webrat Spreading Via GitHub
"In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field."
https://securelist.com/webrat-distributed-via-github/118555/
https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/
https://www.helpnetsecurity.com/2025/12/23/fake-poc-exploits-webrat-malware/ - From Email To Exfiltration: How Threat Actors Steal ADP Login And Personal Data
"Recently, threat actors have been impersonating employees at major companies, such as ADP, a leading global provider of human resources management and payroll processing services. The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign imitating ADP, allowing the threat actor to gain access to employee accounts and steal sensitive information. To help employees identify phishing threats and become the first line of defense against threat actors, we broke down this real-life example."
https://cofense.com/blog/from-email-to-exfiltration-how-threat-actors-steal-adp-login-and-personal-data - RTO Scam Wave Continues: A Surge In Browser-Based e-Challan Phishing And Shared Fraud Infrastructure
"Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users."
https://cyble.com/blog/rto-scam-wave-continues/ - Malicious Chrome Extensions “Phantom Shuttle” Masquerade As a VPN To Intercept Traffic And Exfiltrate Credentials
"Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (幻影穿梭), published by the same threat actor using the email theknewone.com@gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel. Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations. Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 server."
https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle
https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
https://www.bleepingcomputer.com/news/security/malicious-extensions-in-chrome-web-store-steal-user-credentials/ - Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
"Over the past few months, tax-themed phishing and malware campaigns have surged, particularly during and after the Income Tax Return (ITR) filing season. With ongoing public discussions around refund timelines, these scams appear more credible, giving attackers the perfect context to craft convincing lures. We recently analyzed emails impersonating the Indian Income Tax Department (ITD). At first glance, the message resembled an official “Tax Compliance Review Notice.” However, deeper investigation revealed it was part of a broader phishing campaign targeting Indian businesses with a multi-stage infection chain designed to deploy persistent Remote Access Trojans (RATs) or infostealer malware."
https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/ - In Depth Analysis Of The Alleged Qilin, DragonForce And LockBit Alliance
"On the occasion of the announcement made by the ransomware group DragonForce regarding the creation of an alliance between DragonForce, Qilin, and LockBit, identified on September 15, 2025, the Cyber Intelligence Team conducted an analysis based on internally collected data to assess the potential risk and the credibility of the claim. This activity was carried out as part of ongoing ransomware claims monitoring operations aimed at identifying emerging risks and issuing customer alerts."
https://labs.yarix.com/2025/12/in-depth-analysis-of-the-alleged-qilin-dragonforce-and-lockbit-alliance/ - Quishing Campaigns : Advanced QR-Code Phishing Evaluation And Insights
"CYFIRMA examines a sophisticated phishing campaign that leverages QR-code-based delivery, commonly referred to as “quishing,” to target employees with messages related to payroll and compensation. By combining personalized social engineering with obfuscated scripts and dynamically generated infrastructure, attackers increase the likelihood of engagement while evading traditional security controls. The campaign demonstrates a high level of operational sophistication, emphasizing the shift toward targeted, industry-specific threats. Findings underscore the need for enhanced user awareness, proactive monitoring, and intelligence-driven defenses to protect organizational credentials and sensitive data."
https://www.cyfirma.com/research/quishing-campaigns-advanced-qr-code-phishing-evaluation-and-insights/
Breaches/Hacks/Leaks
- Baker University Says 2024 Data Breach Impacts 53,000 People
"Baker University has disclosed a data breach after attackers gained access to its network one year ago and stole the personal, health, and financial information of over 53,000 individuals. Founded in 1858, Baker University is a private university in Baldwin City, Kansas, with nearly 2,000 enrolled students (1,457 undergraduates) and over 300 employees. The school detected suspicious activity on its network after a December 2024 outage and found that attackers had access to its systems from December 2 to 19, stealing sensitive documents."
https://www.bleepingcomputer.com/news/security/baker-university-data-breach-impacts-over-53-000-individuals/ - More Than 22 Million Aflac Customers Impacted By June Data Breach
"A data breach in June exposed the information of more than 22 million Aflac customers, according to a new statement from the company. The Georgia-based insurance giant published a statement on Friday about the conclusion of a months-long investigation into a cybersecurity incident announced earlier this year. The company previously warned the Securities Exchange Commission (SEC) that while it was able to stop a hacker intrusion “within hours,” some files were stolen by the cybercriminals."
https://therecord.media/22-million-impacted-aflac-breach
General News
- Formal Proofs Expose Long Standing Cracks In DNSSEC
"DNSSEC is meant to stop attackers from tampering with DNS answers. It signs records so resolvers can verify that data is authentic and unchanged. Many security teams assume that if DNSSEC validation passes, the answer can be trusted. New academic research suggests that assumption deserves closer scrutiny. Researchers from Palo Alto Networks, Purdue University, the University of California Irvine, and the University of Texas at Dallas present an analysis of DNSSEC that goes beyond bug hunting. Instead of searching for individual flaws, the team built a mathematical model of the protocol and asked a deeper question. Does DNSSEC, as written and deployed, always behave securely under all conditions?"
https://www.helpnetsecurity.com/2025/12/23/dnssec-validation-risks-research/
https://arxiv.org/pdf/2512.11431 - AI Code Looks Fine Until The Review Starts
"Software teams have spent the past year sorting through a rising volume of pull requests generated with help from AI coding tools. New research puts numbers behind what many reviewers have been seeing during work. The research comes from CodeRabbit and examines how AI co-authored code compares with human written code across hundreds of open source projects. The findings track issue volume, severity, and the kinds of problems that appear most often. The data shows recurring risks tied to logic, correctness, readability, and security that matter directly to security and reliability teams."
https://www.helpnetsecurity.com/2025/12/23/coderabbit-ai-assisted-pull-requests-report/ - Cloud Security Is Stuck In Slow Motion
"Cloud environments are moving faster than the systems meant to protect them. A new Palo Alto Networks study shows security teams struggling to keep up with development cycles, growing cloud sprawl, and attacker tactics that now compress breaches into minutes instead of weeks."
https://www.helpnetsecurity.com/2025/12/23/palo-alto-networks-cloud-incident-response-report/ - The Week In Vulnerabilities: More Than 2,000 New Flaws Emerge
"Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks."
https://cyble.com/blog/it-vulnerabilities-ics-record-week-new-flaws/ - Amazon Fends Off 1,800 Suspected DPRK IT Job Scammers
"Much has been said about IT worker scams in the last few years, but it's not every day that we get a glimpse into how pervasive the issue has become. Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented "more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we've detected 27% more DPRK-affiliated applications quarter-over-quarter this year.""
https://www.darkreading.com/remote-workforce/amazon-fends-off-dprk-it-job-scammers - Top Ransomware Trends Of 2025
"The past year was much quieter than 2024 in ransomware takedown and anti-cybercrime law enforcement operations. Additionally, less organized collectives such as Scattered Spider, Lapsus$ and ShinyHunters grabbed many of the headlines in 2025. However, traditional ransomware syndicates continued to be active throughout the year. According to ransomware tracking website Ransomware.live, 306 groups were active over the past year, listing 7902 victims at the time of writing. This is significantly higher than the 6129 victims listed in 2024 and the 5336 victims listed in 2023."
https://www.infosecurity-magazine.com/news/top-ransomware-trends-of-2025/ - Why Third-Party Access Remains The Weak Link In Supply Chain Security
"Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time."
https://securityaffairs.com/186026/security/why-third-party-access-remains-the-weak-link-in-supply-chain-security.html - U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme
"The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of bank account takeover fraud. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia."
https://thehackernews.com/2025/12/us-doj-seizes-fraud-domain-behind-146.html
https://therecord.media/us-disrupts-bank-account-takeover-operation-web3adspanels
https://www.securityweek.com/feds-seize-password-database-used-in-massive-bank-account-takeover-scheme/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Threat Landscape For Industrial Automation Systems. Australia And New Zealand, Q3 2025
-
Cyber Threat Intelligence 23 December 2025โพสต์ใน Cyber Security News
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
"High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. In Eastern Europe, the percentage of ICS computers on which threats from email clients were blocked is 1.3 times higher than the global average. The percentage of ICS computers on which malicious documents are blocked also exceeds the global average by a factor of 1.3."
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/ - Threat Landscape For Industrial Automation Systems. Russia, Q3 2025
"The main categories of internet threats blocked on ICS computers include denylisted internet resources, malicious scripts and phishing pages, and miners. The list of denylisted internet resources is used to prevent initial infection attempts. In particular, the following threats on ICS computers are blocked with the aid of this list:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/
New Tooling
- Anubis: Open-Source Web AI Firewall To Protect From Scraper Bots
"Anubis is an open-source tool designed to protect websites from automated scraping and abusive traffic by adding computational friction before a request is served. Maintained by TecharoHQ, the project targets a growing problem for site operators who want to keep content accessible to humans while limiting large scale automated collection."
https://www.helpnetsecurity.com/2025/12/22/anubis-open-source-web-ai-firewall-protect-from-bots/
https://github.com/TecharoHQ/anubis
Vulnerabilities
- Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
"Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/
Malware
- The Shadow Of JWT-Based Authentication: A Fatal Threat Behind The Convenience
"JWT, which has become the standard for modern web applications and mobile apps, provides the convenience of stateless authentication. However, when operated and managed unsafely, it can become a single point of failure that collapses the entire authentication system. This post introduces the concept and authentication methods of JWT, analyzes its key vulnerabilities based on CVE cases, and suggests practical defense strategies for prevention and mitigation."
https://asec.ahnlab.com/en/91676/ - From ClickFix To Code Signed: The Quiet Shift Of MacSync Stealer Malware
"While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach."
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/ - NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
"The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing. Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server."
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/ - Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities To Evade Detection
"This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients."
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/ - Nezha: The Monitoring Tool That’s Also a Perfect RAT
"Ontinue’s Cyber Defense Center discovered attackers using Nezha, a legitimate open-source monitoring tool, as a post-exploitation RAT. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Organisations should hunt for Nezha presence proactively and ensure behavioural monitoring is in place to catch post-exploitation activity."
https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
https://www.infosecurity-magazine.com/news/nezha-abused-post-exploitation/ - DDoS Incident Disrupts France’s Postal And Banking Services Ahead Of Christmas
"France’s national postal service, La Poste, confirmed that a suspected cyberattack disrupted its websites and mobile applications days before Christmas, slowing deliveries and knocking some online services offline. In a statement on Monday, La Poste said that a distributed denial-of-service (DDoS) incident knocked key digital systems offline. The company said there was no evidence that customer data had been compromised, but acknowledged that postal operations, including parcel distribution, had been affected."
https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas - I Am Not a Robot: ClickFix Used To Deploy StealC And Qilin
"ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT)."
https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin - Inside DPRK Operations: New Lazarus And Kimsuky Infrastructure Uncovered Across Global Campaigns
"Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators. These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on."
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
Breaches/Hacks/Leaks
- Nissan Says Thousands Of Customers Exposed In Red Hat Breach
"Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September. The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia. In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat."
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/ - Romanian Water Authority Hit By Ransomware Attack Over Weekend
"Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected."
https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
https://therecord.media/romania-national-water-agency-ransomware-attack
https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/ - University Of Phoenix Data Breach Impacts Nearly 3.5 Million Individuals
"The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August. Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with 82,700 enrolled students and 3,400 employees (nearly 2,300 academic staff). In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC)."
https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/ - Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
"oupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts which is equivalent to nearly two-thirds of the Korean population. This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW). This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods."
https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/
General News
- Browser Agents Don’t Always Respect Your Privacy Choices
"Browser agents promise to handle online tasks without constant user input. They can shop, book reservations, and manage accounts by driving a web browser through an AI model. A new academic study warns that this convenience comes with privacy risks that security teams should not ignore."
https://www.helpnetsecurity.com/2025/12/22/browser-agents-privacy-risks-study/
https://arxiv.org/pdf/2512.07725 - 574 Arrests And USD 3 Million Recovered In Coordinated Cybercrime Operation Across Africa
"Law enforcement in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel (27 October – 27 November) focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million."
https://www.interpol.int/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
https://www.helpnetsecurity.com/2025/12/22/europol-africa-cybercrime-arrests-2025/ - Building Cyber Talent Through Competition, Residency, And Real-World Immersion
"In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths."
https://www.helpnetsecurity.com/2025/12/22/chrisma-jackson-sandia-national-laboratories-recruiting-cybersecurity-professionals/ - 86% Surge In Fake Delivery Websites Hits Shoppers During Holiday Rush
"An 86% increase in malicious postal service websites over the past month has heightened the risk for consumers tracking holiday deliveries. Cybercriminals are reportedly capitalizing on the seasonal spike in online shopping by sending convincing messages that appear to come from legitimate delivery companies, often warning of delayed or suspended packages. The fake alerts typically arrive via text message or email and include links designed to steal personal or financial information. With shoppers expecting frequent updates, these scams are more likely to succeed during peak shipping periods."
https://www.infosecurity-magazine.com/news/surge-fake-delivery-holidays/ - Rising Tides: When Cybersecurity Becomes Personal – Inside The Work Of An OSINT Investigator
"“All of us matter, or none of us do,” a strong statement from Shannon Miller, OSINT Investigator and Privacy Consultant. For those of us who know Miller, it’s not the first time we’ve heard that plea and it won’t be the last. Her significant career and non-profit work to help victims of domestic danger and other similar malice find safety, she’s seen first-hand how the dangers are amplified for marginalized and vulnerable groups who do not have as much access to tools, education, and other critical resources to protect themselves and their families."
https://www.securityweek.com/rising-tides-when-cybersecurity-becomes-personal-inside-the-work-of-an-osint-investigator/ - Spy Turned Startup CEO: 'The WannaCry Of AI Will Happen'
"In my past life, it would take us 360 days to develop an amazing zero day," Zafran Security CEO Sanaz Yashar said. She's talking about the 15 years she spent working as a spy - she prefers "hacking architect" - inside the Israel Defense Forces' elite cyber group, Unit 8200. "Now, the volume and speed is changing so much that for the first time ever, we have a negative time-to-exploit, meaning it takes less than a day to see vulnerabilities being exploited, being weaponized before they were patched," Yashar told The Register. "That is not something you used to see."
https://www.theregister.com/2025/12/22/zafran_security_ceo/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
-
มัลแวร์ MacSync Stealer บน MacOS ปลอมใบรับรอง แฝงแอปแชทขโมยรหัสผ่านโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ช่องโหว่ร้ายแรงในแพลตฟอร์ม n8n (CVE-2025-68613)โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
มัลแวร์ WebRAT ระบาดใหม่ แฝงตัวมาในคราบโค้ดทดสอบช่องโหว่ (Fake Exploits) บน GitHubโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
🚨 ด่วน! ช่องโหว่ n8n Workflow Automation Platform รีบแก้ไขทันที!โพสต์ใน Cyber Security News️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบการแจ้งเตือนช่องโหว่ระดับวิกฤต (Critical) ในแพลตฟอร์ม n8n Workflow Automation Platform ซึ่งเป็นเครื่องมือทำ Automation ยอดนิยม หากไม่ดำเนินการแก้ไข ผู้ไม่ประสงค์ดีสามารถใช้ช่องโหว่นี้เข้ายึดครองระบบและสั่งการเครื่องเซิร์ฟเวอร์ได้โดยสมบูรณ์ รายละเอียดช่องโหว่ที่สำคัญ • CVE-2025-68613 มีคะแนน CVSS: 9.9 ซึ่งเป็นช่องโหว่ประเภท Remote Code Execution (RCE) • สาเหตุเกิดจากการประมวลผล Workflow Expression ที่ไม่ปลอดภัย ทำให้ผู้ใช้งานที่ผ่านการยืนยันตัวตน (Authenticated User) สามารถส่งค่า Expression ที่ออกแบบมาเป็นพิเศษเข้าสู่ระบบ เพื่อรันโค้ดอันตรายภายใต้สิทธิ์การทำงานของ n8n ส่งผลให้ผู้โจมตีสามารถเข้าถึงข้อมูล แก้ไขไฟล์ หรือสั่งการระบบปฏิบัติการได้ (ปัจจุบันพบระบบที่มีความเสี่ยงกว่า 1 แสนระบบทั่วโลก) ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• n8n Workflow Automation Platform เวอร์ชันตั้งแต่ 0.211.0 ขึ้นไป ที่ยังไม่ได้อัปเดตเป็นเวอร์ชันที่มีการแก้ไข แนวทางการป้องกัน, มาตรการชั่วคราว กรณียังไม่สามารถอัปเดตได้ทันที และแนวทางการตรวจสอบ- แนวทางการป้องกัน • ดำเนินการอัปเดตซอฟต์แวร์ n8n ทันที ให้เป็นเวอร์ชันที่ได้รับการแก้ไขแล้ว ได้แก่:
เวอร์ชัน 1.120.4
เวอร์ชัน 1.121.1
เวอร์ชัน 1.122.0
-
มาตรการชั่วคราว กรณียังไม่สามารถอัปเดตได้ทันที
• จำกัดสิทธิ์การสร้างหรือแก้ไข Workflow ไว้เฉพาะผู้ดูแลระบบหรือผู้ใช้งานที่เชื่อถือได้เท่านั้น เพื่อลดความเสี่ยงจากการโจมตีภายใน
• จำกัดการเข้าถึงหน้าบริหารจัดการ n8n จากเครือข่ายภายนอก (Internet) และอนุญาตให้เข้าถึงผ่าน VPN หรือระบุ IP Address ที่เชื่อถือได้เท่านั้น
• แยกระบบ (Network Segmentation) โดยไม่ให้เซิร์ฟเวอร์ n8n เชื่อมต่อกับระบบสำคัญอื่นๆ ขององค์กรโดยตรง หากไม่มีความจำเป็น
• ปรับสภาพแวดล้อมการทำงาน (Hardened Environment) โดยจำกัดสิทธิ์ของระบบปฏิบัติการ (OS Permissions) และการเข้าถึงเครือข่ายของเซิร์ฟเวอร์ให้เหลือเท่าที่จำเป็นที่สุด -
แนวทางการตรวจสอบ
• ตรวจสอบเวอร์ชันของ n8n ที่ใช้งานอยู่ว่าเป็นเวอร์ชันที่มีความเสี่ยงหรือไม่
• ตรวจสอบ Log การทำงานของระบบและการสร้าง Workflow ว่ามี Expression ที่ผิดปกติ หรือมีการเรียกใช้งานจากบัญชีผู้ใช้ที่ไม่น่าไว้วางใจหรือไม่
• เฝ้าระวัง Process การทำงานบนเซิร์ฟเวอร์ ว่ามีการรันคำสั่งแปลกปลอมภายใต้ User ที่รัน service ของ n8n หรือไม่
อ้างอิง:- https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-68613
- https://censys.com/advisory/cve-2025-68613
- https://dg.th/ykr6gub5dp
ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT -
มัลแวร์ Android ‘Wonderland’ ใช้แอปปลอม ขโมย OTP และยึดเครื่องจากระยะไกลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ปฏิบัติการ Interpol ถอดรหัสแรนซัมแวร์ 6 ตระกูล จับกุมผู้ต้องสงสัยหลายร้อยรายโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เตือนภัยนักพัฒนา! พบแพ็กเกจเถื่อนบน npm และ NuGet แฝงมัลแวร์ดักข้อมูล WhatsApp และขโมย Credentials บัญชี Google Adsโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Infy APT กลับมาเคลื่อนไหว ใช้ Foudre – Tonnerre ลอบจารกรรมข้อมูลเป้าหมายทั่วโลกโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Waymo ระงับให้บริการชั่วคราว หลังเหตุไฟฟ้าดับในซานฟรานซิสโกโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
รัฐบาลอังกฤษถูกโจมตีทางไซเบอร์ ข้อมูลวีซ่ารั่วไหล ผู้เชี่ยวชาญหวั่นผลกระทบด้านความมั่นคงระยะยาวโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
🚨ด่วน! แจ้งเตือนกรณีช่องโหว่ในซอฟต์แวร์ HPE OneViewโพสต์ใน Cyber Security News️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบการแจ้งเตือนช่องโหว่ระดับวิกฤตในซอฟต์แวร์ Hewlett Packard Enterprise OneView (HPE OneView) หากไม่ดำเนินการแก้ไขผู้โจมตีสามารถรันไฟล์ที่เป็นอันตรายจากระยะไกล รายละเอียดช่องโหว่ที่สำคัญ
• CVE-2025-37164 มีคะแนน CVSS: 10.0 ซึ่งส่งผลกระทบต่อซอฟต์แวร์ OneView และเป็นช่องโหว่ประเภท Remote Code Execution (RCE) โดยช่องโหว่นี้ผู้โจมตีสามารถรันไฟล์ที่เป็นอันตรายจากระยะไกล โดยไม่ผ่านการยืนยันตัวตน ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• HPE OneView ทุกเวอร์ชันจนถึงเวอร์ชัน 10.20
️ แนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบ เร่งดำเนินการตรวจสอบและแก้ไขทันที แนวทางการตรวจสอบและการป้องกัน- แนวทางการตรวจสอบ
• ตรวจสอบ HPE OneView ที่ใช้งานว่าเป็นเวอร์ชันใด
• เฝ้าระวังพฤติกรรมการทำงานผิดปกติของระบบบริหารจัดการ เช่น การรันคำสั่งที่ผิดปกติ, การเชื่อมต่อเครือข่ายที่ไม่คุ้นเคย หรือกระบวนการที่ถูกสร้างโดย process ที่ไม่รู้จัก
• ใช้เครื่องมือความมั่นคงปลอดภัย เช่น IDS/IPS, EDR หรือ SIEM เพื่อวิเคราะห์และแจ้งเตือนกิจกรรมที่ผิดปกติบนระบบ HPE OneView
• หลีกเลี่ยงการเปิดเผยบริการ HPE OneView ไปยังอินเทอร์เน็ตโดยตรง หากไม่จำเป็น ควรใช้ VPN หรือควบคุมการเข้าถึงจากเครือข่ายภายในเท่านั้น - แนวทางการป้องกัน
• ดำเนินการอัปเดตซอฟต์แวร์ HPE OneView ให้เป็นเวอร์ชัน 11.00 หรือสูงกว่า
• จำกัดการเข้าถึงบริการ HPE OneView จากเครือข่ายภายนอก และอนุญาตเฉพาะแหล่งที่เชื่อถือได้เท่านั้น
• สแกนหาช่องโหว่ (Vulnerability Scanning) และ Penetration Testing เพื่อประเมินความเสี่ยงที่อาจเกิดขึ้นในระบบภายในขององค์กร
• เฝ้าติดตามประกาศจาก HPE และหน่วยงานความปลอดภัยไซเบอร์ เพื่อรับทราบข้อมูลอัปเดตและคำแนะนำเพิ่มเติม - มาตรการชั่วคราว กรณียังไม่สามารถอัปเดตได้ทันที
• จำกัดการเข้าถึงบริการจากเครือข่ายภายนอก และอนุญาตให้เข้าถึงเฉพาะจาก IP Addresss หรือเครือข่ายที่เชื่อถือได้
• กำหนดไฟร์วอลล์ให้อนุญาตเฉพาะ IP Address หรือเครือข่ายที่จำเป็นต่อการปฏิบัติงาน และปิดกั้นการเข้าถึงจากแหล่งที่ไม่เกี่ยวข้องหรือไม่สามารถยืนยันความน่าเชื่อถือ
• แยกระบบบริหารจัดการออกจากเครือข่ายหลักของหน่วยงาน เพื่อจำกัดขอบเขตและผลกระทบที่อาจเกิดขึ้น
• กำหนดค่าการเข้าถึงระบบตามหลักการ Least Privilege และจำกัดแหล่งที่มาของการเชื่อมต่อให้เฉพาะที่มีความจำเป็น
• จัดทำและทบทวนแผนตอบสนองเหตุการณ์ด้านความมั่นคงปลอดภัยไซเบอร์ (Incident Response Plan) เพื่อให้สามารถดำเนินการได้อย่างรวดเร็ว หากตรวจพบการโจมตี
อ้างอิง:- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-121/
- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT
- แนวทางการตรวจสอบ
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 22 ธันวาคม 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้
- CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability
ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 23 December 2025โพสต์ใน Cyber Security News
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
"High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. In Eastern Europe, the percentage of ICS computers on which threats from email clients were blocked is 1.3 times higher than the global average. The percentage of ICS computers on which malicious documents are blocked also exceeds the global average by a factor of 1.3."
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/ - Threat Landscape For Industrial Automation Systems. Russia, Q3 2025
"The main categories of internet threats blocked on ICS computers include denylisted internet resources, malicious scripts and phishing pages, and miners. The list of denylisted internet resources is used to prevent initial infection attempts. In particular, the following threats on ICS computers are blocked with the aid of this list:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/
New Tooling
- Anubis: Open-Source Web AI Firewall To Protect From Scraper Bots
"Anubis is an open-source tool designed to protect websites from automated scraping and abusive traffic by adding computational friction before a request is served. Maintained by TecharoHQ, the project targets a growing problem for site operators who want to keep content accessible to humans while limiting large scale automated collection."
https://www.helpnetsecurity.com/2025/12/22/anubis-open-source-web-ai-firewall-protect-from-bots/
https://github.com/TecharoHQ/anubis
Vulnerabilities
- Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
"Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/
Malware
- The Shadow Of JWT-Based Authentication: A Fatal Threat Behind The Convenience
"JWT, which has become the standard for modern web applications and mobile apps, provides the convenience of stateless authentication. However, when operated and managed unsafely, it can become a single point of failure that collapses the entire authentication system. This post introduces the concept and authentication methods of JWT, analyzes its key vulnerabilities based on CVE cases, and suggests practical defense strategies for prevention and mitigation."
https://asec.ahnlab.com/en/91676/ - From ClickFix To Code Signed: The Quiet Shift Of MacSync Stealer Malware
"While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach."
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/ - NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
"The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing. Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server."
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/ - Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities To Evade Detection
"This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients."
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/ - Nezha: The Monitoring Tool That’s Also a Perfect RAT
"Ontinue’s Cyber Defense Center discovered attackers using Nezha, a legitimate open-source monitoring tool, as a post-exploitation RAT. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Organisations should hunt for Nezha presence proactively and ensure behavioural monitoring is in place to catch post-exploitation activity."
https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
https://www.infosecurity-magazine.com/news/nezha-abused-post-exploitation/ - DDoS Incident Disrupts France’s Postal And Banking Services Ahead Of Christmas
"France’s national postal service, La Poste, confirmed that a suspected cyberattack disrupted its websites and mobile applications days before Christmas, slowing deliveries and knocking some online services offline. In a statement on Monday, La Poste said that a distributed denial-of-service (DDoS) incident knocked key digital systems offline. The company said there was no evidence that customer data had been compromised, but acknowledged that postal operations, including parcel distribution, had been affected."
https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas - I Am Not a Robot: ClickFix Used To Deploy StealC And Qilin
"ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT)."
https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin - Inside DPRK Operations: New Lazarus And Kimsuky Infrastructure Uncovered Across Global Campaigns
"Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators. These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on."
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
Breaches/Hacks/Leaks
- Nissan Says Thousands Of Customers Exposed In Red Hat Breach
"Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September. The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia. In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat."
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/ - Romanian Water Authority Hit By Ransomware Attack Over Weekend
"Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected."
https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
https://therecord.media/romania-national-water-agency-ransomware-attack
https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/ - University Of Phoenix Data Breach Impacts Nearly 3.5 Million Individuals
"The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August. Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with 82,700 enrolled students and 3,400 employees (nearly 2,300 academic staff). In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC)."
https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/ - Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
"oupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts which is equivalent to nearly two-thirds of the Korean population. This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW). This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods."
https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/
General News
- Browser Agents Don’t Always Respect Your Privacy Choices
"Browser agents promise to handle online tasks without constant user input. They can shop, book reservations, and manage accounts by driving a web browser through an AI model. A new academic study warns that this convenience comes with privacy risks that security teams should not ignore."
https://www.helpnetsecurity.com/2025/12/22/browser-agents-privacy-risks-study/
https://arxiv.org/pdf/2512.07725 - 574 Arrests And USD 3 Million Recovered In Coordinated Cybercrime Operation Across Africa
"Law enforcement in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel (27 October – 27 November) focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million."
https://www.interpol.int/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
https://www.helpnetsecurity.com/2025/12/22/europol-africa-cybercrime-arrests-2025/ - Building Cyber Talent Through Competition, Residency, And Real-World Immersion
"In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths."
https://www.helpnetsecurity.com/2025/12/22/chrisma-jackson-sandia-national-laboratories-recruiting-cybersecurity-professionals/
86% Surge In Fake Delivery Websites Hits Shoppers During Holiday Rush
"An 86% increase in malicious postal service websites over the past month has heightened the risk for consumers tracking holiday deliveries. Cybercriminals are reportedly capitalizing on the seasonal spike in online shopping by sending convincing messages that appear to come from legitimate delivery companies, often warning of delayed or suspended packages. The fake alerts typically arrive via text message or email and include links designed to steal personal or financial information. With shoppers expecting frequent updates, these scams are more likely to succeed during peak shipping periods."
https://www.infosecurity-magazine.com/news/surge-fake-delivery-holidays/ - Rising Tides: When Cybersecurity Becomes Personal – Inside The Work Of An OSINT Investigator
"“All of us matter, or none of us do,” a strong statement from Shannon Miller, OSINT Investigator and Privacy Consultant. For those of us who know Miller, it’s not the first time we’ve heard that plea and it won’t be the last. Her significant career and non-profit work to help victims of domestic danger and other similar malice find safety, she’s seen first-hand how the dangers are amplified for marginalized and vulnerable groups who do not have as much access to tools, education, and other critical resources to protect themselves and their families."
https://www.securityweek.com/rising-tides-when-cybersecurity-becomes-personal-inside-the-work-of-an-osint-investigator/ - Spy Turned Startup CEO: 'The WannaCry Of AI Will Happen'
"In my past life, it would take us 360 days to develop an amazing zero day," Zafran Security CEO Sanaz Yashar said. She's talking about the 15 years she spent working as a spy - she prefers "hacking architect" - inside the Israel Defense Forces' elite cyber group, Unit 8200. "Now, the volume and speed is changing so much that for the first time ever, we have a negative time-to-exploit, meaning it takes less than a day to see vulnerabilities being exploited, being weaponized before they were patched," Yashar told The Register. "That is not something you used to see."
https://www.theregister.com/2025/12/22/zafran_security_ceo/
อ้างอิง
Electronic Transactions Development Agency (ETDA) - Threat Landscape For Industrial Automation Systems. Europe, Q3 2025