สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
พบแคมเปญฟิชชิงปลอมเป็นอีเมลร้องเรียนจากลูกค้า มุ่งโจมตีธุรกิจโรงแรมและที่พักโพสต์ใน Cyber Security News
-
Polymarket เตรียมชดเชยผู้ใช้งานเต็มจำนวน หลังถูกโจมตีแบบ Supply Chainโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ตรวจพบแคมเปญมัลแวร์ Miasma แฝงรหัสอันตรายในแพ็กเกจ npm กว่า 20 รายการ มุ่งเป้าขโมยข้อมูลสำคัญของนักพัฒนาโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ETDA Cyber Threat Intelligence 29 June 2026โพสต์ใน Cyber Security News
Healthcare Sector
- Healthcare Leaders See a Fatal Cyber Incident As Inevitable
"Healthcare practices run on a chain of outside vendors. An EMR system holds clinical records, a billing platform processes claims, a telehealth tool supports remote visits, and a cloud provider stores data. Every one of those connections gives an outside company a path into the practice, and any one of them can break. That is what happened across the sector over the past year. According to Omega Systems’ 2026 Healthcare IT Landscape Report, the large majority of practices dealt with at least one operational disruption that traced back to a vendor or a vendor’s own supplier. The disruptions ranged from brief outages to repeated failures that froze patient intake and slowed cash flow."
https://www.helpnetsecurity.com/2026/06/26/cyber-incident-healthcare-vendor-risk/
New Tooling
- Modelplane: Open-Source Control Plane For AI Inference
"Organizations that run open-weight models on hardware they own operate GPU fleets spread across clouds, neoclouds, and on-premise data centers. Each fleet handles model placement, replica scaling, infrastructure provisioning, weight distribution, and traffic routing. Teams have built this coordination layer by hand, one operator at a time. Upbound, the company behind the Crossplane project, released Modelplane, an open-source control plane that manages fleet-wide coordination for AI inference. The software installs in a user’s own environment and orchestrates models, the serving stack, and the infrastructure beneath them. It runs across cloud, neocloud, and on-premise systems, from a single GPU to multi-node deployments. The first public version, v0.1.0, carries the Apache 2.0 license."
https://www.helpnetsecurity.com/2026/06/26/modelplane-open-source-control-plane-ai-inference/
https://github.com/modelplaneai/modelplane
Vulnerabilities
- Synology Issues Critical Fix For MailPlus Server Vulnerabilities
"Synology has has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.
The security update fixes three flaws:
CVE-2026-13136, stemming from faulty authorization checks, may allow remote attackers to read or write arbitrary files and conduct denial-of-service (DoS) attacks
CVE-2026-13135, caused by improper restriction of communication channel to intended endpoints, may allow remote attackers to access internal services
CVE-2025-15660, arising from the use of a cryptographically weak pseudo-random number generator, may allow adjacent attackers to read or write arbitrary files and conduct DoS attacks."
https://www.helpnetsecurity.com/2026/06/26/synology-mailplus-server-vulnerabilities/
https://www.synology.com/en-global/security/advisory/Synology_SA_26_11 - Critical Unauthenticated Remote Code Execution In Splunk Enterprise (CVE-2026-20253)
"Splunk disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Splunk Enterprise tracked as CVE-2026-20253 on June 10, 2026. The vulnerability has a CVSS score of 9.8 and stems from missing authentication on a PostgreSQL sidecar service recovery endpoint that can be reached through the Splunk Web interface, which proxies requests to the internal PostgreSQL sidecar service without enforcing authentication. A successful attacker can create or truncate arbitrary files and ultimately achieve arbitrary code execution under the Splunk service account."
https://www.zscaler.com/blogs/security-research/critical-unauthenticated-remote-code-execution-splunk-enterprise-cve-2026 - MCP Auto-Execution: From Git Clone To Cloud Compromise In Amazon Q VS Code Extension
"Wiz Research discovered a high-severity vulnerability in Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon's AI-powered coding assistant for VS Code, which allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository. Amazon Q automatically loaded MCP server configurations from workspace files without user consent. Combined with full environment inheritance, this enabled immediate code execution. Amazon has remediated this issue in language server version 1.65.0."
https://www.wiz.io/blog/amazon-q-vulnerability
https://aws.amazon.com/security/security-bulletins/2026-047-aws/
https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html
https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/
https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds/5263202 - CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-12569 PTC Windchill and FlexPLM Improper Input Validation Vulnerability
CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/
https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html
https://www.securityweek.com/first-ever-exploitation-of-ptc-windchill-vulnerability-discovered-in-the-wild/
https://securityaffairs.com/194290/security/u-s-cisa-adds-cisco-and-ptc-windchill-and-flexplm-flaws-to-its-known-exploited-vulnerabilities-catalog.html - New Linux Pedit COW Exploit Enables Root Access By Poisoning Cached Binaries
"A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as important."
https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html - Dissecting And Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)
"During an audit of recent Linux kernel patches, the JFrog Security Research team identified that despite fixes addressing the DirtyFrag vulnerability family, a residual issue remained unaddressed. This gap allowed the same vulnerability class to persist through a different packet processing path in the XFRM/IPsec subsystem. We reported the issue to the Linux kernel maintainers on May 19. This coincided with a related broader report from the original DirtyFrag researcher “Hyunwoo Kim" on May 16. The variants were patched and merged into mainline on May 21 (v7.1-rc5, 9e171fc1d7d7), and assigned CVE-2026-43503."
https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html
https://securityaffairs.com/194338/uncategorized/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html
Malware
- FBI: Russian Hackers Now Target Signal Backup Recovery Keys
"The FBI and CISA are warning that a phishing campaign targeting Signal users tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages. The updated public service announcement is an update to a March 2026 advisory that warned the threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns designed to hijack accounts rather than break end-to-end encryption."
https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/
https://www.ic3.gov/PSA/2026/PSA260626
https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html
https://securityaffairs.com/194360/intelligence/new-fbi-alert-russian-intelligence-uses-signal-recovery-keys-to-access-messages.html - We Coined The Poisoned Tenant Attack In 2023; In 2026, Someone Used It On Us
"Three years ago, we published the poisoned tenant attack as part of the Browser and Identity Attacks matrix. Last week, someone used it to target Push Security employees and customers through OpenAI's organization invitation feature. This post breaks down what happened, explores what the payoff is for an attacker, and connects the incident to a broader pattern of SaaS platform abuse that is accelerating across the industry."
https://pushsecurity.com/blog/openai-poisoned-tenant-attack
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/ - From CI/CD To Cloud Data: How Shai Hulud Persistence Leads To Redshift Breach
"Organizations with modern CI/CD pipelines face threats from the Shai Hulud supply chain campaign, a software worm attributed to TeamPCP that has been targeting npm and PyPI packages since late 2025. Named after the giant sandworms in Dune, Shai Hulud injects malicious packages that execute during installs or CI jobs, harvesting build credentials to move into cloud infrastructure. Organizations running modern CI/CD are learning a critical lesson from the Shai Hulud supply chain campaign: a poisoned build dependency doesn't stop at the pipeline—it becomes a bridge into the production cloud."
https://www.fortinet.com/blog/threat-research/from-ci-cd-to-cloud-data-how-shai-hulud-persistence-leads-to-redshift-breach - Mirage2FA: Obfuscated HTML Loader Delivers Microsoft 365 MFA Phishing Kit
"Fortra Intelligence and Research Experts (FIRE) have identified a multi-stage Microsoft 365 phishing kit, which we have named Mirage2FA, delivered through a secure document and payment-themed email lure. The attack uses short-lived HTML smuggling and obfuscated JavaScript-loaders in a single phishing workflow, creating a “mirage” effect that helps it evade detection while targeting 2FA/MFA protections. It is an example of phishing campaigns increasingly using multiple tactics to harvest credentials and bypass or intercept 2FA/MFA workflows. The impact of such an attack on businesses could result in account takeover, fraudulent payment redirection, data theft, internal phishing, unauthorized access to sensitive documents, and more."
https://www.fortra.com/blog/mirage2fa-obfuscated-html-loader-delivers-microsoft-365-mfa-phishing-kit
https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/ - Breaking Out Of Chrome’s Sandbox: A Native Messaging Backdoor Observed In Italy
"In June 2026, we analysed a malware campaign distributed through Italian-language phishing emails. The message pretended to deliver an invoice and used the subject Fattura #2818999851. The victim was shown what looked like a PDF document. The downloaded file was instead an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js. The unusual pfd.js ending was likely intended to look similar to .pdf at a quick glance."
https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts - STOCKSTAY Another Day: The Latest Addition To Turla’s Intelligence Gathering Apparatus
"Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. Turla has deployed STOCKSTAY against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. Used for ongoing cyber espionage, this backdoor shares significant code and functional overlaps with KAZUAR, a successful toolkit previously attributed to Turla. The group has a long history of targeting a wide range of industries, with a particular focus on western Ministries of Foreign Affairs, and defense organizations within the context of heightened political tensions."
https://cloud.google.com/blog/topics/threat-intelligence/stockstay-turla-intelligence-gathering
https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
https://www.securityweek.com/russian-apt-deploys-stockstay-backdoor-against-ukrainian-targets/ - Malware Brief: Banking Trojans Are Still With Us, And They’re More Dangerous
"Banking trojans are still widely used in 2026 but now operate as part of broader attack chains. Modern variants combine credential theft, remote access and device takeover capabilities. Mobile banking trojans are expanding quickly, shifting attacks closer to users and unmanaged devices. Threat actors are pairing familiar malware with newer lures, including AI-themed tools and social engineering. For SMBs, banking trojans are often the first step toward account takeover, fraud or ransomware."
https://blog.barracuda.com/2026/06/25/banking-trojans-2026-account-takeover-fraud - Miasma Mini Shai-Hulud Hits LeoPlatform Npm Packages And GitHub Actions, Expands To The Go Ecosystem
"Socket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project. While many of the affected npm packages were published through the czirker account, the activity is not limited to that publisher: three additional malicious packages, hexo-deployer-wrangler, hexo-shoka-swiper, and prism-silq, were published by the npm user llxlr."
https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-go-ecosystem
https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-plus-npm-packages-hunts-for-developer-secrets/5262886 - Photo ZIP Campaign Targeting Hospitality Industry Delivers Node.js Implant For Persistent Access
"Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. We’ve observed this activity through aggregated threat intelligence and security signals across multiple organizations in Europe and Asia. Microsoft has not attributed this campaign to a known threat actor. The campaign uses photo-themed ZIP archives that the target users download through the browser. These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports."
https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/
https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html
https://securityaffairs.com/194349/uncategorized/hospitality-sector-hit-by-phishing-campaign-using-fake-guest-complaint-emails.html - Russia Used Social Engineering To Breach Prominent Messaging Accounts, Ukraine Says
"Ukraine's security agency said it had uncovered, together with the FBI, a long-running Russian campaign to compromise the messaging accounts of government officials, military personnel, politicians and activists in Ukraine, Europe and the United States. The campaign was aimed at gaining access to sensitive military, political and economic information exchanged through messaging applications, while also stealing victims' personal data, the Security Service of Ukraine (SBU) said in a statement on Thursday."
https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html - Malware-Laced USBs Breach Japanese Military Networks
"Counterfeit flash drives embedded with a Chinese-linked computer virus and used by the Japanese army are now dispensing malware throughout other secure networks in the country. First reported by The Nikkei newspaper, the virus was overlooked until February 2025, when military personnel reported slower device speeds - almost a full year after the flash drives were delivered to Japan's Self-Defense Forces in March 2024. According to internal documents, the original source of procurement for the drives is no longer verifiable. An investigation by the army's Cyber Defense Unit found that six of eight USB drives analyzed contained the malicious program, with more than 50 out of 480 computers infected. Roughly half of the computers affected ran on closed internal networks."
https://www.bankinfosecurity.com/malware-laced-usbs-breach-japanese-military-networks-a-32094 - Fake Shops Target Shoppers Across Europe With Fake Samsung Deals, Counterfeit Goods And World Cup Scams
"Cybercriminals are scaling fake online stores into a coordinated multinational business. A Bitdefender Labs investigation identified more than 55 fake-shop campaigns targeting consumers across 12 European countries between March and May 2026. The campaigns mimicked some of the world’s most recognizable brands, including Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN."
https://www.bitdefender.com/en-us/blog/labs/fake-shops-europe-samsung-world-cup-scams - Clone This Repo And I Own Your Machine
"Indirect prompt injection is far more than just another chatbot problem; it is a very real and serious attack vector that can result in catastrophic damage, much of which will be irreversible. Take, for example, modern agentic IDEs and coding agents, which can request the use of various tools. Once such tools are authorized, the LLM can ask to execute shell commands, open local files, and make network calls. This sort of tool usage sets the stage for very serious exploits. As an example, this blog post will show how, in the absence of any red flags or systemic suspicion from Claude code, an attacker gained shell access to a developer machine."
https://0din.ai/blog/clone-this-repo-and-i-own-your-machine
https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/ - From San Pedro To Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy
"In 2024, a small Argentine town called San Pedro became the focus of international press coverage after thousands of residents (approximately 20% of the total population), including the chief of police and members of the city council, discovered that a cryptocurrency platform they had invested in and been promoting was a coordinated scam. The platform, called RainbowEx, displayed fictional trading activity, pulled deposits from victims through stablecoin transfers, and blocked withdrawals once the scheme was publicly exposed. The complex scandal was covered by The New York Times, La Opinión Semanario, Buenos Aires Herald, and other prominent news outlets."
https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/
https://www.securityweek.com/chinese-framework-powers-200000-scam-sites/
Breaches/Hacks/Leaks
Polymarket Customers Lose $3 Million In Supply-Chain Attack
"Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform's frontend following a breach at a third-party vendor. The company states in a brief announcement that the hack was the result of a supply-chain attack that impacted a dependency on its website."
https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
https://www.securityweek.com/3-million-reportedly-stolen-in-polymarket-hack/
https://securityaffairs.com/194266/security/third-party-breach-at-polymarket-leads-to-2-94m-crypto-theft.html- CMC Releases Analysis And Guidance For Education Sector After Canvas Data Breach
"The UK’s Cyber Monitoring Centre (CMC) has shared its analysis of the Canvas cyber incident affecting Instructure’s Learning Management System as the education technology firm prepares to share its own findings next week. The CMC said that approximately 160 UK higher education institutions were affected and threat actors exfiltrated confidential course and user data. In total, around 9000 educational institutions are thought to have been affected worldwide."
https://www.infosecurity-magazine.com/news/cmc-analysis-education-canvas-data/ - More Klue Breach Victims Identified As Hackers Get Hacked
"Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month. The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration."
https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/
General News
The AI Pentesting Pulse: Decoding The 2.7x Risk Multiplier In LLM Deployments
"Right now, the media and regulators are hyper-focused on frontier models being pulled back by the government for being "too dangerous"—despite heavy debate over whether their extreme guardrails actually rendered them useless in the first place. But while the world is distracted by theoretical doomsday scenarios of super-intelligent models escaping the lab, Cobalt pentesting data in 2026 reveals the actual, immediate danger is already inside your network: well-meaning developers rushing to bolt standard LLMs onto legacy architectures."
https://www.cobalt.io/blog/the-ai-pentesting-pulse-decoding-the-2.7x-risk-multiplier-in-llm-deployments
https://www.darkreading.com/cybersecurity-operations/ai-decline-confidence-autonomous-penetration-testing- Linux Foundation And Industry Leaders Launch Akrites To Defend Critical Open Source Software Against AI-Enabled Cyber Threats
"The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced Akrites, a coordinated industry effort to harden the world’s most critical open source software in the era of AI-assisted vulnerability discovery. Backed by founding commitments from Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler, the initiative unites major technology companies, AI labs, financial institutions, and security vendors around a shared mission: to coordinate the remediation of vulnerabilities in widely used open source projects with upstream maintainers before those vulnerabilities can be exploited."
https://www.linuxfoundation.org/press/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats
https://www.securityweek.com/linux-foundation-unveils-new-open-source-security-project-akrites/
https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/ - A Privacy-First Take On Local Malware Analysis
"Submitting a suspicious file to VirusTotal or MalwareBazaar places a copy of that file on a platform other people can search. Analysts across the industry rely on these services to get a quick verdict on whether a binary is dangerous. The convenience carries a condition many overlook. Once a sample reaches a public repository, the person who wrote it can locate it there. Skilled operators watch these platforms for the hashes of their own tools, and a match tells them their campaign has been detected. Files tied to a targeted intrusion can also carry sensitive material from the victim, which then sits on a third-party system."
https://www.helpnetsecurity.com/2026/06/26/burnyard-local-malware-analysis/
https://arxiv.org/pdf/2606.24778 - Two CEOs On Why Security And AI Readiness Belong Together
"SuperOps and Guardz are bundling PSA, RMM, MDM, and agentic SecOps into one offering for MSPs. In this Help Net Security Q&A, SuperOps CEO Arvind Parthiban and Guardz CEO Dor Eisner explain how a connected stack cuts the time and context lost to tool-switching, lowers costs against multi-vendor setups, and helps close the gap between average MSP margins of 8% and the 18% top performers reach. They also discuss what makes a platform AI-native, and why they treat security readiness and AI readiness as one conversation."
https://www.helpnetsecurity.com/2026/06/26/superops-guardz-ceo-partnership/ - The New MCP Specification: What Security Teams Must Prepare For
"The upcoming MCP 2026-07-28 specification represents the most significant architectural evolution of the Model Context Protocol (MCP) since it began. What began as a local, single-user AI integration tool is transforming into a platform capable of supporting enterprise-scale, cloud native deployments. Following the release candidate published on May 21, 2026, the final specification is scheduled for release on July 28, 2026, accompanied by a formal 12-month deprecation window for select legacy functionality."
https://www.akamai.com/blog/security-research/new-mcp-specification-security-teams-must-prepare
https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges/ - Third-Party Breaches Teach Education Sector a Costly Lesson In Vendor Risk
"Cybercriminals have long viewed the education sector, with its mix of legacy technology and new applications, uneven IT resources, and large amounts of data, as an easy and enticing target. From the smallest rural K-12 districts to the world's most prestigious universities, IT professionals in education are focused on getting and keeping students and staff online, rather than protecting the systems their devices run on. Many have slim security budgets and are chronically understaffed. And the vast amounts of operational and personal data they hold could be ransomed or sold for use in future cybercrimes."
https://www.darkreading.com/cyber-risk/third-party-breaches-teaches-education-lesson-vendor-risk
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Healthcare Leaders See a Fatal Cyber Incident As Inevitable
-
Google ออกอัปเดต Chrome 149 แก้ไขช่องโหว่ร้ายแรง 18 รายการโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ระบบสื่อสารรถไฟ GSM-R ขัดข้องทั่วเยอรมนี ส่งผลให้รถไฟหยุดให้บริการเป็นวงกว้างโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เตือนภัย ส่วนขยาย Microsoft Edge ถูกนำมาใช้เป็นช่องทางโจมตีด้วย Ransomwareโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ETDA Cyber Threat Intelligence 26 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- The OT Segmentation Imperative: Why It Can't Wait Any Longer
"Ask any team running industrial operations about network segmentation and you'll hear a familiar story. Everyone agrees it's critical. It's mandated by IEC 62443, NERC CIP and NIS2. It limits the blast radius and prevents lateral movement across networks. Yet for most organizations, network segmentation has remained at the top of the "planned but not deployed" list for years. That inaction is becoming increasingly difficult to justify."
https://www.bankinfosecurity.com/blogs/ot-segmentation-imperative-cant-wait-any-longer-p-4136
Vulnerabilities
- GitLab Patches Code Execution, Information Disclosure Vulnerabilities
"GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs. The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input. According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions."
https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/ - Chrome 149 Update Resolves 18 Severe Vulnerabilities
"Google on Wednesday rolled out a new Chrome 149 update that resolves 18 vulnerabilities, including four critical and 14 high-severity security defects. More than half of the addressed issues, including three critical and seven high-severity, are use-after-free flaws, a type of memory corruption bug that could lead to remote code execution (RCE). In Chrome, use-after-free vulnerabilities can be combined with security holes in the underlying operating system or in a privileged browser process to escape the sandbox."
https://www.securityweek.com/chrome-149-update-resolves-18-severe-vulnerabilities/
https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws - 25-Year-Old Vulnerability Patched In Curl
"The open source data transfer tool and library curl has been updated this week with patches for 18 vulnerabilities, including one introduced 25 years ago. The flaws, four medium and 14 low-severity, were discovered as part of a community effort after Anthropic’s Mythos discovered a single curl bug in early May. This release resolves the highest number of CVEs patched with a single curl update, including an issue that was introduced in version 7.7, shipped on March 22, 2001."
https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/
https://curl.se/mail/lib-2026-06/0026.html
https://securityaffairs.com/194220/security/curl-fixes-a-25-year-old-bug-in-its-largest-cve-release-yet.html - BadBlocker: 11 Million Users, One Server Call Away From Compromise
"Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk) is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It blocks ads on YouTube and it works well. It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed. In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions."
https://www.island.io/blog/badblocker-11-million-users-one-server-call-away-from-compromise
https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
Malware
- Fake Invoices Are Moving From Inboxes To Shopping Apps
"A fake invoice in your email is easy to ignore. A fake invoice inside your order history feels different. Norton customers have reported fake Norton invoices appearing inside the Shop app, the shopping and order-tracking app from Shopify. Public reports suggest the same technique is not limited to Norton. Similar suspicious Shop app notifications have used McAfee, Apple gift cards, iPhones, PayPal-style payment claims and other high-value purchases as bait. The impersonated brand may change, but the mechanics are familiar: make the user believe they have been charged, then give them a phone number to call."
https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps
https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/ - Bluekit Phishing-As-a-Service: Browser-In-The-Middle, Evolved
"Netcraft has identified and is actively detecting live deployments of Bluekit, a sophisticated Phishing-as-a-Service (PhaaS) platform that introduces a meaningful shift in how adversary-in-the-middle (AitM) phishing is executed. While Bluekit was first documented by Varonis Threat Labs — who assessed at the time that it appeared to still be in development — Netcraft can confirm the platform is now operational at scale, with approximately 70 hostnames detected in the last week."
https://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat
https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/ - Gamaredon In 2025: Leveraging Tunnels, Workers, Dead Drops, And New Alliances
"Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025."
https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/
https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense
https://www.bankinfosecurity.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068 - ClickFix: The Attack That Turns Users Into Their Own Attackers
"ClickFix has quickly become one of the most prevalent social engineering techniques on the web. The attack flips a familiar security assumption on its head: instead of slipping a malicious file past endpoint defenses, the attacker convinces the victim to run the payload themselves. No exploit. No malicious attachment. Just a user, a clipboard, and a convincing prompt."
https://blog.checkpoint.com/securing-user-and-access/clickfix-the-attack-that-turns-users-into-their-own-attackers/ - Introduction To COM Usage By Windows Threats
"Component Object Model (COM) is one of the Windows technologies that analysts regularly encounter but may not always prioritize during triage, as the manual analysis of COM functionality in binary executable files can be labor-intensive. The post starts with a brief introduction into COM, following how binaries utilizing COM can be analyzed, and some examples of malware families and their usage of COM. The post concludes with a list of further resources."
https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/ - Russia Breaks Into Human Rights Activist’s Phone With Cellebrite
"We analyzed Russian activist Andrey Pivovarov’s phone, finding that Russian authorities used forensic extraction tools made by Cellebrite to gain access to his device. A document prepared by Russian authorities confirms that Cellebrite was used to extract information to aid in Pivovarov’s prosecution. Importantly, we found that authorities continued to use Cellebrite for political repression even after the company had cancelled its contracts with Russian customers."
https://citizenlab.ca/research/russia-breaks-into-human-rights-activists-phone-with-cellebrite/
https://therecord.media/russia-used-cellebrite-tool-after-company-pulled-out-of-country
https://cyberscoop.com/russia-cellebrite-activist-phone-hacking/ - Millenium: A RAT Rewritten, A Threat Multiplied
"Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone an architectural shift from .NET to native C++, while continuing to leverage the Telegram Bot API for command and control, requiring no dedicated server infrastructure. This blog also profiles the developer “ShinyEnigma”, and threat actor cluster “Y2K Operators” responsible for active Millenium RAT exploitation campaigns. Over 62,000 compromised endpoints across more than 160 countries have been identified, with infections accelerating sharply in Q1 2026."
https://www.group-ib.com/blog/millenium-rat-maas/ - Beware Of “Parcel Expert” Job Offers: They’re Parcel Mule Scams
"A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods. It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise."
https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams - Fake Domain Renewal Emails Trick Website Owners Into Paying Scammers
"You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer. It feels urgent and personal, so it feels real."
https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers - CL-STA-1062 Targets Southeast Asian Governments And Critical Infrastructure
"Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. The Chinese-speaking attackers behind this cluster, which we track as CL-STA-1062, have been active since at least March 2022. We assess with high confidence that this is the same cluster, known as UAT-7237, that was reported for its campaigns against web hosting infrastructure in Taiwan in mid 2025. We also observed CL-STA-1062 campaigns in earlier operations targeting strategic sectors in East Asia, indicating a broader, sustained regional focus."
https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/ - Inside Vidar’s ABE Bypass: From Memory Scanning To APC Injections
"Infostealers are constantly evolving, and so are the techniques they use to bypass Application-Bound Encryption (ABE). In recent weeks, Vidar has been among the most actively developed stealers and, apart from multiple updates to its string obfuscation and a reworked approach to protecting its configuration, it has also introduced a novel technique for bypassing ABE. And while there have been many other changes in Vidar lately, with new versions dropping every week, in this blog post we focus solely on the ABE bypass and its technical aspects."
https://www.gendigital.com/blog/insights/research/inside-vidar-abe-bypass - Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half The Work
"Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. Across 302 distinct hosting providers, we identified more than 3,900 active C2 servers. The distribution was anything but even. A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does."
https://hunt.io/blog/eastern-europe-malicious-infrastructure-report
Breaches/Hacks/Leaks
- Cal Water Says No OT Systems Breached In Iranian Handala Cyberattack
"The investigation conducted by California Water Service (Cal Water) into the recent cyberattack claimed by the Iranian hacker group Handala found no evidence of activity in the water utility’s operational technology (OT) environment. Handala, which claims to be a hacktivist collective but is widely believed to be a front for Iranian government hacking operations, said it could have disrupted the water supply after gaining access to Cal Water systems but decided not to do so. The statement suggested that the hackers had gained deep access to industrial control systems (ICS)."
https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/ - Another Russian Dairy Company Reportedly Disrupted By Cyberattack
"A cyberattack has snarled logistics and accounting operations at a dairy producer in Russia's republic of Bashkortostan, forcing the company to process shipments and paperwork manually, according to local media. The attack affected the IT systems of Ufagormolzavod, a manufacturer based in Ufa, the regional capital, but did not interrupt production, the company's chief executive, Ildar Faizullin, said."
https://therecord.media/russia-dairy-producter-cyberattack-ufa - Ukraine's State Postal Operator Reports App Disruption After Cyberattack
"Ukraine's state-owned postal operator, Ukrposhta, said on Thursday that its mobile application is experiencing temporary disruptions following an overnight "enemy" attack on the company's IT systems. "Our specialists are already working to restore the service. We are doing everything we can to ensure you can return to using the app normally as soon as possible," Ukrposhta said."
https://therecord.media/ukraine-state-postal-operator-reports-disruption
General News
- Poland Busts SIM-Swapping Gang Tied To Millions In Crypto Theft
"Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. The operation was carried out by the Polish Cybercrime Bureau (CBZC) with support from the FBI and Homeland Security Investigations (HSI) in the United States. According to investigators, the suspects carried out sophisticated cyberattacks to obtain data used in SIM-swapping attacks."
https://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/ - Why Patch Directives Only Go So Far
"When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21. despite exploitation beginning in early May. That, six-week active intrusion gap is not a footnote. It is the entire story."
https://cyberscoop.com/why-security-patching-is-not-enough-cve-2026-50751-op-ed/ - In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
"Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems. The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability."
https://www.darkreading.com/cyberattacks-data-breaches/less-than-24-hours-attackers-weaponize-cisco-cucm-flaw - EdTech Attackers Shift From Schools To Their Software Suppliers
"Threats against the education sector have mounted over the past five years and are becoming even more widespread, as attackers set their sights on educational technology (edtech) vendors. Rather than conducting ransomware or other attacks against an individual school or district, cyberattackers now target learning management systems (LMS) and other educational applications to victimize hundreds, if not thousands, of institutions in one fell swoop."
https://www.darkreading.com/cyberattacks-data-breaches/edtech-attackers-shift-schools-software-suppliers - Europe Evolves Into Ransomware's Favorite Region
"A specter is haunting Europe — the specter of ransomware. After a global lull in 2024 and 2025, the ransomware-as-a-service (RaaS) ecosystem appears to be back to form, at least in Europe. Researchers from Black Kite tracked 684 ransomware attacks across the continent through the first four months of 2026. That's 55% more than the 441 recorded in the first four months of 2025, even more than the 643 recorded through the first half of 2025."
https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region
https://www.infosecurity-magazine.com/news/increase-ransomware-europe/ - The Uptime Questions Every Engineering Leader Should Ask This Week
"In this interview with Help Net Security, Mattias Geniar, CTO at Oh Dear, explains why most outages start quietly, as creeping latency or a slow rise in errors. He argues teams alert on the wrong things: absolute numbers instead of changes, isolated endpoints instead of real user outcomes. He covers alert fatigue, the DNS and certificate failures buried deep in the stack, the risk of leaning on one provider, and the mistakes tired engineers make at 3am. Geniar closes with questions leaders should ask to test their uptime story."
https://www.helpnetsecurity.com/2026/06/25/mattias-geniar-oh-dear-preventing-outages/ - LLM Security Advice Looks Solid Until You Check The Hard Cases
"Plenty of people now type their security worries straight into a chatbot. A hacked account, a suspicious email, a stalker who might be tracking a phone, all of it lands in the same window someone would use to ask about dinner. A benchmark called HelpBench tests how well chatbots handle those moments, and the results give security professionals something to watch in what their users are being told."
https://www.helpnetsecurity.com/2026/06/25/helpbench-llm-security-advice/
https://arxiv.org/pdf/2606.24819 - Recommendations When Using LLM-Backed Generative AI Systems For FOSS Contributions
"The entire community of computer users, which quickly approaches every human, faces the growing conundrum of generative artificial intelligence systems backed by Large Language Models (“LLM-gen-AI”)1. Software freedom activists face particularly difficult challenges in this regard; these LLM-gen-AI systems have been applied in earnest to the endeavors of software creation and modification."
https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html
https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/ - Most Teams Will Ship AI-Written Infrastructure Code With Little Review
"AI-assisted development has settled into everyday practice across software organizations, and developers using it move from idea to working code in hours. That code does not stay with the developers who prompt it. It flows downstream to the DevOps and platform teams who deploy and maintain it, and those teams are not getting the same speed boost."
https://www.helpnetsecurity.com/2026/06/25/ai-infrastructure-governance-gap-report/ - Twenty Million US IP Connections Used By Proxy Services
"Millions of residential IP connections in the US are collected annually for use in proxy services, with many households unaware that they may ultimately be used by threat actors, a new report has warned. Non-profit the Digital Citizens Alliance claimed in a new report, Cybercrime by Doorbell, that an estimated 20 million or more connections end up as proxies, often without the knowledge of their owners."
https://www.infosecurity-magazine.com/news/twenty-million-us-ip-connections/
https://resproxy.digitalcitizensalliance.org/hubfs/resproxy/DCA_Cybercrime-by-Doorbell-Report.pdf - Trust In Automated AI Vulnerability Scanning Collapses To 9%, New Study Finds
"A large number of false negatives has significantly eroded confidence in automated AI testing for vulnerabilities, a new study from Cobalt has found. The Cobalt State of Pentesting Report 2026 is based on two comparative surveys in 2025 and 2026 of around 450 cybersecurity professionals. It found that the percentage of organizations relying entirely on AI automation for testing sank from 29% to 9% over the period, with nearly half (47%) of respondents now preferring a hybrid testing model."
https://www.infosecurity-magazine.com/news/trust-ai-vulnerability-scanning/
https://resource.cobalt.io/ai-pentesting-pulse-report-2026-tyd - New CISA Guide Assists Federal Agencies With Transitioning To Modernized Zero Trust Architectures
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a guide that helps federal civilian agencies advance their zero trust capabilities and adopt modern architectures supported under the Trusted Internet Connections (TIC) 3.0 Initiative. Part of CISA’s Journey to Zero Trust series, this guide helps agencies transition away from the limitations of using TIC 2.0 and capitalize on TIC 3.0 flexibilities to employ Secure Access Service Edge (SASE) solutions. Federal agencies will better understand, plan and mature to zero trust architecture to improve user experience, increase visibility and control, and enable telemetry sharing with CISA services."
https://www.cisa.gov/news-events/news/new-cisa-guide-assists-federal-agencies-transitioning-modernized-zero-trust-architectures
https://www.cisa.gov/resources-tools/resources/using-sase-modern-tic-30-solution
https://www.cisa.gov/sites/default/files/2026-06/The_Journey_to_Zero_Trust_Using_SASE_in_a_Modern_TIC-3.0_Solution_CB_Approved_508c.pdf
https://www.infosecurity-magazine.com/news/cisa-sase-tic-3-0-zero-trust/ - Inside The 2026 SMB Threat Landscape: From Phishing And Scams To Fake AI Tools
"Small and medium-sized businesses (SMBs) remain attractive targets for cybercriminals – in both mass cyberattacks and sophisticated campaigns targeting larger enterprises through trusted relationship attacks. At the same time, smaller businesses may lack the robust cybersecurity policies and necessary resources to protect themselves against an evolving threat landscape."
https://securelist.com/smb-threat-report-2026/120357/ - NIST Opens Updated IoT Security Guidance To Public Review
"The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines. Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls. The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24."
https://www.securityweek.com/nist-opens-updated-iot-security-guidance-to-public-review/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213r1.ipd.pdf - SOC Threat Radar — June 2026
"Incidents mitigated in the last month by Barracuda Managed XDR show how weak access controls and exposed remote services attract mass-targeting adversaries and pave the way for more severe attacks. LemonDuck malware infects endpoints for cryptomining. GoldBrute botnet brute-forces remote services. Password spraying attacks from Iran are targeting VPNs."
https://blog.barracuda.com/2026/06/25/soc-threat-radar-june-2026 - Why ShinyHunters Attacks Expose a Growing Data Security Risk
"While a lot of attention is being paid to a pending apocalypse of vulnerabilities that are being discovered by the latest generation of artificial intelligence (AI) models, a series of relatively simpler cyberattacks from a shadowy syndicate known as ShinyHunters are proving to be the most lethal. The most recent cyberattack launched by this group was against Madison Square Garden (MSG), the parent organization of the New York Knicks and Liberty basketball teams and the New York Rangers hockey team. As fans of the Knicks were celebrating the team’s NBA championship, cybersecurity teams and the executive leadership of MSG were contending with the theft of 45 GB of corporate and customer data."
https://blog.barracuda.com/2026/06/24/shinyhunters-attacks-data-security-risks
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- The OT Segmentation Imperative: Why It Can't Wait Any Longer
-
ETDA Cyber Threat Intelligence 25 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Where IT Meets OT And Railway Cybersecurity Gets Harder
"In this interview with Help Net Security, Jorge Aldegunde, Global Head of Railway Services at DNV, talks through what happens when old operational technology meets newer IT in monorail systems. He explains why open networks widened the attack surface, how teams decide whether to patch a signalling flaw without stopping trains, and who carries the liability. Aldegunde covers regulation like CRA and NIS2, training veteran engineers to think about threat actors, and spotting intruders who have been inside for months. His main rule: manage your risks and plan for resilience, not perfection."
https://www.helpnetsecurity.com/2026/06/24/jorge-aldegunde-dnv-railway-cybersecurity/
New Tooling
- Praxen: Open-Source AI Agent Behavior Verification
"Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the agent operates, and points out every spot where the two drift apart. It is the reference implementation of Agent Behavior Verification, a control model that hands each agent an authorized role and then confirms the controls hold that agent to it. The idea borrows from how companies manage their own employees. Every person gets a defined set of permissions, and the same logic now applies to software agents, where each one carries a scope of activity it is allowed to perform."
https://www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/
https://github.com/open-agent-ai-security/praxen
Vulnerabilities
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/
https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/
https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html - When Defenses Become Attack Surface: CVE-2026-20971, a Samsung Kernel UAF
"Our team found a UAF vulnerability in Samsung's Android kernel. The vulnerability affected Samsung Android devices starting at Galaxy S9 through Galaxy S25, as well as additional devices (we tested S21, S22, S24, A54). Both Qualcomm and Exynos chipset based devices were impacted. The vulnerability could be exploited from any untrusted app, and allowed attackers to obtain multiple memory corruption primitives, potentially leading to complete device takeover."
https://lucidbitlabs.com/blog/when-defenses-become-attack-surface/
https://securityaffairs.com/194090/security/samsung-knox-kernel-uaf-exposes-millions-of-galaxy-devices.html - Researchers Trick AI Browsers Into Leaking Credentials
"A range of AI-powered web browsers have been tricked into abandoning their safety guardrails and leaking user data after being convinced they were playing a game. Researchers at LayerX demonstrated the technique, which they named BioShocking, against six agentic browsers and plugins, including OpenAI's ChatGPT Atlas, Perplexity's Comet and Anthropic's Claude extension. In a proof-of-concept (PoC) attack, all six were steered into copying a user's login credentials and sending them to an attacker."
https://www.infosecurity-magazine.com/news/bioshocking-ai-browser-prompt/
Malware
- Backdoor.Mistic: New Backdoor May Be Linked To Ransomware Access Broker
"Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations."
https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT
https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/
https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/ - Iran-Linked MuddyWater Poses As Ransomware Gang To Mask Cyber Espionage
"The line between ransomware activity and nation-state backed cyber campaigns is blurring, as state-sponsored cyber espionage groups adopt tools and techniques associated with cyber criminals to disguise their intelligence operations, a report has warned. Analysis by cybersecurity researchers at NCC Group has described how MuddyWater, a hacking and cyber espionage group associated with Iran’s Ministry of Intelligence and Security, posed as the Chaos ransomware group to hide its espionage activity."
https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/ - Total Access To All Your Devices.” Sextortion Scammers Strike Again
"At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others. Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail."
https://www.malwarebytes.com/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again - StrikeShark: Investigating a New Campaign Delivering Cobalt Strike Through SharkLoader
"During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms."
https://securelist.com/strikeshark-campaign/120326/ - The Broker Behind FortiBleed: Anatomy Of a Russian-Speaking Access Operation
"At Mysterium VPN, we often think about who gets to sit in the middle of someone else's connection. Usually, that means a camera, a router, or an internet provider. This time, it’s something heavier: a firewall. The exact device a company buys to keep strangers out of its network turned out to be the front door a criminal crew walked through — and then cataloged, priced, and put up for sale. In mid-June 2026, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had stumbled upon a live, exposed server containing what appeared to be working login credentials for tens of thousands of Fortinet firewalls (Fortinet is one of the world's largest makers of network security hardware)."
https://www.mysteriumvpn.com/news/fortibleed-access-broker
https://securityaffairs.com/194132/cyber-crime/fortibleed-the-broker-who-turned-73000-firewalls-into-a-product-catalog.html - MacOS.Gaslight | Rust Backdoor Turns Prompt Injection On The Analyst, Not The Sandbox
"In early June, an Apple XProtect update surfaced a Mach-O sample that had been uploaded to VirusTotal on May 22. The XProtect rule targets the file purely on its hash rather than on any internal strings or bytecode, yet the sample remains undetected by static engines on VirusTotal at the time of writing. The binary is ad hoc signed and carries the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea."
https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/ - Zero-Day Exploitation Of Vulnerability (CVE-2026-20245) In Cisco Catalyst SD-WAN Manager
"In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access. The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data."
https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure
https://cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/ - GhostShell (MB-0009): Targeting Ukraine’s UAV Operations And Defense Supply Chain
"Today, we are taking a look at malware linked to yet another threat actor, one that has been active since at least February 2026. Since I could not associate the malware with any previously attributed threat actor, I am naming the actor GhostShell (you’ll find out why later in this article) and assigning it the Malwarebox identifier MB-0009."
https://blog.synapticsystems.de/ghostshell-mb-0009-targeting-ukraines-uav-operations-and-defense-supply-chain/
https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/
Breaches/Hacks/Leaks
- KDDI Breach Affects Six Japanese ISPs, Exposes 14.2 Email Credentials
"Japanese telecommunications operator KDDI has confirmed it suffered a breach that has affected five other internet services providers (ISPs) and potentially exposed 14.2 customer email accounts. In a public statement released on June 23, KDDI Corporation said an unauthorized actor unlawfully gained access to an email system it provides to several Japanese ISPs, meaning that data linked to customers of these email services may have leaked. Specifically, KDDI said up to 14.22 million email addresses and passwords have likely been compromised."
https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/ - Indian Auto Giant Bajaj Auto Hit By Ransomware Incident
"India's automotive giant Bajaj Auto disclosed on Tuesday that it had been hit by a ransomware attack affecting its operations and a technology-focused subsidiary. The company said in a regulatory filing that it became aware of the incident on Tuesday morning and had taken precautionary measures to contain its impact. It added that its technical team and cybersecurity experts responded immediately and that mitigation efforts had so far been "successful.""
https://therecord.media/indian-auto-giant-bajaj-auto-hit-by-ransomware - German Rail Services Resume After Wireless Communications Outage
"Germany's state-owned rail operator Deutsche Bahn restored train services early Wednesday after a technical failure in its railway communications network brought rail traffic across the country to a standstill for roughly two hours overnight, disrupting both long-distance and regional services. The outage, which began late Tuesday, halted trains nationwide and also affected S-Bahn commuter services connecting major cities with surrounding suburbs. While services resumed Wednesday morning, Deutsche Bahn warned passengers to expect lingering delays and cancellations."
https://therecord.media/deutsche-bahn-railroad-gsmr-outage
General News
Security Is No Longer An IT Problem: Why Boards Must Rethink Cyber Resilience In The Age Of AI
"For years, organisations approached email security as a technology problem. Deploy a secure email gateway (SEG), add filtering tools, automate remediation workflows, and assume the problem was solved. That approach no longer works. Today’s attackers are using AI to create polymorphic phishing campaigns that continuously evolve to evade traditional detection systems. They rotate URLs, vary sender identities, change subject lines, and modify content at scale. The result is that many organisations are discovering that even sophisticated email security tools and Microsoft 365 protections cannot stand alone against modern threats."
https://cofense.com/blog/security-is-no-longer-an-it-problem-why-boards-must-rethink-cyber-resilience-in-the-age-of-ai- Scaling Cybercrime Disruption Through Innovation And AI
"Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis revealed they rely on the same infrastructure. This action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used."
https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame
https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/
https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft
https://cyberscoop.com/microsoft-amadey-stealc-takedown/
https://www.bankinfosecurity.com/infostealers-stealc-amadey-disrupted-in-police-crackdown-a-32062
https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/
https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/
https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/
https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html
https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/ - Trust No One: Automating MacOS Privilege Escalation At Scale
"A novel macOS privilege escalation technique allows standard user accounts to silently disable leading enterprise security products—including major Endpoint Detection and Response (EDR) and Mobile Device Management (MDM) solutions—without requiring administrator credentials, kernel exploits, or triggering security alerts. The attack exploits a fundamental flaw in how macOS XPC services establish trust boundaries by chaining CDHash kernel cache exploitation with NIB payload injection to impersonate trusted application components. Consequently, any non-root user can invoke arbitrary privileged XPC methods with zero authentication. This exposure exists widely across applications implementing inter-component XPC communication in the macOS ecosystem."
https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/
https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools
https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/ - Security Testing Was Built For a Slower World
"Software teams are pushing code into production faster than security testing can keep up. AI is accelerating development cycles and adding pressure to security programs that rely on periodic validation and manual penetration testing. The State of AI in Pentesting report from Aikido Security found that 76% of organizations have had to stop, restrict, or roll back AI-driven behavior in the past 12 months. Another 71% said AI or automation made a security issue harder to detect, investigate, or fix."
https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/ - How Threat Actors Are Using AI In Real Attacks: Cheaper, Faster, Harder To Spot
"AI is making familiar cyber attacks cheaper to build, faster to scale, easier to tailor, and harder to spot. Across the incidents and dark-web discussions in this report, threat actors used AI to improve what already works: phishing, social engineering, malicious code, identity fraud, and early post-compromise activity. The tradecraft is familiar, but the pace isn’t. We’ve tracked that shift for the past two years. In our 2024 AI-Powered Cybercrime report, we saw early signs of cybercriminal AI use, which consisted mostly of phishing email polish, basic LLM-generated scripts, and the emergence of malicious GPTs like “WormGPT” (now defunct) and “FraudGPT” on the dark web. By mid-2025, the picture had expanded to deepfake services, AI-assisted scripts, and a growing underground market for AI-enabled tools. Over the past year, the core uses have stayed largely the same, but AI has moved closer into the heart of the offensive workflow."
https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary
https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/ - Anthropic’s Mythos Model Found Vulnerabilities In Classified US Government Systems, Official Says
"A U.S. official told The Associated Press on Tuesday that one of Anthropic’s artificial intelligence models had identified vulnerabilities in highly sensitive and secure U.S. government computer systems during a testing exercise. The official, who spoke on the condition of anonymity to discuss the matter, said Anthropic had teamed up with U.S. intelligence agencies to conduct tests using the company’s Mythos model. It had identified certain vulnerabilities within hours, but that does not mean the model was able to exploit them within that time, the official said."
https://www.securityweek.com/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says/ - Agentic AI Security: Wrong Context, Wrong Decisions At Machine Speed
"Context is the central plank of AI in general, and agentic AI in particular. If an AI system doesn’t have the correct context, it cannot make the correct decisions. Security is moving toward reliance on the autonomous and automatic action of agentic AI. It has little choice. The increasing speed, volume and efficiency of attacks automated by adversarial use of both generative and agentic AI will only be matched by defensive AI with as little slow human intervention (the proverbial man-in-the-loop) as possible."
https://www.securityweek.com/agentic-ai-security-wrong-context-wrong-decisions-at-machine-speed/ - A Closer Look At Africa’s Evolving Cyberthreat Landscape
"The Africa region experiences an interesting mix of cyberattacks, threat actors, victims, and victim types. Ransomware and fraud are not the dominant threat types, and there aren’t many well-known names in the list of top threat actors. It’s not that the region has it easy—far from it—but Africa presents a different kind of threat landscape when we break down the numbers."
https://blog.barracuda.com/2026/06/23/africa-evolving-cyberthreat-landscape - OpenClaw’s Skill Marketplace And The Emerging AI Supply Chain Threat
"OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. Following its release, the ecosystem saw several malicious campaigns. Those early findings, published in February 2026, prompted ClawHub to integrate VirusTotal and ClawScan, enabling proactive screening of published skills and code-level analysis to block skills flagged as malicious from download."
https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain - DraftKings Hacker 'Snoopy' Sentenced To 18 Months In Prison
"A 21-year-old using the alias "Snoopy" was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack. In December 2025, the man, Nathan Austad of Minnesota, pleaded guilty to conspiracy to commit computer intrusion, admitting that he and co-conspirators compromised 60,000 DraftKings user accounts. During the attack, the hackers added payment methods under their control to 1,600 accounts and stole $600,000."
https://www.bleepingcomputer.com/news/security/draftkings-hacker-snoopy-sentenced-to-18-months-in-prison/
https://www.justice.gov/usao-sdny/pr/third-defendant-sentenced-prison-hacking-fantasy-sports-and-betting-website
https://www.securityweek.com/third-draftkings-hacker-sentenced-to-18-months-in-prison/ - Open-Source Security Is Posing Challenges Governments Can’t Easily Solve
"An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world. While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it."
https://cyberscoop.com/open-source-software-security-crisis/ - Exclusive: Meet AIVEX, a New Triage Model Built To Reduce Supply Chain Threat And Risk
"Remediation priority (vulnerability triaging) traditionally focuses on Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) statements provided with the software and supplemented by CVSS scores. That is not enough in today’s environment. SBOMs list the components within the software. They emanated from Executive Order 14028 designed to reduce supply chain attacks. VEX statements emerged soon afterward to indicate whether any known vulnerabilities are exploitable. The separate CVSS score is used as a severity indicator for vulnerability remediation priority. It’s not working – supply chain attacks continue."
https://www.securityweek.com/exclusive-meet-aivex-a-new-triage-model-built-to-reduce-supply-chain-threat-and-risk/ - Navigating The Threat Landscape Of The 2026 FIFA World Cup
"As the 2026 FIFA World Cup progresses, Flashpoint analysts continue to monitor a dynamic threat environment spanning physical security, civil unrest, cyber threats, and geopolitical developments. While analysts have not identified any credible indications of an imminent attack targeting tournament venues or participants, several notable developments have emerged since our previous assessment:"
https://flashpoint.io/blog/2026-fifa-world-cup-threat-landscape/
https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats - Do CISOs Need a Code Of Ethics?
"Dark Reading Confidential Episode 19: Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks its time for a CISO code of ethics to ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security."
https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics - When Information Becomes The Attack Surface – Understanding AI Agent Traps
"AI agents go beyond answering questions. They can autonomously browse websites, read emails, search company files, query software tools, and more. AI models producing incorrect answers is hardly a threat, until agents encounter information that’s maliciously designed to influence what it sees, believes, remembers, or executes. An agent leverages webpages, document stores, wikis, images, emails, or tools to produce intended outputs. But what happens when these sources mask malicious instructions?"
https://www.securityweek.com/when-information-becomes-the-attack-surface-understanding-ai-agent-traps/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Where IT Meets OT And Railway Cybersecurity Gets Harder
-
พบ Mistic RAT ถูกใช้เป็นช่องทางเข้าถึงองค์กร เสี่ยงนำไปสู่การโจมตีแรนซัมแวร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Tata Electronics ยืนยันถูกโจมตีทางไซเบอร์ หลังกลุ่ม World Leaks เผยแพร่ข้อมูลที่อ้างว่าขโมยจากบริษัทโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
LastPass ยืนยันเหตุข้อมูลลูกค้าส่วน CRM รั่วไหลจากการโจมตีซัพพลายเชนผ่านแพลตฟอร์ม Klueโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Apple แก้ช่องโหว่ Beats Studio Buds หลังพบความเสี่ยงถูกดักฟังผ่านไมโครโฟนโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Xsolis เปิดเผยเหตุข้อมูลรั่วไหล กระทบบุคคลเกือบ 1.4 ล้านราย หลังถูกโจมตีแบบ Phishingโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบการโจมตีผ่าน WhatsApp แฮกเกอร์ส่งไฟล์ VBScript ปลอมแปลงเป็นเอกสารธุรกิจเพื่อเข้าควบคุมระบบโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 4 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 23 มิถุนายน 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 4 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
- CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
- CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
- CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 10 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 10 รายการ เมื่อวันที่ 23 มิถุนายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
- ICSA-26-174-01 Siemens WinCC Certificate Manager
- ICSA-26-174-02 Siemens SIPROTEC 5
- ICSA-26-174-03 Siemens Products using OpenSSL
- ICSA-26-174-04 Siemens SINEC INS
- ICSA-26-174-05 ABB Freelance Security Lock
- ICSA-26-174-06 Impact of Linux Kernel vulnerabilities on B&R products
- ICSA-26-174-07 Hubbell Aclara Metrum Cellular Web Interface
- ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control (Update A)
- ICSA-24-345-06 Rockwell Automation Arena (Update C)
- ICSA-26-111-06 Zero Motorcycles Firmware (Update A)
อ้างอิง
-
ETDA Cyber Threat Intelligence 24 June 2026โพสต์ใน Cyber Security News
Vulnerabilities
- Cisco Unified CM Flaw CVE-2026-20230 Now Exploited In Attacks
"A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco."
https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/ - Security Vulnerabilities Endanger Connections Via Libssh2
"The open-source SSH library libssh2 is vulnerable. Attackers can exploit two security vulnerabilities to attack systems. In the worst case, malicious code can compromise computers. According to currently available information, the patch status is unclear. At the time of this report, there are no reports of attackers already exploiting the vulnerabilities. Companies use the library in sensitive areas of the network, for example, to remotely control routers and IoT devices and to manage servers. Consequently, successful attacks could have far-reaching consequences."
https://www.heise.de/en/news/Security-vulnerabilities-endanger-connections-via-libssh2-11339594.html - Eight-Year-Old Samsung KNOX Flaw Exposed Millions Of Galaxy Devices To Kernel Attacks
"Researchers found an eight-year old high severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25 living within the KNOX kernel. The flaw (CVE‑2026‑20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung."
https://www.securityweek.com/eight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-attacks/ - Vendor-Signed UEFI Applications Found Vulnerable To Secure Boot Bypass
"Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process."
https://kb.cert.org/vuls/id/457458
Malware
- “Free World Cup Stream” Sites Are Serving Scams, Not Football
"With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch. But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads."
https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football
https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/ - Phishing Through Collaboration: Outlook Groups As An Attack Path And The Usage Of CalPhishing
"Fortra Intelligence and Research Experts (FIRE) is tracking phishing activity that abuses Outlook Groups and Microsoft 365 collaboration features to make malicious activity appear routine. The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow. A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action."
https://www.fortra.com/blog/phishing-through-collaboration
https://www.helpnetsecurity.com/2026/06/23/microsoft-365-collaboration-features-phishing/ - From PostCSS Masquerading To Windows RAT
"The package name is not random. The legitimate postcss-selector-parser package is widely used across the JavaScript build ecosystem, with npm reporting more than 150M weekly downloads. postcss-minify-selector-parser is not a classic one-character typo. Instead, it sits close enough to the legitimate package to look plausible during a quick dependency review. It uses the same postcss, selector, parser, and css keyword space, and it also depends on the real postcss-selector-parser. At the time of this report, the package remained live and accessible."
https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/
https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
https://www.infosecurity-magazine.com/news/lookalike-npm-package-postcss/ - GTA 6 Early Access Is Nothing But a Scam
"A new wave of scam websites is offering something millions of people want: a way to play Grand Theft Auto VI before it comes out. “Get GTA 6 before everyone else.” “Buy VIP early access.” Pay a few hundred dollars in cryptocurrency, enter a payment code, and supposedly unlock the game. But it’s a scam."
https://www.malwarebytes.com/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam
https://www.infosecurity-magazine.com/news/gta-6-scams-emerge-as-preorders/
https://www.helpnetsecurity.com/2026/06/23/gta-6-early-access-scam/ - From Langflow To Monero: Inside CVE-2026-33017 Cryptominer
"This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments. The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."
https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html - Malware à La Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
"Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls."
https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain/ - Cordyceps: The Silent Parasite Consuming Your Supply Chain
"Novee identified a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain – command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. Our team scanned roughly 30,000 high-impact repositories, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. There are millions of repositories that are potentially affected by this same pattern."
https://novee.security/blog/cordyceps/
https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
https://hackread.com/cordyceps-ci-cd-flaw-microsoft-google-apache-repos-hijack/ - Inside The FortiBleed Open Directory: A Technical Analysis Of What The Attacker Left Behind
"CloudSEK’s threat intelligence team is tracking FortiBleed, an active, large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. Despite the name, FortiBleed is not a software vulnerability and is not linked to any newly disclosed Fortinet flaw or zero-day. It is the label given to a verified dataset of working device credentials that a threat group assembled through credential reuse, brute force, and offline hash cracking against exposed devices."
https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
https://www.helpnetsecurity.com/2026/06/23/fortibleed-investigation-remediation/ - Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
"Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution."
https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution
Breaches/Hacks/Leaks
- Xsolis Data Breach Affects 1.4 Million Individuals
"Healthcare technology company Xsolis, Inc. has disclosed a data breach affecting nearly 1.4 million individuals. Tennessee-based Xsolis provides utilization management and revenue cycle solutions for hospitals, health systems, and payers. The company published a data security notice in early June, revealing that unauthorized activity was detected on its systems on January 22. The intrusion resulted from a targeted phishing attack carried out two days earlier."
https://www.securityweek.com/xsolis-data-breach-affects-1-4-million-individuals/
https://www.bleepingcomputer.com/news/security/healthtech-firm-xolis-suffers-data-breach-impacting-14-million-people/
https://securityaffairs.com/194067/cyber-crime/xsolis-data-breach-impacts-1-4-million-people.html
https://www.bankinfosecurity.com/xsolis-hack-affecting-14m-raises-ai-vendor-risk-concerns-a-32051 - Tata Electronics Confirms Cyberattack As Hackers Leak Data
"Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. The company emphasizes that its operations continued to run normally and were not affected by the incident. "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems,” a Tata Electronics spokesperson told BleepingComputer."
https://www.bleepingcomputer.com/news/security/tata-electronics-confirms-cyberattack-as-hackers-leak-data/
https://therecord.media/tata-electronics-confirms-cyberattack - LastPass Confirms Data Breach In Klue Supply Chain Attack
"LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. The password management platform says its products, services, and infrastructure were not affected by the incident and that customer vaults remained secure. “On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says."
https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/
https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data
https://hackread.com/lastpass-customer-data-breach-klue-oauth-token/
General News
- Nearly Half Of LG Smart TV Apps Are Laced With Proxies
"Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, it's a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other people's internet traffic out through your living room. And we found it everywhere."
https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
https://www.helpnetsecurity.com/2026/06/23/tv-residential-proxy-sdk/ - Only 7% Of Companies Are Ready For The AI Agents They Deployed
"Most organizations now run or pilot AI agents that operate on company data with limited human direction at each step, a share that reaches 88% in Veeam Software’s Data and AI Trust Gap report. The systems that are supposed to keep an eye on them have not caught up. That gap is the heart of the report. Most executives say their data problems are already holding their AI back. The issues are familiar ones: data that is out of date, data that contradicts itself, and data locked away in systems that do not talk to each other. An agent acting on shaky data does more than make a single mistake. It can repeat that mistake across thousands of decisions before anyone notices."
https://www.helpnetsecurity.com/2026/06/23/ai-trust-gap-research/ - Daybreak: Tools For Securing Every Organization In The World
"We’re expanding Daybreak to help democratize patching vulnerable software at machine speed. For example, we’ve applied our models to discover and generate patches for critical vulnerabilities in major browsers, network infrastructure, and operating systems such as FreeBSD and the Linux kernel. To scale the impact of these capabilities:"
https://openai.com/index/daybreak-securing-the-world/
https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
https://www.infosecurity-magazine.com/news/openai-daybreak-gpt-5-5-cyber/
https://www.securityweek.com/openai-refocuses-cybersecurity-efforts-on-patching-over-discovery/
https://www.helpnetsecurity.com/2026/06/23/openai-expanded-daybreak-cybersecurity-initiative/ - Scattered Spider Teens Convicted Of TfL Cyber-Attack
"Two British youngsters who hacked Transport for London (TfL) in 2024 have pleaded guilty to their crimes, according to the National Crime Agency (NCA). Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were teenagers when they hacked London’s transport authority between August 31 and September 3 2024. Both are said to be members of the infamous Scattered Spider collective. The incident cost TfL £29m ($38m) in loss and recovery costs, according to the NCA. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset."
https://www.infosecurity-magazine.com/news/scattered-spider-teens-convicted/
https://therecord.media/guilty-plea-tfl-cyberattack-scattered-spider-members
https://www.bleepingcomputer.com/news/security/scattered-spider-members-plead-guilty-to-hacking-transport-for-london/
https://hackread.com/scattered-spider-hackers-guilty-tfl-cyberattack/
https://www.bankinfosecurity.com/2-british-men-plead-guilty-to-transport-for-london-hacks-a-32048 - Algerian Man Extradited To US For Running Cybercrime Marketplaces
"Abdellah Belmili, a 26-year-old Algerian national, was recently arrested in Spain and extradited to the United States, where he faces up to 30 years in prison for allegedly running two cybercrime marketplaces. According to the US Justice Department, Belmili, also known as Dila Belmili and Spox, was the administrator of a cybercrime marketplace called Market0Day between September and December 2020. Authorities said Spox was known for developing phishing kits targeting major American financial institutions."
https://www.securityweek.com/algerian-man-extradited-to-us-for-running-cybercrime-marketplaces/
https://cyberscoop.com/algerian-man-charged-cybercrime-marketplaces/ - He Thought He Was Secure; His Phone Number Got Stolen Anyway
"Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering."
https://www.darkreading.com/cyber-risk/how-a-sim-swap-attack-led-to-a-near-account-takeover - CISO Conversations: Carl Froggett – Combining CISO And CIO At Deep Instinct
"Carl Froggett combines CISO and CIO. He currently occupies both positions at Deep Instinct. Before then, he was CISO at Citi for almost 17 years. Froggett has long believed the two roles overlap, making a combined role attractive. But it doesn’t work for all companies. Citi has more than 200,000 employees. Deep Instinct has fewer than 200. Combining CISO and CIO would be too much for one person at Citi, but works well at Deep Instinct."
https://www.securityweek.com/ciso-conversations-carl-froggett-combining-ciso-and-cio-at-deep-instinct/ - Justice Department Seizes Backend Infrastructure Used By The Huione Group For Money Laundering Services
"Today, the Justice Department announced the seizure of a cloud computing account used by subsidiaries of the Huione Group, a Cambodia-based corporate conglomerate. These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected.The seized account hosted backend infrastructure for the subsidiaries."
https://www.justice.gov/opa/pr/justice-department-seizes-backend-infrastructure-used-huione-group-money-laundering-services
https://home.treasury.gov/news/press-releases/sb0538
https://therecord.media/feds-seize-alleged-cyber-scam-infrastructure-southeast-asia
https://cyberscoop.com/doj-huione-group-cybercrime-seizure/ - Using Reddit To Manipulate AI Search Results Is Surprisingly Easy
"A Reddit comment that takes only a few seconds to write can end up influencing the answers generated by AI research tools. A Cornell Tech study found that a short snippet of user-generated text, sometimes as little as 13 words, was enough to affect the output of deep-research agents, AI systems that search the web, gather information from multiple sources, and generate reports with citations. The risks of relying on community-generated content are already familiar to many internet users. Google’s AI Overviews famously recommended adding glue to pizza sauce after pulling information from an old joke Reddit post."
https://www.helpnetsecurity.com/2026/06/23/reddit-ai-search-poisoning-research/
https://arxiv.org/pdf/2605.24245 - Inside The Dark Web: Stolen Identities For 95¢, Malware, And Scams-For-Hire
"Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found. The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites."
https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95¢-malware-and-scams-for-hire - Software-Defined Warfare: Crossing The Chasm In Two Software Areas
"Software-defined warfare is today’s reality for national security, shifting the emphasis in military operations from hardware to software, “the core of every weapon and supporting system” fielded for defense. The Atlantic Council’s 2025 Commission on Software-Defined Warfare: Final Report defines software-defined warfare as the “continuous integration and delivery of cutting-edge technology and leading interoperable software into legacy and future defense systems.” The report emphasizes the need for speed through artificial intelligence (AI) by calling on national security organizations to “acquire and sustain unified, shared platforms that support and accelerate the end-to-end development, deployment, and governance of AI solutions.”"
https://www.sei.cmu.edu/blog/software-defined-warfare-crossing-the-chasm-in-two-software-areas/ - Fake AI Agent Skill Passed Security Scans And Reportedly Reached 26,000 Agents
"Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation."
https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Cisco Unified CM Flaw CVE-2026-20230 Now Exploited In Attacks
-
ETDA Cyber Threat Intelligence 23 June 2026โพสต์ใน Cyber Security News
New Tooling
- Agent Beacon: Open-Source Telemetry Layer For AI Agents
"AI coding agents such as Claude Code, Codex CLI, Cursor, and Claude Cowork run on developer laptops, CI jobs, cloud environments, where they edit files, run commands, and call outside tools. Beacon, an open-source project from Asymptote Labs, configures telemetry for those runtimes and writes a normalized record of what each agent does across local, CI, and cloud-agent surfaces."
https://www.helpnetsecurity.com/2026/06/22/agent-beacon-open-source-telemetry-layer-ai-agents/
https://github.com/Asymptote-Labs/agent-beacon/ - Sniff Out Stale AI Override Advice With This Open Source CLI
"The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement. One such tool is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available. The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident."
https://www.theregister.com/security/2026/06/23/sniff-out-stale-ai-override-advice-with-this-open-source-cli/5259853
https://owasp.org/cve-lite-cli/
Vulnerabilities
- PixelSmash – Critical FFmpeg Vulnerability Turns Media Files Into Weapons
"JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file."
https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/
https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/ - Squidbleed (CVE-2026-47729)
"Two weeks ago, we dropped an HTTP/2 bomb cooked up by Codex Cyber. This time, we sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration."
https://blog.calif.io/p/squidbleed-cve-2026-47729
https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html
https://www.securityweek.com/decades-old-squid-proxy-flaw-squidbleed-can-expose-user-data/ - DifyTap: Zafran Discovers How Attackers Can Silently Wiretap AI Data Across Tenants On a Platform Powering 1M+ Apps
"Zafran Security uncovered four vulnerabilities in Dify, the open-source AI platform powering over one million applications and used by enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another."
https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps
https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html - The Global Namespace Risk: Universal Bucket Hijacking Technique For Cloud Data Exfiltration
"We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well. Our research reveals that an attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket. Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This therefore creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker’s environment."
https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/
Malware
- A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software
"In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active."
https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/
https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html - Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation
"Dismantling FortiBleed investigates an active credential-harvesting operation identified by the SOCRadar Threat Research Unit (STRU). The report traces the campaign from large-scale reconnaissance and credential sourcing through initial access, passive sniffer deployment, offline hash cracking, and targeted exfiltration. STRU assesses the operator to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments in the Cyrillic alphabet pointing to a likely Russian origin. The investigation began with a single exposed directory flagged by researcher Volodymyr “Bob” Diachenko and expanded into more than 260 operation servers."
https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/
https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html - More Than 4,000 Legacy Routers Compromised By AryStinger, Turned Into Global Attack Proxies For Hackers
"On May 20, 2026, the Ministry of State Security's WeChat official account published an article "Your internet is slow, and the culprit turns out to be this!", highlighting that outdated routers are becoming a key entry point for threat actors to conduct cyber espionage. Inspired by this article, we feel it is imperative to take the compromise of old routers seriously. This article introduces an unusual attack campaign observed within QiAnXin XLab's field of view, specifically targeting router devices based on the RTL819X series chips. The mainstream active period of the RTL819X series chips was concentrated around 2012 to 2015. The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers, building reconnaissance and attack clusters for use in the pre-intrusion footprinting stage. (Note: The campaign disclosed in this article has no direct relationship to what the Ministry of State Security described.)"
https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html
https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
https://www.bankinfosecurity.com/arystinger-botnet-converts-legacy-routers-to-global-proxies-a-32045
https://www.malwarebytes.com/blog/news/2026/06/thousands-of-d-link-routers-under-control-of-arystinger-botnet
https://securityaffairs.com/193987/security/4300-outdated-routers-hijacked-in-stealthy-spy-infrastructure-by-arystinger-malware.html - Prinz Eugen Ransomware: a Deep Dive Into a New Go-Based Encryptor
"On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen. The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk. The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa."
https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/
https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/ - From Package To Postinstall Payload: Inside The Mastra Npm Supply Chain Compromise By Sapphire Sleet
"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026."
https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/
https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/ - Threat Hunting Beyond Alerts: Finding The Activity Detection Misses
"Threat hunting is meant to uncover malicious activity before it becomes an incident. In reality, it can easily turn into a long expedition through noisy logs, vague indicators, and detection rules that lack the context needed to separate real risk from routine activity. The issue is rarely the analyst’s skill. The real bottleneck is intelligence quality. A standalone IP address, domain, or hash may be useful for blocking, but it does not explain the campaign behind it, the behaviors it leaves on endpoints, or the infrastructure likely to appear next."
https://hackread.com/threat-hunting-alerts-finding-activity-detection-misses/ - Lost In Relocation: Analysis Of a New Loader Distributing CASTLESTEALER
"A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode. Elastic Security Labs identified OXLOADER in an active campaign targeting one of our customers; CIS-region and Russian-language exclusions point to a financially motivated, Russian-speaking threat actor. We have found no prior public reporting on this family."
https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html - Gizmodo Readers Hit With ClickFix Malware Prompts After Account Compromise
"Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals. According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose."
https://www.theregister.com/security/2026/06/22/gizmodo-readers-hit-with-clickfix-malware-prompts-after-account-compromise/5259226 - Analyzing SHEET#CREEP: SHEETCREEP Is Up Again With Different Config Obfuscation
"The Securonix Threat Research team has identified an ongoing espionage campaign, tracked as SHEETCREEP, where threat actors deliver a C# remote access trojan through a diplomatic-themed ISO phishing lure. Building upon the initial discovery and excellent research of the SHEETCREEP malware family by Zscaler’s ThreatLabz, we observed that the RAT abuses the Google Sheets API as its command-and-control (C2) channelauthenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication. Our team successfully extracted the embedded credentials, authenticated to the live C2 spreadsheet, and identified 91 active victim tabs including a high-confidence target located in Pakistan."
https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat - Ababil Of Minab Exposed: LA Metro SCADA Backups And Israeli Victim Data Left Open On An Iranian Staging Server
"Ababil of Minab is a pro-Iranian threat actor that surfaced in late March 2026, claiming destructive intrusions against targets in the United States, Israel, Saudi Arabia, and Turkey, including a confirmed breach of the Los Angeles County Metropolitan Transportation Authority. On May 26, 2026, Gambit Security published a technical report documenting SQL Server deletion, VM partition wipes, Veeam backup destruction, and file system damage across four victim environments, but deliberately withheld the identities of additional targets."
https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory
Breaches/Hacks/Leaks
- JaredFromSubway MEV Bot Hacked In $15 Million Crypto Theft
"The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts. According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system."
https://www.bleepingcomputer.com/news/security/jaredfromsubway-mev-bot-hacked-in-15-million-crypto-theft/ - Hundreds Of AI-Powered iOS Apps Found Exposing Credentials
"Mobile app developers are packing AI features into everything from writing assistants to productivity tools and lifestyle apps. New research shows that securing access to those services remains a challenge. Researchers from Wake Forest University analyzed 444 iOS applications with LLM features and found 282 that exposed exploitable credentials or backend access mechanisms. The affected apps covered 13 categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness. LLM-powered applications reached 17 billion downloads in 2025 and accounted for 13% of all mobile app downloads."
https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/
https://arxiv.org/pdf/2606.12212 - Suspected Cyberattack Triggers False Emergency Alerts Across Parts Of Brazil
"Brazil suspended its mobile phone emergency alert system after a suspected cyberattack triggered false warnings on phones across several states. The incident occurred early Saturday when at least a dozen unauthorized alerts were sent through Brazil's Civil Defense Alert system, a platform designed to warn residents about imminent threats such as floods, landslides and other natural disasters."
https://therecord.media/suspected-cyberattack-triggers-false-emergency-alerts-brazil
https://www.theregister.com/security/2026/06/22/brazil-begins-investigating-emergency-alert-system-breach/5259421 - Canadian Utility Fesses Up To Data Breach, But Key Details Remain Off-Grid
"A Canadian power utility says customer data may have walked out the door during a security incident, but isn't yet saying whether the intruders got anywhere near the systems responsible for keeping the lights on. London Hydro, which distributes electricity to more than 160,000 customers in and around London, Ontario, said on Saturday that it is investigating a data security incident that "may have impacted a portion of personal information on some accounts" and has started notifying affected customers."
https://www.theregister.com/security/2026/06/22/canadian-utility-fesses-up-to-data-breach-but-key-details-remain-off-grid/5259309
General News
- Who Pays When You Gate Cyber-Capable AI Models?
"In this interview with Help Net Security, Jaya Baloo, COO & CISO at Aisle, examines the debate over restricting access to cyber-capable AI models. She lays out the strongest argument for gating these tools, then explains where it breaks down for security teams who depend on the same capabilities for defense. Baloo argues that policymakers misread how attackers and defenders operate, that open-weight models cut both ways, and that limiting access can widen the gap between well-resourced organizations and everyone else."
https://www.helpnetsecurity.com/2026/06/22/jaya-baloo-aisle-gating-cyber-capable-ai-models/ - Encrypted DNS Still Tells An Eavesdropper Where To Look
"Encrypted DNS runs across much of the Internet. DNS over TLS, HTTPS, and QUIC keep the contents of a query away from anyone watching a network link. The encryption covers the message inside each packet. The packet still carries plaintext headers, and those values mark a flow as DNS. A new study measures this gap for the Internet of Things and offers a way to close part of it."
https://www.helpnetsecurity.com/2026/06/22/research-encrypted-dns-privacy/
https://arxiv.org/pdf/2606.10097 - What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
"The latest wave of breaches attributed to the ShinyHunters cybercrime collective (e.g., University of Nottingham, DentaQuest, 7-Eleven, Medtronic, and Wynn Resorts), reinforces a hard truth security leaders can no longer ignore: attackers are increasingly bypassing traditional perimeter defenses and targeting identities, authentication workflows, SaaS integrations, and trusted access paths instead of exploiting software vulnerabilities directly. Over the past several months, ShinyHunters has been linked to attacks involving Salesforce environments, Snowflake customers, SaaS integrations, and identity platforms such as Okta. Researchers and incident responders have consistently observed the same pattern: stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate access privileges."
https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/ - Stop Your Legacy Infrastructure From Hijacking Your AI Agents
"Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their enterprise applications, and 31% have already moved them into production workflows."
https://thehackernews.com/2026/06/stop-your-legacy-infrastructure-from.html - Canada’s Spy Agency Used First-Of-Its-Kind Warrant To Clean Botnet-Infected Devices
"Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks."
https://thehackernews.com/2026/06/canadas-spy-agency-used-first-of-its.html
https://www.fct-cf.ca/en/pages/media/news-bulletins/file-c-6-24 - Intel Agencies: Frontier AI Models Will Reshape Cybersecurity Faster Than Expected
"Intelligence agencies for the United States, Canada, UK, Australia and New Zealand are warning that advanced AI models capable of wreaking havoc in the cyber domain are “months away” from being publicly available. In a joint statement, the Five Eyes alliance say they expect the kind of advanced hacking capabilities provided by frontier models like Anthropic’s Fable 5 and OpenAI’s Daybreak to become broadly available the public within the year, despite efforts by AI companies to withhold them or restrict their access."
https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Agent Beacon: Open-Source Telemetry Layer For AI Agents
-
Google เพิ่มมาตรการยืนยันตัวตนนักพัฒนา Android ลดความเสี่ยงติดตั้งแอปอันตรายโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
