NCSA Webboard

    Posts created by NCSA_THAICERT

    • Apple fixes a Beats Studio Buds vulnerability after a risk of eavesdropping through the microphone was found


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News by NCSA_THAICERT
    • Xsolis discloses a data breach affecting nearly 1.4 million individuals following a phishing attack


      Posted in Cyber Security News by NCSA_THAICERT
    • Attack via WhatsApp discovered: hackers send VBScript files disguised as business documents to take control of systems


      Posted in Cyber Security News by NCSA_THAICERT
    • CISA adds 4 actively exploited vulnerabilities to its catalog

      On 23 June 2569 (B.E.), the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that they are already being exploited in the wild. The details are as follows:

      • CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
      • CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
      • CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
      • CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability

      CISA will continue to revise the KEV catalog and add new vulnerabilities to it so that it covers the risks actually observed, now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog


      Posted in Cyber Security News by NCSA_THAICERT
    • CISA publishes 10 industrial control systems (ICS) advisories

      On 23 June 2569 (B.E.), the Cybersecurity and Infrastructure Security Agency (CISA) published 10 advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities and exploits affecting ICS. The details are as follows:

      • ICSA-26-174-01 Siemens WinCC Certificate Manager
      • ICSA-26-174-02 Siemens SIPROTEC 5
      • ICSA-26-174-03 Siemens Products using OpenSSL
      • ICSA-26-174-04 Siemens SINEC INS
      • ICSA-26-174-05 ABB Freelance Security Lock
      • ICSA-26-174-06 Impact of Linux Kernel vulnerabilities on B&R products
      • ICSA-26-174-07 Hubbell Aclara Metrum Cellular Web Interface
      • ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control (Update A)
      • ICSA-24-345-06 Rockwell Automation Arena (Update C)
      • ICSA-26-111-06 Zero Motorcycles Firmware (Update A)

      Reference

      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News by NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 24 June 2026

      Vulnerabilities

      • Cisco Unified CM Flaw CVE-2026-20230 Now Exploited In Attacks
        "A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco."
        https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/
      • Security Vulnerabilities Endanger Connections Via Libssh2
        "The open-source SSH library libssh2 is vulnerable. Attackers can exploit two security vulnerabilities to attack systems. In the worst case, malicious code can compromise computers. According to currently available information, the patch status is unclear. At the time of this report, there are no reports of attackers already exploiting the vulnerabilities. Companies use the library in sensitive areas of the network, for example, to remotely control routers and IoT devices and to manage servers. Consequently, successful attacks could have far-reaching consequences."
        https://www.heise.de/en/news/Security-vulnerabilities-endanger-connections-via-libssh2-11339594.html
      • Eight-Year-Old Samsung KNOX Flaw Exposed Millions Of Galaxy Devices To Kernel Attacks
        "Researchers found an eight-year-old high severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25 living within the KNOX kernel. The flaw (CVE-2026-20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel-side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung."
        https://www.securityweek.com/eight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-attacks/
      • Vendor-Signed UEFI Applications Found Vulnerable To Secure Boot Bypass
        "Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process."
        https://kb.cert.org/vuls/id/457458

      Malware

      • “Free World Cup Stream” Sites Are Serving Scams, Not Football
        "With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch. But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football
        https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/
      • Phishing Through Collaboration: Outlook Groups As An Attack Path And The Usage Of CalPhishing
        "Fortra Intelligence and Research Experts (FIRE) is tracking phishing activity that abuses Outlook Groups and Microsoft 365 collaboration features to make malicious activity appear routine. The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow. A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action."
        https://www.fortra.com/blog/phishing-through-collaboration
        https://www.helpnetsecurity.com/2026/06/23/microsoft-365-collaboration-features-phishing/
      • From PostCSS Masquerading To Windows RAT
        "The package name is not random. The legitimate postcss-selector-parser package is widely used across the JavaScript build ecosystem, with npm reporting more than 150M weekly downloads. postcss-minify-selector-parser is not a classic one-character typo. Instead, it sits close enough to the legitimate package to look plausible during a quick dependency review. It uses the same postcss, selector, parser, and css keyword space, and it also depends on the real postcss-selector-parser. At the time of this report, the package remained live and accessible."
        https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/
        https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
        https://www.infosecurity-magazine.com/news/lookalike-npm-package-postcss/
      • GTA 6 Early Access Is Nothing But a Scam
        "A new wave of scam websites is offering something millions of people want: a way to play Grand Theft Auto VI before it comes out. “Get GTA 6 before everyone else.” “Buy VIP early access.” Pay a few hundred dollars in cryptocurrency, enter a payment code, and supposedly unlock the game. But it’s a scam."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam
        https://www.infosecurity-magazine.com/news/gta-6-scams-emerge-as-preorders/
        https://www.helpnetsecurity.com/2026/06/23/gta-6-early-access-scam/
      • From Langflow To Monero: Inside CVE-2026-33017 Cryptominer
        "This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments. The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."
        https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
      • Malware à La Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
        "Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls."
        https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain/
      • Cordyceps: The Silent Parasite Consuming Your Supply Chain
        "Novee identified a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain – command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. Our team scanned roughly 30,000 high-impact repositories, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. There are millions of repositories that are potentially affected by this same pattern."
        https://novee.security/blog/cordyceps/
        https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
        https://hackread.com/cordyceps-ci-cd-flaw-microsoft-google-apache-repos-hijack/
      • Inside The FortiBleed Open Directory: A Technical Analysis Of What The Attacker Left Behind
        "CloudSEK’s threat intelligence team is tracking FortiBleed, an active, large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. Despite the name, FortiBleed is not a software vulnerability and is not linked to any newly disclosed Fortinet flaw or zero-day. It is the label given to a verified dataset of working device credentials that a threat group assembled through credential reuse, brute force, and offline hash cracking against exposed devices."
        https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
        https://www.helpnetsecurity.com/2026/06/23/fortibleed-investigation-remediation/
      • Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
        "Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution."
        https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution

      Breaches/Hacks/Leaks

      • Xsolis Data Breach Affects 1.4 Million Individuals
        "Healthcare technology company Xsolis, Inc. has disclosed a data breach affecting nearly 1.4 million individuals. Tennessee-based Xsolis provides utilization management and revenue cycle solutions for hospitals, health systems, and payers. The company published a data security notice in early June, revealing that unauthorized activity was detected on its systems on January 22. The intrusion resulted from a targeted phishing attack carried out two days earlier."
        https://www.securityweek.com/xsolis-data-breach-affects-1-4-million-individuals/
        https://www.bleepingcomputer.com/news/security/healthtech-firm-xolis-suffers-data-breach-impacting-14-million-people/
        https://securityaffairs.com/194067/cyber-crime/xsolis-data-breach-impacts-1-4-million-people.html
        https://www.bankinfosecurity.com/xsolis-hack-affecting-14m-raises-ai-vendor-risk-concerns-a-32051
      • Tata Electronics Confirms Cyberattack As Hackers Leak Data
        "Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. The company emphasizes that its operations continued to run normally and were not affected by the incident. "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems,” a Tata Electronics spokesperson told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/tata-electronics-confirms-cyberattack-as-hackers-leak-data/
        https://therecord.media/tata-electronics-confirms-cyberattack
      • LastPass Confirms Data Breach In Klue Supply Chain Attack
        "LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. The password management platform says its products, services, and infrastructure were not affected by the incident and that customer vaults remained secure. “On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says."
        https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/
        https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
        https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data
        https://hackread.com/lastpass-customer-data-breach-klue-oauth-token/

      General News

      • Nearly Half Of LG Smart TV Apps Are Laced With Proxies
        "Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, it's a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other people's internet traffic out through your living room. And we found it everywhere."
        https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
        https://www.helpnetsecurity.com/2026/06/23/tv-residential-proxy-sdk/
      • Only 7% Of Companies Are Ready For The AI Agents They Deployed
        "Most organizations now run or pilot AI agents that operate on company data with limited human direction at each step, a share that reaches 88% in Veeam Software’s Data and AI Trust Gap report. The systems that are supposed to keep an eye on them have not caught up. That gap is the heart of the report. Most executives say their data problems are already holding their AI back. The issues are familiar ones: data that is out of date, data that contradicts itself, and data locked away in systems that do not talk to each other. An agent acting on shaky data does more than make a single mistake. It can repeat that mistake across thousands of decisions before anyone notices."
        https://www.helpnetsecurity.com/2026/06/23/ai-trust-gap-research/
      • Daybreak: Tools For Securing Every Organization In The World
        "We’re expanding Daybreak to help democratize patching vulnerable software at machine speed. For example, we’ve applied our models to discover and generate patches for critical vulnerabilities in major browsers, network infrastructure, and operating systems such as FreeBSD and the Linux kernel. To scale the impact of these capabilities:"
        https://openai.com/index/daybreak-securing-the-world/
        https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
        https://www.infosecurity-magazine.com/news/openai-daybreak-gpt-5-5-cyber/
        https://www.securityweek.com/openai-refocuses-cybersecurity-efforts-on-patching-over-discovery/
        https://www.helpnetsecurity.com/2026/06/23/openai-expanded-daybreak-cybersecurity-initiative/
      • Scattered Spider Teens Convicted Of TfL Cyber-Attack
        "Two British youngsters who hacked Transport for London (TfL) in 2024 have pleaded guilty to their crimes, according to the National Crime Agency (NCA). Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were teenagers when they hacked London’s transport authority between August 31 and September 3, 2024. Both are said to be members of the infamous Scattered Spider collective. The incident cost TfL £29m ($38m) in loss and recovery costs, according to the NCA. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset."
        https://www.infosecurity-magazine.com/news/scattered-spider-teens-convicted/
        https://therecord.media/guilty-plea-tfl-cyberattack-scattered-spider-members
        https://www.bleepingcomputer.com/news/security/scattered-spider-members-plead-guilty-to-hacking-transport-for-london/
        https://hackread.com/scattered-spider-hackers-guilty-tfl-cyberattack/
        https://www.bankinfosecurity.com/2-british-men-plead-guilty-to-transport-for-london-hacks-a-32048
      • Algerian Man Extradited To US For Running Cybercrime Marketplaces
        "Abdellah Belmili, a 26-year-old Algerian national, was recently arrested in Spain and extradited to the United States, where he faces up to 30 years in prison for allegedly running two cybercrime marketplaces. According to the US Justice Department, Belmili, also known as Dila Belmili and Spox, was the administrator of a cybercrime marketplace called Market0Day between September and December 2020. Authorities said Spox was known for developing phishing kits targeting major American financial institutions."
        https://www.securityweek.com/algerian-man-extradited-to-us-for-running-cybercrime-marketplaces/
        https://cyberscoop.com/algerian-man-charged-cybercrime-marketplaces/
      • He Thought He Was Secure; His Phone Number Got Stolen Anyway
        "Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering."
        https://www.darkreading.com/cyber-risk/how-a-sim-swap-attack-led-to-a-near-account-takeover
      • CISO Conversations: Carl Froggett – Combining CISO And CIO At Deep Instinct
        "Carl Froggett combines CISO and CIO. He currently occupies both positions at Deep Instinct. Before then, he was CISO at Citi for almost 17 years. Froggett has long believed the two roles overlap, making a combined role attractive. But it doesn’t work for all companies. Citi has more than 200,000 employees. Deep Instinct has fewer than 200. Combining CISO and CIO would be too much for one person at Citi, but works well at Deep Instinct."
        https://www.securityweek.com/ciso-conversations-carl-froggett-combining-ciso-and-cio-at-deep-instinct/
      • Justice Department Seizes Backend Infrastructure Used By The Huione Group For Money Laundering Services
        "Today, the Justice Department announced the seizure of a cloud computing account used by subsidiaries of the Huione Group, a Cambodia-based corporate conglomerate. These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected. The seized account hosted backend infrastructure for the subsidiaries."
        https://www.justice.gov/opa/pr/justice-department-seizes-backend-infrastructure-used-huione-group-money-laundering-services
        https://home.treasury.gov/news/press-releases/sb0538
        https://therecord.media/feds-seize-alleged-cyber-scam-infrastructure-southeast-asia
        https://cyberscoop.com/doj-huione-group-cybercrime-seizure/
      • Using Reddit To Manipulate AI Search Results Is Surprisingly Easy
        "A Reddit comment that takes only a few seconds to write can end up influencing the answers generated by AI research tools. A Cornell Tech study found that a short snippet of user-generated text, sometimes as little as 13 words, was enough to affect the output of deep-research agents, AI systems that search the web, gather information from multiple sources, and generate reports with citations. The risks of relying on community-generated content are already familiar to many internet users. Google’s AI Overviews famously recommended adding glue to pizza sauce after pulling information from an old joke Reddit post."
        https://www.helpnetsecurity.com/2026/06/23/reddit-ai-search-poisoning-research/
        https://arxiv.org/pdf/2605.24245
      • Inside The Dark Web: Stolen Identities For 95¢, Malware, And Scams-For-Hire
        "Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found. The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95¢-malware-and-scams-for-hire
      • Software-Defined Warfare: Crossing The Chasm In Two Software Areas
        "Software-defined warfare is today’s reality for national security, shifting the emphasis in military operations from hardware to software, “the core of every weapon and supporting system” fielded for defense. The Atlantic Council’s 2025 Commission on Software-Defined Warfare: Final Report defines software-defined warfare as the “continuous integration and delivery of cutting-edge technology and leading interoperable software into legacy and future defense systems.” The report emphasizes the need for speed through artificial intelligence (AI) by calling on national security organizations to “acquire and sustain unified, shared platforms that support and accelerate the end-to-end development, deployment, and governance of AI solutions.”"
        https://www.sei.cmu.edu/blog/software-defined-warfare-crossing-the-chasm-in-two-software-areas/
      • Fake AI Agent Skill Passed Security Scans And Reportedly Reached 26,000 Agents
        "Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation."
        https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html

      Reference

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 23 June 2026

      New Tooling

      • Agent Beacon: Open-Source Telemetry Layer For AI Agents
        "AI coding agents such as Claude Code, Codex CLI, Cursor, and Claude Cowork run on developer laptops, CI jobs, cloud environments, where they edit files, run commands, and call outside tools. Beacon, an open-source project from Asymptote Labs, configures telemetry for those runtimes and writes a normalized record of what each agent does across local, CI, and cloud-agent surfaces."
        https://www.helpnetsecurity.com/2026/06/22/agent-beacon-open-source-telemetry-layer-ai-agents/
        https://github.com/Asymptote-Labs/agent-beacon/
      • Sniff Out Stale AI Override Advice With This Open Source CLI
        "The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement. One such tool is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available. The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident."
        https://www.theregister.com/security/2026/06/23/sniff-out-stale-ai-override-advice-with-this-open-source-cli/5259853
        https://owasp.org/cve-lite-cli/

      Vulnerabilities

      • PixelSmash – Critical FFmpeg Vulnerability Turns Media Files Into Weapons
        "JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file."
        https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/
        https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/
      • Squidbleed (CVE-2026-47729)
        "Two weeks ago, we dropped an HTTP/2 bomb cooked up by Codex Cyber. This time, we sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration."
        https://blog.calif.io/p/squidbleed-cve-2026-47729
        https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html
        https://www.securityweek.com/decades-old-squid-proxy-flaw-squidbleed-can-expose-user-data/
      • DifyTap: Zafran Discovers How Attackers Can Silently Wiretap AI Data Across Tenants On a Platform Powering 1M+ Apps
        "Zafran Security uncovered four vulnerabilities in Dify, the open-source AI platform powering over one million applications and used by enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another."
        https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps
        https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
      • The Global Namespace Risk: Universal Bucket Hijacking Technique For Cloud Data Exfiltration
        "We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well. Our research reveals that an attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket. Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This therefore creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker’s environment."
        https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/

      Malware

      • A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software
        "In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active."
        https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
        https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/
        https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html
      • Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation
        "Dismantling FortiBleed investigates an active credential-harvesting operation identified by the SOCRadar Threat Research Unit (STRU). The report traces the campaign from large-scale reconnaissance and credential sourcing through initial access, passive sniffer deployment, offline hash cracking, and targeted exfiltration. STRU assesses the operator to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments in the Cyrillic alphabet pointing to a likely Russian origin. The investigation began with a single exposed directory flagged by researcher Volodymyr “Bob” Diachenko and expanded into more than 260 operation servers."
        https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/
        https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
        https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html
      • More Than 4,000 Legacy Routers Compromised By AryStinger, Turned Into Global Attack Proxies For Hackers
        "On May 20, 2026, the Ministry of State Security's WeChat official account published an article "Your internet is slow, and the culprit turns out to be this!", highlighting that outdated routers are becoming a key entry point for threat actors to conduct cyber espionage. Inspired by this article, we feel it is imperative to take the compromise of old routers seriously. This article introduces an unusual attack campaign observed within QiAnXin XLab's field of view, specifically targeting router devices based on the RTL819X series chips. The mainstream active period of the RTL819X series chips was concentrated around 2012 to 2015. The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers, building reconnaissance and attack clusters for use in the pre-intrusion footprinting stage. (Note: The campaign disclosed in this article has no direct relationship to what the Ministry of State Security described.)"
        https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
        https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html
        https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
        https://www.bankinfosecurity.com/arystinger-botnet-converts-legacy-routers-to-global-proxies-a-32045
        https://www.malwarebytes.com/blog/news/2026/06/thousands-of-d-link-routers-under-control-of-arystinger-botnet
        https://securityaffairs.com/193987/security/4300-outdated-routers-hijacked-in-stealthy-spy-infrastructure-by-arystinger-malware.html
      • Prinz Eugen Ransomware: a Deep Dive Into a New Go-Based Encryptor
        "On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen. The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk. The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa."
        https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/
        https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/
      • From Package To Postinstall Payload: Inside The Mastra Npm Supply Chain Compromise By Sapphire Sleet
        "Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026."
        https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
        https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
        https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/
        https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/
      • Threat Hunting Beyond Alerts: Finding The Activity Detection Misses
        "Threat hunting is meant to uncover malicious activity before it becomes an incident. In reality, it can easily turn into a long expedition through noisy logs, vague indicators, and detection rules that lack the context needed to separate real risk from routine activity. The issue is rarely the analyst’s skill. The real bottleneck is intelligence quality. A standalone IP address, domain, or hash may be useful for blocking, but it does not explain the campaign behind it, the behaviors it leaves on endpoints, or the infrastructure likely to appear next."
        https://hackread.com/threat-hunting-alerts-finding-activity-detection-misses/
      • Lost In Relocation: Analysis Of a New Loader Distributing CASTLESTEALER
        "A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode. Elastic Security Labs identified OXLOADER in an active campaign targeting one of our customers; CIS-region and Russian-language exclusions point to a financially motivated, Russian-speaking threat actor. We have found no prior public reporting on this family."
        https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
        https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
      • Gizmodo Readers Hit With ClickFix Malware Prompts After Account Compromise
        "Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals. According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose."
        https://www.theregister.com/security/2026/06/22/gizmodo-readers-hit-with-clickfix-malware-prompts-after-account-compromise/5259226
      • Analyzing SHEET#CREEP: SHEETCREEP Is Up Again With Different Config Obfuscation
        "The Securonix Threat Research team has identified an ongoing espionage campaign, tracked as SHEETCREEP, where threat actors deliver a C# remote access trojan through a diplomatic-themed ISO phishing lure. Building upon the initial discovery and excellent research of the SHEETCREEP malware family by Zscaler’s ThreatLabz, we observed that the RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication. Our team successfully extracted the embedded credentials, authenticated to the live C2 spreadsheet, and identified 91 active victim tabs including a high-confidence target located in Pakistan."
        https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat
      • Ababil Of Minab Exposed: LA Metro SCADA Backups And Israeli Victim Data Left Open On An Iranian Staging Server
        "Ababil of Minab is a pro-Iranian threat actor that surfaced in late March 2026, claiming destructive intrusions against targets in the United States, Israel, Saudi Arabia, and Turkey, including a confirmed breach of the Los Angeles County Metropolitan Transportation Authority. On May 26, 2026, Gambit Security published a technical report documenting SQL Server deletion, VM partition wipes, Veeam backup destruction, and file system damage across four victim environments, but deliberately withheld the identities of additional targets."
        https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory

      Breaches/Hacks/Leaks

      • JaredFromSubway MEV Bot Hacked In $15 Million Crypto Theft
        "The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts. According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system."
        https://www.bleepingcomputer.com/news/security/jaredfromsubway-mev-bot-hacked-in-15-million-crypto-theft/
      • Hundreds Of AI-Powered iOS Apps Found Exposing Credentials
        "Mobile app developers are packing AI features into everything from writing assistants to productivity tools and lifestyle apps. New research shows that securing access to those services remains a challenge. Researchers from Wake Forest University analyzed 444 iOS applications with LLM features and found 282 that exposed exploitable credentials or backend access mechanisms. The affected apps covered 13 categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness. LLM-powered applications reached 17 billion downloads in 2025 and accounted for 13% of all mobile app downloads."
        https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/
        https://arxiv.org/pdf/2606.12212
      • Suspected Cyberattack Triggers False Emergency Alerts Across Parts Of Brazil
        "Brazil suspended its mobile phone emergency alert system after a suspected cyberattack triggered false warnings on phones across several states. The incident occurred early Saturday when at least a dozen unauthorized alerts were sent through Brazil's Civil Defense Alert system, a platform designed to warn residents about imminent threats such as floods, landslides and other natural disasters."
        https://therecord.media/suspected-cyberattack-triggers-false-emergency-alerts-brazil
        https://www.theregister.com/security/2026/06/22/brazil-begins-investigating-emergency-alert-system-breach/5259421
      • Canadian Utility Fesses Up To Data Breach, But Key Details Remain Off-Grid
        "A Canadian power utility says customer data may have walked out the door during a security incident, but isn't yet saying whether the intruders got anywhere near the systems responsible for keeping the lights on. London Hydro, which distributes electricity to more than 160,000 customers in and around London, Ontario, said on Saturday that it is investigating a data security incident that "may have impacted a portion of personal information on some accounts" and has started notifying affected customers."
        https://www.theregister.com/security/2026/06/22/canadian-utility-fesses-up-to-data-breach-but-key-details-remain-off-grid/5259309

      General News

      • Who Pays When You Gate Cyber-Capable AI Models?
        "In this interview with Help Net Security, Jaya Baloo, COO & CISO at Aisle, examines the debate over restricting access to cyber-capable AI models. She lays out the strongest argument for gating these tools, then explains where it breaks down for security teams who depend on the same capabilities for defense. Baloo argues that policymakers misread how attackers and defenders operate, that open-weight models cut both ways, and that limiting access can widen the gap between well-resourced organizations and everyone else."
        https://www.helpnetsecurity.com/2026/06/22/jaya-baloo-aisle-gating-cyber-capable-ai-models/
      • Encrypted DNS Still Tells An Eavesdropper Where To Look
        "Encrypted DNS runs across much of the Internet. DNS over TLS, HTTPS, and QUIC keep the contents of a query away from anyone watching a network link. The encryption covers the message inside each packet. The packet still carries plaintext headers, and those values mark a flow as DNS. A new study measures this gap for the Internet of Things and offers a way to close part of it."
        https://www.helpnetsecurity.com/2026/06/22/research-encrypted-dns-privacy/
        https://arxiv.org/pdf/2606.10097
      • What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
        "The latest wave of breaches attributed to the ShinyHunters cybercrime collective (e.g., University of Nottingham, DentaQuest, 7-Eleven, Medtronic, and Wynn Resorts), reinforces a hard truth security leaders can no longer ignore: attackers are increasingly bypassing traditional perimeter defenses and targeting identities, authentication workflows, SaaS integrations, and trusted access paths instead of exploiting software vulnerabilities directly. Over the past several months, ShinyHunters has been linked to attacks involving Salesforce environments, Snowflake customers, SaaS integrations, and identity platforms such as Okta. Researchers and incident responders have consistently observed the same pattern: stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate access privileges."
        https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/
      • Stop Your Legacy Infrastructure From Hijacking Your AI Agents
        "Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their enterprise applications, and 31% have already moved them into production workflows."
        https://thehackernews.com/2026/06/stop-your-legacy-infrastructure-from.html
      • Canada’s Spy Agency Used First-Of-Its-Kind Warrant To Clean Botnet-Infected Devices
        "Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks."
        https://thehackernews.com/2026/06/canadas-spy-agency-used-first-of-its.html
        https://www.fct-cf.ca/en/pages/media/news-bulletins/file-c-6-24
      • Intel Agencies: Frontier AI Models Will Reshape Cybersecurity Faster Than Expected
        "Intelligence agencies for the United States, Canada, UK, Australia and New Zealand are warning that advanced AI models capable of wreaking havoc in the cyber domain are “months away” from being publicly available. In a joint statement, the Five Eyes alliance say they expect the kind of advanced hacking capabilities provided by frontier models like Anthropic’s Fable 5 and OpenAI’s Daybreak to become broadly available to the public within the year, despite efforts by AI companies to withhold them or restrict their access."
        https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/

      References

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google adds Android developer identity verification measures to reduce the risk of installing dangerous apps

      Posted in Cyber Security News
      NCSA_THAICERT
    • Salesforce disconnects Klue after OAuth token theft affecting some customer data

      Posted in Cyber Security News
      NCSA_THAICERT
    • AryStinger botnet malware found hijacking more than 4,000 legacy D-Link routers for use as a base for cyberattack operations

      Posted in Cyber Security News
      NCSA_THAICERT
    • Exploitation of a vulnerability in the Gravity SMTP plugin for WordPress detected, risking leakage of sensitive data

      Posted in Cyber Security News
      NCSA_THAICERT
    • FortiBleed exposes a large-scale credential spraying campaign targeting Fortinet VPNs worldwide

      Posted in Cyber Security News
      NCSA_THAICERT
    • The Gentlemen ransomware group uses the GentleKiller tool to exploit a driver vulnerability and disable security software

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds 1 exploited vulnerability to its catalog

      On 18 June 2569 (B.E.), the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Details are as follows:

      • CISA Adds One Known Exploited Vulnerability to Catalog

      CISA will continue to update and add new vulnerabilities to the KEV catalog so that it covers risks actually detected now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA publishes 8 industrial control systems (ICS) advisories

      On 18 June 2569 (B.E.), the Cybersecurity and Infrastructure Security Agency (CISA) published 8 advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities, and attacks involving ICS. Details are as follows:

      • ICSMA-26-169-01 Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT
      • ICSA-26-169-01 AVer PTC cameras
      • ICSA-26-169-02 AzeoTech DAQFactory
      • ICSA-26-169-03 Rockwell Automation FactoryTalk Historian Site Edition
      • ICSA-26-169-04 Schneider Electric EasyLogic T150 and Saitel DP
      • ICSA-26-169-05 Mitsubishi Electric MELSEC iQ-F Series
      • ICSA-26-169-06 Mitsubishi Electric Co.'s MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
      • ICSA-26-169-07 Schneider Electric Easergy, EcoStruxture, PowerLogic, and Saitel Products

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 22 June 2026

      Financial Sector

      • Security Issues In The Korean & Global Financial Sector In May 2026
        "In Attack Stage 1 targeting the financial sector in May 2026, phishing had the highest score at 2.3. This is the highest figure since December 2025, indicating that Initial Breach attempts are increasingly centered on phishing. In Attack Stage 2, Dropper/Downloader had the highest rate at 1.4, while the backdoor also increased to 1.0 from 0.5 the previous month."
        https://asec.ahnlab.com/en/94179/

      Industrial Sector

      • Experts Warn Of 'Mismatch' In US Response To OT Hacking
        "A cyberattack of any significant scale against operational technology in America's vital infrastructure and services would almost immediately overwhelm the online and offline resources available to responders, experts said this week. "We have a very large mismatch between expected capacity, expected demand, and current capacity," said Josh Corman, executive in residence for public safety and resilience at the Institute for Security and Technology."
        https://www.bankinfosecurity.com/experts-warn-mismatch-in-us-response-to-ot-hacking-a-32026

      Vulnerabilities

      • Unpatchable 'usbliter8' Exploit Breaks Apple A12 And A13 SecureROM Boot Chain
        "Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use."
        https://thehackernews.com/2026/06/unpatchable-usbliter8-exploit-breaks.html
        https://ps.tc/pages/blog-usbliter8.html
        https://www.theregister.com/security/2026/06/19/researchers-drop-checkm8-style-bootrom-exploit-for-a12-and-a13-iphones/5259028
      • AutoJack: How a Single Page Can RCE The Host Running Your AI Agent
        "Ongoing research into AI agent framework security identified an exploit chain in AutoGen Studio (AutoGen’s open-source prototyping user interface) that allows untrusted web content rendered by a browsing agent to reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. The technique, which we call AutoJack, jacks the agent into becoming the attacker’s last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on."
        https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
        https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

      Malware

      • People, Process, Personas: Nisos Exposes The Human Risk In DPRK Employment Fraud Schemes
        "Nisos assesses with high confidence that a Democratic People’s Republic of Korea (DPRK) state-sponsored cell conducted industrial-scale employment fraud against US companies, submitting more than 170,000 job applications that yielded 76 employment offers across 22 operatives between December 2024 and September 2025, utilizing appropriated identities, AI-driven interview assistance, and US-based facilitators to infiltrate US companies primarily in the technology sector."
        https://nisos.com/research/dprk-employment-fraud-operation/
        https://www.bankinfosecurity.com/north-korean-workers-try-try-try-again-a-32033
      • Amazon Prime Day 2026: Bargains Begin June 23 — And So Do The Scams
        "When Amazon Prime Day returns on June 23–26, 2026, more than 25 countries will take part in one of the largest shopping windows of the year. Spanning millions of products and generating billions of dollars in transactions in just 96 hours, the event is as lucrative for cyber criminals as it is anticipated by consumers. Major retail moments bring together the three ingredients attackers exploit most: a globally trusted brand, time-limited urgency, and massive purchase intent at scale. The result is predictable — phishing emails, fake websites, fraudulent offers, smishing campaigns, and account takeover attempts impersonating Amazon all surge during this period. What stands out in 2026 is the scale of the infrastructure Check Point Research (CPR) has already observed in the months leading up to the event."
        https://blog.checkpoint.com/research/amazon-prime-day-2026-bargains-begin-june-23-and-so-do-the-scams/
      • FIFA World Cup 2026: Hackers Target Football Fans With Fake Tickets Sites
        "With the FIFA World Cup 2026 matches in full swing, cybercriminals are targeting fans with various scams to capitalize on the tournament’s popularity, security researchers warn. Multiple scam networks have been discovered by security firms so far. These networks are designed to steal funds and personal details from people looking for tickets, hotels, and betting options."
        https://hackread.com/fifa-world-cup-2026-hackers-football-fake-tickets-sites/
      • Supply-Chain Malware Is Evolving And Starting To Spread Like a Worm
        "For years, most supply-chain attacks depended on a single point of compromise. An attacker would gain access to a vendor or library and insert malicious code into a trusted update. From there, the attack would spread only as far as that distribution channel allowed. That model has changed. Emerging threats like Shai-Hulud show how attackers are moving toward self-propagating supply-chain attacks that spread through developer ecosystems without continuous attacker control. Instead of maintaining access to one source, the malware turns each new compromised environment into another distribution point."
        https://blog.barracuda.com/2026/06/18/supply-chain-malware-worm-shai-hulud
      • 1.16 Billion Attacks: How The FortiBleed Crew Broke FortiGate
        "FortiBleed is not just a leak, it is an operation. A multi-operator crew has been running industrial-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide. The numbers are not subtle: 1.16 billion login attempts against 320,777 FortiGate targets, 2.1 billion more against 163,650 MSSQL servers, intercepted hashes cracked on a 45-GPU cluster, and live VPN sessions hijacked to pivot straight into Active Directory. This is the attack chain, the infrastructure behind it, and what it means for defenders."
        https://ransomnews.com/fortibleed-fortigate-bruteforce-operation/
        https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

      Breaches/Hacks/Leaks

      • Texas Govt Data Breach Exposes Over 3 Million Driver’s Licenses
        "The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals. The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access. The state authority found that Social Security Numbers (SSNs), dates of birth, or any financial information, such as credit cards, have not been impacted."
        https://www.bleepingcomputer.com/news/security/texas-govt-data-breach-exposes-over-3-million-drivers-licenses/
        https://www.theregister.com/security/2026/06/19/texas-gov-vendor-breach-exposes-data-of-3m-hunters-anglers/5258815
      • ShinyHunters Threatens To Leak Amazon One Medical Records
        "Amazon bought One Medical for $3.9 billion in 2023 in its bid to bring transformational healthcare experiences to patients through a network of onsite and virtual primary care services. It serves employees of more than 8,500 U.S. clients. Now, prolific digital extortion gang ShinyHunters is threatening to dump 8.8 terabytes of data it allegedly stole from Amazon's One Medical business unit."
        https://www.bankinfosecurity.com/shinyhunters-threatens-to-leak-amazon-one-medical-records-a-32027
      • Leak Exposes Members Of Peter Thiel’s Secretive ‘Dialog’ Society
        "A trove of internal records from a secret society for powerful figures in US politics, finance, and tech was left exposed online, WIRED has confirmed, naming participants in its events and revealing sensitive personal details they were assured would stay private. The group, called Dialog, is a private, invitation-only organization cofounded in 2006 by the billionaire tech investor Peter Thiel. It convenes US officials, foreign government figures, and Silicon Valley executives at off-the-record annual retreats. Dialog has spent two decades declining to disclose its members."
        https://www.wired.com/story/leak-exposes-members-of-peter-thiels-secretive-dialog-society/
        https://securityaffairs.com/193880/intelligence/peter-thiel-secret-society-leak-creates-a-perfect-target-list-for-espionage-influence-operations-and-blackmail.html
      • 24 Billion Records, Including Usernames And Passwords, Exposed In Colossal Data Leak: What Does That Mean For You?
        "Cybernews researchers discovered an exposed database containing 24 billion records, including usernames, email addresses, plaintext passwords, and login URLs. The data appears to come from infostealer malware logs, records stolen from infected devices and collected from Telegram channels, breach compilations, and other sources."
        https://cybernews.com/security/24-billion-credentials-data-leak/
        https://securityaffairs.com/193864/security/24-billion-stolen-credentials-exposed-in-massive-data-leak.html

      General News

      • May 2026 Threat Trend Report On Ransomware
        "This report summarizes the quantity of new ransomware samples collected during the month of May 2026, the number of affected systems, statistics on targeted businesses, and major Korean & Global ransomware issues. Statistics on samples and affected systems are based on AhnLab’s detection names, while statistics on targeted businesses are aggregated based on the time when publicly available information from ransomware groups’ DLS (Dedicated Leaks Sites, ransomware PR sites or PR pages) was collected via the ATIP (AhnLab Threat Intelligence Platform) infrastructure."
        https://asec.ahnlab.com/en/94185/
      • CISA Urges Hardening Fortinet Devices After Reports Of Credential Exposure
        "CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways."
        https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
        https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/
        https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html
        https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/
        https://securityaffairs.com/193902/hacking/cisa-warns-of-active-exploitation-following-fortibleed-leak.html
      • Stressors, AI Forcing Changes To Cybersecurity Teams
        "Chief information security officers (CISOs) are faced with overwhelming workloads, the need to keep up with the changes wrought by AI, and fears of liability if they get something wrong — causing some to leave the industry. More than two-thirds of cybersecurity and IT professionals (68%) consider their job more difficult today than two years ago, with more than half saying that the complexity and workload have both increased (55%), and that cyberthreats have become more overwhelming (52%); that's according to a survey-based report published by the Information Systems Security Association (ISSA) International and analyst firm Omdia."
        https://www.darkreading.com/cybersecurity-operations/stressors-ai-changes-cybersecurity-teams
      • Analysis Of Reported Credential Compromise Of FortiGate Devices
        "Fortinet is aware of reports of malicious cyber actors targeting Fortinet devices in a credential-harvesting campaign referred to as FortiBleed. Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents (FG-IR-26-060, FG-IR-25-647) and employing brute-force techniques (as described in a March blog, “Attacks at the Speed of AI”) against devices with weak password hygiene and no multi-factor authentication (MFA). Fortinet provided detailed guidance at the time of these advisories and we continue to strongly encourage all customers to ensure these remediation steps have been completed."
        https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
      • Companies Are Discarding The Logs They Need To Catch a Breach
        "Many large enterprises discard most of the log data their systems generate, and they do it on purpose to keep costs down. A Dynatrace survey of 450 senior IT leaders at large enterprises found that half of organizations drop or never collect an average of 86 percent of their logs, even after filtering and aggregation. Many also limit how long they retain the logs they do keep. That choice carries a security cost of its own."
        https://www.helpnetsecurity.com/2026/06/19/report-log-management-security-risk/
      • Asia-Pacific Scam Networks Generate Nearly $40 Billion a Year
        "Cybercrime is taking a larger share of criminal activity in Asia and the Pacific. More than half of surveyed jurisdictions reported that cybercrime accounts for over 30% of all crimes recorded nationally, according to INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report. Rapid digital adoption has expanded the region’s digital footprint and increased exposure to cyber threats. Criminal groups target businesses, governments, and individuals through online fraud, ransomware, phishing campaigns, and credential theft."
        https://www.helpnetsecurity.com/2026/06/19/interpol-asia-cybercrime-trends-report/
      • Confidence Lacks In Threat Detection Across Non-Email Channels Like Slack And Teams
        "Cybersecurity leaders are increasingly concerned about their ability to detect threats as attackers shift beyond email to collaboration platforms such as Slack and Microsoft Teams. According to new research from KnowBe4, many organizations lack confidence in their visibility across these non-email channels, despite their growing use in cyber-attacks. An in-person survey of 169 cybersecurity professionals, conducted at Infosecurity Europe 2026, found that 50% said their organization lacks strong confidence in detecting threats across messaging and social platforms."
        https://www.infosecurity-magazine.com/news/threat-detection-across-nonemail/
      • Forget Data Leakage: Shadow AI's Real Threat Is Access Control
        "The first wave of enterprise AI concern was straightforward. It was simply employees pasting sensitive data into public AI tools. Security teams responded with usage policies, domain blocks, and data loss prevention rules. That response made sense at the time. It doesn't fit the problem anymore."
        https://thehackernews.com/2026/06/forget-data-leakage-shadow-ais-real.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 19 June 2026

      Healthcare Sector

      • Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive health-related information and prevent legitimate users from establishing a connection with the device."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01

      Industrial Sector

      • AVer PTC Cameras
        "Successful exploitation of this vulnerability could allow arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-01
      • AzeoTech DAQFactory
        "Successful exploitation of this vulnerability could allow an attacker to upload malicious .ctl files that may lead to arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02
      • Rockwell Automation FactoryTalk Historian Site Edition
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain a valid authentication token, perform a denial of service, or crash the system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-03
      • Schneider Electric EasyLogic T150 And Saitel DP
        "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-04
      • Mitsubishi Electric MELSEC iQ-F Series
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service (DoS) condition in the affected product by rapidly establishing a large number of TCP connections to it, resulting in an inconsistency in the product's internal connection management process and triggering improper memory access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-05
      • Mitsubishi Electric Co.'s MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-06
      • Schneider Electric Easergy, EcoStruxure, PowerLogic, And Saitel Products
        "Schneider Electric is aware of vulnerabilities in its PowerChute™ Serial Shutdown product. The PowerChute Serial Shutdown product is a UPS management software enabling graceful system shutdown and energy management capabilities for desktop, servers and workstations. Failure to apply the remediation provided below may risk improper input validation which could result in disruption of operations and access to system data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-07
      • CISA Urges OT Resilience In Dark Remarks About Cyberattacks
        "Critical U.S. infrastructure like water, power and even banking systems will be successfully hacked by enemy cyber warriors in the event of a military confrontation with a peer adversary like Russia or China, officials from the nation's civilian cyber defense agency said. That means utilities must learn to operate at some level, for some time without reliable internet connectivity or the technology it enables, they said."
        https://www.bankinfosecurity.com/cisa-urges-ot-resilience-in-dark-remarks-about-cyberattacks-a-32014
      • A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q1 2026
        "In Q1 2026, 131 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. Several significant incidents were unveiled this quarter from the perspective of the threat landscape. Reports of attacks on Poland’s critical infrastructure – including traditional and renewable energy, in an attempt to gain access to automated control systems, as well as loud statements about attacks on nuclear power facilities, allegedly “avoided” any potential negative consequences for the facility’s operation, clearly indicate that the Overton window is shifting in a dangerous direction for society."
        https://ics-cert.kaspersky.com/publications/reports/2026/06/18/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2026/

      Vulnerabilities

      • PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed Via Official Channels
        "The Wordfence Threat Intelligence Team was notified on June 11th, 2026 of a potential supply chain compromise affecting ShapedPlugin, a WordPress plugin vendor with over 400,000 active free plugin installations. Fortunately, Wordfence customers have already had malware signature detection for the particular backdoor used in this attack. During our investigation, we discovered that attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels. As with all supply chain compromises, this attack is particularly insidious because affected site owners followed security best practices: they purchased legitimate licenses and installed updates directly from the vendor’s official update system. Supply chain compromises are becoming significantly more common in all software, including WordPress software."
        https://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
        https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/
      • F5 Issues Out-Of-Band Patches For Critical NGINX Vulnerabilities
        "Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems. The two critical vulnerabilities were found in the ngx_http_v3_module (CVE-2026-42530) and the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations."
        https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/
        https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
        https://www.securityweek.com/f5-patches-critical-high-severity-nginx-vulnerabilities/
        https://securityaffairs.com/193842/security/f5-patches-critical-nginx-vulnerabilities-enabling-unauthenticated-code-execution.html
      • Atlassian, Splunk Patch Critical Vulnerabilities
        "Atlassian and Splunk on Wednesday announced patches for multiple vulnerabilities in their products, including critical-severity flaws. Splunk resolved a critical issue in AI Toolkit that could allow authenticated attackers with admin roles to execute arbitrary OS commands on the host the Splunk Enterprise instance runs on. “The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation,” Splunk explains."
        https://www.securityweek.com/atlassian-splunk-patch-critical-vulnerabilities/
      • Critical Command Execution Vulnerability Patched In Cisco ISE
        "Cisco has released fixes for a critical-severity command execution vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2026-20181 (CVSS score of 9.1), the issue exists because user-supplied input is improperly validated, allowing an attacker to send a crafted HTTP request and obtain user-level access to the underlying operating system. The attacker could then elevate their privileges to root."
        https://www.securityweek.com/critical-command-execution-vulnerability-patched-in-cisco-ise/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-G5WP8vv
        https://securityaffairs.com/193849/uncategorized/cisco-fixed-a-critical-ise-vulnerability-that-lets-attackers-to-gain-root-access.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-adds-one-known-exploited-vulnerability-catalog
      • Apple Fixes Beats Studio Buds Flaw That Let Hackers Spy On Conversations
        "Apple has released security updates to patch a high-severity flaw affecting the Beats Studio Buds wireless earbuds that could allow attackers in Bluetooth range to spy on users' conversations. "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests," Apple explained in a Tuesday advisory. "This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party.""
        https://www.bleepingcomputer.com/news/security/apple-fixes-beats-studio-buds-flaw-that-let-hackers-spy-on-conversations/
        https://support.apple.com/en-us/127557
      • FIFA Bug Exposes World Cup Streams To Remote Takeover
        "An egregious access control vulnerability in FIFA's Microsoft Entra environment allowed an ethical hacker to gain direct control over global World Cup television streams, match management systems, and more. Not since 1962, when USSR vice admiral Vasily Arkhipov saved the human race by refusing to consent to a nuclear missile launch, has humanity been spared such a potentially horrific fate as it was just a few days ago."
        https://www.darkreading.com/application-security/fifa-bug-world-cup-streams-remote-takeover
      • Google Told Researcher 'Nice Catch!' Then Denied Bug Bounty For Flaw It Still Hasn't Fixed
        "Google has a security hole in a Kubernetes operator that could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain full control over any organization's cloud environment. Or it has a serious communication and transparency problem when it comes to its bug bounty programs. Maybe both. Researcher and frequent cloud bug hunter Justin O'Leary told us that he found and reported to Google a major flaw that allows any Kubernetes namespace user to bypass GCP's Identity and Access Management (IAM) controls and therefore gain root access to managing an organization's cloud resources."
        https://www.theregister.com/security/2026/06/18/google-told-researcher-nice-catch-then-denied-bug-bounty-for-flaw-it-still-hasnt-fixed/5258076
        https://olearysec.com/research/config-connector-authorization-bypass/
      • PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside The JVM
        "Enterprise resource planning systems handle some of the most sensitive data an organization holds, but they are also deeply connected to internal infrastructure. When a pre-authentication remote code execution (RCE) chain surfaces in one of the most widely deployed ERP platforms and is already being exploited in the wild, it warrants close attention. In this blog entry, TrendAI™ Research details a technical analysis of an active pre-authentication exploitation chain in Oracle PeopleSoft PeopleTools, the development platform used to build and maintain PeopleSoft applications. PeopleSoft PeopleTools versions 8.61, and 8.62 are affected, per Oracle’s advisory."
        https://www.trendmicro.com/en_us/research/26/f/PeopleTools.html
      • Attackers Actively Exploiting Sensitive Information Exposure Vulnerability In Gravity SMTP Plugin
        "On March 30th, 2026, we publicly disclosed a Sensitive Information Exposure vulnerability in Gravity SMTP, a WordPress plugin with an estimated 100,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to retrieve detailed system configuration data and, critically, any API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The vendor released the fully patched version on March 17th, 2026, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on March 30th, 2026. The Wordfence Firewall has already blocked over 17 million exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/

      Malware

      • Crypto Clipper Uses Tor And Worm-Like Propagation For Persistence And Control
        "Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets. The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
        https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
        https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/
        https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
        https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html
      • Klue Integration Abused In Salesforce Data Theft
        "In June 2026, ReliaQuest observed a compromised integration for Klue, a competitive-intelligence platform that syncs battlecard and win/loss data with Salesforce, being used to exfiltrate customer relationship management (CRM) data from enterprise environments. The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data."
        https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft
        https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
        https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise
        https://www.bankinfosecurity.com/attackers-steal-salesforce-data-from-klue-battlecards-users-a-32011
      • Killing Me Gently: Inside Gentlemen’s EDR Killer Framework
        "ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., tools for disrupting security software. Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe."
        https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
        https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
        https://www.bankinfosecurity.com/gentlemen-ransomware-gang-standardizes-edr-killing-a-32007
        https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
      • Operation FanTrap: Inside The FIFA 2026 Fraud Ecosystem
        "The FIFA World Cup 2026 has become more than a global sporting event. It has evolved into a large-scale cybercrime opportunity exploited by threat actors through a coordinated ecosystem of fraudulent domains, social media channels, messaging platforms, pirated streaming services, and dark web activity. Since May 2026, Cyble Research and Intelligence Labs (CRIL) has identified nearly 4,000 domains impersonating FIFA-related brands, ticketing platforms, streaming services, and fan-facing resources."
        https://cyble.com/blog/operation-fantrap-fifa-2026-fraud-ecosystem/
      • Operation Escaneo: Infrastructure Exposure, TTP Analysis, And Attribution Assessment Of An Advanced Intrusion Campaign Against Mexican Federal Agencies And Financial Institutions
        "This report documents a coordinated, multi-stage campaign run by a threat actor targeting critical infrastructure across Latin America. Artifacts from the threat actor's staging server reveal a sophisticated operational toolchain spanning all phases of the MITRE ATT&CK framework, from automated reconnaissance through data exfiltration. The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels."
        https://www.cloudsek.com/blog/operation-escaneo-mexican-government-financial-institutions-cyberattack
        https://www.darkreading.com/cybersecurity-operations/operation-escaneo-signals-shift-latam-threat-landscape
        https://www.infosecurity-magazine.com/news/operation-escaneo-cloudsek-latam/
      • Retro Gaming Fans Are The New Target For Fake GitHub Malware
        "Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console. We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/retro-gaming-fans-are-the-new-target-for-fake-github-malware
      • SmartApeSG Launches Okendo Reviews Supply Chain Attack
        "On May 14, 2026, the Zscaler ThreatLabz team identified unusually high activity associated with the threat actor SmartApeSG to deploy malware. During our examination, we discovered malicious JavaScript code embedded in a legitimate reviews widget found on numerous websites. Our analysis revealed that the affected component was the Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands. Because the Okendo Reviews widget is widely deployed, this compromise enabled downstream exposure across any website that utilized the widget. The widget is typically deployed on high-visibility e-commerce pages, including: storefront homepages, product information pages, and review submissions."
        https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
      • Threat Actors Abuse Claude.ai Shared Chat For ClickFix Malvertising Campaign
        "TrendAI™ Research tracked a sustained malvertising campaign that abused Google Ads to deliver ClickFix social engineering attacks disguised as popular AI developer tools. The campaign impersonated at least six legitimate brand names, including ChatGPT Codex, Perplexity, Cursor IDE, JetBrains, Claude AI, and claude.ai, and simultaneously ran Mac utility scam lures."
        https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html
      • World Cup-Themed Phishing Campaign Delivers Voidrift Malware With Highly Personalized Lures
        "Cofense Intelligence has identified an active phishing campaign exploiting excitement around the FIFA World Cup 2026 to deliver a sophisticated malware family known as Voidrift. The campaign is notable for its high degree of personalization. Each email is tailored with the recipient's name, their company's name, and even the company's logo embedded directly into the image of the free t-shirt, indicating that threat actors invested meaningful reconnaissance effort before launching attacks."
        https://cofense.com/blog/world-cup-themed-phishing-campaign-delivers-voidrift-malware-with-highly-personalized-lures

      Breaches/Hacks/Leaks

      • Nintendo Confirms Data Stolen In WebMD Subsidiary Cyberattack
        "Nintendo of America has confirmed to BleepingComputer that threat actors stole survey data from the third-party TinyPulse service used internally, but its systems were not compromised. The company’s statement comes after claims from the Shadowbyt3$ “extortion-as-a-service” threat group that they exfiltrated sensitive data related to Nintendo of America employees. “We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo."
        https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/

      General News

      • May 2026 Infostealer Trend Report
        "This report summarizes the distribution channels, number of infostealers, number of detections, target companies, and execution types of new infostealers collected during the month of May 2026. The collected samples were analyzed based on data from AhnLab SEcurity intelligence Center (ASEC)’s automated data collection system, Email Honeypot system, automated malware C2 analysis system, and AhnLab product diagnostic logs."
        https://asec.ahnlab.com/en/94172/
      • International Law Enforcement Initiate Hunt On Malware Group SocGholish
        "In Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. Within an international cooperation, 14.971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely: Evil Corp."
        https://www.politie.nl/en/news/2026/juni/18/11-international-law-enforcement-initiate-hunt-on-malware-group-socgholish.html
        https://www.proofpoint.com/us/blog/threat-insight/sayonara-socgholish-operation-endgame-disrupts-major-cybercrime-operation
        https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/
        https://cyberscoop.com/socgholish-malware-botnet-takedown-evilcorp/
        https://hackread.com/operation-endgame-disrupts-socgholish-malware/
        https://www.helpnetsecurity.com/2026/06/18/law-enforcement-socgholish-operation-endgame/
      • AI Inherits People's Permissions But Not Judgment
        "Most enterprise security programs carry a quiet assumption: Whoever sits on the other side of a control is a person. Someone who can be trained, who pauses before acting and who, even with wide-ranging access, brings instinct to bear about what's worth opening, what's safe to share and what to leave untouched."
        https://www.bankinfosecurity.com/blogs/ai-inherits-peoples-permissions-but-judgment-p-4133
        https://mind.io/content/research-report-impact-of-data-trust-on-ai-success
      • 5 Key Takeaways From Inside The Shape-Shifting Inbox: A Modern Playbook For Security Leaders
        "Artificial intelligence is accelerating one of the most significant shifts the cybersecurity industry has seen in years. During Cofense’s webinar, Inside the Shape-Shifting Inbox: A Modern Playbook for Security Leaders, CEO Marc Olsen and Board Advisor George Gerchow explored how AI is transforming phishing from a high-effort, tactical attack into a highly scalable, adaptive business risk."
        https://cofense.com/blog/5-key-takeaways-from-inside-the-shape-shifting-inbox-a-modern-playbook-for-security-leaders
      • How Software Development’s Speed Obsession Enabled TeamPCP’s Chaos Crusade
        "TeamPCP is on a rampage through open-source software. In less than four months, the threat actor has compromised and injected malicious code into more than 1,000 software packages. The extraordinary spree has transformed how software developers and maintainers distribute and manage their code, as their dependencies and repositories have become one of the most effective and prevalent attack vectors this year."
        https://cyberscoop.com/teampcp-breaks-open-source-software-trust-model/
      • Get Out Of Security Debt By Tackling The Exposure Problem
        "Security teams already know they have too many vulnerabilities. What they often underestimate is how much of that risk remains exposed. Right now, 82% of organizations carry security debt. These are vulnerabilities that have been open for more than a year. At the same time, flaws that are both severe and likely to be exploited are increasing. That combination is what turns a backlog into real risk. Vulnerabilities are not just being discovered. They are persisting in production systems long enough to be found and used."
        https://www.darkreading.com/cyber-risk/security-debt-tackle-exposure-problem
      • Securing Digital Keys When Your Phone Unlocks The Car
        "In this interview with Help Net Security, Alysia Johnson, President of the Car Connectivity Consortium (CCC), explains how the CCC Digital Key has grown from a single-brand feature into a standard meant to work across phones, automakers, and suppliers. She talks through what changed with Version 4, why the team focused on interoperability and testing instead of one new threat, and how NFC fallback access stays protected. She also covers fast credential revocation when a phone is lost or stolen, and how crypto agility prepares the standard for post-quantum demands over a car’s long life."
        https://www.helpnetsecurity.com/2026/06/18/alysia-johnson-car-connectivity-consortium-securing-digital-keys/
      • What Happens To Oversight When AI Agents Write a Lab’s Own Code
        "Inside the labs building frontier AI, a growing share of the coding gets done by the AI itself. These agents write, edit, and run software with light human oversight between steps, and they reach into production infrastructure, research pipelines, and potentially the systems that train and evaluate future models. A new analysis from researchers at the University of Oxford and SaferAI digs into the security risks that live in everything around those agents: the people reviewing their code, the pipelines watching them, and the policies that set the rules, along with the models themselves."
        https://www.helpnetsecurity.com/2026/06/18/research-ai-coding-agent-oversight/
        https://arxiv.org/pdf/2606.13474
      • Most Agentic AI Projects In Production Have Stalled Over Data Problems
        "Enterprises are connecting AI agents to live data feeds and putting them to work on tasks that once required human review, from IT operations to software development. The number doing this in production reached 32 percent in 2026, up from 29 percent the year before, according to Confluent’s annual Data Streaming Report, which surveyed 4,625 IT leaders across 14 countries."
        https://www.helpnetsecurity.com/2026/06/18/report-agentic-ai-in-production/
      • AI In The Underground: Curiosity, Claims, And Concerns
        "Counter Threat Unit™ (CTU) researchers have observed artificial intelligence (AI) emerging as a prominent topic in underground communities, with threat actors discussing its potential, claiming its use for malware and tool development, and expressing concerns. Many claims have not been validated, but the posts reveal perceptions about generative AI and examples of how it may be used in cybercriminal activity. In some respects, threat actors are facing the same challenge as everyone else — seeking to preserve economic viability during a technological transition while trying to identify how and when to embrace AI."
        https://www.sophos.com/en-us/blog/ai-in-the-underground-curiosity-claims-and-concerns
        https://www.infosecurity-magazine.com/news/cybercriminals-worried-ai-take/
      • Hostile States Behind 75% Of Cyber-Attacks On UK Critical Infrastructure, NCSC Warns
        "Three-quarters of cyber incidents affecting UK critical infrastructure organizations over the past year originated from nation-state actors or were linked to hostile states such as Russia, China and Iran, according to Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC). Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture 2026 on June 17, Horne said the agency dealt with 200 cyber incidents affecting critical national infrastructure (CNI) between June 2025 and May 2026."
        https://www.infosecurity-magazine.com/news/hostile-states-cni-75-percent-ncsc/
      • Cybercrime Surges In APAC As Digitalization Takes Hold
        "Cybercrime is taking hold in Asia and the South Pacific just as it has elsewhere in the world, with organized crime gangs exploiting the adoption of new technologies, according to Interpol. The policing network said that cybercrime now accounts for 30% of crime in over half of the countries covered by its 2025/2026 Asia and South Pacific Cyberthreat Assessment Report. The study, which is sponsored by the UK government, assessed cybercrime trends across 18 Southeast Asian countries and Pacific Island states."
        https://www.infosecurity-magazine.com/news/cybercrime-surges-apac-digitization/
        https://www.theregister.com/cyber-crime/2026/06/18/cyber-offenses-now-account-for-around-a-third-of-all-crime-across-asia-and-south-pacific/5257716
      • No Exploits Required
        "Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning and shrewd. We’re all dedicated to the notion that it is, in fact, possible to secure networks by being smart and creative with your approaches to exposure management."
        https://www.securityweek.com/no-exploits-required/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Supply chain attack discovered via the ShapedPlugin update system, affecting WordPress websites


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Kodak confirms data breach after the ShinyHunters group claims to have stolen more than 2.2 million records


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Beware of crypto-stealing malware that relies on a network of fake reviews to build credibility and deceive users


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT