NCSA Webboard
    Posts created by NCSA_THAICERT

    • Urgent! Have you patched yet? WatchGuard releases an update fixing a serious vulnerability in Fireware OS

      ⚠️ ThaiCERT has been monitoring the cyber threat situation and found a security advisory from WatchGuard concerning CVE-2026-3342, an Out-of-bounds Write vulnerability in WatchGuard Fireware OS. It may allow an authenticated attacker with privileged administrator rights to use an exposed management interface to execute code with root privileges on affected devices, creating a high risk of device takeover or modification of the device's security configuration.

      1. Vulnerability details
        CVE-2026-3342 - Out-of-bounds Write in WatchGuard Fireware OS (CVSS v3.1: 7.2)
        This vulnerability is caused by writing data beyond the bounds of memory and may allow an authenticated administrator to execute arbitrary code with root permissions via an exposed management interface.

      2. Affected products

      • Fireware OS 11.9 to 11.12.4_Update1
      • Fireware OS 12.0 to 12.11.7
      • Fireware OS 2025.1 to 2026.1.1

      3. Remediation

      • Update to Fireware OS 2026.1.2
      • Update to Fireware OS 12.11.8
      • For Fireware OS 12.5.x (T15 & T35 models), update to 12.5.17
      • Fireware OS 11.x has been declared End of Life by the vendor; plan an upgrade or replacement as soon as possible.

      4. If you cannot update yet, take the following action
        There is no workaround for this vulnerability; apply the update as a matter of urgency.

      5. References

      • https://dg.th/m3bh0e9pfd
      • https://dg.th/ehtnqcjbpk


      Posted in Cyber Security News
      NCSA_THAICERT
    • Urgent! Vulnerability alert for Eclipse OpenMQ

      ⚠️ ThaiCERT has been monitoring the cyber threat situation and found a security advisory concerning CVE-2026-22886, which affects Eclipse OpenMQ. The issue is the use of default credentials in the TCP-based management service imqbrokerd, allowing an attacker who can reach the service's port to log in with the default administrator account admin/admin and take full control of the system's administrative functions.

      1. Vulnerability details
        CVE-2026-22886 - Use of Default Credentials / Default Password (CVSS v3.1: 9.8)
        This vulnerability arises because the system ships with a default administrator account and does not force a password change on first use, so the default password remains valid indefinitely. An attacker who can reach the imqbrokerd service port can authenticate as the administrator and take control of the broker's management functions.

      2. Affected products
        All versions of Eclipse OpenMQ

      3. Remediation

      • Change the default password of Eclipse OpenMQ
      4. Risk-reduction measures
      • Immediately check whether the imqbrokerd service is enabled
      • Disable the service if it is not needed
      • If it must be used, immediately change the default administrator password to a strong, unique password
      • Restrict access to the port to authorized administrators only

      5. References

      • https://dg.th/1vxqlprwea
      • https://dg.th/fsydbjm0rh


      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 09 March 2026

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q4 2025
        "In the last quarter of 2025, information security researchers published numerous interesting reports on attacks against industrial organizations. Most of them highlight the persistence of long-standing problems: untimely installation of security updates, including on internet-accessible systems; insecure provision of remote access to internal systems; the difficulty of monitoring the security of trusted partners and suppliers; the inability to guarantee 100% protection for traditional operating systems with their inherent information security issues (DLL hijacking, BYOVD, and malware); and the lack of staff preparedness to resist basic social engineering techniques."
        https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/

      New Tooling

      • Codex Security: Now In Research Preview
        "Today we’re introducing Codex Security, our application security agent. It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs."
        https://openai.com/index/codex-security-now-in-research-preview/
        https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html

      Vulnerabilities

      • Critical Nginx UI Flaw CVE-2026-27944 Exposes Server Backups
        "A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory. “This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.”"
        https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html
        https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
      • Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
        "Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors. The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems."
        https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

      Malware

      • InstallFix: How Attackers Are Weaponizing Malvertized Install Guides
        "There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system. But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions."
        https://pushsecurity.com/blog/installfix/
        https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/
      • Cyberattacks And Unpredictable Targeting Remain An Iran Risk
        "Cyberattacks launched by Iranian nation-state hackers in reprisal for what the United States has codenamed Operation Epic Fury so far have been evident mainly in their absence. Whether the regime's military or intelligence forces have the inclination or ability to launch such attacks isn't clear. The country continues to operate in a near-total internet blackout initiated for reasons unknown at the start of hostilities by the United States and Israel on Feb. 28, monitoring firm Netblocks reported early Friday."
        https://www.bankinfosecurity.com/cyberattacks-unpredictable-targeting-remain-iran-risk-a-30930
      • AI As Tradecraft: How Threat Actors Operationalize AI
        "Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. As enterprises integrate AI to improve efficiency and productivity, threat actors are adopting the same technologies as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations."
        https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/
        https://www.darkreading.com/threat-intelligence/north-korean-apts-ai-it-worker-scams
        https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/
        https://cyberscoop.com/microsoft-north-korea-ai-operations/
      • Fake CleanMyMac Site Installs SHub Stealer And Backdoors Crypto Wallets
        "A convincing fake version of the popular Mac utility CleanMyMac is tricking users into installing malware. The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
      • Middle East Conflict Fuels Opportunistic Cyber Attacks
        "Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings."
        https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks
      • Malware Brief: When The Supply Chain Becomes The Attack Surface
        "For a long time, defenders focused on hardening the perimeter: patch your systems, train your users, lock down your endpoints. But as supply-chain threats multiply, attackers are increasingly bypassing perimeter defenses and walking straight in through trusted software, services and dependencies. That’s what makes software supply‑chain attacks so effective. Instead of compromising one company at a time, threat actors target a single vendor, developer account or build system and let trust do the rest of the work for them."
        https://blog.barracuda.com/2026/03/05/malware-brief-supply-chain-attack-surface
      • VOID#GEIST: Stealthy Multi-Stage Python Loader With Embedded Runtime Deployment, Startup Persistence, And Fileless Early Bird APC Injection Into Explorer.exe
        "Securonix Threat Research analyzed a stealthy, multi-stage malware intrusion chain utilizing an obfuscated batch script (non.bat) to deliver multiple encrypted RAT shellcode payloads corresponding to XWorm, XenoRAT, and AsyncRAT. The script establishes persistence by deploying a secondary batch script (spol.bat) into the Windows Startup folder, stages a legitimate embedded Python runtime from python.org, and decrypts encrypted shellcode blobs (new.bin, pul.bin, xn.bin) at runtime using external XOR key material (a.json, p.json, n.json)."
        https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/
        https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
      • Microsoft Reveals ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer
        "Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command into it."
        https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
        https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html
        https://www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/
      • Mobile Spyware Campaign Impersonates Israel's Red Alert Rocket Warning System
        "Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments across the Middle East and abusing these events to deliver malware to individuals. During our investigation, TRU identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications, aimed at Israeli individuals."
        https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/
        https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
        https://hackread.com/hackers-fake-red-alert-rocket-alert-app-spy-israel-users/
      • An Investigation Into Years Of Undetected Operations Targeting High-Value Sectors
        "Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. Unit 42 is tracking this ongoing, previously undocumented activity as CL-UNK-1068. We designate the term UNK to clusters of activity whose affiliation with either nation-state or cybercrime activity we have not yet determined."
        https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
      • Dark Web Profile: APT41
        "APT41 stands out in the threat landscape because it doesn’t stick to a single playbook. It has been repeatedly linked to both cyber espionage and financially motivated cybercrime, sometimes running those missions side by side. That dual-track model, paired with exploit-driven access and long-dwell intrusions, makes APT41 a high-signal profile for defenders looking to understand how modern operations blend strategy, stealth, and scale."
        https://socradar.io/blog/dark-web-profile-apt41/
      • Iranian APT Infrastructure In Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
        "Tensions between the United States, Israel, and Iran have reached a critical point following a series of diplomatic breakdowns, which led to escalating military exchanges and proxy engagements across the Middle East. History has shown that when hostilities rise to this degree, cyber operations do not lag far behind kinetic activity. They precede it. These operations, whether infrastructure reconnaissance, pre-positioning, or network intrusion, are part of the operational groundwork of modern conflict. Disrupting communications and compromising critical systems can weaken response capabilities long before physical engagement begins. Iranian state-aligned actors have historically targeted energy, financial services, government networks, and defense-related organizations across the U.S., Israel, and allied regions."
        https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters
      • OCRFix Botnet Hides C2 In BNB Smart Chain Contracts
        "OCRFix is a three-stage botnet that stores its C2 URLs inside BNB Smart Chain testnet smart contracts. Each stage queries a contract via JSON-RPC at runtime to get the current C2 domain. To rotate infrastructure, the author updates the contract storage with a single blockchain transaction. Every infected machine follows on next check-in. No binary update required. Initial access is ClickFix -- a fake CAPTCHA that walks the victim through opening Windows Run and pasting a PowerShell command the page has placed in their clipboard."
        https://www.derp.ca/research/ocrfix-etherhiding-botnet/
      • Termite Ransomware Breaches Linked To ClickFix CastleRAT Attacks
        "Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days. Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years."
        https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/

      Breaches/Hacks/Leaks

      • Cognizant TriZetto Breach Exposes Health Data Of 3.4 Million Patients
        "TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts."
        https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
      • 2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks To Real-World Risk
        "When a private key leaks on GitHub or DockerHub, detecting it is easy. What's harder, sometimes impossible, is understanding its real-world impact. Unlike AWS keys or OpenAI tokens, which are tied to their respective service, a leaked private key is just a mathematical object without an obvious owner. Private keys are challenging to attribute at scale: they are used in many different contexts, ranging from SSH authentication to JWT signatures. When one leaks, where do you start assessing the impact? Among leaked private keys, those used in X.509 infrastructure are most critical. They authenticate web servers in HTTPS: a compromised key enables attackers to impersonate websites or intercept data. That's why GitGuardian partnered with Google's researchers to answer a deceptively simple question: what happens when private keys leak?"
        https://blog.gitguardian.com/certificates-exposed-a-google-gitguardian-study/
        https://hackread.com/certificates-fortune-500-gov-exposed-key-leaks/
      • Transport For London Says 2024 Breach Affected 7M Customers, Not 5,000
        "Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people – a far larger crowd than the few thousand customers originally warned that their details might be at risk. The BBC reported on Friday that the 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network."
        https://www.theregister.com/2026/03/06/tfl_2024_breach_numbers/

      General News

      • Cyberattack On Mexico's Gov't Agencies Highlight AI Threat
        "For any cyber-defender continuing to deny the impact of AI on attacker efficiency, welcome to Exhibit A. Over the past few months, a small group of hacktivists compromised the computers and networks of at least nine Mexican government agencies, stealing more than 195 million identities and tax records, along with vehicle registrations and more than 2.2 million property records, startup Gambit Security stated in a blog post this week that detailed the attack."
        https://www.darkreading.com/application-security/cyberattack-mexico-government-ai-threat
      • Backup Strategies Are Working, And Ransomware Gangs Are Responding With Data Theft
        "Business email compromise (BEC) and funds transfer fraud combined for 58% of all cyber insurance claims filed in 2025, according to data from Coalition covering more than 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany. BEC was the single most common claim type at 31%, with frequency rising 15% year over year to 0.47%. Average losses per BEC incident dropped 28% to $27,000, a decline attributed to faster detection and response by affected organizations."
        https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/
      • What Happens When AI Teams Compete Against Human Hackers
        "A cybersecurity competition produced what may be the largest controlled dataset comparing AI-augmented teams to human-only teams on professional-grade offensive security tasks. The event, called NeuroGrid, ran for 72 hours on the Hack The Box platform and drew 1,337 registered human-only teams and 156 registered AI-agent teams competing across 36 challenges in nine security domains at four difficulty levels. AI teams operated through Model Context Protocol with human oversight in the loop. The analysis covers 958 human teams and 120 AI-agent teams that each attempted at least one challenge."
        https://www.helpnetsecurity.com/2026/03/06/cybersecurity-competition-ai-vs-human-hackers/
      • Exploits And Vulnerabilities In Q4 2025
        "The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately. In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025."
        https://securelist.com/vulnerabilities-and-exploits-in-q4-2025/119105/
      • Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants
        "The name OpenClaw might not immediately be recognizable, partly because it has undergone several name changes, from Clawdbot to Moltbot, then finally to OpenClaw. Yet one thing is certain: This new digital assistant feels genuinely groundbreaking. It remembers past interactions, keeps data on the user’s device, and adapts to individual preferences, making it feel like a leap in capabilities reminiscent of the first ChatGPT release. At the same time, its development is not without caveats, as there have been media headlines that warn of its potential as a security nightmare."
        https://www.trendmicro.com/en_us/research/26/b/what-openclaw-reveals-about-agentic-assistants.html
      • AI Agents Now Help Attackers, Including North Korea, Manage Their Drudge Work
        "AI agents allow cybercriminals and nation-state hackers to outsource the "janitorial-type work" needed to plan and carry out cyberattacks, according to Sherrod DeGrippo, Microsoft's GM of global threat intelligence. North Korea is taking advantage. This includes tasks such as performing reconnaissance on compromised computers, and standing up and managing attack infrastructure - which may not sound as thrilling as plotting and carrying out digital intrusions, but are real-world criminal use cases for agentic AI that should make threat hunters sit up and take notice."
        https://www.theregister.com/2026/03/08/deploy_and_manage_attack_infrastructure/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 March 2026

      Vulnerabilities

      • Cisco Flags More SD-WAN Flaws As Actively Exploited In Attacks
        "Cisco has flagged two Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices. Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard. "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the company warned in an update to a February 25 advisory."
        https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/
        https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/
        https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/
      • User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation Via Membership Registration
        "The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration."
        https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-512-unauthenticated-privilege-escalation-via-membership-registration
        https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/
      • ContextCrush Flaw Exposes AI Development Tools To Attacks
        "A critical vulnerability affecting the Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants, has been disclosed by security researchers. The issue, dubbed ContextCrush, could allow attackers to inject malicious instructions into AI development tools through a trusted documentation channel. The flaw was discovered by Noma Labs researchers in the Context7 platform operated by Upstash. Context7 is used by developers to provide AI assistants such as Cursor, Claude Code and Windsurf with up-to-date library documentation directly inside integrated development environments."
        https://www.infosecurity-magazine.com/news/contextcrush-ai-development-tools/
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
        CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
        CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
        CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
        CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog

      Malware

      • UAT-9244 Targets South American Telecommunication Providers With Three New Malware Implants
        "UAT-9244 used dynamic-link library (DLL) side-loading to activate multiple stages of their infection chain. The actor executed “wsprint[.]exe”, a benign executable that loaded the malicious DLL-based loader “BugSplatRc64[.]dll”. The DLL reads a data file named “WSPrint[.]dll” from disk, decrypts its contents, and executes them in memory to activate TernDoor, the final payload. TernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as FamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor, another backdoor attributed to FamousSparrow. CrowDoor has also been observed in previous Tropic Trooper intrusions, indicating a close operational relationship with FamousSparrow."
        https://blog.talosintelligence.com/uat-9244/
        https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/

      • ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered Via Bincrypter-Based Loader
        "In early February 2026, Cyble Research & Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments."
        https://cyble.com/blog/clipxdaemon-autonomous-x11-clipboard-hijacker/

      • New BoryptGrab Stealer Targets Windows Users Via Deceptive GitHub Pages
        "We recently found the existence of a new stealer binary that collects browser and cryptocurrency wallet data, system information, and common files, among others. We designated this new stealer BoryptGrab. Certain variants of the stealer can download a PyInstaller backdoor, which we refer to as TunnesshClient. TunnesshClient establishes a reverse Secure Shell (SSH) tunnel to enable communication with the attacker."
        https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html

      • Bing AI Promoted Fake OpenClaw GitHub Repo Pushing Info-Stealing Malware
        "Fake OpenClaw installers hosted in GitHub repositories and promoted by Microsoft Bing’s AI-enhanced search feature instructed users to run commands that deployed information stealers and proxy malware. OpenClaw is an open-source AI agent that gained popularity as a personal assistant capable of executing tasks. It has access to local files and can integrate with email, messaging apps, and online services. Due to its widespread local access, threat actors saw an opportunity to collect sensitive information by publishing malicious skills (instruction files) on the tool's official registry and GitHub."
        https://www.bleepingcomputer.com/news/security/bing-ai-promoted-fake-openclaw-github-repo-pushing-info-stealing-malware/

      • Wikipedia Hit By Self-Propagating JavaScript Worm That Vandalized Pages
        "The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages. Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes."
        https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/

      • APT36: A Nightmare Of Vibeware
        "Pakistan-based threat actor APT36, also known as Transparent Tribe, has pivoted from off-the-shelf malware to "vibeware", an AI-driven development model that produces a high-volume, mediocre mass of implants. Using niche languages like Nim, Zig, and Crystal, the actor seeks to evade standard detection engines while leveraging trusted cloud services, including Slack, Discord, Supabase, and Google Sheets, for command and control."
        https://businessinsights.bitdefender.com/apt36-nightmare-vibeware
        https://www.darkreading.com/cyberattacks-data-breaches/nation-state-actor-ai-malware-assembly-line
        https://www.bankinfosecurity.com/nation-state-hackers-play-vibes-a-30920
        https://hackread.com/pakistan-apt36-indian-govt-networks-ai-vibeware/

      • Seedworm: Iranian APT On Networks Of U.S. Bank, Airport, Software Company
        "The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity."
        https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
        https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/

      • FBI Targeted With ‘suspicious’ Activity On Its Networks
        "The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details. “The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”"
        https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/

      • LIMINAL PANDA: China’s Emerging Espionage Threat In The Semiconductor And Technology Sectors
        "LIMINAL PANDA, a suspected China-nexus cyber-espionage actor, has recently emerged as an active player in the global threat landscape. The group began operating around 2020 and has focused its intelligence collection on a range of high-value targets in East Asia, Southeast Asia, and Western nations engaged in research and development of advanced technologies, including semiconductors, defense technologies, and telecommunications. While not a well-known actor (yet) like APT41 or Mustang Panda, LIMINAL PANDA shows an accelerating trajectory of evolution in capabilities, experimenting with the convergence of more traditional phishing criminal enterprises with sophisticated cloud exploitation and supply chain compromise."
        https://brandefense.io/blog/liminal-panda-apt-group/

      Breaches/Hacks/Leaks

      • New Jersey County Says Malware Attack Took Down Phone Lines, IT Systems
        "One of the largest counties in New Jersey is dealing with a cyberattack that disrupted the phone lines and IT systems used across government offices. Passaic County, home to nearly 600,000 people in Northern New Jersey, published a statement on Wednesday evening warning residents that it is aware of a “malware attack” affecting county IT systems and phone lines. “Our team is actively working with federal and state officials to investigate and contain the issue,” the county said."
        https://therecord.media/new-jersey-county-says-malware-attack-took-down-phones

      General News

      • Phobos Ransomware Admin Pleads Guilty To Wire Fraud Conspiracy
        "A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide. Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024. The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide."
        https://www.bleepingcomputer.com/news/security/phobos-ransomware-admin-pleads-guilty-to-wire-fraud-conspiracy/
        https://therecord.media/phobos-ransomware-leader-facing-20-years
        https://www.securityweek.com/russian-ransomware-operator-pleads-guilty-in-us/
        https://cyberscoop.com/phobos-ransomware-leader-guilty/
        https://securityaffairs.com/188984/security/phobos-ransomware-admin-faces-up-to-20-years-after-guilty-plea.html
      • LatAm Now Faces 2x More Cyberattacks Than US
        "Nowhere in the world has cyber threat activity been growing faster than in Latin America, thanks in part to relatively rapid digital adoption on the part of businesses in the region, combined with relatively stagnant cybersecurity growth. Last year, researchers at Check Point tracked a 53% year-over-year rise in weekly cyberattacks in Latin America, and as of 2026, they confirmed it to be the most heavily targeted region on the planet."
        https://www.darkreading.com/threat-intelligence/latam-2x-more-cyberattacks-us
      • That Attractive Online Ad Might Be a Malware Trap
        "Malware increasingly travels through the infrastructure that delivers online advertising. The Media Trust’s Global Report on Digital Trust, Ad Integrity, and the Protection of People describes a digital ad ecosystem where scam campaigns, malicious redirects, and malware delivery appear alongside marketing traffic. The financial impact of these threats continues to grow. Estimated consumer and business losses in the United States tied to malware, scams, and ad-borne fraud exceeded $12.5 billion in 2025. Exposure also remains widespread among internet users. Seven in ten adults reported encountering a digital scam or phishing attempt during the previous 12 months."
        https://www.helpnetsecurity.com/2026/03/05/the-media-trust-ad-malware-risks-report/
      • As AI Agents Start Making Purchases, Security Teams Must Rethink Risk
        "In this Help Net Security interview, Donald Kossmann, CTO at fintech company Chargebacks911, talks about the emerging security, fraud, and governance risks of “agentic commerce,” where AI agents can autonomously make purchasing decisions on behalf of users or organizations. He explains that as AI agents gain the ability to shop, negotiate prices, select suppliers, and execute transactions independently, traditional assumptions about digital commerce begin to break down."
        https://www.helpnetsecurity.com/2026/03/05/donald-kossmann-chargebacks911-agentic-commerce-security-risks/
      • Look What You Made Us Patch: 2025 Zero-Days In Review
        "Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels."
        https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review
        https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/
        https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors
        https://www.securityweek.com/google-half-of-2025s-90-exploited-zero-days-aimed-at-enterprises/
        https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/
      • 2026 Browser Data Reveals Major Enterprise Security Blind Spots
        "The 2026 State of Browser Security Report is now available, revealing how the browser has rapidly become the most critical and least protected control point in the enterprise. It also highlights 2025 as the tipping point when AI-native browsers shifted from experimental tools to mainstream business platforms. Over the past twelve months, the browser evolved from a gateway to SaaS into something far more powerful and far more complex. AI copilots became embedded directly into business applications. Standalone generative AI tools became daily work companions. And a new class of AI-enhanced browsers began reshaping how users search, summarize, write, code, and automate tasks."
        https://www.bleepingcomputer.com/news/security/2026-browser-data-reveals-major-enterprise-security-blind-spots/
      • 62 People Indicted By Taiwanese Prosecutors Over Ties To Cyber Scam Company Prince Group
        "Prosecutors in Taipei indicted 62 people and 13 companies for their involvement in cyber scam operations organized throughout Asia by the Prince Group. The Taipei District Prosecutors Office initiated its investigation in October after Chen Zhi, the founder of the Prince Group, was indicted by U.S. prosecutors on money laundering charges."
        https://therecord.media/62-indicted-taiwan-prince-group-scams
      • AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns
        "The risk of insider threats is on the rise and businesses are concerned about the cybersecurity implications of intentionally malicious or negligent employees, research by Mimecast has warned. According to the company’s State of Human Risk Report 2026, internal cybersecurity risk has grown across the board, to the extent that it should be treated as a “critical business threat.” In many cases, the additional insider risk is because of employees mishandling or actively abusing AI tools."
        https://www.infosecurity-magazine.com/news/ai-insider-risk-critical-business/

      Reference
      Electronic Transactions Development Agency (ETDA)

    • Drone attack on AWS data center in the Middle East disrupts cloud services on a wide scale


      Follow the latest news on the webboard or on the NCSA Thailand Facebook page.

    • Microsoft warns of a phishing campaign using OAuth Redirect to trick users and spread malware


    • CISA warns of a high-severity vulnerability in VMware Aria Operations, with exploitation in the wild already reported


    • Cyber Threat Intelligence 05 March 2026

      Industrial Sector

      • Cybersecurity Is Now The Price Of Admission For Industrial AI
        "Industrial organizations are accelerating AI deployment across manufacturing, utilities, and transportation and running straight into a security problem. Cisco’s 2026 State of Industrial AI Report, based on responses from more than 1,000 decision-makers across 19 countries, finds that cybersecurity has become the single largest obstacle to AI adoption, outranking skills gaps, integration challenges, and budget constraints. The shift is notable. In 2024, cybersecurity ranked third among external growth obstacles. By 2026, 40% of respondents cite it as a top barrier to AI adoption specifically, and 48% name it as their biggest networking challenge overall. The rise reflects the reality that connecting more assets and systems to support AI expands the attack surface in ways that traditional security approaches were not designed to handle."
        https://www.helpnetsecurity.com/2026/03/04/cisco-industrial-ai-cybersecurity/

      New Tooling

      • Mquire: Open-Source Linux Memory Forensics Tool
        "Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine. Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information."
        https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/
        https://github.com/trailofbits/mquire

      Vulnerabilities

      • Cisco Warns Of Max Severity Secure FMC Flaws Giving Root Access
        "Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection. Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices."
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2
        https://securityaffairs.com/188921/security/cisco-fixes-maximum-severity-secure-fmc-bugs-threatening-firewall-security.html
      • Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)
        "On today’s ‘good news disguised as other things’ segment, we’re turning our gaze to CVE-2026-21902 - a recently disclosed “Incorrect Permission Assignment for Critical Resource” vulnerability affecting Juniper’s Junos OS Evolved platform. This vulnerability affects only Juniper’s PTX Series of devices, apparently."
        https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/
        https://www.bankinfosecurity.com/juniper-ptx-routers-at-risk-critical-takeover-flaw-disclosed-a-30904
      • Mail2Shell – CVE-2026-28289: New Zero-Click RCE On FreeScout
        "A few days ago, we published research detailing a FreeScout vulnerability that allowed authenticated attackers to achieve full system compromise via RCE – originally reported by Offensive.sa. On the same day, we discovered a patch bypass that allowed us to reproduce the same RCE on newly updated servers, demonstrating how quickly incomplete fixes can be circumvented. During our deeper analysis, we escalated the attack chain further — converting it into a Zero‑Click RCE. By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without user interaction."
        https://www.ox.security/blog/freescout-rce-cve-2026-28289/
        https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/
        https://www.securityweek.com/critical-freescout-vulnerability-leads-to-full-server-compromise/
      • Over 1,200 IceWarp Servers Still Vulnerable To Unauthenticated RCE Flaw (CVE-2025-14500)
        "A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers. According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update."
        https://www.helpnetsecurity.com/2026/03/04/icewarp-rce-cve-2025-14500/

      Malware

      • Fake LastPass Support Email Threads Try To Steal Vault Passwords
        "Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts. The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address. The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”"
        https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/
        https://securityaffairs.com/188911/security/lastpass-warns-of-spoofed-alerts-aimed-at-stealing-master-passwords.html
        https://www.securityweek.com/lastpass-warns-of-new-phishing-campaign/
      • Hacker Mass-Mails HungerRush Extortion Emails To Restaurant Patrons
        "Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond. HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations. The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more."
        https://www.bleepingcomputer.com/news/security/hacker-mass-mails-hungerrush-extortion-emails-to-restaurant-patrons/
      • How a Brute Force Attack Unmasked a Ransomware Infrastructure Network
        "To most defenders, another brute-force alert on exposed RDP is background noise — bread-and-butter activity you triage and move past. For the Huntress Tactical Response Team, one of those “routine” alerts turned into something very different. As we pulled on a single successful login, we uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service that all pointed toward a ransomware-as-a-service ecosystem and its initial access brokers. This post walks through how a noisy brute-force campaign became our doorway into that operation."
        https://www.bleepingcomputer.com/news/security/how-a-brute-force-attack-unmasked-a-ransomware-infrastructure-network/
      • Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors
        "In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. Phishing emails directed users to download malicious executables masquerading as legitimate software. The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems."
        https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/
        https://hackread.com/fake-zoom-teams-invites-malware-certificates/
      • Telegram As The New Operational Layer Of Cyber Threat Activity
        "Telegram is no longer just a messaging application. It has evolved into a primary operational playground for modern threat actors. What underground forums on Tor once represented, Telegram now replicates — but faster, more scalable, and significantly more accessible. Over the past few years, elements of the cybercriminal ecosystem have progressively shifted away from traditional darknet marketplaces and closed forums toward Telegram’s hybrid architecture of public channels, private groups, and automated bots. The barriers that once required Tor access, reputation building, and escrow systems have been replaced with instant channel creation, subscription-based malware distribution, real-time broadcasting, and bot-enabled commerce."
        https://www.cyfirma.com/research/telegram-as-the-new-operational-layer-of-cyber-threat-activity/
        https://hackread.com/telegram-used-sell-access-malware-stolen-logs/
      • Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion
        "Since late February 2026, the Middle East has experienced unprecedented kinetic warfare. Following the collapse of nuclear negotiations and a period of internal Iranian instability, a massive, coordinated military campaign dubbed Operation Epic Fury by the United States, also known as Operation Roaring Lion in Israel, was launched on February 28, 2026. This military offensive, which resulted in the death of Iran’s supreme leader and the destruction of over 2,000 strategic targets, has acted as a primary catalyst for global hacktivist mobilization. As the physical conflict expands across many countries in the region, pro-Iranian and allied "axis of resistance" hacktivist groups have pivoted from baseline activity to aggressive, retaliatory distributed denial of service (DDoS) campaigns targeting government and financial infrastructure across the Middle East."
        https://www.radware.com/security/threat-advisories-and-attack-reports/ddos-activity-following-operation-epic-fury-roaring-lion/
        https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html
      • Malicious Packagist Packages Disguised As Laravel Utilities Deploy Encrypted RAT
        "Socket's Threat Research Team identified a remote access trojan (RAT) distributed across multiple Packagist (PHP) packages published by the threat actor nhattuanbl (nhattuanbl@gmail[.]com). Two packages, nhattuanbl/lara-helper and nhattuanbl/simple-queue, ship an identical payload in src/helper.php. A third package, nhattuanbl/lara-swagger, carries no malicious code itself but lists nhattuanbl/lara-helper as a hard Composer dependency, meaning that installing it pulls in the RAT automatically."
        https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities
        https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html
      • Interplay Between Iranian Targeting Of IP Cameras And Physical Warfare In The Middle East
        "As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors."
        https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
        https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/
      • “Malware, From The Outside!”: How a Threat Actor Used Fake OpenClaw Installers To Infect Systems With GhostSocks And Information Stealers
        "Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer."
        https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer
        https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/

      General News

      • United States Leads Dismantlement Of One Of The World’s Largest Hacker Forums
        "The Department of Justice announced today the seizure of the LeakBase database, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. According to an affidavit unsealed on March 3, the LeakBase forum had over 142,000 members and more than 215,000 messages between members. Available on the open web and in English, the forum had an enormous and continuously updated archive of hacked databases including many from high profile attacks, including hundreds of millions of account credentials."
        https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
        https://www.bleepingcomputer.com/news/security/fbi-seizes-leakbase-cybercrime-forum-data-of-142-000-members/
        https://therecord.media/leakbase-cybercrime-fbi-europe-takedown
        https://cyberscoop.com/leakbase-cybercrime-forum-seized/
      • Global Phishing-As-a-Service Platform Taken Down In Coordinated Public-Private Action
        "A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers."
        https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action
        https://www.trendmicro.com/en_us/research/26/c/tycoon2fa-takedown.html
        https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas
        https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/
        https://cyberscoop.com/tycoon-2fa-phishing-kit-takedown-microsoft/
        https://www.infosecurity-magazine.com/news/global-takedown-tycoon2fa-phishing/
        https://www.securityweek.com/tycoon-2fa-phishing-platform-dismantled-in-global-takedown/
      • The Whitelist Illusion – When Your Trusted List Becomes a Billion Dollar Attack Path
        "When a bank or institution holds significant digital assets on a public blockchain, something unique happens: every aspect of their security posture becomes visible to attackers. On-chain balances are public. Transaction patterns are traceable. The addresses you interact with, your whitelist, are not a secret. They are broadcast to the entire world with every transaction. For professional threat groups, particularly state-sponsored actors like North Korea’s Lazarus Group (responsible for over $2B in crypto theft since 2017), this transparency is a gift. They don’t need to guess your security architecture. They can map it."
        https://blog.checkpoint.com/crypto/the-whitelist-illusion-when-your-trusted-list-becomes-a-billion-dollar-attack-path/
      • The Most Common Swap Scams In 2026, And How To Avoid Them
        "Crypto swaps are fast and permissionless, which is exactly why scammers love them. Before you hit “Swap,” decide where you’ll execute: a DEX router you trust (Uniswap, 1inch) or a centralized venue where you can sanity-check tickers, fees, and withdrawals (Binance, Kraken, Coinbase). A simple way to cut risk is by reducing unknown interfaces and “too-good-to-be-true” rate widgets. If you’re comparing venues, using a low fee crypto exchange can help you avoid hidden costs scammers often mask with wide spreads or fake fee breakdowns, especially if you stick to well-known brands and consistent workflows."
        https://hackread.com/common-swap-scams-2026-how-to-avoid/
      • Cybersecurity Professionals Are Burning Out On Extra Hours Every Week
        "Cybersecurity professionals in the U.S. are working an average of 10.8 extra hours per week beyond their contracted schedules, according to survey data collected from 300 cybersecurity and IT leaders by Sapio Research. That figure effectively adds a sixth working day to the standard week for a large portion of the field. Nearly half of respondents reported working 11 or more overtime hours weekly, and one in five logged more than 16 additional hours. The psychological strain is measurable. Nearly half of respondents said their job feels emotionally exhausting more often than it feels rewarding, a sentiment most pronounced among C-level executives. A significant share said they are unable to take time off without returning to a significant backlog of stress, and roughly a third reported weekly anticipatory anxiety about the upcoming work week."
        https://www.helpnetsecurity.com/2026/03/04/ciso-cybersecurity-workforce-burnout/
      • Why Workforce Identity Is Still a Vulnerability, And What To Do About It
        "Most organizations believe they have workforce identity under control. New hires are verified. Accounts are provisioned. Multi-factor authentication is enforced. Audits are passed. Then a breach happens, often through an account that was “properly secured.” But the problem can be traced back to the fact that identity verification, provisioning, authentication, and recovery operate as separate events, not a continuous system of trust. When trust breaks between those checkpoints, attackers don’t need to defeat strong authentication. They simply walk around it."
        https://www.helpnetsecurity.com/2026/03/04/workforce-identity-assurance/
      • Mobile Malware Evolution In 2025
        "Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged. To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article."
        https://securelist.com/mobile-threat-report-2025/119076/
      • Automate Or Orchestrate? Implementing a Streamlined Remediation Program To Shorten MTTR
        "Almost all security teams want to reduce their Mean Time to Remediate (MTTR). And for good reason: research from 2024 found that it takes an average of 4.5 months to remediate critical vulnerabilities. The problem is that most organizations are going about it all wrong. Their approaches lack nuance: some teams respond to every exposure with a fire drill, others with a simple patch. Neither approach really works."
        https://securityaffairs.com/188917/security/automate-or-orchestrate-implementing-a-streamlined-remediation-program-to-shorten-mttr.html
      • Threat Spotlight: The Business Risks Of Pirate Software
        "Over the last month, Barracuda’s SOC tools and analysts have detected multiple instances of users trying to download and activate pirate or cracked versions of software and unauthorized installers onto corporate endpoints. Pirate and cracked software are traditionally associated with gaming — players looking for free upgrades, enhancements or special hacks. Pirate software refers to programs that have been illegally copied, while cracked software refers to programs that have been modified to bypass licensing or protection mechanisms designed to prevent piracy."
        https://blog.barracuda.com/2026/03/04/threat-spotlight-business-risks-pirate-software
        https://www.securityweek.com/how-pirated-software-turns-helpful-employees-into-malware-delivery-agents/
      • The Five Pillars Of Software Assurance In System Acquisition
        "Today’s systems are increasingly software-intensive and complex with a growing reliance on third-party technology. Through software reuse, systems can be assembled faster with less development cost. Traditionally, systems were primarily hardware-driven, and operational risks were primarily linked to reliability. Now systems are largely software-based. They do not wear out like hardware, so critical risks are different. Software components almost without exception contain vulnerabilities that are difficult to manage directly. Inheritance of these vulnerabilities through the supply chain, as more software is acquired, increases the management challenges and magnifies the risk of potential compromise. In addition, we have seen situations where suppliers unintentionally become propagators of malware and ransomware (e.g., SolarWinds) through features that provide automatic updates. Attacks on the software supply chain (e.g., Shai-Hulud, a self-replicating worm) are increasingly frequent and devastating."
        https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • 🚨 AI tool "CyberStrikeAI" observed being used to attack FortiGate devices 🚨

      The Thailand Computer Emergency Response Team (ThaiCERT) has been monitoring the cyber security situation. Researchers at Team Cymru have observed threat actors using an open-source AI tool named "CyberStrikeAI" to scan and attack Fortinet FortiGate network devices automatically.
      CyberStrikeAI is an offensive security tool (OST) written by a developer using the alias Ed1s0nZ. It combines generative AI models (such as Claude and DeepSeek) with more than 100 security tools, which lets it:
      • scan networks for vulnerabilities automatically and quickly;
      • perform attack-chain analysis to find the weakest point of entry;
      • process the collected data and visualise the results to plan the next stage of the attack.
      The same developer account also publishes other malicious tooling, such as ransomware written in Go and jailbreak tools for bypassing the safety measures of leading AI models.
      Recommendations for organisations and network administrators
      To prevent and reduce the risk of AI-assisted attacks, organisations should consider the following as a matter of urgency:

      1. Firmware update: inventory the FortiGate devices in the organisation and install the latest security patches immediately.
      2. Log monitoring: review logs closely, paying particular attention to connections from suspicious IP addresses.
      3. Access control: block access to the management portal from the public Internet; if remote access is required, allow it only through an encrypted, secured VPN.
      4. Multi-factor authentication: require every administrator to authenticate with MFA before reaching critical systems.

      AI is no longer confined to the defensive side; it is also being applied to amplify cyber attacks. Organisations should therefore raise their security measures and keep monitoring for new forms of threat.

      🔗 Reference: https://dg.th/0tv6njgql3
      #CyberSecurity #CyberStrikeAI #FortiGate #CyberThreatAlert #AIThreats #ITSecurity

      Posted in Cyber Security News by NCSA_THAICERT
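      Recommendation 2 above (log monitoring) in practice, as an added example that is not part of the original post and not tooling from Fortinet or Team Cymru: the script below parses FortiGate-style key=value event logs and flags the traces an automated attack tool leaves behind, namely a password-guessing burst, a login from outside the trusted management network, and a success that follows a run of failures. The log lines are constructed for this example and the trusted network (`10.20.0.0/24`) is a placeholder; both are assumptions.

```python
"""Triage FortiGate administrator-login events for automated-attack patterns.

Added example, not code from the post, from Team Cymru or from Fortinet.
Assumptions (hypothetical): the log lines are constructed in the key=value
style of FortiGate event logs; TRUSTED_MGMT_NETS is a placeholder range.
"""
import ipaddress
import re
from collections import defaultdict

# key=value pairs; a value is either double-quoted (group 3) or bare (group 2).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample: five failed "admin" logins from an Internet address,
# a success from the same address, then a routine SSH login from inside.
_FAIL = ('date=2026-03-04 time=09:12:{:02d} devname="fw-edge" logid="0100032002" '
         'type="event" subtype="system" level="alert" logdesc="Admin login failed" '
         'user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 '
         'action="login" status="failed" reason="passwd_invalid"')
SAMPLE_LOGS = [_FAIL.format(s) for s in (1, 3, 5, 6, 8)] + [
    'date=2026-03-04 time=09:15:40 devname="fw-edge" logid="0100032001" '
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 '
    'action="login" status="success"',
    'date=2026-03-04 time=10:02:11 devname="fw-edge" logid="0100032001" '
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="netops" ui="ssh(10.20.0.5)" method="ssh" srcip=10.20.0.5 '
    'action="login" status="success"',
]

# Assumption: the jump-host network allowed to reach the management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_event(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def is_trusted(ip, nets):
    """True when ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed srcip: treat as untrusted
    return any(addr in net for net in nets)


def triage(lines, trusted_nets=TRUSTED_MGMT_NETS, burst_threshold=5):
    """Return findings in log order; each finding is a dict with a 'rule' key."""
    findings = []
    failures = defaultdict(int)  # failed logins per source address
    untrusted_seen = set()       # sources already reported as reaching mgmt
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "event" or ev.get("action") != "login":
            continue
        src = ev.get("srcip", "")
        user = ev.get("user", "?")
        if not is_trusted(src, trusted_nets) and src not in untrusted_seen:
            # Any login attempt from outside the trusted ranges proves the
            # management interface is reachable from there (recommendation 3).
            untrusted_seen.add(src)
            findings.append({"rule": "mgmt_reachable_from_untrusted",
                             "srcip": src, "ui": ev.get("ui")})
        if ev.get("status") == "failed":
            failures[src] += 1
            if failures[src] == burst_threshold:
                findings.append({"rule": "password_guessing", "srcip": src,
                                 "user": user, "count": failures[src]})
        elif ev.get("status") == "success":
            if not is_trusted(src, trusted_nets):
                findings.append({"rule": "admin_login_success_untrusted",
                                 "srcip": src, "user": user,
                                 "method": ev.get("method")})
            if failures[src]:
                findings.append({"rule": "success_after_failures",
                                 "srcip": src, "user": user,
                                 "prior_failures": failures[src]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

      Feed it the device's forwarded syslog instead of `SAMPLE_LOGS`; the `mgmt_reachable_from_untrusted` rule fires on the very first attempt, successful or not, because the point of recommendation 3 is that such an attempt should be impossible.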
    • 🚨 Urgent! OAuth redirect abuse used for phishing and malware delivery

      The Thailand Computer Emergency Response Team (ThaiCERT) has been monitoring the cyber threat landscape and has noted reports of OAuth redirect abuse being used for phishing and malware delivery. Users are tricked into clicking a link and are forwarded to an attacker-controlled website, where they may be lured into downloading a malicious file or have their computer infected with malware.

      1. Details of the issue
        • The campaign abuses the redirect mechanism of OAuth. The attacker crafts an OAuth authorization link with abnormal or invalid parameters, so that the identity provider's authentication flow drops into its error handling and redirects the user to a website under the attacker's control.

      Because the link's domain belongs to a trusted identity provider, users may assume it is safe, and some anti-phishing controls may not flag it.

      2. Attack behaviour
        • The attacker builds OAuth links with faulty parameters (for example an invalid scope, or prompt=none), which makes the provider's OAuth service, such as Microsoft Entra ID or Google Workspace, redirect where the attacker intends.
        • The links are delivered by phishing e-mail styled as genuine organisational messages, such as e-signature notices, meeting invitations or password-reset requests; the link may sit directly in the message body or be hidden inside a PDF attachment.
        • The landing page offers a ZIP file containing malware; opening it runs a PowerShell command that downloads and installs the malicious payload.

      The campaign has been observed targeting government organisations, using this technique to bypass common anti-phishing controls in e-mail and web browsers with URLs that look legitimate because they come from a trusted provider.

      3. Prevention and mitigation
        • Review and control which OAuth applications are granted access to accounts
        • Remove unnecessary apps and apps with more permissions than they need
        • Apply defensive controls such as cloud e-mail security, identity protection, conditional access policies and cross-domain activity monitoring across e-mail, identity systems and endpoints

      4. References
        • https://dg.th/3ktm176h9j

      Posted in Cyber Security News by NCSA_THAICERT
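      A way to triage links of the kind described above, as an added example that is not part of the original post and not code from Microsoft or Google: the script extracts URLs from an e-mail body and, for every link hosted on an identity provider's authorization endpoint, checks whether the `redirect_uri` (the place the provider sends the error response) belongs to one of the organisation's own apps, whether `prompt=none` was requested so no consent screen interrupts the hop, and whether the `scope` contains characters that guarantee an error. The provider hosts, the redirect allow-list (`portal.example.org`, `sso.example.org`), the sample link and the e-mail body are all constructed assumptions.

```python
"""Triage OAuth authorization links that steer an error redirect to a
redirect_uri the organisation does not own.

Added example, not code from the post or from Microsoft/Google.
Assumptions (hypothetical): IDP_HOSTS, ALLOWED_REDIRECT_HOSTS, the sample
link and SAMPLE_EMAIL are all constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Authorization-endpoint hosts this triage treats as identity providers.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Assumption: hosts where the organisation's own registered apps receive
# OAuth responses; any other redirect_uri belongs to someone else's app.
ALLOWED_REDIRECT_HOSTS = {"portal.example.org", "sso.example.org"}
# RFC 6749 section 3.3 scope-token characters: %x21 / %x23-5B / %x5D-7E
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def analyze_oauth_link(url, allowed_redirect_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return {'idp', 'redirect_host', 'findings'} for one link, or None when
    the link is not hosted on a recognised identity provider."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IDP_HOSTS:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    redirect_host = (urlsplit(q.get("redirect_uri", "")).hostname or "").lower()
    if redirect_host and redirect_host not in allowed_redirect_hosts:
        # The provider delivers the (error) response to redirect_uri, so a
        # host outside our allow-list is the attacker's landing site.
        findings.append("redirect_uri_outside_allowlist")
    if q.get("prompt") == "none":
        # Silent flow: no login or consent prompt, the hop is instantaneous.
        findings.append("prompt_none_silent_flow")
    scope = q.get("scope", "")
    if scope and not all(SCOPE_TOKEN_RE.match(t) for t in scope.split(" ")):
        # Characters outside the RFC 6749 scope charset guarantee an error
        # response. A well-formed but unknown scope can only be judged
        # against the app registration, which this script does not have.
        findings.append("malformed_scope")
    return {"idp": host, "redirect_host": redirect_host, "findings": findings}


def triage_email_body(text, allowed_redirect_hosts=ALLOWED_REDIRECT_HOSTS):
    """Extract every link in an e-mail body and return triage results for the
    ones hosted on an identity provider, in order of appearance."""
    results = []
    for url in URL_RE.findall(text):
        result = analyze_oauth_link(url, allowed_redirect_hosts)
        if result is not None:
            result["url"] = url
            results.append(result)
    return results


# Constructed sample e-mail: an e-signature lure carrying an abusive link
# next to a harmless link to the organisation's own site.
SAMPLE_EMAIL = """\
You have a document awaiting signature. Review it here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fcb&scope=%22invalid%22&prompt=none&state=x
Questions? Visit https://portal.example.org/help
"""

if __name__ == "__main__":
    for result in triage_email_body(SAMPLE_EMAIL):
        print(result)
```

      Only the `redirect_uri` check tells you where the user will land; `prompt=none` and a malformed `scope` are the tells that the link was built to fail fast rather than to sign anyone in. Populate the allow-list from your own app registrations, since a legitimate third-party SaaS login will otherwise be flagged too.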
    • CISA adds two exploited vulnerabilities to its catalog

      On 3 March 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
      • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability

      Reference
      https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
      Follow further updates on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA publishes nine Industrial Control Systems (ICS) advisories

      On 3 March 2026 the Cybersecurity and Infrastructure Security Agency (CISA) released nine advisories on industrial control systems (ICS), providing timely information about security issues, vulnerabilities and exploits affecting ICS:

      • ICSA-26-062-01 Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet Module
      • ICSA-26-062-02 Hitachi Energy Relion REB500
      • ICSA-26-062-03 Hitachi Energy RTU500 Product
      • ICSA-26-062-04 Portwell Engineering Toolkits
      • ICSA-26-062-05 Labkotec LID-3300IP
      • ICSA-26-062-06 Mobiliti e-mobi.hu
      • ICSA-26-062-07 ePower epower.ie
      • ICSA-26-062-08 Everon api.everon.io
      • ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update B)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories
      Follow further updates on the webboard or the NCSA Thailand Facebook page.

      Posted in OT Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 04 March 2026

      Healthcare Sector

      • Healthcare Organizations Are Accepting Cyber Risk To Cut Costs
        "Healthcare organizations are cutting cybersecurity budgets under financial pressure even as the threats targeting their systems intensify. A PwC survey of 381 global healthcare executives, conducted between May and July 2025, puts numbers to the gap between the risks the sector faces and the controls it has in place. Data protection ranks as the single biggest driver of cybersecurity spending in the sector, yet only 35% of healthcare organizations have implemented data risk controls across the entire data life cycle. The global average across all sectors is 44%."
        https://www.helpnetsecurity.com/2026/03/03/pwc-healthcare-cybersecurity-threats-2026/

      Industrial Sector

      • Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
        "The Honeywell IQ4 (Trend IQ4) is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACnet over IP, and can expand up to 192 I/O points depending on the model, making them suitable for a wide range of plant-control applications. They offer multiple communication ports (Ethernet, USB, RS232, Wallbus), optional Trend current-loop networking, and seamless compatibility with other Trend IQ controllers - enabling unified, energy-efficient building automation across devices."
        https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5979.php
        https://www.securityweek.com/honeywell-researcher-clash-over-impact-of-building-controller-vulnerability/

      Vulnerabilities

      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
        CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/
      • Zenity Labs Discloses PleaseFix Vulnerability Family In Perplexity Comet And Other Agentic Browsers
        "Zenity Labs today disclosed PleaseFix, a family of critical vulnerabilities affecting agentic browsers, including Perplexity Comet, that allow attackers to silently hijack AI agents, access local files and steal credentials within authenticated user sessions. The vulnerabilities can be triggered through malicious content embedded in routine workflows, enabling unauthorized actions without user awareness. The disclosure includes PerplexedBrowser, a subfamily of vulnerabilities in the Perplexity Comet browser that consists of two distinct exploit paths."
        https://zenity.io/company-overview/newsroom/company-news/zenity-labs-discloses-pleasefix-perplexedagent-vulnerability
        https://cyberscoop.com/agentic-ai-browsers-allow-hijacking-zenity-labs-comet/
        https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_invite/
      • New ‘AirSnitch’ Attack Shows Wi-Fi Client Isolation Could Be a False Sense Of Security
        "Researchers from UC Riverside developed attacks able to bypass client isolation in Wi-Fi networks used at home, at work, in airports, and in coffee shops. Four computer scientists from Riverside, and one from KU Leuven (Belgium) found that every router and network they tested was vulnerable to at least one attack. Their findings are detailed in a paper (AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks) presented at the NDSS Symposium 2026."
        https://www.securityweek.com/new-airsnitch-attack-shows-wi-fi-client-isolation-could-be-a-false-sense-of-security/
        https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf
      • CVE-2026-2256: From AI Prompt To Full System Compromise
        "AI agents are amazing coworkers. They read logs at 3 a.m., automate boring tasks, and never complain about documentation. Unfortunately, they also share one small flaw: when given too much autonomy, they can become exceptionally obedient — including obedient to attacker-controlled input. This research demonstrates how an MS-Agent, while simply doing what it was designed to do, can be quietly manipulated into executing arbitrary system commands and compromising its own host."
        https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326
        https://www.securityweek.com/vulnerability-in-ms-agent-ai-framework-can-allow-full-system-compromise/

      Malware

      • Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw And MeowMeow
        "ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two novel malware strains, BadPaw and MeowMeow. The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor."
        https://www.clearskysec.com/russian-campaign-targeting-ukraine-badpaw-and-meowmeow/
      • Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments In Asia And Europe
        "Check Point Research has identified and tracked a cyber espionage campaign targeting government organizations across Southeast Asia and parts of Europe. We designate this activity cluster as Silver Dragon, which has been active since at least mid-2024. The campaign combines server exploitation, phishing, custom malware, and cloud-based command infrastructure to establish long-term access in targeted environments. Based on multiple converging indicators, Check Point Research assesses with high confidence that Silver Dragon is a China nexus threat actor, likely operating within the umbrella of APT41."
        https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/
      • Coruna: The Mysterious Journey Of a Powerful iOS Exploit Kit
        "Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses."
        https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
        https://iverify.io/press-releases/first-known-mass-ios-attack
        https://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/
        https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/
      • Middle East On The Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict
        "The geopolitical landscape of the Middle East has entered one of its most volatile phases in decades. On February 28, 2026, tensions that had been simmering for years erupted into a full‑blown conflict involving the Islamic Republic of Iran, the United States, and Israel. A confluence of diplomatic stalemate, military posturing, and covert cyber preparations set the stage for what would evolve from a localized confrontation into an expansive, multi‑domain campaign."
        https://cyble.com/blog/middle-east-iran-us-israel-hybrid-conflict/
      • Abusing .arpa: The TLD That Isn’t Supposed To Host Anything
        "Phishing email campaigns are so common that it takes something fundamentally different to stand out. We recently found campaigns using a novel, previously unreported method to get around security controls. Actors are abusing the .arpa top-level domain (TLD), in conjunction with IPv6 tunnels, to host phishing content on domains that should not resolve to an IP address. Unlike familiar TLDs like .com and .net, that are used for domains that host web content, the .arpa TLD has a special role in the domain name system (DNS): it’s primarily used to map IP addresses to domains, providing reverse records. Threat actors have discovered a feature in the DNS record management control of certain providers, which allows them to add IP address records for .arpa domains. From there, they can do whatever they like at the hosting provider. It’s a pretty clever trick."
        https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/
        https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/
      • RedAlert Trojan Campaign: Fake Emergency Alert App Spread Via SMS Spoofing Israeli Home Front Command
        "CloudSEK has uncovered a malicious SMS spoofing campaign spreading a fake version of Israel’s “Red Alert” emergency app amid the ongoing conflict. Disguised as a trusted warning platform, the trojanized Android app can steal SMS, contacts, and location data while appearing legitimate. The report highlights how cybercriminals are weaponising public fear during crises to deploy mobile spyware with serious security and real-world implications."
        https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command
        https://www.infosecurity-magazine.com/news/redalert-israel-spyware-campaign/
      • Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
        "Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack. The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline."
        https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html
      • Fooling AI Agents: Web-Based Indirect Prompt Injection Observed In The Wild
        "Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. One particularly concerning class of threats is indirect prompt injection (IDPI), in which adversaries embed hidden or manipulated instructions within website content that is later ingested by an LLM. This article shares in-the-wild observations from our telemetry, including our first observed case of AI-based ad review evasion."
        https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/
      • Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
        "GreyNoise observed 84,142 scanning sessions targeting SonicWall SonicOS infrastructure between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addresses across 20 autonomous systems, with three operationally distinct infrastructure clusters executing coordinated VPN enumeration. Ninety-two percent of sessions probed a single API endpoint to determine whether SSL VPN is enabled — the prerequisite check before credential attacks. A commercial proxy service delivered 32% of campaign volume through 4,102 rotating exit IPs in two surgical bursts totaling 16 hours. CVE exploitation was negligible, confirming this as systematic attack surface mapping."
        https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure

      Breaches/Hacks/Leaks

      • Paint Maker Giant AkzoNobel Confirms Cyberattack On U.S. Site
        "The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites. Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited. “AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/
      • LexisNexis Confirms Data Breach As Hackers Leak Stolen Files
        "American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information. The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites. LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide."
        https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
        https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data
      • Star Citizen Game Dev Discloses Breach Affecting User Data
        "Cloud Imperium Games (CIG), the game company behind Star Citizen and Squadron 42, says attackers breached systems containing some users' personal information in January. The California-based publisher and video game developer was founded in 2012 by game developer Chris Roberts (of Wing Commander fame), and it operates five game studios with a crew of over 700 employees. In 2012, it announced the multiplayer space-simulation game Star Citizen. However, despite a Kickstarter campaign that raised over $2 million from backers, the game has still not exited its "early access" phase 14 years later."
        https://www.bleepingcomputer.com/news/security/star-citizen-game-dev-discloses-breach-affecting-user-data/
      • Cyber Battlefield: Ariomex, Iran-Based Crypto Exchange, Suffers Data Leak
        "Cyber operations against Iran are used not only to disrupt military capabilities but also to pressure senior regime officials and their associates to defect, and to accelerate regime change from within. Current events affect multiple layers of the Iranian regime, including the financial system, where the Iranian government invests substantial efforts in building tools to evade sanctions and finance illegal activity, including via cryptocurrencies. In January 2026, the Central Bank of Iran (CBI) acquired more than half a billion dollars (about $507 million) worth of Tether’s USDT, with indications that the stablecoins were used to prop up the country’s fiat currency."
        https://www.resecurity.com/blog/article/cyber-battlefield-ariomex-iran-based-crypto-exchange-suffers-data-leak
        https://www.infosecurity-magazine.com/news/iranian-crypto-leaked-database/
        https://securityaffairs.com/188848/digital-id/ariomex-iran-based-crypto-exchange-suffers-data-leak.html
      • Cybercriminals Swipe 15.8M Medical Records From French Doctors Ministry
        "Around 15.8 million administrative files were stolen after attackers breached a software supplier to France's health ministry. The supplier, Cegedim Santé, confirmed the data was compromised in late 2025. Approximately 165,000 of these files contained notes penned by doctors, which in "very limited cases" contained sensitive information about an individual's medical history. According to broadcaster France 24, which first reported the news, these medical histories included, in some cases, details of conditions such as HIV/AIDS and individuals' sexual orientations. Top politicians were reportedly among the individuals whose info was extracted."
        https://www.theregister.com/2026/03/03/french_medical_leak/

      General News

      • Compromised Site Management Panels Are a Hot Item In Cybercrime Markets
        "Threat actors are openly advertising access to hacked websites as part of the underground economy. One of the most promising products is a compromised cPanel credential. They are sold in the thousands at commodity-level pricing and marketed as plug-and-play infrastructure for scam campaigns. In new research, Flare security researchers analyzed activity across monitored fraudulent groups over a seven-day period, showing a structured ecosystem operating at scale."
        https://www.bleepingcomputer.com/news/security/compromised-site-management-panels-are-a-hot-item-in-cybercrime-markets/
      • AI Agent Overload: How To Solve The Workload Identity Crisis
        "Authenticating workloads is becoming more and more complex, particularly given things like AI agents and the wide range of identity permissions they need. Organizations need to be thinking ahead on securing workloads in complicated modern environments, but it's not an easy task. Researchers at Zscaler hope to explore this evolution in an upcoming RSAC 2026 Conference session entitled, "What Are You, Really? Authenticating Workloads in a Zero Trust World.""
        https://www.darkreading.com/cloud-security/ai-agent-workload-identity-crisis
      • The Tug-Of-War Over Firewall Backlogs In The AI-Driven Development Era
        "The relationship between application developers and security teams has always been fraught with tension. At the core lies an ongoing battle — speed versus security — and that tug of war has been further exacerbated by mounting firewall backlog challenges driven by increased reliance on artificial intelligence and automation. Traditionally, developers submit a firewall rule request before deploying a new application, service, or tool inside an enterprise environment."
        https://www.darkreading.com/cloud-security/tug-of-war-firewall-backlogs-ai-driven-development
      • 5 Years Of Shifting Cybersecurity Behavior
        "Online security is built through routine decisions made across devices and accounts. People choose how to create passwords, how often to reuse them, and how much effort to invest in protecting personal data. The National Cybersecurity Alliance and CybSafe’s Oh, Behave! The Cybersecurity Attitudes and Behaviors Report: 2021–2025 follows those patterns over five years, drawing on responses from more than 24,000 adults and documenting how attitudes and behaviors shift over time."
        https://www.helpnetsecurity.com/2026/03/03/national-cybersecurity-alliance-cybsafe-cybersecurity-behavior-trends-report/
      • Introducing The 2026 Cloudflare Threat Report
        "Today’s threat landscape is more varied and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric DDoS attacks. Deepfakes and fraudsters interviewing at your company. Even stealth attacks via trusted internal tools like Google Calendar, Dropbox, and GitHub. After spending the last year translating trillions of network signals into actionable intelligence, Cloudforce One has identified a fundamental evolution in the threat landscape: the era of brute force entry is fading. In its place is a model of high-trust exploitation that prioritizes results at all costs. In order to equip defenders with a strategic roadmap for this new era, today we are releasing the inaugural 2026 Cloudflare Threat Report. This report provides the intelligence organizations need to navigate the rise of industrialized cyber threats."
        https://blog.cloudflare.com/2026-threat-report/
        https://www.infosecurity-magazine.com/news/ai-deepfakes-supercharge/
        https://www.helpnetsecurity.com/2026/03/03/cloudflare-cyber-threat-report-2026/
      • Half Of US CISOs Work The Equivalent Of a Six-Day Week
        "US cybersecurity leaders are being put under increasing pressure to compensate for process gaps and tackle escalating threats, with many working the equivalent of six or seven days a week, according to Seemplicity. The security vendor polled 300 CISOs and their equivalents to produce its State of the Cybersecurity Workforce Report. It revealed that 45% of respondents work 11+ extra hours per week – equivalent to an additional day – and 20% work an extra 16+ hours weekly."
        https://www.infosecurity-magazine.com/news/half-us-cisos-work-equivalent/
      • Huge “Shadow Layer” Of Organizations Hit By Supply Chain Attacks
        "Security experts have claimed that the blast radius of third-party data breach incidents is far larger than at first thought, with more than 433 million individuals impacted by 136 events last year. Black Kite compiled its seventh annual Third-Party Breach Report from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and supply chain intelligence. It said 136 verified breaches had 5.28 publicly named downstream victims per vendor, amounting to 719 companies and 433 million individual end customers."
        https://www.infosecurity-magazine.com/news/shadow-layer-organizations-supply/
        https://content.blackkite.com/ebook/2026-third-party-breach-report/
      • Quantum Decryption Of RSA Is Much Closer Than Expected
        "There’s a new contender in quantum cryptanalysis. The Jesse-Victor-Gharabaghi (JVG) quantum decryption algorithm is faster and requires fewer quantum resources than Shor’s algorithm. Breaking business and the internet has long been the accepted result of combining quantum computers and Shor’s algorithm to solve the factorization problem employed by Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). But Shor’s algorithm requires a relatively large quantum computer (comprising an estimated one million qubits); and that is still believed to be at least a decade away."
        https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/
        https://www.preprints.org/manuscript/202510.1649
      • Turns Out Most Cybercriminals Are Old Enough To Know Better
        "Contrary to what some believe, cybercrime is not a kids' game. Middle-aged adults, not teenagers, now make up the biggest chunk of people getting busted. That's according to new analysis of 418 publicly announced law enforcement actions between 2021 and mid-2025, which shows offenders aged 35 to 44 account for 37 percent of cases, making it the largest single age group. Add in those aged 25 to 34, who make up another 30 percent, and nearly six in ten cases involve people between 25 and 44. By contrast, the much-hyped 18-24 bracket accounts for 21 percent, while under-18s barely register at under 5 percent."
        https://www.theregister.com/2026/03/03/turns_out_most_cybercriminals_are/
      • CISOs In a Pinch: A Security Analysis Of OpenClaw
        "Anthropic's Claude Code Security is a legitimate leap forward for pre-deployment vulnerability detection - and the market sell-off (Cybersecurity ETF at a 2+ year low) is an overreaction based on a category error. AI-powered code scanning doesn't replace runtime threat detection, identity governance, or endpoint protection. More importantly, the fastest-growing enterprise attack surface is the AI agents themselves. Poisoned model supply chains, runtime behavior drift, and zero observability into autonomous agent actions are threats that live entirely outside the code layer. Claude Code Security is a welcome addition to the defender's toolkit, but a toolkit isn't a security strategy. Enterprises still need the governance, runtime visibility, and platform integration that only a full-lifecycle approach can deliver."
        https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-security-analysis-of-openclaw.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 March 2026

      Healthcare Sector

      • Iran Conflict Elevates Cyber Risk For Healthcare
        "United States and Israel military strikes on Iran could erupt into cyberattacks against the healthcare sector in the U.S. and elsewhere by Iranian sympathizers and proxies, experts warned Monday. The life-and-death sensitivity of the healthcare sector, as well as its relative vulnerability to cyber incidents, makes it a target for rising attacks ranging from distributed denial of service, wiper malware, ransomware, data theft and other such assaults."
        https://www.bankinfosecurity.com/iran-conflict-elevates-cyber-risk-for-healthcare-a-30894

      New Tooling

      • BlacksmithAI: Open-Source AI-Powered Penetration Testing Framework
        "BlacksmithAI is an open-source penetration testing framework that uses multiple AI agents to execute different stages of a security assessment lifecycle. BlacksmithAI runs as a hierarchical system in which an orchestrator coordinates task execution across specialized agents. Each agent maps to a common penetration testing function. The recon agent handles attack surface mapping and information gathering. The scan and enumeration agent performs service discovery. A vulnerability analysis agent evaluates weaknesses and potential exposure. An exploit agent executes proof of concept activity. A post-exploitation agent examines impact and potential lateral movement."
        https://www.helpnetsecurity.com/2026/03/02/blacksmithai-open-source-ai-powered-penetration-testing-framework/
        https://github.com/yohannesgk/blacksmith

      Vulnerabilities

      • Google Addresses Actively Exploited Qualcomm Zero-Day In Fresh Batch Of 129 Android Vulnerabilities
        "Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.” The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2."
        https://cyberscoop.com/android-security-update-march-2026/

      Malware

      • A Fake FileZilla Site Hosts a Malicious Download
        "A trojanized copy of the open-source FTP client FileZilla 3.69.5 is circulating online. The archive contains the legitimate FileZilla application, but with a single malicious DLL added to the folder. When someone downloads this tampered version, extracts it, and launches FileZilla, Windows loads the malicious library first. From that moment on, the malware runs inside what appears to be a normal FileZilla session. Because the infected copy looks and behaves like the real software, victims may not realize anything is wrong. Meanwhile, the malware can access saved FTP credentials, contact its command-and-control server, and potentially remain active on the system. The risk does not stop with the local computer. Stolen credentials could expose the web servers or hosting accounts the user connects to."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download
      • Purchase Order Attachment Isn’t a PDF. It’s Phishing For Your Password
        "An attachment named New PO 500PCS.pdf.hTM, posing as a purchase order in PDF form, turned out to be something entirely different: a credential-harvesting web page that quietly sent passwords and IP/location data straight to a Telegram bot controlled by an attacker. Imagine you’re in accounts payable, sales, or operations. Your day is a steady flow of invoices, purchase orders, and approvals. An email like this may look like just another item in your daily queue."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/purchase-order-attachment-isnt-a-pdf-its-phishing-for-your-password
      • US-Israel And Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption As Tehran Retaliates
        "The escalating conflict between the United States, Israel, and Iran has unfolded alongside extensive cyber operations, with reports of widespread internet disruptions, hacking of Iranian sites and apps, and infrastructure interference, while Western entities brace for potential Iranian cyberattacks. The conflict erupted on February 28, when the United States and Israel initiated coordinated airstrikes across Iran, targeting military installations, missile facilities, nuclear sites, and high-level officials, resulting in the deaths of Supreme Leader Ali Khamenei and several other leaders."
        https://www.securityweek.com/us-israel-and-iran-trade-cyberattacks-pro-west-hacks-cause-disruption-as-tehran-retaliates/
        https://therecord.media/iran-cyber-us-command-attack
        https://www.bankinfosecurity.com/iranian-cyber-proxies-active-but-nation-state-hackers-a-30892
        https://www.infosecurity-magazine.com/news/iran-cyber-attacks-global-google/
        https://www.theregister.com/2026/03/02/cyber_warfighters_iran/
      • Inside The Fix: Analysis Of In-The-Wild Exploit Of CVE-2026-21513
        "Microsoft’s February 2026 Patch Tuesday addressed 59 vulnerabilities, including six actively exploited zero-days. CVE-2026-21513 stands out because of its active exploitation, high impact, and ability to bypass browser security boundaries and trigger arbitrary file execution. We used the multi-agent system called PatchDiff-AI to analyze CVE-2026-21513 and its patch. PatchDiff-AI generated a detailed report that reveals insights about the vulnerable component and the attack vector."
        https://www.akamai.com/blog/security-research/2026/feb/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
        https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
        https://securityaffairs.com/188782/security/russia-linked-apt28-exploited-mshtml-zero-day-cve-2026-21513-before-patch.html
      • Novel DPRK Stager Using Pastebin And Text Steganography
        "This is a quick one as FAMOUS CHOLLIMA has been keeping me busy this week by testing Google Drive as a stager and my longer write-up on tracking their IP addresses through temporary mailboxes. I just cannot help writing about this one as it’s really fun — it also helps that having a sleeping baby strapped to the chest for three hours makes for idle hands, and you know what they say about idle hands!"
        https://kmsec.uk/blog/dprk-text-steganography/
        https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
      • Situation Report: Middle East Escalation (February 27–1st March, 2026)
        "The report examines the sharp escalation following the 28 February 2026 joint Israel–U.S. strikes on Iran, triggering a hybrid conflict blending kinetic attacks with unprecedented cyber operations. Iran faced near-total internet disruption, while retaliatory missile and cyber activity spread across Israel, the Gulf, and beyond. Over 150 hacktivist incidents were recorded, with global spillover risks to energy, finance, IT, and critical infrastructure sectors"
        https://www.cloudsek.com/blog/middle-east-escalation-israel-iran-us-cyber-war-2026
        https://www.infosecurity-magazine.com/news/middle-east-conflict-surge-global/
      • Dust Specter APT Targets Government Officials In Iraq
        "In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter. As additional high-confidence indicators become available, ThreatLabz will update our attribution accordingly."
        https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq
      • Alleged India-Linked Espionage Campaign Targeted Pakistan, Bangladesh, Sri Lanka
        "An espionage campaign last year targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka, researchers at the cybersecurity firm Arctic Wolf said Monday. The researchers attributed the campaign to an India-nexus threat actor they call SloppyLemming and said it was an expansion of threat activity previously identified by Cloudflare in September 2024."
        https://therecord.media/india-pakistan-cyber-campaign-apt
      • Tracking CyberStrikeAI Usage
        "Team Cymru is continuously monitoring our global netflow visibility to uncover patterns of adversary activity, identify malicious operations, and gain actionable intelligence. In this post, we are diving into CyberStrikeAI, an open-source artificial intelligence (AI) offensive security tool (OST) developed by a China-based developer who we assess has some ties to the Chinese government."
        https://www.team-cymru.com/post/tracking-cyberstrikeai-usage
        https://www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/
      • OAuth Redirection Abuse Enables Phishing And Malware Delivery
        "Microsoft observed phishing-led exploitation of OAuth’s by-design redirection mechanisms. The activity targets government and public-sector organizations and uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens. Microsoft Defender flagged malicious activity across email, identity, and endpoint signals. Microsoft Entra disabled the observed OAuth applications; however, related OAuth activity persists and requires ongoing monitoring."
        https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/
        https://www.theregister.com/2026/03/03/microsoft_oauth_scams/

      Breaches/Hacks/Leaks

      • Pakistan’s Top News Channels Hacked And Hijacked With Anti-Military Messages
        "Several of Pakistan’s most-watched news channels, including Geo News, ARY News, and Samaa TV, faced a serious security breach on Sunday evening, 1 March 2026. Viewers across the country were left confused when regular programming was suddenly interrupted by unauthorized messages. These disruptions happened shortly after Iftar (the meal served at sunset to break the daily fast during the holy month of Ramadan) and continued into the high-traffic 9 pm news bulletins, which is when these channels usually see their largest global audiences."
        https://hackread.com/pakistan-news-channels-hacked-anti-military-messages/
      • Madison Square Garden Data Breach Confirmed Months After Hacker Attack
        "Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software. Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025."
        https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
      • Cyberattack Briefly Disrupts Russian Internet Regulator And Defense Ministry Websites
        "Russia’s internet regulator and defense ministry said their servers were hit by a large distributed denial-of-service (DDoS) attack that briefly disrupted access to several government websites late last week. The Russian communications watchdog, Roskomnadzor, said in a statement to several local media outlets on Friday that the attack was a “complex multi-vector” operation originating from servers and botnets located mainly in Russia, as well as in the United States, China, the United Kingdom and the Netherlands."
        https://therecord.media/cyberattack-briefly-takes-down-russian-government-websites
      • University Of Hawaiʻi Cancer Center Confirms Data Leak Following Ransomware Attack
        "The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week."
        https://therecord.media/university-of-hawaii-ransomware-data-breach

      General News

      • How Threat Intelligence And Multi-Source Data Drive Smarter Vulnerability Prioritization
        "For years, CVSS scores have been the default metric for vulnerability severity. But severity does not equal risk. A CVSS 9.8 vulnerability that is never exploited is less dangerous than a CVSS 6.5 actively used in ransomware campaigns. Yet many organizations still chase the highest scores first, wasting time and leaving real threats exposed. KEV lists help, but they are reactive and often lag behind active exploitation. Attackers move faster than static scoring systems. If your prioritization strategy starts and ends with CVSS, you are playing catch-up."
        https://blog.checkpoint.com/executive-insights/how-threat-intelligence-and-multi-source-data-drive-smarter-vulnerability-prioritization/
      • How ‘silent Probing’ Can Make Your Security Playbook a Liability
        "For years, cyberattacks followed a familiar pattern: reconnaissance, exploitation, persistence, impact. Defenders built their strategies around that cycle, patching vulnerabilities, monitoring indicators, and working to reduce dwell time. But a quieter shift is underway. Today’s most sophisticated adversaries are using AI to study how organizations defend themselves. They run what we call “silent probing campaigns:” long-term, subtle operations designed to map how a team detects threats, escalates issues, and responds under pressure. These campaigns focus on learning the defender’s habits, workflow and decision points so attackers can time and tailor follow-on actions to evade detection. This reframes cyber risk, turning it from a technical problem into a behavioral one."
        https://cyberscoop.com/ai-silent-probing-cyber-risk-behavioral-defense-op-ed/
      • Taming Agentic Browsers: Vulnerability In Chrome Allowed Extensions To Hijack New Gemini Panel
        "We uncovered a High severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system. Specifically, this vulnerability could have allowed malicious extensions with basic permissions to hijack the new Gemini Live in Chrome browser panel. Such an attack could have led to privilege escalation, enabling actions including:"
        https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
        https://nvd.nist.gov/vuln/detail/CVE-2026-0628
        https://www.darkreading.com/endpoint-security/bug-google-gemini-ai-panel-hijacking
        https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html
        https://www.securityweek.com/vulnerability-allowed-hijacking-chromes-gemini-live-ai-assistant/
      • Link11 Releases European Cyber Report 2026: DDoS Attacks Become a Constant Threat
        "Link11 has published its European Cyber Report 2026, revealing that DDoS attacks reached a new level in 2025 and have become a permanent stress factor for digital infrastructures. The report shows that the number of documented attacks in the Link11 network rose by 75% in 2025, following explosive growth in the previous year (+137%). This establishes DDoS attacks as a permanent structural burden for companies and critical infrastructures in Europe."
        https://hackread.com/link11-releases-european-cyber-report-2026-ddos-attacks-become-a-constant-threat/
      • Your Dependencies Are 278 Days Out Of Date And Your Pipelines Aren’t Protected
        "Applications continue to ship with known weaknesses even as development workflows speed up. A new Datadog State of DevSecOps 2026 report examines how dependency management and pipeline practices are influencing exposure across cloud native environments. Across the environments studied, 87% of organizations run at least one exploitable vulnerability in production services, affecting 40% of those services. This condition points to a persistent accumulation of security debt inside deployed software stacks."
        https://www.helpnetsecurity.com/2026/03/02/devsecops-supply-chain-risk-security-debt/
      • AI Risk Moves Into The Security Budget Spotlight
        "Enterprises are pushing AI deeper into workflows that touch sensitive data across cloud platforms and SaaS apps. The 2026 Thales Data Threat Report, based on a survey of 3,120 respondents in 20 countries, places that shift alongside growing pressure on data protection, identity controls, and cloud security. A dedicated budget for AI security is becoming more common. Thirty percent of respondents report having a dedicated AI security budget, up from 20% in the prior year. Many organizations continue to fund AI initiatives through existing security allocations, which keeps AI risk management closely tied to broader cyber programs."
        https://www.helpnetsecurity.com/2026/03/02/ai-security-spending-budget-2026/
      • Alert: NCSC Advises UK Organisations To Take Action Following Conflict In The Middle East
        "In response to the evolving events in the Middle East, the NCSC is advising that UK organisations review their cyber security posture. As a result of the ongoing conflict in the Middle East, there is likely no current significant change in the direct cyber threat from Iran to the UK, however due to the fast-evolving nature of the conflict, this assessment may be subject to change."
        https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east
        https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/
        https://securityaffairs.com/188800/apt/middle-east-crisis-prompts-uk-warning-on-potential-iranian-cyber-activity.html
        https://www.theregister.com/2026/03/02/ncsc_security_iran/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨 Check and update urgently! Android vulnerability affects many device models

      The National Computer Security Coordination Centre (ThaiCERT) warns of a high-severity vulnerability in the Android operating system, CVE-2026-21385, which affects devices using Qualcomm chipsets and is reported to have been exploited in attacks.
      1. Key details
      CVE-2026-21385 is a high-severity vulnerability (CVSS v3.1: 7.8) in the graphics processing component of Qualcomm chips on Android devices. It could be used to run malicious commands, crash the system, or escalate access privileges on the device, and it is reported to have already been exploited in attacks.
      2. Affected devices
      • Smartphones and tablets running Android, especially models using Qualcomm chipsets
      3. Prevention and risk reduction
      3.1 Update the Security Patch to the latest version
      3.2 Enable “Safe Browsing” in Google Chrome
      4. If you cannot update immediately
      4.1 Avoid installing .APK files from untrusted sources
      4.2 Be cautious of links in SMS messages or emails from unknown senders
      4.3 Avoid using insecure public Wi-Fi
      4.4 Do not use devices that have not yet been updated to access critical organizational systems such as VPNs or databases
      5. How to check which chip your phone uses
      5.1 Look up your phone model on a reputable website by searching for “phone model name + specs”, then check the Processor or Chipset entry
      5.2 Download the CPU-Z app from the Google Play Store and check the SoC entry; if it shows “Snapdragon”, the device uses a Qualcomm chip
      📌 Android users are asked to check and update their devices promptly to reduce the risk of attack
      References
      1. https://dg.th/tn0cra8kop
      2. https://dg.th/ydlx0wf8g2
      3. https://dg.th/ael42ci38h
      4. https://dg.th/nq8wycjdhe

      #ThaiCERT #CyberSecurity #AndroidSecurity #CVE202621385

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft warns: fake game-assist programs spread RAT malware that takes remote control of machines

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Iran's internet nearly goes dark nationwide amid US and Israeli strikes

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Thousands of Google Cloud API keys exposed publicly, at risk of being used for unauthorized access to Gemini AI

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨Urgent!!!! Vulnerability found in the Worry Proof Backup plugin on WordPress websites🚨

      ThaiCERT, while monitoring cyber threat news, has found a vulnerability in the Worry Proof Backup plugin on WordPress websites that lets an attacker upload files and run malicious code.

      1. Incident details
        • CVE-2026-1311 (CVSS v3.1: 8.8) is a WordPress security vulnerability in the Worry Proof Backup plugin. The flaw is a Path Traversal in the backup file upload function: an attacker with Subscriber-level privileges or higher can upload a ZIP file crafted with path traversal and thereby write files on the server.
        • Once the attacker can write files to the server, they can run malicious code (Remote Code Execution: RCE).

      2. Affected versions
        • WordPress, all versions up to 0.2.4

      3. Attack behaviour
        • The attacker holds a WordPress user account at Subscriber level, or any level that can reach the plugin's functions
        • Uses the plugin's backup upload function to submit a ZIP file containing path traversal
        • When the system extracts the ZIP, files are written into critical server directories
        • Places script files such as PHP or a web shell and runs malicious code

      4. Prevention and risk mitigation
        4.1 Update the plugin and strictly follow the developer's guidance
        4.2 Review user privileges and reduce the number of unnecessary accounts
        4.3 Restrict file uploads; disable the file upload function for users with privileges below Editor or Administrator (if not needed)
        4.4 Set up automatic file scanning using anti-malware protection and File Integrity Monitoring to detect file changes
        4.5 Disable execution in directories where it is not needed
        4.6 Use a Web Application Firewall (WAF) to block payloads containing path traversal patterns

      5. Temporary measures (if you cannot update immediately)
        5.1 Temporarily disable the “Upload Backup” feature in the plugin
        5.2 Restrict user privileges by lowering the rights of ordinary users so they cannot reach the risky function, and use Two-Factor Authentication (2FA) for high-privilege accounts

      6. References
        6.1 https://dg.th/uckbt9hwdz
        6.2 https://dg.th/kta7ohgmu8

      Organizations can also check the Plugin Directory at https://dg.th/jte7m0or6k and https://dg.th/e2fp5it7bo

      Posted in Cyber Security News
      NCSA_THAICERT
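      The traversal-on-extract flaw described in the Worry Proof Backup advisory above is the Zip Slip pattern. As an added example (not code from the plugin, from WordPress or from ThaiCERT), the Python below shows the check a backup-upload handler should make before extracting anything: every member's resolved path must stay inside the destination directory, and, as an assumed extra policy, server-side scripts are refused outright. Python is used so the check is runnable here; the plugin itself is PHP, and the sample archive and file names are constructed.

```python
"""Zip Slip defence for a backup-upload feature.

Added example, not code from the Worry Proof Backup plugin or from ThaiCERT: a
generic check that refuses archive members whose resolved path would land outside
the extraction directory, plus an assumed block list for server-side scripts.
"""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed defence-in-depth policy: a backup archive has no business dropping
# executable web scripts into a directory served by PHP.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".phar", ".htaccess")


def resolve_member(dest_dir: str, member_name: str) -> Optional[Path]:
    """Return the absolute path the member would be written to, or None when it
    would escape dest_dir (absolute path, drive prefix, or '..' traversal)."""
    name = member_name.replace("\\", "/")          # treat Windows separators alike
    if name.startswith("/") or ":" in name.split("/")[0]:
        return None
    dest = Path(dest_dir).resolve()
    target = (dest / name).resolve()               # collapses every '..' segment
    if target != dest and dest not in target.parents:
        return None
    return target


def audit_archive(archive_bytes: bytes, dest_dir: str) -> Tuple[List[str], Dict[str, str]]:
    """Classify every member of an in-memory ZIP without writing anything.
    Returns (accepted member names, {rejected member name: reason})."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if resolve_member(dest_dir, name) is None:
                rejected[name] = "path escapes extraction directory"
            elif name.lower().endswith(BLOCKED_EXTENSIONS):
                rejected[name] = "server-side script not allowed in a backup"
            else:
                accepted.append(name)
    return accepted, rejected


def safe_extract(archive_bytes: bytes, dest_dir: str) -> Dict[str, str]:
    """Refuse the whole upload if any member fails the audit (nothing is written),
    otherwise extract members one by one into their verified paths.
    Returns the rejection map, empty on success."""
    accepted, rejected = audit_archive(archive_bytes, dest_dir)
    if rejected:
        return rejected
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in accepted:
            target = resolve_member(dest_dir, name)
            if name.endswith("/"):                 # directory entry
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return {}


def build_sample_archive(include_unsafe: bool = True) -> bytes:
    """Constructed sample archive: two legitimate members and, optionally, one
    traversal member plus one PHP file that a naive extractall() would write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/database.sql", "-- constructed dump\n")
        # '..' inside the path is fine as long as it still resolves under backup/
        zf.writestr("backup/uploads/../media/logo.txt", "stays inside after normalisation\n")
        if include_unsafe:
            zf.writestr("../../wp-content/uploads/dropped.txt", "would land outside the backup dir\n")
            zf.writestr("backup/script.php", "<?php /* constructed placeholder */ ?>\n")
    return buf.getvalue()


def run_demo(include_unsafe: bool = True) -> Dict[str, object]:
    """Run the sample archive through the policy inside a throwaway directory and
    report what was rejected and which files actually reached disk."""
    with tempfile.TemporaryDirectory() as tmp:
        rejected = safe_extract(build_sample_archive(include_unsafe), tmp)
        written = sorted(str(p.relative_to(tmp)) for p in Path(tmp).rglob("*") if p.is_file())
    return {"rejected": rejected, "written": written}


if __name__ == "__main__":
    print(run_demo(include_unsafe=True))    # two members rejected, nothing written
    print(run_demo(include_unsafe=False))   # nothing rejected, two files written
```

      Rejecting the whole upload when any member fails keeps a partially extracted backup from ever reaching disk, which is the behaviour an upload endpoint should prefer over silently skipping bad entries.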
    • Alert: OS Command Injection vulnerability in Totolink N300RH

      The National Computer Security Coordination Centre (ThaiCERT) has been monitoring an OS Command Injection vulnerability in the Totolink N300RH network device. If exploited successfully, it could lead to takeover of the device, unauthorized changes to its configuration, interception or modification of network traffic, and impact on the confidentiality, integrity and availability of the network as a whole.

      1. Vulnerability details

      An OS Command Injection vulnerability (CWE-78), CVE-2026-3301 (CVSS v3.1 score: 8.9), has been found in the setWebWlanIdx function of the file /cgi-bin/cstecgi.cgi in the Web Management Interface of the Totolink N300RH. An attacker can manipulate the webWlanIdx parameter to inject operating system (OS) commands and have the device execute them directly. The vulnerability can be exploited remotely, without authentication and without user interaction. Proof-of-Concept exploit code has already been published, so the risk of real-world exploitation is high.

      2. If exploited successfully, an attacker can:

      2.1 Run commands on the router's operating system
      2.2 Change the configuration without authorization
      2.3 Intercept or modify network traffic
      2.4 Use the device as a foothold to attack internal systems (Lateral Movement)
      2.5 Plant a backdoor to persist in the system

      3. Affected product: Totolink N300RH firmware version 6.1c.1353_B20190305

      4. Remediation

      4.1 Check the firmware version of all devices immediately
      4.2 Restrict access to the Web Management Interface to trusted internal networks only
      4.3 Disable Remote Management if it is not needed
      4.4 Follow further security announcements from the vendor
      4.5 If no patch is available within a reasonable time, consider replacing the device in high-criticality environments

      5. Additional security recommendations

      5.1 Use a firewall to restrict external access to management ports
      5.2 Segment the management network (Management Network Segmentation)
      5.3 Enable and review logs regularly
      5.4 Use IDS/IPS to detect anomalous behaviour associated with Command Injection attacks
      5.5 Assess the risk of other network devices that are managed through a Web Interface

      6. References

      6.1 https://dg.th/hcqag6v4yp
      6.2 https://dg.th/1f4r6siao5
      6.3 https://dg.th/b20eg835pa
      6.4 https://dg.th/2d9pntayli

      Posted in Cyber Security News
      NCSA_THAICERT