โพสต์ถูกสร้างโดย NCSA_THAICERT

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 19 มีนาคม 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

• CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ เมื่อวันที่ 19 มีนาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-26-078-03 Schneider Electric EcoStruxure Automation Expert
• ICSA-26-078-04 Schneider Electric EcoStruxure Power
• ICSA-26-078-06 CTEK Chargeportal
• ICSA-26-078-07 IGL-Technologies eParking.fi
• ICSA-26-078-08 Automated Logic WebCTRL Premium Server

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories

Industrial Sector

• CTEK Chargeportal
  "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06
• IGL-Technologies eParking.fi
  "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-07
• Automated Logic WebCTRL Premium Server
  "Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
• Schneider Electric Modicon M241, M251, And M262
  "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-01
• Schneider Electric Modicon Controllers M241, M251, M258, And LMC058
  "Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-02
• Schneider Electric EcoStruxure Automation Expert
  "Schneider Electric is aware of a vulnerability in its EcoStruxure Automation Expert product. The EcoStruxure Automation Expert product is plant automation software designed for digital control systems in discrete, hybrid and continuous industrial processes. A totally integrated automation solution designed to enhance your flexibility, efficiency and scalability. Failure to apply the remediation provided below may risk execution of arbitrary commands on the engineering workstation, which could result in a potential compromise of full system."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03
• Schneider Electric EcoStruxure PME And EPO
  "Schneider Electric is aware of a vulnerability in its EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) products. EcoStruxure Power Monitoring Expert (PME) is an on-premises software used to help power critical and energy-intensive facilities maximize uptime and operational efficiency. EcoStruxure Power Operation (EPO) are on-premises software offers that provides a single platform to monitor and control medium and lower power systems.Failure to apply the fix provided below may risk local arbitrary code execution, which could result in the local system being compromised, a disruption of operations, and/or unauthorized administrative control of the system."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-04
• Mitsubishi Electric CNC Series
  "Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-05
• A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q4 2025
  "In Q4 2025, 161 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. When evaluating the results of the quarter in terms of publicly confirmed cyberincidents at industrial enterprises, several observations can be made. First, attention is drawn to the disproportionately large number of incidents that have occurred in organizations from certain countries and territories, such as Japan and Taiwan. The number of incidents is particularly high when looking at estimates of the accessibility of computers related to industrial automation systems in these countries to cyberthreats."
  https://ics-cert.kaspersky.com/publications/reports/2026/03/19/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q4-2025/

Vulnerabilities

• Max Severity Ubiquiti UniFi Flaw May Allow Account Takeover
  "Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts. The UniFi Network app (also known as the UniFi Controller) is management software that helps configure, monitor, and optimize Ubiquiti UniFi networking hardware, such as access points, switches, and gateways. "Combines powerful internet gateways with scalable WiFi and switching. Provides real-time traffic dashboards, visual topology maps, and optimization tips," the networking device manufacturer says. "The preferred way to deploy UniFi Network is on a UniFi Cloud Gateway, rather than on a server, laptop, or other self-hosted environment.""
  https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-unifi-flaw-that-may-enable-account-takeover/
  https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b
  https://securityaffairs.com/189689/security/critical-ubiquiti-unifi-unifi-security-flaw-allows-potential-account-hijacking.html
• Magento PolyShell: Unrestricted File Upload In Magento And Adobe Commerce
  "A critical flaw in Magento's REST API lets unauthenticated attackers upload executable files to any store. We named the vulnerability "PolyShell" because the attack uses a polyglot (code disguised as image). Sansec has not observed active exploitation so far. However, the exploit method is circulating already and Sansec expects automated attacks to appear soon."
  https://sansec.io/research/magento-polyshell
  https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/03/19/cisa-adds-one-known-exploited-vulnerability-catalog
  https://securityaffairs.com/189682/security/u-s-cisa-adds-a-flaw-in-cisco-fmc-and-cisco-scc-firewall-management-to-its-known-exploited-vulnerabilities-catalog.html
• RIP RegPwn
  "As part of MDSec’s R&D work, we often discover vulnerabilities and develop exploits to support our red team engagements. When researching widely used software, it is often only a matter of time before the same vulnerability is discovered by other researchers and reported to the vendor. Two weeks ago we outlined an Elevation of Privilege vulnerability in Windows 11 that we had been leveraging in red teams but decided to report to the vendor ourselves. Ironically, today we’re documenting another Elevation Of Privilege vulnerability that was so elegant in its indicators, we kept it internal and used with great success across red team engagements since January 2025. For what will become obvious reasons, we named this vulnerability RegPwn and it affected Windows 10 and 11, as well as Windows Server 2012, 2016, 2019, 2022, and 2025. This vulnerability was fixed this Patch Tuesday and we believe is tracked as CVE-2026-24291."
  https://www.mdsec.co.uk/2026/03/rip-regpwn/

Malware

• Winos4.0 Malware Disguised As KakaoTalk Installation File
  "Typically, people perceive the sites that appear at the top of Google search results as the “most authoritative and official” sites. however, threat actors are playing on the psychology of such users, manipulating the search engine’s algorithms to place malicious sites at the top. SEO poisoning is an attack technique in which threat actors exploit search engine optimization (SEO) techniques to push malicious websites they control to the top of search results for specific keywords, often on pages one to three. the goal is to distribute malware or steal information by directing users to a carefully crafted fake site when they are trying to download official software or find information."
  https://asec.ahnlab.com/en/92971/
• Perseus: DTO Malware That Takes Notes
  "Most mobile malware must continuously evolve to remain effective in an environment shaped by improving security measures, platform restrictions, and user awareness. Rather than relying solely on traditional techniques, contemporary threats increasingly adapt by introducing new capabilities and leveraging legitimate system features in unintended ways. This ongoing evolution reflects a broader trend in which attackers refine their tooling to maintain persistence, evade detection, and maximize control over compromised devices, highlighting the importance of studying how such threats adapt over time."
  https://www.threatfabric.com/blogs/perseus-dto-malware-that-takes-notes
  https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-checks-user-notes-for-secrets/
  https://thehackernews.com/2026/03/new-perseus-android-banking-malware.html
  https://therecord.media/malware-streaming-apps-android
• Operation GhostMail: Russian APT Exploits Zimbra Webmail To Target Ukraine State Agency
  "Seqrite Labs identified a targeted phishing campaign that exploits a cross-site scripting (XSS) vulnerability in Zimbra Collaboration (ZCS) to compromise a Ukrainian government entity. The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email, there are no malicious attachments. A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376 which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content."
  https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/
  https://www.bleepingcomputer.com/news/security/russian-apt28-military-hackers-exploit-zimbra-flaw-in-ukrainian-govt-attacks/
  https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html
  https://therecord.media/russia-hackers-ukraine-zimbra-breach
  https://securityaffairs.com/189673/security/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html
  https://www.securityweek.com/russian-apt-exploits-zimbra-vulnerability-against-ukraine/
• Everyday Tools, Extraordinary Crimes: The Ransomware Exfiltration Playbook
  "As defenders have improved their ability to detect malicious code, attackers have adapted by reducing their reliance on bespoke implants. As a result, data exfiltration is no longer primarily driven by custom malware or specialized tooling. Instead, many modern exfiltration operations leverage legitimate, widely deployed utilities already present in enterprise environments, along with benign cloud storage locations as the destination of the exfiltration connections. This shift significantly complicates detection. Tools and services used for routine business operations can be repurposed to transfer stolen data outside the network without triggering traditional security controls. In many real-world incidents, exfiltration does not rely on novel protocols, custom command-and-control (C2) infrastructure, or overtly malicious binaries."
  https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-ransomware-exfiltration-playbook/
• Hasta La Vista, Hastalamuerte: An Overview Of The Gentlemen's TTPs
  "In face of so many new ransomware brands, and still remaining RaaS operations such as Medusa, Qilin, and DragonForce, prioritizing is not an easy task to accomplish. However, despite the amount of groups conducting attacks for extortion, the TTPs do not change that much; unless we are talking about Cl0p, Akira and other groups that pose a high risk. After all, why should they exploit complex and time-consuming vulnerabilities when there are so many low-hanging fruit out there such as vulnerable web-based remote services like RDWeb and SSL VPN devices and default or easy-to-guess passwords to brute force? Anyway, it is not up to us, but to the criminals, to decide what is the best (or the worst) strategy for a ransomware or extortion operation to conduct attacks."
  https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
  https://www.infosecurity-magazine.com/news/ransomware-affiliate-gentlemen/
• Windsurf IDE Extension Drops Malware Via Solana Blockchain
  "Bitdefender researchers have discovered a malicious Windsurf IDE (integrated development environment) extension that deploys a multi-stage NodeJS stealer by using the Solana blockchain as the payload infrastructure. The extension, disguised as an R language support extension for Visual Studio Code, retrieves encrypted JavaScript from blockchain transactions, executes it using NodeJS runtime primitives, drops compiled add-ons to extract Chromium data, all the while establishing persistence with the help of a hidden PowerShell scheduled task. There’s an official, legitimate extension named REditorSupport, which is likely why the attacker used a very similar name to confuse potential victims."
  https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana
  https://hackread.com/windsurf-ide-extension-solana-blockchain-developer-data/
• Russia Turns Vienna Into West’s Biggest Spy Hub – Tracking NATO Communications
  "Russia has turned Vienna into its largest electronic espionage hub in the West, using its diplomatic compounds to monitor sensitive communications across NATO, the Middle East, and Africa. From rooftops across the Austrian capital, clusters of satellite dishes are used for covert signals intelligence (SIGINT), reviving a major Cold War-era function, the Financial Times reported, citing sources familiar with the matter. “This is one of our main concerns,” a senior European diplomat in Vienna said. “They are targeting NATO government and military communications… Vienna is their hub in Europe.”"
  https://www.kyivpost.com/post/72072
  https://securityaffairs.com/189653/intelligence/russia-establishes-vienna-as-key-western-spy-hub-targeting-nato.html
• New Malware Targets Users Of Cobra DocGuard Software
  "Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks the functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. Notably, Speagle appears to be capable of collecting information on highly targeted subjects, such as specifically seeking out documents related to Chinese ballistic missiles."
  https://www.security.com/threat-intelligence/speagle-cobradocguard-infostealer
  https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html
• EDR Killers Explained: Beyond The Drivers
  "In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides the dominating Bring Your Own Vulnerable Driver (BYOVD) technique, we also see attackers frequently abusing legitimate anti-rootkit utilities or using driverless approaches to block the communication of endpoint detection and response (EDR) software or suspend it in place. These tools are not just plentiful, but also behave predictably and consistently, which is precisely why affiliates reach for them."
  https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
  https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
  https://www.helpnetsecurity.com/2026/03/19/edr-killer-ransomware-attacks/
• Analyzing The Current State Of AI Use In Malware
  "Unit 42 researchers searched through open-source intelligence (OSINT) and our internal telemetry for potential signs of malware made to any degree with large language models (LLMs). This includes either using LLMs to create the malware entirely or to assist with their functionality. This article examines two samples, both of which originated from our OSINT hunts. The rise of AI has sparked considerable interest in its potential applications within cybersecurity, both from the defender and attacker perspectives. We currently consider three primary use cases for AI as applied by the creators of malware:"
  https://unit42.paloaltonetworks.com/ai-use-in-malware/

Breaches/Hacks/Leaks

• Navia Discloses Data Breach Impacting 2.7 Million People
  "Navia Benefit Solutions, Inc. (Navia) is informing nearly 2.7 million individuals of a data breach that exposed their sensitive information to attackers. An investigation into the incident revealed that the hackers had access to the organization's systems between December 22, 2025, and January 15, 2026. However, the company discovered the suspicious activity on January 23. Navia says that it responded immediately and launched an inquiry to determine the potential impact of the incident."
  https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/
  https://www.bankinfosecurity.com/worker-benefits-administrator-notifying-27m-hack-a-31085
• Bitrefill Blames North Korean Lazarus Group For Cyberattack
  "Crypto-powered gift card store Bitrefill says that the attack it suffered at the beginning of the month was likely perpetrated by North Korean hackers of the Bluenoroff group. During the investigation, the platform observed indicators similar to previous attacks attributed to the North Korean threat actor, like tactics, malware, IP and email addresses. “Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries,” reads Bitrefill's statement."
  https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/

General News

• CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization
  "CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.1 To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions."
  https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization
  https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117
  https://www.bleepingcomputer.com/news/security/cisa-warns-businesses-to-secure-microsoft-intune-systems-after-stryker-breach/
  https://therecord.media/fbi-cisa-warn-of-microsoft-intune-risks-stryker
  https://www.bankinfosecurity.com/microsoft-intune-mdm-gains-notoriety-after-stryker-hack-a-31084
  https://cyberscoop.com/feds-keep-eyes-peeled-for-iran-cyberattacks-respond-to-stryker-breach/
  https://www.theregister.com/2026/03/19/microsoft_intune_lockdown_stryker/
  https://www.helpnetsecurity.com/2026/03/19/cisa-endpoint-management-system-warning/
• February 2026 APT Attack Trends Report (South Korea)
  "AhnLab utilizes its infrastructure to monitor for Advanced Persistent Threat (APT) attacks in South Korea. This report covers the classification and statistics on APT attacks on South Korea targets identified during the month of February 2026, and introduces the features of each type."
  https://asec.ahnlab.com/en/92972/
• FBI Seizes Handala Data Leak Site After Stryker Cyberattack
  "The FBI has seized two websites used by the Handala hacktivist group after the threat actors conducted a destructive cyberattack on medical technology giant Stryker that wiped approximately 80,000 devices. Both the hacktivist's handala-redwanted[.]to and handala-hack[.]to clearnet domains now display a seizure notice stating that the websites were seized under a seizure warrant issued by the District Court for the District of Maryland. "This domain has been seized by the Federal Bureau of Investigation ("FBI") pursuant to a seizure warrant issued by a United States District Court for the District of Maryland as apart of a law enforcement action by the FBI. Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor," reads the seizure message."
  https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/
• Rethinking Cyber Preparedness In Age Of AI Cyberwarfare
  "Artificial intelligence is fundamentally transforming the cyberwarfare landscape, and while they may think otherwise, most organizations aren't ready for an AI-driven attack. Nearly 80% of IT decision-makers say their organization is prepared to handle a cyberwarfare attack, and 76% say they're confident they could combat AI-based attacks. But 54% of organizations say they have been hit by an AI-generated or AI-led attack in the past 12 months, and half of those haven't adequately secured their environment in the aftermath, according to a report by security firm Armis."
  https://www.bankinfosecurity.com/rethinking-cyber-preparedness-in-age-ai-cyberwarfare-a-31086
• The Agentic Era Arrives: How AI Is Transforming The Cyber Threat Landscape
  "The cyber security landscape is undergoing a significant shift. Between January and February 2026, we observed a major evolution in how threat actors adopt, weaponize, and operationalize AI. What was once experimental is now mature. What once required coordinated teams can now be executed by a single experienced developer with an AI‑powered IDE. And what enterprises embraced for productivity has simultaneously become a rapidly expanding attack surface. This report highlights the most significant trends shaping today’s threat environment-and what defenders must prepare for next."
  https://blog.checkpoint.com/research/the-agentic-era-arrives-how-ai-is-transforming-the-cyber-threat-landscape/
  https://engage.checkpoint.com/cpr-ai-threat-landscape-digest
• Inside Russia’s Shift To Credential-Based Intrusions: What CISOs Need To Know In 2026
  "Russia-linked hacktivist activity has entered a noticeably different phase. While earlier campaigns leaned heavily on disruption through denial-of-service and opportunistic scanning of exposed systems, the current trajectory shows a stronger dependence on credential-based intrusions and identity-based cyber attacks. For security leaders, this evolution matters because it lowers the technical barrier to entry while increasing the blast radius of compromise."
  https://cyble.com/blog/russia-credential-based-intrusions-cisos/
• AI Conundrum: Why MCP Security Can't Be Patched Away
  "Organizations rushing to connect their LLM-powered apps to external data sources and services using the Model Context Protocol (MCP) may be inadvertently creating attack surfaces that are fundamentally different from anything their existing security controls can handle. Making matters worse is that the risks are not the kind a security team can address via patching or configuration changes because they exist at the architectural level in both large language models (LLMs) and in MCP, says Gianpietro Cutolo, cloud threat researcher at Netskope, who is scheduled to highlight the issue at a session next week at the RSAC 2026 Conference in San Francisco"
  https://www.darkreading.com/application-security/mcp-security-patched
• SpyCloud’s 2026 Identity Exposure Report Reveals Explosion Of Non-Human Identity Theft
  "SpyCloud, the leader in identity threat protection, today released its annual 2026 Identity Exposure Report, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground and highlighting a sharp expansion in non-human identity (NHI) exposure. Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII)."
  https://hackread.com/spyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft/
  https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2026/
• AI Got It Wrong With High Confidence. Now What?
  "In this Help Net Security interview, Christian Debes, Head of Data Analytics & AI at SPRYFOX, talks about the growing gap between what AI models do and what their operators can explain. He argues this gap is already a liability, particularly when decisions affect people or money and no one can say why a model produced a certain output. Debes walks through how responsible teams approach confident wrong answers, why procurement leaders bear accountability when AI systems fail, and what explainability means as a translation layer between technical teams and business operators. He also addresses the EU AI Act and its risk of producing compliance theater, and closes with a frank assessment of where AI infrastructure is headed if explainability does not keep pace with model complexity."
  https://www.helpnetsecurity.com/2026/03/19/christian-debes-spryfox-ai-explainability-accountability/
• Iran Readied Cyberattack Capabilities For Response Prior To Epic Fury
  "America, Israel and ‘facilitating’ Gulf states received malicious attacks from Iranian APTs within days of Epic Fury, and there are around 60 Iran-linked hacktivist groups currently operating. It is little surprise that malicious Iranian cyber activity increased immediately after the US/Israel strikes commenced at the end of February 2026. It is more surprising that MOIS (Iranian Ministry of Intelligence and Security) and IRGC linked cyber groups seemed to be preparing themselves for this event. A study by Augur Security, which uses AI and behavioral modeling to provide early identification and mapping of malicious infrastructure, demonstrates that numerous government-linked groups (either with MOIS or one of the Islamic Revolutionary Guard Corps – IRGC – cyber units) showed increased infrastructure activity in the six months prior to Epic Fury."
  https://www.securityweek.com/iran-readied-cyberattack-capabilities-for-response-prior-to-epic-fury/
  https://www.augursecurity.com/post/threat-research-iran-2026-threat-posture-assessment
• 2026 Mobile Security: How Regulation And AI Are Reshaping Risk
  "Mobile security is entering its most transformative phase yet. Mobile is now the largest attack surface in the enterprise, and the least protected. In 2026, two forces will converge to redefine risk: regulatory shifts and the acceleration of AI-driven development. These changes will not only reshape how mobile apps are built, distributed, and secured but also challenge enterprises to rethink their governance, strategy, and resilience. The winners will be those who adapt quickly, leveraging AI responsibly while embedding mobile security into the foundations of development, not bolting it on after the fact."
  https://zimperium.com/blog/2026-mobile-security-how-regulation-and-ai-are-reshaping-risk
  https://www.infosecurity-magazine.com/news/financial-brands-mobile-banking/
• Federal Jury Convicts Charlotte Man For Cyber Extortion Scheme That Targeted International Technology Company
  "A federal jury returned a guilty verdict yesterday against a Charlotte man for carrying out an extensive cyber extortion scheme against a D.C.-based international technology company, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina. Cameron Curry, 27, was convicted of six counts of transmitting or willfully causing interstate communications with the intent to extort a victim company. U.S. District Judge Kenneth D. Bell presided over the three-day trial."
  https://www.justice.gov/usao-wdnc/pr/federal-jury-convicts-charlotte-man-cyber-extortion-scheme-targeted-international
  https://cyberscoop.com/cameron-curry-insider-attack-washington-tech-company/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ช่องโหว่ด้านความมั่นคงปลอดภัยที่ตรวจพบในผลิตภัณฑ์ Cisco Secure Firewall Management Center (FMC) ซึ่งเป็นระบบบริหารจัดการอุปกรณ์ Firewall ที่หน่วยงานจำนวนมากใช้งาน โดยบริษัทผู้พัฒนาได้เผยแพร่ประกาศแจ้งเตือนช่องโหว่ระดับวิกฤตหลายรายการ ซึ่งอาจส่งผลให้ผู้โจมตีสามารถสั่งให้ระบบประมวลผลคำสั่งที่เป็นอันตรายหรือยึดครองระบบได้ โดยช่องโหว่ที่สำคัญ ได้แก่ [1]

CVE-2026-20079 (CVSS v3.1: 10.0) เป็นช่องโหว่ประเภท Authentication Bypass ซึ่งอาจเปิดโอกาสให้ผู้โจมตีสามารถหลีกเลี่ยงกระบวนการยืนยันตัวตน และเข้าถึงฟังก์ชันหรือทรัพยากรของระบบที่ควรถูกจำกัดสิทธิ์ได้ โดยช่องโหว่นี้อาจถูกนำไปใช้ร่วมกับช่องโหว่อื่นเพื่อดำเนินการโจมตีเพิ่มเติม [2]
CVE-2026-20131 (CVSS v3.1: 10.0) เป็นช่องโหว่ประเภท Remote Code Execution (RCE) ที่เกิดจากการจัดการข้อมูล Java Deserialization ที่ไม่ปลอดภัย ซึ่งอาจเปิดโอกาสให้ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถส่งข้อมูลที่ถูกสร้างขึ้นเป็นพิเศษเพื่อสั่งให้ระบบประมวลผลคำสั่งหรือโค้ดที่ไม่ได้รับอนุญาต และยกระดับสิทธิ์เป็นระดับ root ได้ [3]

ทั้งนี้ มีรายงานจากแหล่งข้อมูลด้านความมั่นคงปลอดภัยบางแห่งว่าช่องโหว่ CVE-2026-20131 อาจถูกนำไปใช้ในการโจมตีจริงแล้วโดยกลุ่มแรนซัมแวร์ Interlock ซึ่งเปิดโอกาสให้ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถรันโค้ดบนระบบด้วยสิทธิ์ระดับ root ได้ ขณะที่ช่องโหว่ CVE-2026-20079 ซึ่งเป็น Authentication Bypass แม้ยังไม่พบการใช้โจมตีโดยตรง แต่มีความเสี่ยงสูงและอาจถูกนำไปใช้ร่วมกับช่องโหว่อื่นในการโจมตีได้ จึงขอให้ผู้ดูแลระบบเฝ้าระวังและติดตามสถานการณ์อย่างใกล้ชิด

2. ลักษณะการโจมตี
   หากผู้โจมตีสามารถใช้ประโยชน์จากช่องโหว่ดังกล่าวได้สำเร็จ อาจส่งผลให้เกิดความเสี่ยงต่อระบบของหน่วยงาน ดังนี้
   2.1 ผู้โจมตีอาจหลีกเลี่ยงกระบวนการยืนยันตัวตนของระบบ (Authentication Bypass) เพื่อเข้าถึงฟังก์ชันหรือทรัพยากรที่ควรถูกจำกัดสิทธิ์
   2.2 ผู้โจมตีอาจสามารถใช้ช่องโหว่เพื่อส่งข้อมูลที่ถูกสร้างขึ้นเป็นพิเศษเพื่อสั่งให้ระบบประมวลผลคำสั่งหรือโค้ดที่ไม่ได้รับอนุญาต
   2.3 ผู้โจมตีอาจสามารถยกระดับสิทธิ์และเข้าควบคุมระบบบริหารจัดการ Firewall ด้วยสิทธิ์ระดับสูง
   2.4 ผู้โจมตีสามารถใช้ระบบที่ถูกยึดครองเป็นฐานในการโจมตีต่อไปยังเครือข่ายภายในหน่วยงาน
   2.5 ผู้โจมตีอาจติดตั้งมัลแวร์หรือเครื่องมือเพิ่มเติมเพื่อคงอยู่ในระบบ (persistence) และดำเนินการโจมตีหรือกิจกรรมที่เป็นอันตรายในระยะยาว

3. ผลิตภัณฑ์ที่ได้รับผลกระทบ [4]
   ช่องโหว่ดังกล่าวส่งผลกระทบต่อผลิตภัณฑ์ของ Cisco ดังต่อไปนี้

• Cisco Secure Firewall Management Center (FMC) Software (on-premises)
  • เวอร์ชัน 6.4
  • เวอร์ชัน 7.X (ตั้งแต่ 7.0 ถึง 7.7)
  • เวอร์ชัน 10.0.0
    ทั้งนี้
• ระบบ Cisco Security Cloud Control (SCC) ซึ่งเป็นบริการแบบ SaaS ได้รับการอัปเดตแก้ไขโดยอัตโนมัติจากผู้พัฒนาแล้ว

4. แนวทางการแก้ไข
   4.1 ดำเนินการอัปเดตแพตช์ความปลอดภัยของ Cisco Secure Firewall Management Center (FMC) เป็นเวอร์ชันที่ได้รับการแก้ไข (Fixed Release) โดยเร็วที่สุด
   โดยสามารถศึกษารายละเอียดเวอร์ชันที่ได้รับผลกระทบและเวอร์ชันที่ได้รับการแก้ไขได้จากประกาศของ Cisco ดังนี้

• สำหรับช่องโหว่ CVE-2026-20079 ท่านสามารถติดตามอัปเดตการแก้ไขได้ที่ https://dg.th/4o7bik8ucp
• สำหรับช่องโหว่ CVE-2026-20131 ท่านสามารถติดตามอัปเดตการแก้ไขได้ที่ https://dg.th/ormdqgs2ue
  4.2 ตรวจสอบ Log ของระบบ เช่น Web Management Logs, System Logs และ Network Logs เพื่อค้นหาความผิดปกติหรือร่องรอยการโจมตี
  4.3 ตรวจสอบความผิดปกติภายในระบบ เนื่องจากช่องโหว่นี้อาจเปิดโอกาสให้ผู้โจมตีรันโค้ดด้วยสิทธิ์ root และใช้ระบบเป็นฐานในการโจมตีต่อภายในเครือข่าย

5. หากยังไม่สามารถอัปเดตได้ ควรดำเนินการดังนี้
   5.1 จำกัดการเข้าถึง Web-based Management Interface ของ Cisco Secure Firewall Management Center (FMC) เฉพาะผู้ดูแลระบบหรือเครือข่ายที่จำเป็น และหลีกเลี่ยงการเปิดหน้า Management ให้เข้าถึงได้จากอินเทอร์เน็ตโดยตรง
   5.2 ใช้มาตรการควบคุมการเข้าถึง เช่น การจำกัด IP, การแยกเครือข่ายสำหรับระบบบริหารจัดการ (management network segmentation) และการใช้งาน VPN สำหรับผู้ดูแลระบบ เพื่อช่วยลดโอกาสการถูกโจมตีจากภายนอก
   5.3 ตรวจสอบความผิดปกติของระบบ เช่น การรัน process ที่ไม่รู้จัก การเปลี่ยนแปลงไฟล์สำคัญ การสร้างบัญชีผู้ใช้หรือ scheduled task ที่ไม่ได้รับอนุญาต และพฤติกรรมที่อาจบ่งชี้ว่าผู้โจมตีได้รับสิทธิ์ระดับสูงแล้ว

เนื่องจากช่องโหว่นี้มีความรุนแรงระดับวิกฤต และสามารถถูกใช้เพื่อยกระดับสิทธิ์หรือรันคำสั่งบนระบบได้ ผู้ดูแลระบบควรดำเนินการอัปเดตแพตช์ความปลอดภัยเป็นเวอร์ชันที่ได้รับการแก้ไขโดยเร็วที่สุด

ThaiCERT ขอแจ้งเตือนหน่วยงานที่ใช้งาน Cisco Secure Firewall Management Center (FMC) ให้เร่งดำเนินการตรวจสอบเวอร์ชันของระบบ และอัปเดตแพตช์ความปลอดภัยตามที่ผู้พัฒนาแนะนำโดยเร็ว พร้อมทั้งดำเนินมาตรการควบคุมการเข้าถึงระบบบริหารจัดการอย่างเหมาะสม เพื่อลดความเสี่ยงจากการถูกโจมตีและการเข้าถึงระบบโดยไม่ได้รับอนุญาต

อ้างอิง
[1] https://dg.th/wr7s4g86m1
[2] https://dg.th/4o7bik8ucp
[3] https://dg.th/ormdqgs2ue
[4] https://dg.th/omvn4fgudy

เมื่อวันที่ 18 มีนาคม 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

• CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog-0
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 6 รายการ เมื่อวันที่ 19 มีนาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-26-076-01 CODESYS in Festo Automation Suite
• ICSA-26-076-02 Schneider Electric SCADAPack and RemoteConnect
• ICSA-26-076-03 Schneider Electric EcoStruxure IT Data Center Expert
• ICSA-26-076-04 Siemens SICAM SIAPP SDK
• ICSA-25-160-02 Hitachi Energy’s Relion 670, 650, SAM600-IO series (Update A)
• ICSA-26-015-10 Schneider Electric EcoStruxure Power Build Rapsody (Update A)

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• CODESYS In Festo Automation Suite
  "The following versions of CODESYS in Festo Automation Suite are affected:"
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-01
• Schneider Electric SCADAPack And RemoteConnect
  "Schneider Electric is aware of a vulnerability in its SCADAPack x70 RTU products. The SCADAPack 47xi, SCADAPack 47x and SCADAPack 57x product are Remote Terminal Units that provide communication capabilities for remote monitoring and control. Failure to apply the remediations provided below may risk unauthorized access to your RTU, which could result in the possibility of denial of service and loss of confidentiality, integrity of the controller."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-02
• Schneider Electric EcoStruxure Data Center Expert
  "Schneider Electric is aware of a hard-coded credentials vulnerability in its EcoStruxure IT Data Center Expert (DCE) product that requires administrator credentials and enabling a feature (SOCKS Proxy) that is off by default. The EcoStruxure IT Data Center Expert product is a scalable monitoring software that collects, organizes, and distributes critical device information providing a comprehensive view of equipment. Failure to apply the remediation provided below may risk information disclosure, and remote compromise of the offer which could result in disruption of operations and access to system data."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-03
• Siemens SICAM SIAPP SDK
  "The SICAM SIAPP SDK contains multiple vulnerabilities that could allow an attacker to disrupt the customer-developed SIAPP or its simulation environment. Potential impacts include denial of service within the SIAPP, corruption of SIAPP data, or exploit the simulation environment. These vulnerabilities are only exploitable if the API is used improperly or hardening measures are not applied. Siemens has released a new version for SICAM SIAPP SDK and recommends to update to the latest version."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-04

Vulnerabilities

• Vulnerability Advisory: Pre-Auth Remote Code Execution Via Buffer Overflow In Telnetd LINEMODE SLC Handler
  "Dream Security uncovered a new buffer overflow vulnerability (CVE-2026-32746) in the GNU Inetutils telnetd daemon, specifically in the code that handles LINEMODE SLC (Set Local Characters) option negotiation. An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears. Successful exploitation can result in remote code execution as root. An initial report was sent to the GNU Inetutils security team following the discovery. Given the trivial exploitation requirements and the complete system compromise this enables, service disablement is required, until a fix will be released."
  https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
  https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
  https://securityaffairs.com/189620/hacking/researchers-warn-of-unpatched-critical-telnetd-flaw-affecting-all-versions.html
• Your KVM Is The Weak Link: How $30 Devices Can Own Your Entire Network
  "Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it. Not “kind of like” physical access. Actual keyboard, video, and mouse control, at the BIOS level, below the operating system, below EDR, below every security control you have deployed. An attacker may also use the USB drive and CD image emulation feature to boot the system from removable media, thereby proving the ability to access the OS file systems directly and/or install a new OS. This is an attack surface that security teams consistently overlook."
  https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/
  https://thehackernews.com/2026/03/9-critical-ip-kvm-flaws-enable.html
• ConnectWise Patches New Flaw Allowing ScreenConnect Hijacking
  "ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation. The flaw affects ScreenConnect versions before 26.1. It is tracked as CVE-2026-3564 and received a critical severity score. ScreenConnect is a remote access platform typically used by managed service providers (MSPs), IT departments, and support teams. It can be either cloud-hosted by ConnectWise or on-premise on the customer's server."
  https://www.bleepingcomputer.com/news/security/connectwise-patches-new-flaw-allowing-screenconnect-hijacking/
  https://nvd.nist.gov/vuln/detail/CVE-2026-3564
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-66376 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog
  https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-zimbra-xss-flaw-exploited-in-attacks/
  https://securityaffairs.com/189628/security/u-s-cisa-adds-microsoft-sharepoint-and-zimbra-flaws-to-its-known-exploited-vulnerabilities-catalog.html
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog-0
• Apple Pushes First Background Security Improvements Update To Fix WebKit Flaw
  "Apple has released its first Background Security Improvements update to fix a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs without requiring a full operating system upgrade. The CVE-2026-20643 flaw allows malicious web content to bypass the browser's Same Origin Policy. Apple says the flaw is a cross-origin issue in the Navigation API that was addressed with improved input validation. The vulnerability was discovered by security researcher Thomas Espach, with the new update available on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2."
  https://www.bleepingcomputer.com/news/security/apple-pushes-first-background-security-improvements-update-to-fix-webkit-flaw/
  https://thehackernews.com/2026/03/apple-fixes-webkit-vulnerability.html
  https://www.securityweek.com/apple-debuts-background-security-improvements-with-fresh-webkit-patches/
  https://www.helpnetsecurity.com/2026/03/18/apple-background-security-improvements-updates/
  https://www.malwarebytes.com/blog/news/2026/03/apple-patches-webkit-bug-that-could-let-sites-access-your-data
• Claudy Day: Chaining Prompt Injection And Data Exfiltration In Claude.ai
  "Claude.ai is one of the most widely used AI assistants worldwide. Millions of people trust it with sensitive conversations, business strategy, health concerns, financial planning, personal relationships, and increasingly connect it to enterprise tools, files, and APIs through integrations and MCP servers. That trust comes with a critical assumption: that the instructions Claude receives are the ones the user intended to give. Oasis Security researchers discovered that for a significant period, this assumption could be broken, and worked with Anthropic to close the gap."
  https://www.oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability
  https://www.darkreading.com/vulnerabilities-threats/claudy-day-trio-flaws-claude-users-data-theft
  https://www.bankinfosecurity.com/claudy-day-forecast-chat-data-theft-a-31059
  https://hackread.com/claudy-day-flaws-data-theft-fake-claude-ai-ads/
• CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation To Root
  "The Qualys Threat Research Unit has identified a Local Privilege Escalation (LPE) vulnerability affecting default installations of Ubuntu Desktop version 24.04 and later. This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles. While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system."
  https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
  https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
  https://www.infosecurity-magazine.com/news/ubuntu-flaw-enables-root-access/
  https://securityaffairs.com/189614/security/cve-2026-3888-ubuntu-desktop-24-04-vulnerable-to-root-exploit.html
• Cheshire Cat Security: WhatsApp View Once Is Completely Broken — And WhatsApp Won’t Fix It
  "As part of our ongoing research into Meta’s WhatsApp security, we found and responsibly disclosed a new View Once privacy issue that allows attackers to easily remove its protection. To our surprise, unlike with our previous reports on similar issues about View Once security, WhatsApp replied that they will not fix this issue, leaving users exposed to such attacks. WhatsApp’s reply, and its inconsistencies with how they addressed these issues previously, proves they do not have a clear security model for this privacy feature — which is strategically more severe than our specific finding."
  https://medium.com/@TalBeerySec/cheshire-cat-security-whatsapp-view-once-is-completely-broken-and-whatsapp-wont-fix-it-e0bbeef15872
  https://www.securityweek.com/researcher-discovers-4th-whatsapp-view-once-bypass-meta-wont-patch/

Malware

• Amazon Threat Intelligence Teams Identify Interlock Ransomware Campaign Targeting Enterprise Firewalls
  "Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device, which was disclosed by Cisco on March 4, 2026. After Cisco’s disclosure, Amazon threat intelligence began research into this vulnerability using Amazon MadPot’s global sensor network—a system of honeypot servers that attract and monitor cybercriminal activity. While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026. This wasn’t just another vulnerability exploit, Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers."
  https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
  https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html
  https://www.bleepingcomputer.com/news/security/interlock-ransomware-exploited-secure-fmc-flaw-in-zero-day-attacks-since-january/
  https://www.bankinfosecurity.com/interlock-ransomware-exploited-cisco-firewall-flaw-for-weeks-a-31073
  https://cyberscoop.com/cisco-firewall-sd-wan-vulnerabilities-exploited/
  https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
• Attackers Wielding DarkSword Threaten iOS Users
  "Mobile devices now sit at the convergence of access, identity, and sensitive corporate data—effectively relocating the enterprise perimeter into every employee’s pocket. Recently observed threats demonstrate that the mobile attack surface has fundamentally expanded, moving beyond app-based malware to include sophisticated, hit-and-run campaigns that can disrupt operations and trigger material financial damage faster than traditional attack vectors. In a tangible example of how attacks are evolving, Lookout Threat Labs has discovered DarkSword, a full iOS exploit chain and payload for iPhones running iOS versions between iOS 18.4 and 18.6.2."
  https://www.lookout.com/threat-intelligence/article/darksword
  https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/
  https://www.darkreading.com/threat-intelligence/darksword-iphone-exploit-spies-thieves
  https://therecord.media/russia-linked-hackers-use-iphone-exploit-ukraine
  https://cyberscoop.com/second-ios-exploit-kit-emerges-from-suspected-russian-hackers-using-possible-u-s-government-developed-tools/
  https://www.securityweek.com/darksword-ios-exploit-kit-used-by-state-sponsored-hackers-spyware-vendors/
  https://www.theregister.com/2026/03/18/darksword_exploit_kit_steals_iphone/
• Transparent COM Instrumentation For Malware Analysis
  "COM automation is a core Windows technology that allows code to access external functionality through well-defined interfaces. It is similar to traditionally loading a DLL, but is class-based rather than function-based. Many advanced Windows capabilities are exposed through COM, such as Windows Management Instrumentation (WMI). Scripting and late-bound COM calls operate through the IDispatch interface. This creates a key analysis point that many types of malware leverage when interacting with Windows components.This analysis point is quite complex and hard to safely instrumentate at scale. In this article, Cisco Talos presents DispatchLogger, a new open-source tool that closes this gap by delivering high visibility into late-bound IDispatch COM object interactions via transparent proxy interception."
  https://blog.talosintelligence.com/transparent-com-instrumentation-for-malware-analysis/
• Technical Analysis Of SnappyClient
  "In December 2025, Zscaler ThreatLabz identified a new command-and-control (C2) framework implant that we track as SnappyClient, which was delivered using HijackLoader. SnappyClient has an extended list of capabilities including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications. In this blog post, ThreatLabz provides a technical analysis of SnappyClient, including its core features, configuration, network communication protocol, commands, and post-infection activities."
  https://www.zscaler.com/blogs/security-research/technical-analysis-snappyclient
  https://www.darkreading.com/cyberattacks-data-breaches/new-c2-implant-snappyclient-targets-crypto-wallets
• SideWinder Espionage Campaign Expands Across Southeast Asia
  "Recent cyber-espionage activity attributed to the SideWinder threat group suggests that the India-linked operation has expanded across Southeast Asia, including Indonesia and Thailand, while continuing to rely on phishing, credential theft, and infrastructure churn to avoid detection. The group often uses a government-audit themed phishing attack to convince employees to open a link, and has consistently reused certain techniques — such as staged execution and frequent domain changes — allowing SideWinder to shift geographic targets without altering its core malware toolkit, researchers with cybersecurity services firm ITSEC Group stated in a report released this week. The group, which the researchers also referred to as RagaSerpent, started targeting Thailand in late 2025 and Indonesia earlier this year, the report stated."
  https://www.darkreading.com/threat-intelligence/sidewinder-espionage-campaign-expands-across-southeast-asia
  https://itsec.asia/storage/file/cGUOOhIvql4c13rWYNeZV8aGl8UPDsEBtcHmv5tC.pdf
• Reverse Engineering .NET AOT Malware: A Guide To Trace The Multi-Stage Attack Chain With Binary Ninja
  "This blog serves both as an examination of newly identified malware and as a practical guide for researchers beginning their journey into malware analysis. Throughout the guide, we use Binary Ninja to reverse engineer the samples. Howler Cell’s mission is not only to publish research that equips defenders with actionable threat intelligence, but also to empower and educate others to perform their own analysis. We hope this guide proves valuable to aspiring threat researchers."
  https://www.cyderes.com/howler-cell/reverse-engineering-net-aot-malware
  https://hackread.com/net-aot-malware-code-black-box-evade-detection/
• Disrupting ShieldGuard: a Security Extension Primed To Drain Crypto Wallets
  "Okta Threat Intelligence has discovered and helped industry partners to take down the infrastructure of a cryptocurrency scam called “ShieldGuard”. ShieldGuard claims to be a blockchain project that offers - through its promotion of a browser extension - a capability that blocks known threats to cryptocurrency wallets, such as phishing or malicious smart contracts. The project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency “airdrop”) and for promoting the capability to other users."
  https://www.okta.com/blog/threat-intelligence/disrupting-shieldguard--a-security-extension-primed-to-drain-cry/
  https://www.infosecurity-magazine.com/news/crypto-scam-shieldguard-dismantled/
• Inside a Network Of 20,000+ Fake Shops
  "We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. They exist for one purpose: to steal your payment details and personal data. The thread that ties them all together is a browser tab title most people would never think twice about: “Unrivaled selection only for you.”"
  https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-fake-shops
• AI Wrote This Malware: Dissecting The Insides Of a Vibe-Coded Malware Campaign
  "The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding. Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code."
  https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ai-written-malware-vibe-coded-campaign/
• The SOC Files: Time To “Sapecar”. Unpacking a New Horabot Campaign In Mexico
  "In this installment of our SOC Files series, we will walk you through a targeted campaign that our MDR team identified and hunted down a few months ago. It involves a threat known as Horabot, a bundle consisting of an infamous banking Trojan, an email spreader, and a notably complex attack chain. Although previous research has documented Horabot campaigns (here and here), our goal is to highlight how active this threat remains and to share some aspects not covered in those analyses."
  https://securelist.com/horabot-campaign/119033/
• From Misconfigured Spring Boot Actuator To SharePoint Exfiltration: How Stolen Credentials Bypass MFA
  "Many cybersecurity incidents don’t begin with sophisticated malware or advanced exploits. Instead, they often start with simple misconfigurations and poor credential practices. When these weaknesses combine, attackers can move from reconnaissance to full data compromise surprisingly quickly. This case study walks through an incident that involves:"
  https://www.trendmicro.com/en_us/research/26/c/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltrati.html
• GlassWorm Hits MCP: 5th Wave With New Delivery Techniques
  "GlassWorm Strikes Again: Wave 5 Brings Invisible Code to MCP Servers, GitHub Repos, and Hundreds of Extensions. Five waves. Five months. One relentless threat actor. We first exposed GlassWorm back in October 2025 - the first self-propagating worm hiding in VSCode extensions using invisible Unicode characters. Since then, we've tracked them through four waves: invisible payloads, a return strike where we accessed their server and found real victims, compiled Rust binaries, and a full pivot to macOS with hardware wallet trojans."
  https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques
• Iranian Botnet Exposed Via Open Directory: 15-Node Relay Network And Active C2
  "Threat actors make mistakes. Sometimes those missteps are subtle; a misconfigured server, a reused TLS certificate. Other times, operators leave a directory open on their own staging infrastructure, exposing deployment scripts, configuration files, bash history, and more for anyone willing to look. This research builds on our recent analysis of Iranian APT infrastructure, but represents a different layer of that ecosystem: a financially or personally motivated operator rather than a state-directed one. During a routine review of exposed servers in Iran using AttackCapture, Hunt.io researchers identified a threat actor's full working environment: a censorship bypass tunnel network spanning Finland and Iran, an SSH-based botnet framework, and a compiled bot client with a hardcoded C2 address still under active development."
  https://hunt.io/blog/iran-botnet-operation-open-directory
• Fast-Draft Open VSX Extension Compromised By BlokTrooper
  "The KhangNghiem/fast-draft extension, listed on open-vsx.org/extension/KhangNghiem/fast-draft and now sitting above 26,000 downloads, had multiple malicious releases that execute a GitHub-hosted downloader and pull a second-stage RAT and infostealer from the BlokTrooper/extension repository. The confirmed malicious releases in the version line we inspected are 0.10.89, 0.10.105, 0.10.106, and 0.10.112. What makes this case unusual is that the malicious releases are not continuous. Versions through 0.10.88 appear clean. 0.10.111 also appears clean, even though it sits between malicious versions, and the latest Open VSX release as of 2026-03-17, 0.10.135, does not contain the same loader either."
  https://www.aikido.dev/blog/fast-draft-open-vsx-bloktrooper
• Katana: a Mirai Variant That Compiles Its Own Rootkit On Android TV Set-Top Boxes
  "This report documents the Katana botnet, a Mirai variant targeting Android TV set-top boxes through ADB exploitation. The devices it infects are low-cost, often unbranded boxes running the Android Open Source Project (AOSP) without Google Play Protect or official Google certification, not Google-branded Android TV products. Katana is part of a growing wave of botnets exploiting the same attack surface: residential proxy services that expose internal networks, enabling mass ADB exploitation of Android TV devices. This delivery method, first documented in the context of the Kimwolf proxy botnet and subsequently disclosed to affected proxy providers in late 2025, has since attracted multiple independent operators. The economics are straightforward: for the cost of a residential proxy subscription, an operator gains access to tens of millions of AOSP devices with unauthenticated remote shell access — without writing a single exploit."
  https://github.com/deepfield/public-research/blob/main/katana/report.md

Breaches/Hacks/Leaks

• Marquis: Ransomware Gang Stole Data Of 672K People In Cyberattack
  "Marquis, a Texas-based financial services provider, revealed this week that a ransomware gang stole the data of over 670,000 individuals in an August 2025 cyberattack that also disrupted operations at 74 banks across the United States. The company provides digital marketing, data analytics, compliance, and CRM services to more than 700 banks, credit unions, and mortgage lenders across the United States. In data breach notifications filed with U.S. Attorney General offices in early December, Marquis said it suffered a ransomware attack on August 14, 2025, after the threat actors compromised a SonicWall firewall."
  https://www.bleepingcomputer.com/news/security/marquis-ransomware-gang-stole-data-of-672-000-people-in-2025-cyberattack/
  https://therecord.media/marquis-bank-vendor-data-breach
• Nordstrom's Email System Abused To Send Crypto Scams To Customers
  "Customers of upscale department store chain Nordstrom received fraudulent messages from a legitimate company email address that promoted cryptocurrency scams disguised as a St. Patrick’s Day promotion. The emails promise recipients to double the cryptocurrency amount deposited to a specific wallet address over the next two hours. "Send cryptocurrency to any of your unique deposit addresses below, and we'll send you right back 200% of the amount you sent," reads the fraudulent message."
  https://www.bleepingcomputer.com/news/security/nordstroms-email-system-abused-to-send-crypto-scams-to-customers/
• Aura Confirms Data Breach Exposing 900,000 Marketing Contacts
  "Identity protection company Aura has confirmed that an unauthorized party gained access to nearly 900,000 customer records containing names and email addresses. The company states that the incident was caused by a voice phishing attack targeting an employee, which exposed the sensitive data of 20,000 current and 15,000 former customers. In a communication this week, Aura states that the data originated from a marketing tool used by a company acquired by Aura in 2021, which exposed limited information."
  https://www.bleepingcomputer.com/news/security/aura-confirms-data-breach-exposing-900-000-marketing-contacts/

General News

• Telegram’s Crackdown In 2026 And Why Cyber Criminals Are Still Winning
  "If you’ve been following the Telegram crackdown news, then you’ll know that Telegram entered 2026 under significant pressure. After years of being a largely permissive environment, the platform dramatically increased enforcement following the arrest of CEO Pavel Durov in late 2024 and the rollout of stricter moderation throughout 2025. Millions of channels were taken down, Telegram bans became frequent, automation was introduced, and transparency around enforcement reached an all time high. Yet despite these efforts, cyber criminal ecosystems on Telegram are not shrinking. These cyber criminal communities are adapting, and quickly."
  https://blog.checkpoint.com/research/telegrams-crackdown-in-2026-and-why-cyber-criminals-are-still-winning/
• AI-Powered Cyber Warfare: How Autonomous Attack Agents Are Changing The Threat Landscape
  "A few years ago, most cyberattacks still depended heavily on human effort—skilled operators manually probing systems, testing vulnerabilities, and executing campaigns step by step. That model is quietly breaking down. In conversations with security teams and analysts over the past year, one theme keeps coming up: attackers are no longer just using tools—they’re starting to deploy systems that can think, adapt, and act on their own. This is where AI-powered cyber warfare begins to shift from buzzword to reality. At the center of this shift are autonomous attack agents, AI-driven systems that don’t just assist attackers but actively participate in decision-making. And that changes the threat landscape in a very real way."
  https://cyble.com/blog/ai-powered-cyber-warfare-attack-agents/
• Clear Communication: The Missing Link In Cybersecurity Success
  "Time and time again in cybersecurity, effective communication is the obstacle to technical and non-technical teams being able to truly collaborate. Diverse working groups, while essential for coming up with effective cybersecurity strategies and ideas, can be brought to a standstill when communication isn't rooted in trust. At this year's RSAC Conference, husband and wife duo Rebecca Grapsy and Kevin Grapsy are set to deliver a talk on this subject. And for them, it's personal."
  https://www.darkreading.com/cybersecurity-operations/clear-communication-missing-link-cybersecurity-success
• Beyond Analytics: The Silent Collection Of Commercial Intelligence By TikTok And Meta Ad Pixels
  "TikTok and Meta's tracking pixels are quietly harvesting personal data, granular checkout interactions, and detailed commerce intelligence from the websites that implement them. The collection is going far beyond what ad attribution requires, creating serious privacy compliance risks and competitive disadvantages for the businesses involved. Jscrambler conducted a runtime analysis of the ad pixels used by TikTok and Meta on actual websites, revealing that their default behavior requires immediate attention from every organization that employs them. The analysis focused on large companies in the retail, hospitality, and healthcare sectors. However, it's worth noting that most businesses with an online presence use these tracking pixels on their websites."
  https://jscrambler.com/blog/beyond-analytics-tiktok-meta-ad-pixels
  https://www.darkreading.com/cyber-risk/meta-tiktok-steal-sensitive-pii
• From Hot CVEs To The Full Attack Surface: How AI Is Reshaping Threat Intelligence
  "For a long time, defenders operated with a practical advantage. Although thousands of vulnerabilities are disclosed each year, only a small fraction ever show up in large-scale attacks. Instead, the same CVEs appeared in post-mortem reports again and again. That pattern made prioritization possible. Security teams could focus on patching, detection, and response around a limited set of exposures and accept that much of the backlog, while not ideal, was unlikely to be targeted at scale and the teams could prioritize based on the identified patterns and each organization’s unique risk assessment."
  https://www.fortinet.com/blog/industry-trends/from-hot-cves-to-the-full-attack-surface-how-ai-is-reshaping-threat-intelligence
• Cybercriminals Scale Up, Government Sector Hit Hardest
  "Government agencies faced the highest volume of cyberattack campaigns in 2025, according to new findings from HPE Threat Labs, which tracked 1,186 active campaigns over the course of the year. The data covers activity observed between January 1 and December 31, 2025, and reflects a broad mix of sectors and attack types. Government agencies were targeted in 274 campaigns, the largest share among all industries. Financial services followed with 211 campaigns, while technology companies accounted for 179. Defense saw 98 campaigns, and manufacturing recorded 75. Telecommunications and healthcare each logged 63 campaigns, while education and transportation each recorded 61."
  https://www.helpnetsecurity.com/2026/03/18/government-agencies-cyberattack-campaigns-volume/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Financial Sector

• Bank Built Its Own Threat Hunting Agent Because Vendors Can’t Keep Pace With New Threats
  "Australia’s Commonwealth Bank built its own agentic AI threat hunting tools, because vendors are too slow to develop tools that can cope with emerging AI-powered threats, according to General Manager of Cyber Defence Operations Andrew Pade. Speaking at analyst firm Gartner’s Security & Risk Management Summit in Sydney on Tuesday, Pade said he joined the bank six years ago when it logged 80 million daily threat signals. That figure now tops four billion, and he said AI is one reason for the growth."
  https://www.theregister.com/2026/03/17/commonwealth_bank_ai_defense/

Vulnerabilities

• Instant Hijack: Critical 10.0 CVSS File Browser Flaw Grants Automatic Admin Rights
  "Security researchers have issued a high-priority alert for users of File Browser, a popular open-source self-hosted cloud storage solution. A critical logic flaw has been discovered in the platform’s registration system that can automatically grant full administrative powers to any new user who signs up. The vulnerability, tracked as CVE-2026-32760, has been assigned a maximum CVSS score of 10, reflecting its potential for total system takeover with zero technical effort from an attacker."
  https://securityonline.info/instant-hijack-critical-10-cvss-file-browser-flaw-cve-2026-32760/
• Hidden Instructions In README Files Can Make AI Agents Leak Data
  "Developers rely on AI coding agents to set up projects, install dependencies, and run commands by following instructions in repository README files, which provide setup guidance for software projects. New research identifies a security risk when attackers hide malicious instructions in those documents. Tests showed that hidden instructions in README files could trigger AI agents to send sensitive data to external servers in up to 85% of cases."
  https://www.helpnetsecurity.com/2026/03/17/ai-agents-readme-files-data-leak-security-risk/
  https://arxiv.org/pdf/2603.11862
• Open, Closed And Broken: Prompt Fuzzing Finds LLMs Still Fragile Across Open And Closed Models
  "Unit 42 researchers have developed a genetic algorithm-inspired prompt fuzzing method to automatically generate variants of disallowed requests that preserved their original meaning. This method also measures guardrail fragility under systematic rephrasing. Our research uncovered guardrail weaknesses, with evasion rates ranging from low single digits to high levels in specific keyword and/or model combinations. The key difference from prior single-prompt jailbreak examples is scalability. Small failure rates become reliable when attackers can automate at volume."
  https://unit42.paloaltonetworks.com/genai-llm-prompt-fuzzing/

Malware

• Poisoned Typeface: How Simple Font Rendering Poisons Every AI Assistant, And Only Microsoft Cares
  "LayerX researchers have discovered how a simple custom font can compromise every AI system in the market. With nothing more than a custom font and simple CSS, we created a webpage where the browser renders instructions that would lead the user to execute a reverse shell, while the DOM text analyzed by AI tools contains harmless video game fanfiction. The malicious instructions exist only in the rendering layer, and every AI web assistant we tested failed to identify the threat. Fonts are a well-known attack vector for deploying malware, and our research demonstrated how they can also be leveraged for prompt injection and poisoning AI systems. As a result, every AI system – including ChatGPT, Claude, Gemini, and others – can be targeted by this attack, leading to potential data leakage and/or execution of malicious code."
  https://layerxsecurity.com/blog/poisoned-typeface-a-simple-font-rendering-poisons-every-ai-assistant-and-only-microsoft-cares/
  https://www.bleepingcomputer.com/news/security/new-font-rendering-trick-hides-malicious-commands-from-ai-tools/
• Casting a Wider Net: ClickFix, Deno, And LeakNet’s Scaling Threat
  "Ransomware operator “LeakNet” is currently averaging about three victims per month, but it’s scaling up and shifting tactics. In recent incidents we investigated, the group added a new initial access path and a new loader technique: “ClickFix” lures hosted on compromised websites and a Deno-based, in-memory loader that most security tools won’t catch. No matter how it gets in, LeakNet then follows the same post-exploitation steps: execution, lateral movement, and payload staging."
  https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat
  https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/
  https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html
• Claude Fraud - When Trusted Tools Become The Attack Surface: Weaponizing AI Developer Tooling Against The Security Community
  "We’re calling it Claude Fraud. A sophisticated, multi-variant malware campaign actively targeting developers and security professionals who use AI coding tools — exploiting the trusted Claude.ai brand to deliver infostealer malware via Google Sponsored search results, fake landing pages, legitimate AI platforms, and trojanized VS Code extensions. Two confirmed attack vectors. Thousands of victims documented publicly. More in the wild. What makes Claude Fraud notable is not just the technical execution — it is the target profile and the deliberate exploitation of trust. The victims are technically sophisticated people: software engineers, security practitioners, AI-tool power users. Newer Claude Code adopters are equally at risk — curiosity about AI tools and the pressure to adopt quickly can be just as effective as technical familiarity at lowering a user's guard. The attackers engineered something that, by design, does not look suspicious to that audience."
  https://blog.7ai.com/claude-fraud-malware-campaign-ai-developer-tools
  https://hackread.com/clickfix-attack-devs-macsync-malware-fake-claude-tools/
• Vidar Stealer 2.0 Distributed Via Fake Game Cheats On GitHub And Reddit
  "The TRU team has been tracking several malware campaigns targeting video game cheaters as their primary victim group. These campaigns represent an increasingly prevalent threat vector that exploits the growing usage of cheats in competitive online gaming. The scale is especially concerning: Threat actors are systematically weaponizing the cheating ecosystem across virtually every major online game title. Our investigation revealed that the infrastructure supporting these campaigns is extensive, spanning multiple distribution platforms and leveraging legitimate services to evade detection."
  https://www.acronis.com/en/tru/posts/vidar-stealer-20-distributed-via-fake-game-cheats-on-github-and-reddit/
  https://hackread.com/vidar-2-0-infostealer-fake-game-cheats-github-reddit/
• Weaponizing LSPosed: Remote SMS Injection And Identity Spoofing In Modern Payment Ecosystems
  "LSPosed, a powerful framework for rooted Android devices, has been weaponized by attackers to remotely inject fraudulent SMS messages and spoof user identities in modern payment ecosystems. This report exposes a critical vulnerability: the exploitation of LSPosed modules to intercept and modify sensitive system APIs, enabling precise identity theft and unauthorized financial transactions. It reveals the devastating potential of this technique for large-scale payment fraud and identity takeover."
  https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2
  https://www.infosecurity-magazine.com/news/android-attack-bypasses-payment/
• CursorJack: Weaponizing Deeplinks To Exploit Cursor IDE
  "Cursor implements deeplinks for Model Context Protocol (MCP) to provide a mechanism for installation of MCP servers in Cursor IDE. This blog describes CursorJack, a method of potentially abusing Cursor MCP deeplinks that, under certain conditions, could enable code execution or allow installation of a malicious remote MCP server. The behavior described below is specific to the test environments noted and does not imply silent or zero‑click exploitation by default. It does, however, highlight the urgent need to secure agentic AI environments."
  https://www.proofpoint.com/us/blog/threat-insight/cursorjack-weaponizing-deeplinks-exploit-cursor-ide
  https://www.infosecurity-magazine.com/news/cursor-jack-attack-path-ai/
• Fake Pudgy World Site Steals Your Crypto Passwords
  "A phishing site impersonating the newly-launched Pudgy World browser game is targeting crypto users with a technique that goes well beyond a convincing logo and matching color scheme. Pudgy World is a free-to-play browser game built around the Pudgy Penguins NFT brand. Players explore a virtual world, customize penguin avatars, and complete quests. But some features are tied to digital collectibles and in-game items stored in cryptocurrency wallets."
  https://www.malwarebytes.com/blog/scams/2026/03/fake-pudgy-world-site-steals-your-crypto-passwords
• RondoDox Botnet: From Zero To 174 Exploited Vulnerabilities
  "According to a 2024 report from IoT Analytics, there were 16.6 billion Internet of Things (IoT) connected devices at the end of 2023, and that number is expected to grow to 41.1 billion by 2030. This means an increased attack surface for malicious actors to take advantage of, especially given that the security posture of the vendors that provide these devices varies greatly. Previous research from Bitsight TRACE has exposed security risks stemming from IoT devices, including ICS and OT systems, IoT cameras, and threats like RapperBot."
  https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
  https://www.securityweek.com/rondodox-botnet-targeted-174-vulnerabilities/
  https://securityaffairs.com/189569/malware/rondodox-botnet-expands-arsenal-targeting-174-flaws-and-hits-15000-daily-exploit-attempts.html
• Analysis Of The Spear-Phishing And KakaoTalk-Linked Threat Campaign By The Konni Group
  "Genians Security Center conducted an in-depth analysis of a malware distribution campaign by the Konni APT group that used North Korea-themed content as a lure. The analysis confirmed that the threat actor attempted initial intrusion through a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer, and then induced execution of a malicious LNK file to install remote access malware, leading to the initial compromise."
  https://www.genians.co.kr/en/blog/threat_intelligence/kakaotalk
  https://thehackernews.com/2026/03/konni-deploys-endrat-through-spear.html
• Operation CamelClone: Multi-Region Espionage Campaign Targets Government And Defense Entities Amidst Regional Tensions
  "Seqrite Labs APT Team has been monitoring threats across the globe and recently identified a campaign targeting multiple countries. Also looking across the Middle East, taking into account of the current geopolitical tensions. What makes this campaign interesting is the targeting of different regions within a similar timeframe while using the same infection techniques throughout the campaign. In this blog, we will analyze the infection chain used in this campaign, which starts with a malicious archive and eventually leads to the deployment of a legitimate tool that is abused by the threat actor. We will also look at the infrastructure used in the campaign, where the attackers leverage public anonymous file-sharing websites to host and distribute their payloads."
  https://www.seqrite.com/blog/operation-camelclone-multi-region-espionage-campaign-targets-government-and-defense-entities-amidst-regional-tensions/

Breaches/Hacks/Leaks

• Medusa Ransomware Gang Claims Attacks On Prominent Mississippi Hospital, New Jersey County
  "A prominent ransomware gang has taken credit for a devastating attack on the biggest hospital in Mississippi and a large county in New Jersey. The Medusa ransomware operation, which experts believe is run out of Russia, said recently it was behind the cyberattack on the University of Mississippi Medical Center (UMMC). UMMC is one of the most important healthcare organizations in the state — employing 10,000 people and housing Mississippi’s only children's hospital, only Level I trauma center, only Level IV neonatal intensive care unit and the state’s only organ transplant programs."
  https://therecord.media/medusa-ransomware-mississippi-cyber

General News

• Cyber-Attacks Against The EU And Its Member States: Council Sanctions Three Entities And Two Individuals
  "The Council adopted today restrictive measures against three entities and two individuals responsible for cyber-attacks carried out against EU member states and EU partners. The Council has listed Integrity Technology Group, a China-based company, that has routinely provided products used to compromise and access devices in EU members states, across Europe and worldwide. Between 2022 and 2023, through their technical and material support, more than 65,000 devices were hacked across six member states."
  https://www.consilium.europa.eu/en/press/press-releases/2026/03/16/cyber-attacks-against-the-eu-and-its-member-states-council-sanctions-three-entities-and-two-individuals/
  https://www.bleepingcomputer.com/news/security/europe-sanctions-chinese-and-iranian-firms-for-cyberattacks/
  https://www.bankinfosecurity.com/eu-belatedly-sanctions-chinese-iranian-hackers-a-31058
  https://securityaffairs.com/189585/security/eu-sanctions-chinese-and-iranian-actors-over-cyberattacks-on-critical-infrastructure.html
  https://www.theregister.com/2026/03/17/eu_iran_cyber_sanctions/
  https://www.helpnetsecurity.com/2026/03/17/eu-sanctions-china-iran-cyberattacks/
• Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, And Global Risk Exposure
  "The ongoing Middle East war has evolved into a cyber battlefield, with state-sponsored operations targeting critical infrastructure and essential services. Analysts warn that the region is witnessing an unprecedented escalation in Middle East cyber warfare, with attacks affecting governments, energy networks, finance, communications, and industrial systems. These operations, often executed through proxy groups, aim to destabilize societies, disrupt supply chains, and exert geopolitical pressure. Despite early disruptions to Iranian command centers, Iran and its affiliated groups retain substantial cyber capabilities. Incidents already linked to these campaigns include fuel distribution delays in Jordan and interference with navigation systems, impacting over 1,100 ships near the Strait of Hormuz, posing risks to global oil and gas trade."
  https://cyble.com/blog/middle-east-cyber-warfare-2026-hybrid-conflict/
• 2025 Identity Threat Landscape Report
  "Credential compromise from malware logs was not a static risk in 2025 — it compounded. Recorded Future observed a consistent upward trend throughout the year, with the second half producing 50% more indexed credentials than the first. The final three months of the year were particularly active: They saw 90% more volume than the first three months, reflecting both the continued proliferation of infostealer malware-as-a-service (MaaS) and the disruption and reformation of major malware families mid-year (covered in detail in the malware section below)."
  https://www.recordedfuture.com/blog/identity-trend-report-march-blog
  https://www.darkreading.com/identity-access-management-security/more-attackers-logging-in-not-breaking-in
• Ransomware Under Pressure: Tactics, Techniques, And Procedures In a Shifting Threat Landscape
  "Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, which is exemplified by the proliferation of the ransomware-as-a-service (RaaS) business model. While ransomware remains a dominant threat due to the volume of activity and the potential for serious operational disruptions, we have observed multiple indicators that suggest the overall profitability of ransomware operations is in decline."
  https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/
  https://www.darkreading.com/threat-intelligence/less-lucrative-ransomware-market-makes-attackers-alter-methods
• GitGuardian Reports An 81% Surge Of AI-Service Leaks As 29M Secrets Hit Public GitHub
  "In 2025, Developer Commits Using Claude Code Show 3.2% Secret Leak Rate vs. 1.5% Baseline. The Human Factor Remains Critical. GitGuardian, the security leader behind GitHub’s most installed application, today released the 5th edition of its “State of Secrets Sprawl” report, documenting how mainstream AI adoption in 2025 reshaped software delivery and accelerated the exposure of non-human identities (NHIs) and their secrets across public and internal systems. While the software ecosystem is growing quickly, leaked secrets are growing faster, and remediation is not keeping up."
  https://hackread.com/gitguardian-reports-an-81-surge-of-ai-service-leaks-as-29m-secrets-hit-public-github/
  https://www.gitguardian.com/state-of-secrets-sprawl-report-2026
• Surge In Nation State Attacks On UK Firms Amid Cyber Warfare Fears
  "Over half (54%) of UK companies were hit by nation state attacks last year as IT leaders grew increasingly fearful of AI-powered threats, according to a new report from Armis. The security vendor’s 2026 Armis Cyberwarfare Report was based on interviews with 1900 global IT decision-makers (ITDMs), including 500 from the UK, alongside proprietary data from Armis Labs. It revealed an increase in the number of UK ITDMs reporting state-sponsored attacks, up from 47% in last year’s report."
  https://www.infosecurity-magazine.com/news/nation-state-attacks-uk-firms/
  https://www.armis.com/cyberwarfare-2025/
• 90% Of People Don’t Trust AI With Their Data
  "AI didn’t sneak into our lives. It burst through the door, took a seat at the table, and started finishing our sentences. Instead of a helpful list of links, Google now tries to answer your question. Microsoft’s Copilot drafts replies to your boss before you’ve had coffee. Your phone summarizes conversations you don’t even remember having. Every major tech company is racing to add AI to its products because no one wants to be left behind. And the public is often forced to accommodate such corporate whims because of the increasing effects of “enshittification,” as explained by Cory Doctorow on the Lock and Code podcast."
  https://www.malwarebytes.com/blog/privacy/2026/03/90-of-people-dont-trust-ai-with-their-data
• AI, APIs And DDoS Collide In New Era Of Coordinated Cyberattacks
  "New research from internet infrastructure giant Akamai shows that layer 7 (application layer) DDoS attacks have increased in volume while Layer 3 (network layer) and layer 4 (transport layer) attacks have increased in scale. These, together with increasing API and web application attacks have converged into a new operating model for attackers. The latest State of the Internet Report from Akamai finds three major developments over the last year: DDoS attacks continue but evolve; API attacks increase, driven largely (but not solely) by growth in corporate use of agentic AI; and criminal use of AI as a force multiplier makes attacks cheaper, more sophisticated, stealthier and more difficult to attribute."
  https://www.securityweek.com/ai-apis-and-ddos-collide-in-new-era-of-coordinated-cyberattacks/
  https://www.akamai.com/lp/soti/app-api-ddos-security-report-2026
  https://www.akamai.com/content/dam/site/en/documents/state-of-the-internet/2026/app-api-ddos-security-report-2026-pdf-preview.pdf
  https://www.infosecurity-magazine.com/news/average-number-daily-api-attacks/
• Operationalizing Raw Threat Data
  "Barracuda’s AI-powered XDR platform, managed by Barracuda SOC staff, ingests large amounts of real-time, global threat data. And it turns that data into actionable, operational insights that lead to rapid, highly effective response to cyber incidents. We spoke to Eric Russo, Barracuda’s Director of SOC Defensive Security, to learn more about how that process of operationalizing threat data takes place, and why it’s central to how Barracuda Managed XDR reduces cyber risk while also reducing IT overhead through automation."
  https://blog.barracuda.com/2026/03/17/operationalizing-raw-threat-data
• Switzerland Built a Secure Alternative To BGP. The Rest Of The World Hasn't Noticed Yet
  "BGP, the Border Gateway Protocol, was not designed to be secure. It was designed to work – to route packets between the thousands of autonomous systems that make up the internet, quickly and at scale. For four decades, it has done exactly that. It has also, throughout those four decades, been exploited, misconfigured, and abused in ways that were predictable from the start. Route hijacks reroute traffic through hostile networks. Route leaks knock services offline. Nation-state cyber crews weaponize BGP to intercept communications at scale. These are not theoretical threats. They are documented, recurring events, and they remain possible today for one simple reason: BGP has no native way to verify that a network claiming to own a block of addresses actually does."
  https://www.theregister.com/2026/03/17/switzerland_bgp_alternative/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) แจ้งเตือนหน่วยงานและผู้ดูแลระบบเกี่ยวกับการตรวจพบช่องโหว่ในระบบปฏิบัติการ Ubuntu ที่เกี่ยวข้องกับการทำงานของ systemd ซึ่งอาจเปิดโอกาสให้ผู้โจมตีสามารถยกระดับสิทธิ์จากผู้ใช้งานทั่วไปไปเป็นผู้ดูแลระบบสูงสุดได้ [1]

1. รายละเอียดช่องโหว่
   CVE-2026-3888 (CVSS v3.1: 7.8) เป็นช่องโหว่ประเภท Race Condition (Timing-based vulnerability) ที่เกิดขึ้นในกระบวนการจัดการทรัพยากรของ systemd
   ช่องโหว่นี้เกี่ยวข้องกับการทำงานร่วมกันระหว่าง snapd (ระบบจัดการแพ็กเกจของ Ubuntu) และ systemd-tmpfiles ซึ่งใช้ในการจัดการไฟล์และ directory ชั่วคราวภายในระบบ เช่น /tmp
   โดย snapd มีหน้าที่ในการติดตั้งและจัดการแอปพลิเคชันในรูปแบบ sandbox และในระหว่างการทำงานจะมีการสร้างหรือจัดการไฟล์ชั่วคราว ซึ่งต้องอาศัย systemd-tmpfiles ในการดำเนินการ
   อย่างไรก็ตาม ในกระบวนการดังกล่าวนั้น มีช่องว่างของช่วงเวลาในการประมวลผลของระบบอยู่ ซึ่งเกิดขึ้นในระหว่างที่ systemd กำลังดำเนินการ และยังไม่มีการตรวจสอบหรือยืนยันความถูกต้องของทรัพยากรอย่างครบถ้วน
   ผู้โจมตีสามารถใช้ประโยชน์จากช่องว่างดังกล่าว โดย:
   1.1 อาศัยช่องว่างของช่วงเวลาในการประมวลผลของระบบ (Race Condition) ในระหว่างที่ systemd กำลังจัดการทรัพยากร
   1.2 แทรกหรือปรับเปลี่ยน resource เช่น file หรือ symbolic link โดยเฉพาะใน directory ชั่วคราว เช่น /tmp
   1.3 หลอกให้ systemd-tmpfiles ดำเนินการกับ object ที่อยู่ภายใต้การควบคุมของผู้โจมตีส่งผลให้ผู้โจมตีสามารถเขียนหรือแก้ไขไฟล์สำคัญของระบบ และดำเนินการคำสั่งภายใต้สิทธิ์ระดับสูง (root) ได้ นำไปสู่การยกระดับสิทธิ์ (Privilege Escalation) และการเข้าควบคุมระบบ
   ช่องโหว่นี้เป็นลักษณะ Local Privilege Escalation โดยผู้โจมตีจำเป็นต้องสามารถเข้าถึงระบบได้ในระดับผู้ใช้งานก่อน จากนั้นจึงอาศัยช่องโหว่ในการทำงานของ snapd และ systemd เพื่อยกระดับสิทธิ์เป็น root โดยอาศัยช่องว่างดังกล่าว

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ [2]
   ช่องโหว่นี้ส่งผลกระทบต่อระบบปฏิบัติการ Ubuntu หลายเวอร์ชัน โดยเฉพาะระบบที่ใช้งานแพ็กเกจ snapd ในเวอร์ชันก่อนหน้าที่ได้รับการแก้ไข

• Ubuntu 25.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
  โดยระบบที่ใช้งาน snapd เวอร์ชันก่อนหน้าที่ได้รับการแก้ไข (ต่ำกว่าเวอร์ชัน 2.73 ในแต่ละ Ubuntu release) หรือยังไม่ได้ติดตั้ง security update ยังคงได้รับผลกระทบจากช่องโหว่นี้

3. แนวทางการแก้ไข
   3.1 ดำเนินการอัปเดตแพตช์ความปลอดภัยของ Ubuntu, snapd และ systemd เป็นเวอร์ชันล่าสุดทันที
   3.2 เวอร์ชันที่ได้รับการแก้ไขแล้ว (Patched Versions)
   ช่องโหว่ดังกล่าวได้รับการแก้ไขแล้วในแพ็กเกจ snapd เวอร์ชันดังต่อไปนี้

• Ubuntu 24.04 LTS : snapd เวอร์ชัน 2.73+ubuntu24.04.1 ขึ้นไป
• Ubuntu 25.10 : snapd เวอร์ชัน 2.73+ubuntu25.10.1 ขึ้นไป
• Ubuntu 26.04 (Development) : snapd เวอร์ชัน 2.74.1+ubuntu26.04.1 ขึ้นไป

• Upstream snapd : เวอร์ชัน 2.75 ขึ้นไป
  3.3 ตรวจสอบแพ็กเกจ systemd และ dependency ที่เกี่ยวข้องให้เป็นเวอร์ชันที่ได้รับการแก้ไขแล้ว
  3.4 จำกัดสิทธิ์ของผู้ใช้งานภายในระบบ (Principle of Least Privilege) เพื่อลดความเสี่ยงจากการถูกยกระดับสิทธิ์
  3.5 ติดตั้งและใช้งานระบบตรวจจับพฤติกรรม (EDR/XDR) เพื่อเฝ้าระวังการใช้งานสิทธิ์ผิดปกติ

4. มาตรการลดความเสี่ยง (กรณีที่ยังไม่สามารถอัปเดตได้)
   4.1 จำกัดการเข้าถึงระบบเฉพาะผู้ใช้งานที่จำเป็น และปิดการเข้าถึง shell จากภายนอกหากไม่จำเป็น
   4.2 เฝ้าระวังและตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับ systemd และ privilege escalation
   4.3 ตรวจสอบความผิดปกติของไฟล์สำคัญ เช่น การเปลี่ยนแปลง symbolic link หรือ temporary file
   4.4 ใช้การควบคุมเพิ่มเติม เช่น SELinux / AppArmor เพื่อลดผลกระทบจากการถูกโจมตี

ThaiCERT เน้นย้ำให้หน่วยงานและผู้ดูแลระบบเร่งตรวจสอบและอัปเดตระบบโดยเร็ว เนื่องจากช่องโหว่นี้สามารถนำไปสู่การยึดครองระบบได้หากถูกนำไปใช้ร่วมกับการเข้าถึงระบบในระดับผู้ใช้งาน

#ThaiCERT #NCSA #สกมช #CyberSecurity #Ubuntu #systemd #PrivilegeEscalation #CVE20263888

อ้างอิง
[1] https://dg.th/bl504gfjip
[2] https://dg.th/iwhdoy5rfz

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยเกี่ยวกับช่องโหว่หมายเลข CVE-2026-22769 ในผลิตภัณฑ์ Dell RecoverPoint for Virtual Machines พบการโจมตีจริงจากกลุ่มผู้ไม่หวังดีเพื่อเข้าควบคุมระบบในระดับสูงสุด (Root) และฝังตัวในเครือข่ายระยะยาว[1]

1.รายละเอียดช่องโหว่
CVE-2026-22769 (CVSS v3.1: 10.0) เป็นช่องโหว่ที่เกิดจากการกำหนดข้อมูลรับรองเริ่มต้นแบบฝังตายตัว (Hardcoded Credential) ภายในระบบ Dell RecoverPoint for Virtual Machines รุ่นที่ได้รับผลกระทบ โดยข้อมูลที่ถูกเผยแพร่ระบุว่า credentials สำหรับผู้ใช้ admin ถูกเก็บอยู่ในไฟล์กำหนดค่าของ Apache Tomcat Manager ทำให้ผู้โจมตีสามารถล็อกอินเข้าสู่ Tomcat Manager แล้วอัปโหลดไฟล์ WAR ที่เป็นอันตรายผ่าน endpoint สำหรับ deploy จากนั้นสั่งรันคำสั่งบนอุปกรณ์ได้ด้วยสิทธิ์ระดับ Root ส่งผลให้เกิดการเข้าควบคุมระบบโดยสมบูรณ์และฝัง persistence ได้[2]

2.ผลิตภัณฑ์ที่ได้รับผลกระทบ

• Dell RecoverPoint for Virtual Machines เวอร์ชันก่อน 6.0.3.1 HF1
• Dell ระบุรายการเวอร์ชันที่ได้รับผลกระทบอย่างชัดเจน ได้แก่ 5.3 SP4 P1, 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3 และ 6.0 SP3 P1
• Dell ยังระบุเพิ่มเติมว่าเวอร์ชัน 5.3 SP4, 5.3 SP3, 5.3 SP2 และอาจรวมถึงเวอร์ชันที่เก่ากว่านี้ ก็อาจได้รับผลกระทบเช่นกัน

3. แนวทางการป้องกันและแก้ไข[3]

• อัปเกรด Dell RecoverPoint for Virtual Machines เป็นเวอร์ชัน 6.0.3.1 HF1 โดยเร็วที่สุด ซึ่งเป็นเวอร์ชันที่ Dell ออกมาเพื่อแก้ไขช่องโหว่นี้โดยตรง
• สำหรับระบบที่ใช้งานเวอร์ชัน 5.3 SP4 P1 ให้ดำเนินการ migrate ไปยัง 6.0 SP3 ก่อน แล้วจึงอัปเกรดต่อเป็น 6.0.3.1 HF1 หรือใช้ remediation script ตามที่ Dell เผยแพร่
• สำหรับระบบที่ใช้งานเวอร์ชัน 6.x ตามรายการที่ได้รับผลกระทบ ให้เลือกอัปเกรดเป็น 6.0.3.1 HF1 หรือใช้ remediation script ของ Dell หากยังไม่สามารถอัปเกรดได้ทันที
• Dell แนะนำให้ติดตั้งระบบนี้ไว้ภายในเครือข่ายที่เชื่อถือได้ (trusted, access-controlled internal network) และต้องมีการป้องกันด้วย firewall และ network segmentation อย่างเหมาะสม โดยไม่ควรเปิดใช้งานบนเครือข่ายสาธารณะหรือเครือข่ายที่ไม่น่าเชื่อถือ

4.มาตรการลดความเสี่ยงหากยังไม่สามารถอัปเกรดได้ [4]

• จำกัดการเข้าถึงระบบ RecoverPoint for Virtual Machines ให้อยู่เฉพาะภายในเครือข่ายองค์กรที่เชื่อถือได้ และปิดกั้นการเข้าถึงจากภายนอกผ่าน Firewall, ACL หรือระบบควบคุมการเข้าถึงเครือข่ายอื่น ๆ
• ตรวจสอบบันทึกเหตุการณ์ของ Tomcat Manager โดยเฉพาะคำขอที่เรียกไปยัง "/manager" ซึ่ง Dell และ Google/Mandiant ระบุว่าควรถูกมองว่าเป็นพฤติกรรมต้องสงสัย หากพบคำขอประเภท "PUT /manager/text/deploy?path=...&update=true" ให้ถือว่าอาจเกี่ยวข้องกับการอัปโหลด WAR อันตราย
• ตรวจสอบไฟล์และพาธสำคัญที่เกี่ยวข้องกับการโจมตี เช่น ไฟล์ WAR ใน "/var/lib/tomcat9", ไฟล์ compiled artifacts ใน "/var/cache/tomcat9/Catalina", และ log ของ Tomcat ใน "/var/log/tomcat9/" เพื่อค้นหาร่องรอยการ deploy แอปพลิเคชันผิดปกติ
• ตรวจสอบการแก้ไขไฟล์ "/home/kos/kbox/src/installation/distribution/convert_hosts[.]sh" ซึ่งรายงานระบุว่าถูกใช้เพื่อสร้าง persistence สำหรับมัลแวร์ BRICKSTORM และ GRIMBOLT ให้ทำงานซ้ำทุกครั้งที่ระบบเริ่มต้นใหม่
• เฝ้าระวังการเชื่อมต่อผิดปกติไปยังตัวบ่งชี้เครือข่ายที่มีการเผยแพร่ เช่น IP 149.248.11[.]71 และ endpoint wss://149.248.11[.]71/rest/apisession ซึ่งถูกรายงานว่าเกี่ยวข้องกับ C2 ของ GRIMBOLT

อ้างอิง
[1] https://dg.th/wkl59ob7qr
[2] https://dg.th/8jmw9zqp3r
[3] https://dg.th/mru1tspa5w
[4] https://dg.th/mwpuq7ik83

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) แจ้งเตือนหน่วยงานและผู้ดูแลระบบเกี่ยวกับพบช่องโหว่ในบริการ telnetd ของชุดเครื่องมือ GNU Inetutils
ซึ่งเปิดโอกาสให้ผู้โจมตีสามารถเข้าควบคุมระบบได้ในสิทธิ์สูงสุด (Root) โดยไม่จำเป็นต้องผ่านการยืนยันตัวตน (Unauthenticated) เพียงแค่เชื่อมต่อผ่านพอร์ต 23[1]

1.รายละเอียดช่องโหว่
CVE-2026-32746 (CVSS v3.1: 9.8) เป็นช่องโหว่ประเภท Buffer Overflow ที่เกิดขึ้นในส่วนจัดการตัวเลือก LINEMODE SLC (Set Local Characters)
โดยปัญหาเกิดจากฟังก์ชัน add_slc ไม่ตรวจสอบขนาดข้อมูลก่อนเขียนลงหน่วยความจำ (Out-of-bounds Write) ผู้โจมตีสามารถส่งแพ็กเก็ตที่ปรับแต่งมาเป็นพิเศษในช่วงการเจรจาการเชื่อมต่อ (Negotiation phase) เพื่อรันคำสั่งอันตราย (Remote Code Execution :RCE) ได้ทันที

2.ผลิตภัณฑ์ที่ได้รับผลกระทบ [2]
2.1 GNU Inetutils ทุกเวอร์ชันจนถึงเวอร์ชัน 2.7
2.2 ระบบปฏิบัติการ Linux/Unix-like และอุปกรณ์เครือข่าย/Embedded Systems ที่ใช้งานชุดเครื่องมือดังกล่าว

3. แนวทางการแก้ไข
   3.1 อัปเดตเป็นเวอร์ชัน 2.8 ล่าสุดทันทีหรือเวอร์ชันที่ได้รับการแพตช์จากผู้ผลิต(เช่น Debian, Ubuntu, Red Hat) โดยเร็วที่สุด
   3.2 หากไม่มีความจำเป็นต้องใช้งาน ให้ดำเนินการ ปิด (Disable) บริการ telnetd และปิดพอร์ต 23 ทันที
   3.3 ยกระดับความปลอดภัย โดยเปลี่ยนไปใช้โปรโตคอล SSH แทนการใช้ Telnet ซึ่งไม่มีการเข้ารหัสข้อมูล
   3.4 หากจำเป็นต้องใช้งาน Telnet ต้องจำกัดการเข้าถึงผ่าน Firewall (ACLs) ให้เข้าถึงได้เฉพาะหมายเลขไอพีที่เชื่อถือได้เท่านั้น และห้ามเปิดพอร์ตสู่สาธารณะโดยเด็ดขาด

4.มาตรการลดความเสี่ยง (กรณีที่ยังไม่สามารถอัปเดตได้)
4.1 ตั้งค่า Firewall หรือ Network Security Group เพื่อบล็อกการเชื่อมต่อพอร์ต 23 จากภายนอกหน่วยงาน
4.2 บังคับใช้การเชื่อมต่อผ่าน VPN ก่อนเข้าถึงบริการ Telnet ภายในระบบ
4.3 ตรวจสอบบันทึก (Logs) การเชื่อมต่อเพื่อหาความผิดปกติ เช่น การส่งข้อมูลขนาดใหญ่ผิดปกติในช่วงเริ่มต้นการเชื่อมต่อ (Pre-auth phase)
4.4 เนื่องจากช่องโหว่มีค่า CVSS สูงถึง 9.8 ผู้ดูแลระบบควรให้ความสำคัญสูงสุดในการตรวจสอบอุปกรณ์กลุ่ม Legacy และ IoT ในเครือข่าย

ThaiCERT เน้นย้ำให้หน่วยงานและผู้ดูแลระบบเร่งสำรวจอุปกรณ์เครือข่ายและเซิร์ฟเวอร์ในความดูแลทันที

#ThaiCERT #NCSA #สกมช #CyberSecurity #CVE202632746 #Telnet #Vulnerability

อ้างอิง
[1] https://dg.th/pbn340wmda
[2] https://dg.th/u657oiba1c

ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศอัปเดตความมั่นคงปลอดภัยจาก watchTowr Labs เกี่ยวกับช่องโหว่ใน BMC FootPrints ซึ่งเป็นโซลูชัน IT Service Management (ITSM) นักวิจัยพบว่า BMC FootPrints แทบไม่มีการรายงานช่องโหว่ใหม่ๆ (CVE) เลยตั้งแต่ปี 2014 ซึ่งกลายเป็นสัญญาณอันตราย (Red Flag) ว่าตัวซอฟต์แวร์อาจขาดการตรวจสอบด้านความปลอดภัยที่ทันสมัย นักวิจัยจึงได้ทดลองโจมตีและพบช่องโหว่ที่สามารถนำมาต่อกัน (Chaining) เพื่อยึดระบบได้โดยไม่ต้องมีรหัสผ่าน โดยช่องโหว่เหล่านี้ประกอบด้วยการข้ามการยืนยันตัวตน (authentication bypass), blind SSRF 2 รายการ และ deserialization of untrusted data

1. รายละเอียดช่องโหว่

• CVE-2025-71257 / WT-2025-0069 - Authentication Bypass: สามารถเข้าถึงเส้นทางที่เกี่ยวข้องกับการรีเซ็ตรหัสผ่านและได้รับ SEC_TOKEN แม้ไม่ผ่านการยืนยันตัวตน ซึ่งช่วยให้ข้ามกลไกกรองคำขอที่ปกติจะพาไปหน้า login ได้
• CVE-2025-71258 / WT-2025-0070 - Blind Server-Side Request Forgery (SSRF): เมื่อได้โทเคนดังกล่าวแล้ว ผู้โจมตีสามารถสั่งให้ระบบส่งคำขอออกไปยังปลายทางที่กำหนดผ่านฟังก์ชัน import/searchWeb ได้
• CVE-2025-71259 / WT-2025-0071 - Blind Server-Side Request Forgery (SSRF): ผู้วิจัยพบ blind SSRF อีกจุดหนึ่งผ่านฟังก์ชัน external feed/RSS ซึ่งถูกใช้เพื่อให้ระบบเชื่อมต่อออกไปยังปลายทางภายนอกตามที่ผู้โจมตีกำหนด
• CVE-2025-71260 / WT-2025-0072 - Deserialization of Untrusted Data / RCE Chain: พบปัญหา deserialization ในองค์ประกอบ "/aspnetconfig" ซึ่งสามารถนำไปสู่ arbitrary file write และเมื่อเชื่อมกับช่องโหว่แรก(Authentication Bypass)อาจพัฒนาเป็น pre-authenticated RCE ได้

• หมายเหตุหมายเลข CVE ตามรายงานยังไม่พบข้อมูลการเผยแพร่สู่สาธารณะ

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ
   BMC FootPrints ตั้งแต่ 20.20.02 ถึง 20.24.01.001 [6]

3. แนวทางการแก้ไข

• BMC ได้แก้ไขช่องโหว่ทั้ง 4 รายการแล้ว และมี hotfix/release ที่เกี่ยวข้อง ได้แก่ 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 และ 20.24.01
• ควรตรวจสอบ release notes และช่องทาง support ของ BMC เพื่อเลือกแพตช์ล่าสุดที่ตรงกับสายเวอร์ชันที่ใช้งานอยู่ โดยเอกสารสาธารณะของ BMC ยังแสดงรุ่นแพตช์ในบางสาย เช่น 20.23.01.002 และ 20.24.01.002

4. หากยังไม่สามารถอัปเดตได้ ควรดำเนินการดังนี้

• จำกัดการเข้าถึงหน้าและบริการสำหรับผู้ดูแลระบบของ FootPrints ให้เฉพาะเครือข่ายที่เชื่อถือได้หรือผ่าน VPN[2]
• ไม่ควรเปิดเผยระบบบริหารจัดการนี้สู่สาธารณะโดยตรง หากไม่จำเป็น
• ใช้ ACL / reverse proxy / WAF เพื่อจำกัดเส้นทางที่เกี่ยวข้องกับการจัดการระบบ[3]
• เฝ้าระวัง log ของเว็บแอปและ Tomcat สำหรับความพยายามเข้าถึงที่ผิดปกติ โดยเฉพาะฟังก์ชัน password reset, import/external feed และส่วนประกอบที่เกี่ยวข้องกับ aspnetconfig
• ตรวจสอบระบบที่ใช้งาน BMC FootPrints ทุกสาขาเวอร์ชัน และจัดลำดับความสำคัญในการแพตช์ระบบที่เข้าถึงได้จากเครือข่ายภายนอก

5. แหล่งอ้างอิง
   [1] https://dg.th/b9dtiszlvk
   [2] https://dg.th/rc2z0eu8kp
   [3] https://dg.th/ukts6qvez8

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand