NCSA Webboard
Posts created by NCSA_THAICERT

• Attacks observed against a vulnerability in the Gravity SMTP plugin for WordPress; sensitive data at risk of leaking


      Follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
    • FortiBleed exposes a large-scale credential spraying campaign targeting Fortinet VPNs worldwide



      Posted in Cyber Security News
    • The Gentlemen ransomware group uses the GentleKiller tool to abuse a vulnerable driver and disable security software



      Posted in Cyber Security News
    • CISA adds one exploited vulnerability to its catalog

      On 18 June 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that it is being exploited in the wild. Details:

      • CISA Adds One Known Exploited Vulnerability to Catalog

      CISA continuously updates the KEV catalog with newly added entries so that it reflects the risks actually being observed now and going forward.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • CISA publishes eight industrial control system (ICS) advisories

      On 18 June 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released eight advisories on industrial control systems (ICS) to provide timely information about security issues, vulnerabilities and exploits affecting ICS. Details:

      • ICSMA-26-169-01 Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT
      • ICSA-26-169-01 AVer PTC cameras
      • ICSA-26-169-02 AzeoTech DAQFactory
      • ICSA-26-169-03 Rockwell Automation FactoryTalk Historian Site Edition
      • ICSA-26-169-04 Schneider Electric EasyLogic T150 and Saitel DP
      • ICSA-26-169-05 Mitsubishi Electric MELSEC iQ-F Series
      • ICSA-26-169-06 Mitsubishi Electric Co.'s MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
      • ICSA-26-169-07 Schneider Electric Easergy, EcoStruxture, PowerLogic, and Saitel Products

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 22 June 2026

      Financial Sector

      • Security Issues In The Korean & Global Financial Sector In May 2026
        "In Attack Stage 1 targeting the financial sector in May 2026, phishing had the highest score at 2.3. This is the highest figure since December 2025, indicating that Initial Breach attempts are increasingly centered on phishing. In Attack Stage 2, Dropper/Downloader had the highest rate at 1.4, while the backdoor also increased to 1.0 from 0.5 the previous month."
        https://asec.ahnlab.com/en/94179/

      Industrial Sector
      • Experts Warn Of 'Mismatch' In US Response To OT Hacking
        "A cyberattack of any significant scale against operational technology in America's vital infrastructure and services would almost immediately overwhelm the online and offline resources available to responders, experts said this week. "We have a very large mismatch between expected capacity, expected demand, and current capacity," said Josh Corman, executive in residence for public safety and resilience at the Institute for Security and Technology."
        https://www.bankinfosecurity.com/experts-warn-mismatch-in-us-response-to-ot-hacking-a-32026

      Vulnerabilities

      • Unpatchable 'usbliter8' Exploit Breaks Apple A12 And A13 SecureROM Boot Chain
        "Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use."
        https://thehackernews.com/2026/06/unpatchable-usbliter8-exploit-breaks.html
        https://ps.tc/pages/blog-usbliter8.html
        https://www.theregister.com/security/2026/06/19/researchers-drop-checkm8-style-bootrom-exploit-for-a12-and-a13-iphones/5259028
      • AutoJack: How a Single Page Can RCE The Host Running Your AI Agent
        "Ongoing research into AI agent framework security identified an exploit chain in AutoGen Studio (AutoGen’s open-source prototyping user interface) that allows untrusted web content rendered by a browsing agent to reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. The technique, which we call AutoJack, jacks the agent into becoming the attacker’s last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on."
        https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
        https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

      Malware

      • People, Process, Personas: Nisos Exposes The Human Risk In DPRK Employment Fraud Schemes
        "Nisos assesses with high confidence that a Democratic People’s Republic of Korea (DPRK) state-sponsored cell conducted industrial-scale employment fraud against US companies, submitting more than 170,000 job applications that yielded 76 employment offers across 22 operatives between December 2024 and September 2025, utilizing appropriated identities, AI-driven interview assistance, and US-based facilitators to infiltrate US companies primarily in the technology sector."
        https://nisos.com/research/dprk-employment-fraud-operation/
        https://www.bankinfosecurity.com/north-korean-workers-try-try-try-again-a-32033
      • Amazon Prime Day 2026: Bargains Begin June 23 — And So Do The Scams
        "When Amazon Prime Day returns on June 23–26, 2026, more than 25 countries will take part in one of the largest shopping windows of the year. Spanning millions of products and generating billions of dollars in transactions in just 96 hours, the event is as lucrative for cyber criminals as it is anticipated by consumers. Major retail moments bring together the three ingredients attackers exploit most: a globally trusted brand, time-limited urgency, and massive purchase intent at scale. The result is predictable — phishing emails, fake websites, fraudulent offers, smishing campaigns, and account takeover attempts impersonating Amazon all surge during this period. What stands out in 2026 is the scale of the infrastructure Check Point Research (CPR) has already observed in the months leading up to the event."
        https://blog.checkpoint.com/research/amazon-prime-day-2026-bargains-begin-june-23-and-so-do-the-scams/
      • FIFA World Cup 2026: Hackers Target Football Fans With Fake Tickets Sites
        "With the FIFA World Cup 2026 matches in full swing, cybercriminals are targeting fans with various scams to capitalize on the tournament’s popularity, security researchers warn. Multiple scam networks have been discovered by security firms so far. These networks are designed to steal funds and personal details from people looking for tickets, hotels, and betting options."
        https://hackread.com/fifa-world-cup-2026-hackers-football-fake-tickets-sites/
      • Supply-Chain Malware Is Evolving And Starting To Spread Like a Worm
        "For years, most supply-chain attacks depended on a single point of compromise. An attacker would gain access to a vendor or library and insert malicious code into a trusted update. From there, the attack would spread only as far as that distribution channel allowed. That model has changed. Emerging threats like Shai-Hulud show how attackers are moving toward self-propagating supply-chain attacks that spread through developer ecosystems without continuous attacker control. Instead of maintaining access to one source, the malware turns each new compromised environment into another distribution point."
        https://blog.barracuda.com/2026/06/18/supply-chain-malware-worm-shai-hulud
      • 1.16 Billion Attacks: How The FortiBleed Crew Broke FortiGate
        "FortiBleed is not just a leak, it is an operation. A multi-operator crew has been running industrial-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide. The numbers are not subtle: 1.16 billion login attempts against 320,777 FortiGate targets, 2.1 billion more against 163,650 MSSQL servers, intercepted hashes cracked on a 45-GPU cluster, and live VPN sessions hijacked to pivot straight into Active Directory. This is the attack chain, the infrastructure behind it, and what it means for defenders."
        https://ransomnews.com/fortibleed-fortigate-bruteforce-operation/
        https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

      Breaches/Hacks/Leaks

      • Texas Govt Data Breach Exposes Over 3 Million Driver’s Licenses
        "The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals. The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access. The state authority found that Social Security Numbers (SSNs), dates of birth, or any financial information, such as credit cards, have not been impacted."
        https://www.bleepingcomputer.com/news/security/texas-govt-data-breach-exposes-over-3-million-drivers-licenses/
        https://www.theregister.com/security/2026/06/19/texas-gov-vendor-breach-exposes-data-of-3m-hunters-anglers/5258815
      • ShinyHunters Threatens To Leak Amazon One Medical Records
        "Amazon bought One Medical for $3.9 billion in 2023 in its bid to bring transformational healthcare experiences to patients through a network of onsite and virtual primary care services. It serves employees of more than 8,500 U.S. clients. Now, prolific digital extortion gang ShinyHunters is threatening to dump 8.8 terabytes of data it allegedly stole from Amazon's One Medical business unit."
        https://www.bankinfosecurity.com/shinyhunters-threatens-to-leak-amazon-one-medical-records-a-32027
      • Leak Exposes Members Of Peter Thiel’s Secretive ‘Dialog’ Society
        "A trove of internal records from a secret society for powerful figures in US politics, finance, and tech was left exposed online, WIRED has confirmed, naming participants in its events and revealing sensitive personal details they were assured would stay private. The group, called Dialog, is a private, invitation-only organization cofounded in 2006 by the billionaire tech investor Peter Thiel. It convenes US officials, foreign government figures, and Silicon Valley executives at off-the-record annual retreats. Dialog has spent two decades declining to disclose its members."
        https://www.wired.com/story/leak-exposes-members-of-peter-thiels-secretive-dialog-society/
        https://securityaffairs.com/193880/intelligence/peter-thiel-secret-society-leak-creates-a-perfect-target-list-for-espionage-influence-operations-and-blackmail.html
      • 24 Billion Records, Including Usernames And Passwords, Exposed In Colossal Data Leak: What Does That Mean For You?
        "Cybernews researchers discovered an exposed database containing 24 billion records, including usernames, email addresses, plaintext passwords, and login URLs. The data appears to come from infostealer malware logs, records stolen from infected devices and collected from Telegram channels, breach compilations, and other sources."
        https://cybernews.com/security/24-billion-credentials-data-leak/
        https://securityaffairs.com/193864/security/24-billion-stolen-credentials-exposed-in-massive-data-leak.html

      General News

      • May 2026 Threat Trend Report On Ransomware
        "This report summarizes the quantity of new ransomware samples collected during the month of May 2026, the number of affected systems, statistics on targeted businesses, and major Korean & Global ransomware issues. Statistics on samples and affected systems are based on AhnLab’s detection names, while statistics on targeted businesses are aggregated based on the time when publicly available information from ransomware groups’ DLS (Dedicated Leaks Sites, ransomware PR sites or PR pages) was collected via the ATIP (AhnLab Threat Intelligence Platform) infrastructure."
        https://asec.ahnlab.com/en/94185/
      • CISA Urges Hardening Fortinet Devices After Reports Of Credential Exposure
        "CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways."
        https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
        https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/
        https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html
        https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/
        https://securityaffairs.com/193902/hacking/cisa-warns-of-active-exploitation-following-fortibleed-leak.html
      • Stressors, AI Forcing Changes To Cybersecurity Teams
        "Chief information security officers (CISOs) are faced with overwhelming workloads, the need to keep up with the changes wrought by AI, and fears of liability if they get something wrong — causing some to leave the industry. More than two-thirds of cybersecurity and IT professionals (68%) consider their job more difficult today than two years ago, with more than half saying that the complexity and workload have both increased (55%), and that cyberthreats have become more overwhelming (52%); that's according to a survey-based report published by the Information Systems Security Association (ISSA) International and analyst firm Omdia."
        https://www.darkreading.com/cybersecurity-operations/stressors-ai-changes-cybersecurity-teams
      • Analysis Of Reported Credential Compromise Of FortiGate Devices
        "Fortinet is aware of reports of malicious cyber actors targeting Fortinet devices in a credential-harvesting campaign referred to as FortiBleed. Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents (FG-IR-26-060, FG-IR-25-647) and employing brute-force techniques (as described in a March blog, “Attacks at the Speed of AI”) against devices with weak password hygiene and no multi-factor authentication (MFA). Fortinet provided detailed guidance at the time of these advisories and we continue to strongly encourage all customers to ensure these remediation steps have been completed."
        https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
      • Companies Are Discarding The Logs They Need To Catch a Breach
        "Many large enterprises discard most of the log data their systems generate, and they do it on purpose to keep costs down. A Dynatrace survey of 450 senior IT leaders at large enterprises found that half of organizations drop or never collect an average of 86 percent of their logs, even after filtering and aggregation. Many also limit how long they retain the logs they do keep. That choice carries a security cost of its own."
        https://www.helpnetsecurity.com/2026/06/19/report-log-management-security-risk/
      • Asia-Pacific Scam Networks Generate Nearly $40 Billion a Year
        "Cybercrime is taking a larger share of criminal activity in Asia and the Pacific. More than half of surveyed jurisdictions reported that cybercrime accounts for over 30% of all crimes recorded nationally, according to INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report. Rapid digital adoption has expanded the region’s digital footprint and increased exposure to cyber threats. Criminal groups target businesses, governments, and individuals through online fraud, ransomware, phishing campaigns, and credential theft."
        https://www.helpnetsecurity.com/2026/06/19/interpol-asia-cybercrime-trends-report/
      • Confidence Lacks In Threat Detection Across Non-Email Channels Like Slack And Teams
        "Cybersecurity leaders are increasingly concerned about their ability to detect threats as attackers shift beyond email to collaboration platforms such as Slack and Microsoft Teams. According to new research from KnowBe4, many organizations lack confidence in their visibility across these non-email channels, despite their growing use in cyber-attacks. An in-person survey of 169 cybersecurity professionals, conducted at Infosecurity Europe 2026, found that 50% said their organization lacks strong confidence in detecting threats across messaging and social platforms."
        https://www.infosecurity-magazine.com/news/threat-detection-across-nonemail/
      • Forget Data Leakage: Shadow AI's Real Threat Is Access Control
        "The first wave of enterprise AI concern was straightforward. It was simply employees pasting sensitive data into public AI tools. Security teams responded with usage policies, domain blocks, and data loss prevention rules. That response made sense at the time. It doesn't fit the problem anymore."
        https://thehackernews.com/2026/06/forget-data-leakage-shadow-ais-real.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
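The FortiBleed items above (the 1.16 billion login attempts, CISA's hardening alert and Fortinet's analysis) all describe the same technique: credential spraying, where one source tries a few passwords against many accounts so that no single account trips a lockout, with the occasional success then reused to hijack a VPN session. The detector below is an added example, not code from any of the cited sources, Fortinet or NCSA. It works over constructed log lines written in the key=value style of FortiOS VPN event logs; the field names (remip, user, action="ssl-login-fail"/"ssl-login") and the thresholds are assumptions to adapt to your own log source. It flags a source IP whose failures cover many distinct accounts within a window with few attempts each, and lists any account that IP later logged into, which is the "hit" a defender should treat as a compromised credential rather than a noisy scan.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modeled on FortiOS key=value VPN event logs (assumption:
# failed/successful SSL VPN logins appear as action="ssl-login-fail"/"ssl-login").
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:14 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="bob" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:29 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="carol" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:41 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="dave" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:55 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="erin" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:01:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="frank" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:03:30 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.10 user="carol" tunneltype="ssl-web"
date=2026-06-18 time=09:02:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:02:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:02:11 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:02:18 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="alice" tunneltype="ssl-web"
date=2026-06-18 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.5 user="grace" reason="sslvpn_login_unknown_user"
"""

# key=value pairs; values are either "quoted" (group 2) or bare (group 3)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def detect_spraying(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {remip: {distinct_users, attempts, hits}} for sources whose failed
    logins cover >= min_users distinct accounts inside `window` with at most
    max_per_user attempts per account (wide and shallow = spraying, not a typo
    storm or a single-account brute force). `hits` are accounts that source
    then logged into successfully."""
    events = [e for e in map(parse_line, lines)
              if e.get("subtype") == "vpn" and e.get("action") in ("ssl-login-fail", "ssl-login")]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["remip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=event_time)
        fails = [e for e in evs if e["action"] == "ssl-login-fail"]
        # Sliding window over sorted failures: largest set of distinct accounts within `window`.
        best_users, j = set(), 0
        for i in range(len(fails)):
            while j < len(fails) and event_time(fails[j]) - event_time(fails[i]) <= window:
                j += 1
            users = {e["user"] for e in fails[i:j]}
            if len(users) > len(best_users):
                best_users = users
        per_user = Counter(e["user"] for e in fails)
        wide_and_shallow = (len(best_users) >= min_users
                            and max(per_user[u] for u in best_users) <= max_per_user)
        if not wide_and_shallow:
            continue
        hits = sorted({e["user"] for e in evs if e["action"] == "ssl-login"})
        findings[ip] = {"distinct_users": len(best_users), "attempts": len(fails), "hits": hits}
    return findings


if __name__ == "__main__":
    for ip, f in detect_spraying(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: sprayed {f['distinct_users']} accounts in {f['attempts']} attempts; "
              f"successful logins afterwards: {f['hits'] or 'none'}")
```

In the constructed sample, 203.0.113.10 touches six accounts once each and then logs in as carol, so it is reported with carol as a hit; 198.51.100.7 fails three times on a single account before succeeding, which is ordinary user behaviour and is not reported. Accounts in the hits list are the ones to force a password reset and MFA enrolment on first, and to check for new VPN sessions against, which matches the remediation Fortinet and CISA point to above.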
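The AutoJack item above turns on one point: a page the browsing agent renders can open a WebSocket to 127.0.0.1, and a local server that trusts "it came from localhost" will serve it. The handshake check below is an added example, not code from Microsoft, AutoGen Studio or any MCP implementation. It assumes a hypothetical local MCP-style server whose legitimate UI is served from http://127.0.0.1:8081 and which embeds a per-launch bearer token in that UI; the request bodies are constructed. Three independent checks are applied: the Host header must name a loopback address (so a DNS-rebound hostname is refused), the Origin a browser always attaches to a WebSocket upgrade must be on the allow-list (so an attacker page rendered by the agent is refused even though the TCP connection is local), and the token must match (so non-browser clients still need something a web page cannot obtain).

```python
import hmac

# Hypothetical local MCP-style endpoint policy (assumptions, not from the AutoJack write-up).
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
SESSION_TOKEN = "constructed-per-launch-token-5f3a"  # constructed; use secrets.token_urlsafe() per launch


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authorize_upgrade(raw):
    """Decide whether a WebSocket upgrade may proceed; returns (allowed, reason)."""
    method, _target, h = parse_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    # 1. Host must be a loopback name: a rebound DNS name pointing at 127.0.0.1 fails here.
    host = h.get("host", "")
    host = host[:host.index("]") + 1] if host.startswith("[") and "]" in host else host.rsplit(":", 1)[0]
    if host not in LOCAL_HOSTS:
        return False, f"host {h.get('host')!r} is not a local name"

    # 2. Browsers always send Origin on WebSocket upgrades; an unknown page is refused
    #    regardless of the source address. No Origin means a non-browser client.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"

    # 3. Per-launch secret the attacker's page cannot read (constant-time compare).
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return False, "missing or wrong session token"
    return True, "ok"


def make_request(host, origin=None, token=None):
    """Build a constructed upgrade request as a browser or a local CLI client would send it."""
    lines = ["GET /mcp HTTP/1.1", f"Host: {host}", "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Version: 13", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if token is not None:
        lines.append(f"Authorization: Bearer {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    cases = {
        "legitimate local UI": make_request("127.0.0.1:8080", "http://127.0.0.1:8081", SESSION_TOKEN),
        "attacker page rendered by the agent": make_request("127.0.0.1:8080", "https://attacker.example"),
        "attacker page that somehow has the token": make_request("127.0.0.1:8080", "https://attacker.example", SESSION_TOKEN),
        "DNS-rebound hostname": make_request("agent.attacker.example:8080", "http://agent.attacker.example:8080", SESSION_TOKEN),
        "local CLI client, no Origin": make_request("127.0.0.1:8080", token=SESSION_TOKEN),
    }
    for name, req in cases.items():
        print(f"{name:42} -> {authorize_upgrade(req)}")
```

The Origin check is the one that matters for the agent case: the rendered page connects from the agent's own browser, so IP-based trust and even the token check (if the token were leaked into page-visible state) are weaker than refusing any origin the tool did not serve itself. Binding to 127.0.0.1 alone is not a boundary when a browser sits on the same host.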
    • Cyber Threat Intelligence 19 June 2026

      Healthcare Sector

      • Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive health-related information and prevent legitimate users from establishing a connection with the device."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01

      Industrial Sector

      • AVer PTC Cameras
        "Successful exploitation of this vulnerability could allow arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-01
      • AzeoTech DAQFactory
        "Successful exploitation of this vulnerability could allow an attacker to upload malicious .ctl files that may lead to arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02
      • Rockwell Automation FactoryTalk Historian Site Edition
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain a valid authentication token, perform a denial of service, or crash the system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-03
      • Schneider Electric EasyLogic T150 And Saitel DP
        "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-04
      • Mitsubishi Electric MELSEC iQ-F Series
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service (DoS) condition in the affected product by rapidly establishing a large number of TCP connections to it, resulting in an inconsistency in the product's internal connection management process and triggering improper memory access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-05
      • Mitsubishi Electric Co.'s MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-06
      • Schneider Electric Easergy, EcoStruxture, PowerLogic, And Saitel Products
        "Schneider Electric is aware of vulnerabilities in its PowerChute™ Serial Shutdown product. The PowerChute Serial Shutdown product is a UPS management software enabling graceful system shutdown and energy management capabilities for desktop, servers and workstations. Failure to apply the remediation provided below may risk improper input validation which could result in disruption of operations and access to system data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-07
      • CISA Urges OT Resilience In Dark Remarks About Cyberattacks
        "Critical U.S. infrastructure like water, power and even banking systems will be successfully hacked by enemy cyber warriors in the event of a military confrontation with a peer adversary like Russia or China, officials from the nation's civilian cyber defense agency said. That means utilities must learn to operate at some level, for some time without reliable internet connectivity or the technology it enables, they said."
        https://www.bankinfosecurity.com/cisa-urges-ot-resilience-in-dark-remarks-about-cyberattacks-a-32014
      • A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q1 2026
        "In Q1 2026, 131 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. Several significant incidents were unveiled this quarter from the perspective of the threat landscape. Reports of attacks on Poland’s critical infrastructure – including traditional and renewable energy, in an attempt to gain access to automated control systems, as well as loud statements about attacks on nuclear power facilities, allegedly “avoided” any potential negative consequences for the facility’s operation, clearly indicate that the Overton window is shifting in a dangerous direction for society."
        https://ics-cert.kaspersky.com/publications/reports/2026/06/18/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2026/

      Vulnerabilities

      • PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed Via Official Channels
        "The Wordfence Threat Intelligence Team was notified on June 11th, 2026 of a potential supply chain compromise affecting ShapedPlugin, a WordPress plugin vendor with over 400,000 active free plugin installations. Fortunately, Wordfence customers have already had malware signature detection for the particular backdoor used in this attack. During our investigation, we discovered that attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels. As with all supply chain compromises, this attack is particularly insidious because affected site owners followed security best practices: they purchased legitimate licenses and installed updates directly from the vendor’s official update system. Supply chain compromises are becoming significantly more common in all software, including WordPress software."
        https://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
        https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/
      • F5 Issues Out-Of-Band Patches For Critical NGINX Vulnerabilities
        "Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems. The two critical vulnerabilities were found in the ngx_http_v3_module (CVE-2026-42530) and the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations."
        https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/
        https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
        https://www.securityweek.com/f5-patches-critical-high-severity-nginx-vulnerabilities/
        https://securityaffairs.com/193842/security/f5-patches-critical-nginx-vulnerabilities-enabling-unauthenticated-code-execution.html
      • Atlassian, Splunk Patch Critical Vulnerabilities
        "Atlassian and Splunk on Wednesday announced patches for multiple vulnerabilities in their products, including critical-severity flaws. Splunk resolved a critical issue in AI Toolkit that could allow authenticated attackers with admin roles to execute arbitrary OS commands on the host the Splunk Enterprise instance runs on. “The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation,” Splunk explains."
        https://www.securityweek.com/atlassian-splunk-patch-critical-vulnerabilities/
      • Critical Command Execution Vulnerability Patched In Cisco ISE
        "Cisco has released fixes for a critical-severity command execution vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2026-20181 (CVSS score of 9.1), the issue exists because user-supplied input is improperly validated, allowing an attacker to send a crafted HTTP request and obtain user-level access to the underlying operating system. The attacker could then elevate their privileges to root."
        https://www.securityweek.com/critical-command-execution-vulnerability-patched-in-cisco-ise/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-G5WP8vv
        https://securityaffairs.com/193849/uncategorized/cisco-fixed-a-critical-ise-vulnerability-that-lets-attackers-to-gain-root-access.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-adds-one-known-exploited-vulnerability-catalog
      • Apple Fixes Beats Studio Buds Flaw That Let Hackers Spy On Conversations
        "Apple has released security updates to patch a high-severity flaw affecting the Beats Studio Buds wireless earbuds that could allow attackers in Bluetooth range to spy on users' conversations. "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests," Apple explained in a Tuesday advisory. "This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party.""
        https://www.bleepingcomputer.com/news/security/apple-fixes-beats-studio-buds-flaw-that-let-hackers-spy-on-conversations/
        https://support.apple.com/en-us/127557
      • FIFA Bug Exposes World Cup Streams To Remote Takeover
        "An egregious access control vulnerability in FIFA's Microsoft Entra environment allowed an ethical hacker to gain direct control over global World Cup television streams, match management systems, and more. Not since 1962, when USSR vice admiral Vasily Arkhipov saved the human race by refusing to consent to a nuclear missile launch, has humanity been spared such a potentially horrific fate as it was just a few days ago."
        https://www.darkreading.com/application-security/fifa-bug-world-cup-streams-remote-takeover
      • Google Told Researcher 'Nice Catch!' Then Denied Bug Bounty For Flaw It Still Hasn't Fixed
        "Google has a security hole in a Kubernetes operator that could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain full control over any organization's cloud environment. Or it has a serious communication and transparency problem when it comes to its bug bounty programs. Maybe both. Researcher and frequent cloud bug hunter Justin O'Leary told us that he found and reported to Google a major flaw that allows any Kubernetes namespace user to bypass GCP's Identity and Access Management (IAM) controls and therefore gain root access to managing an organization's cloud resources."
        https://www.theregister.com/security/2026/06/18/google-told-researcher-nice-catch-then-denied-bug-bounty-for-flaw-it-still-hasnt-fixed/5258076
        https://olearysec.com/research/config-connector-authorization-bypass/
      • PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside The JVM
        "Enterprise resource planning systems handle some of the most sensitive data an organization holds, but they are also deeply connected to internal infrastructure. When a pre-authentication remote code execution (RCE) chain surfaces in one of the most widely deployed ERP platforms and is already being exploited in the wild, it warrants close attention. In this blog entry, TrendAI™ Research details a technical analysis of an active pre-authentication exploitation chain in Oracle PeopleSoft PeopleTools, the development platform used to build and maintain PeopleSoft applications. PeopleSoft PeopleTools versions 8.61 and 8.62 are affected, per Oracle’s advisory."
        https://www.trendmicro.com/en_us/research/26/f/PeopleTools.html
      • Attackers Actively Exploiting Sensitive Information Exposure Vulnerability In Gravity SMTP Plugin
        "On March 30th, 2026, we publicly disclosed a Sensitive Information Exposure vulnerability in Gravity SMTP, a WordPress plugin with an estimated 100,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to retrieve detailed system configuration data and, critically, any API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The vendor released the fully patched version on March 17th, 2026, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on March 30th, 2026. The Wordfence Firewall has already blocked over 17 million exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/

      Malware

      • Crypto Clipper Uses Tor And Worm-Like Propagation For Persistence And Control
        "Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets. The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
        https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
        https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/
        https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
        https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html
      • Klue Integration Abused In Salesforce Data Theft
        "In June 2026, ReliaQuest observed a compromised integration for Klue, a competitive-intelligence platform that syncs battlecard and win/loss data with Salesforce, being used to exfiltrate customer relationship management (CRM) data from enterprise environments. The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data."
        https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft
        https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
        https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise
        https://www.bankinfosecurity.com/attackers-steal-salesforce-data-from-klue-battlecards-users-a-32011
      • Killing Me Gently: Inside Gentlemen’s EDR Killer Framework
        "ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., tools for disrupting security software. Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe."
        https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
        https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
        https://www.bankinfosecurity.com/gentlemen-ransomware-gang-standardizes-edr-killing-a-32007
        https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
      • Operation FanTrap: Inside The FIFA 2026 Fraud Ecosystem
        "The FIFA World Cup 2026 has become more than a global sporting event. It has evolved into a large-scale cybercrime opportunity exploited by threat actors through a coordinated ecosystem of fraudulent domains, social media channels, messaging platforms, pirated streaming services, and dark web activity. Since May 2026, Cyble Research and Intelligence Labs (CRIL) has identified nearly 4,000 domains impersonating FIFA-related brands, ticketing platforms, streaming services, and fan-facing resources."
        https://cyble.com/blog/operation-fantrap-fifa-2026-fraud-ecosystem/
      • Operation Escaneo: Infrastructure Exposure, TTP Analysis, And Attribution Assessment Of An Advanced Intrusion Campaign Against Mexican Federal Agencies And Financial Institutions
        "This report documents a coordinated, multi-stage campaign run by a threat actor targeting critical infrastructure across Latin America. Artifacts from the threat actor's staging server reveal a sophisticated operational toolchain spanning all phases of the MITRE ATT&CK framework, from automated reconnaissance through data exfiltration. The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels."
        https://www.cloudsek.com/blog/operation-escaneo-mexican-government-financial-institutions-cyberattack
        https://www.darkreading.com/cybersecurity-operations/operation-escaneo-signals-shift-latam-threat-landscape
        https://www.infosecurity-magazine.com/news/operation-escaneo-cloudsek-latam/
      • Retro Gaming Fans Are The New Target For Fake GitHub Malware
        "Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console. We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/retro-gaming-fans-are-the-new-target-for-fake-github-malware
      • SmartApeSG Launches Okendo Reviews Supply Chain Attack
        "On May 14, 2026, the Zscaler ThreatLabz team identified unusually high activity associated with the threat actor SmartApeSG to deploy malware. During our examination, we discovered malicious JavaScript code embedded in a legitimate reviews widget found on numerous websites. Our analysis revealed that the affected component was the Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands. Because the Okendo Reviews widget is widely deployed, this compromise enabled downstream exposure across any website that utilized the widget. The widget is typically deployed on high-visibility e-commerce pages, including: storefront homepages, product information pages, and review submissions."
        https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
      • Threat Actors Abuse Claude.ai Shared Chat For ClickFix Malvertising Campaign
        "TrendAI™ Research tracked a sustained malvertising campaign that abused Google Ads to deliver ClickFix social engineering attacks disguised as popular AI developer tools. The campaign impersonated at least six legitimate brand names, including ChatGPT Codex, Perplexity, Cursor IDE, JetBrains, Claude AI, and claude.ai, and simultaneously ran Mac utility scam lures."
        https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html
      • World Cup-Themed Phishing Campaign Delivers Voidrift Malware With Highly Personalized Lures
        "Cofense Intelligence has identified an active phishing campaign exploiting excitement around the FIFA World Cup 2026 to deliver a sophisticated malware family known as Voidrift. The campaign is notable for its high degree of personalization. Each email is tailored with the recipient's name, their company's name, and even the company's logo embedded directly into the image of the free t-shirt, indicating that threat actors invested meaningful reconnaissance effort before launching attacks."
        https://cofense.com/blog/world-cup-themed-phishing-campaign-delivers-voidrift-malware-with-highly-personalized-lures

      Breaches/Hacks/Leaks

      • Nintendo Confirms Data Stolen In WebMD Subsidiary Cyberattack
        "Nintendo of America has confirmed to BleepingComputer that threat actors stole survey data from the third-party TinyPulse service used internally, but its systems were not compromised. The company’s statement comes after claims from the Shadowbyt3$ “extortion-as-a-service” threat group that they exfiltrated sensitive data related to Nintendo of America employees. “We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo."
        https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/

      General News

      • May 2026 Infostealer Trend Report
        "This report summarizes the distribution channels, number of infostealers, number of detections, target companies, and execution types of new infostealers collected during the month of May 2026. The collected samples were analyzed based on data from AhnLab SEcurity intelligence Center (ASEC)’s automated data collection system, Email Honeypot system, automated malware C2 analysis system, and AhnLab product diagnostic logs."
        https://asec.ahnlab.com/en/94172/
      • International Law Enforcement Initiate Hunt On Malware Group SocGholish
        "In Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. Through international cooperation, 14,971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely: Evil Corp."
        https://www.politie.nl/en/news/2026/juni/18/11-international-law-enforcement-initiate-hunt-on-malware-group-socgholish.html
        https://www.proofpoint.com/us/blog/threat-insight/sayonara-socgholish-operation-endgame-disrupts-major-cybercrime-operation
        https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/
        https://cyberscoop.com/socgholish-malware-botnet-takedown-evilcorp/
        https://hackread.com/operation-endgame-disrupts-socgholish-malware/
        https://www.helpnetsecurity.com/2026/06/18/law-enforcement-socgholish-operation-endgame/
      • AI Inherits People's Permissions But Not Judgment
        "Most enterprise security programs carry a quiet assumption: Whoever sits on the other side of a control is a person. Someone who can be trained, who pauses before acting and who, even with wide-ranging access, brings instinct to bear about what's worth opening, what's safe to share and what to leave untouched."
        https://www.bankinfosecurity.com/blogs/ai-inherits-peoples-permissions-but-judgment-p-4133
        https://mind.io/content/research-report-impact-of-data-trust-on-ai-success
      • 5 Key Takeaways From Inside The Shape-Shifting Inbox: A Modern Playbook For Security Leaders
        "Artificial intelligence is accelerating one of the most significant shifts the cybersecurity industry has seen in years. During Cofense’s webinar, Inside the Shape-Shifting Inbox: A Modern Playbook for Security Leaders, CEO Marc Olsen and Board Advisor George Gerchow explored how AI is transforming phishing from a high-effort, tactical attack into a highly scalable, adaptive business risk."
        https://cofense.com/blog/5-key-takeaways-from-inside-the-shape-shifting-inbox-a-modern-playbook-for-security-leaders
      • How Software Development’s Speed Obsession Enabled TeamPCP’s Chaos Crusade
        "TeamPCP is on a rampage through open-source software. In less than four months, the threat actor has compromised and injected malicious code into more than 1,000 software packages. The extraordinary spree has transformed how software developers and maintainers distribute and manage their code, as their dependencies and repositories have become one of the most effective and prevalent attack vectors this year."
        https://cyberscoop.com/teampcp-breaks-open-source-software-trust-model/
      • Get Out Of Security Debt By Tackling The Exposure Problem
        "Security teams already know they have too many vulnerabilities. What they often underestimate is how much of that risk remains exposed. Right now, 82% of organizations carry security debt. These are vulnerabilities that have been open for more than a year. At the same time, flaws that are both severe and likely to be exploited are increasing. That combination is what turns a backlog into real risk. Vulnerabilities are not just being discovered. They are persisting in production systems long enough to be found and used."
        https://www.darkreading.com/cyber-risk/security-debt-tackle-exposure-problem
      • Securing Digital Keys When Your Phone Unlocks The Car
        "In this interview with Help Net Security, Alysia Johnson, President of the Car Connectivity Consortium (CCC), explains how the CCC Digital Key has grown from a single-brand feature into a standard meant to work across phones, automakers, and suppliers. She talks through what changed with Version 4, why the team focused on interoperability and testing instead of one new threat, and how NFC fallback access stays protected. She also covers fast credential revocation when a phone is lost or stolen, and how crypto agility prepares the standard for post-quantum demands over a car’s long life."
        https://www.helpnetsecurity.com/2026/06/18/alysia-johnson-car-connectivity-consortium-securing-digital-keys/
      • What Happens To Oversight When AI Agents Write a Lab’s Own Code
        "Inside the labs building frontier AI, a growing share of the coding gets done by the AI itself. These agents write, edit, and run software with light human oversight between steps, and they reach into production infrastructure, research pipelines, and potentially the systems that train and evaluate future models. A new analysis from researchers at the University of Oxford and SaferAI digs into the security risks that live in everything around those agents: the people reviewing their code, the pipelines watching them, and the policies that set the rules, along with the models themselves."
        https://www.helpnetsecurity.com/2026/06/18/research-ai-coding-agent-oversight/
        https://arxiv.org/pdf/2606.13474
      • Most Agentic AI Projects In Production Have Stalled Over Data Problems
        "Enterprises are connecting AI agents to live data feeds and putting them to work on tasks that once required human review, from IT operations to software development. The number doing this in production reached 32 percent in 2026, up from 29 percent the year before, according to Confluent’s annual Data Streaming Report, which surveyed 4,625 IT leaders across 14 countries."
        https://www.helpnetsecurity.com/2026/06/18/report-agentic-ai-in-production/
      • AI In The Underground: Curiosity, Claims, And Concerns
        "Counter Threat Unit™ (CTU) researchers have observed artificial intelligence (AI) emerging into a prominent topic in underground communities, with threat actors discussing its potential, claiming its use for malware and tool development, and expressing concerns. Many claims have not been validated, but the posts reveal perceptions about generative AI and examples of how it may be used in cybercriminal activity. In some respect, threat actors are facing the same challenge as everyone else — seeking to preserve economic viability during a technological transition while trying to identify how and when to embrace AI."
        https://www.sophos.com/en-us/blog/ai-in-the-underground-curiosity-claims-and-concerns
        https://www.infosecurity-magazine.com/news/cybercriminals-worried-ai-take/
      • Hostile States Behind 75% Of Cyber-Attacks On UK Critical Infrastructure, NCSC Warns
        "Three-quarters of cyber incidents affecting UK critical infrastructure organizations over the past year originated from nation-state actors or were linked to hostile states such as Russia, China and Iran, according to Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC). Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture 2026 on June 17, Horne said the agency dealt with 200 cyber incidents affecting critical national infrastructure (CNI) between June 2025 and May 2026."
        https://www.infosecurity-magazine.com/news/hostile-states-cni-75-percent-ncsc/
      • Cybercrime Surges In APAC As Digitalization Takes Hold
        "Cybercrime is taking hold in Asia and the South Pacific just as it has elsewhere in the world, with organized crime gangs exploiting the adoption of new technologies, according to Interpol. The policing network said that cybercrime now accounts for 30% of crime in over half of the countries covered by its 2025/2026 Asia and South Pacific Cyberthreat Assessment Report. The study, which is sponsored by the UK government, assessed cybercrime trends across 18 Southeast Asian countries and Pacific Island states."
        https://www.infosecurity-magazine.com/news/cybercrime-surges-apac-digitization/
        https://www.theregister.com/cyber-crime/2026/06/18/cyber-offenses-now-account-for-around-a-third-of-all-crime-across-asia-and-south-pacific/5257716
      • No Exploits Required
        "Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning and shrewd. We’re all dedicated to the notion that it is, in fact, possible to secure networks by being smart and creative with your approaches to exposure management."
        https://www.securityweek.com/no-exploits-required/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Supply chain attack via the ShapedPlugin update system found to affect WordPress websites

      Posted in Cyber Security News
      NCSA_THAICERT
    • Kodak confirms data breach after the ShinyHunters group claims to have stolen more than 2.2 million records


      Posted in Cyber Security News
      NCSA_THAICERT
    • Beware of crypto-stealing malware that uses a network of fake reviews to build credibility and deceive users


      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 18 June 2026

      Industrial Sector

      • Rockwell Automation Patches Vulnerabilities In ICS Controllers And Software
        "Rockwell Automation informed customers on Tuesday that patches are available for several vulnerabilities affecting its Logix and CompactLogix controllers, Flex I/O dual-port Ethernet/IP adapters, RSLinx industrial communication software, and FactoryTalk automation suite. In FactoryTalk Historian Site Edition the industrial giant patched three high- and critical-severity vulnerabilities that can be exploited to bypass authentication and launch DoS attacks."
        https://www.securityweek.com/rockwell-automation-patches-vulnerabilities-in-ics-controllers-and-software/

      New Tooling

      • Microsoft AntiSSRF Open-Source Library Helps Block Server-Side Request Forgery
        "AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications. It supports .NET and Node.js applications and is distributed under the MIT license. The library works as a drop-in component, giving developers a way to check untrusted input before their applications make outbound requests."
        https://www.helpnetsecurity.com/2026/06/17/microsoft-antissrf-open-source-library/
        https://github.com/microsoft/AntiSSRF
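        As an added example (not the AntiSSRF library's own code or API), the checks an outbound-URL guard has to make before a web application fetches an attacker-influenced URL: scheme and port allow-lists, no userinfo, literal addresses judged by the same rules as resolved ones, IPv4-mapped IPv6 unwrapped, every DNS answer inspected, and the validated address returned so the caller connects to it rather than re-resolving the host. The resolver is injectable so the block runs offline; FAKE_DNS and the .test hostnames are constructed sample data, not real records.

```python
from __future__ import annotations
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Microsoft AntiSSRF code: an outbound-URL guard with an
# injectable resolver. FAKE_DNS below is constructed sample data.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class SsrfBlocked(ValueError):
    """Raised for a URL the application must not fetch."""

def _is_public(ip) -> bool:
    # ::ffff:10.0.0.5 is an IPv4 address in disguise; judge it by IPv4 rules.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )

def _system_resolver(host: str) -> list[str]:
    # Return every address, so a host answering with a mix of public and private
    # records is rejected instead of being judged by whichever record came first.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def validate_outbound_url(url: str, resolver=_system_resolver) -> tuple[str, int, str]:
    """Return (host, port, pinned_ip) for a fetchable URL, or raise SsrfBlocked.

    Connect to pinned_ip (sending host in the Host header / SNI) instead of
    re-resolving host: a second lookup reopens the DNS-rebinding window.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise SsrfBlocked(f"bad port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise SsrfBlocked(f"port not allowed: {port}")
    # A literal address gets the same test as a resolved one, so http://[::1]/
    # and http://169.254.169.254/ cannot bypass the hostname path.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise SsrfBlocked(f"unresolvable host: {host}")
    for ip in addrs:
        if not _is_public(ip):
            raise SsrfBlocked(f"{host} maps to non-public address {ip}")
    return host, port, str(addrs[0])

def is_safe_url(url: str, resolver=_system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except SsrfBlocked:
        return False

# Constructed DNS answers for the offline demonstration (not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],   # mixed answer
    "v6mapped.attacker.test": ["::ffff:127.0.0.1"],
}

def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://example.com/webhook", "http://metadata.internal/latest/meta-data/",
              "http://rebind.attacker.test/", "http://[::1]/", "file:///etc/passwd",
              "http://user@example.com/", "http://example.com:8080/"):
        print(f"{'ALLOW' if is_safe_url(u, fake_resolver) else 'BLOCK'} {u}")
```

        The pinned address is the part most ad-hoc guards leave out: validating the hostname and then handing the URL to an HTTP client that resolves it again means an attacker-controlled DNS record can answer public once and private the second time. Redirects need the same treatment on every hop.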

      Vulnerabilities

      • Oracle’s Second Monthly Security Updates Deliver 245 Patches
        "Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products."
        https://www.securityweek.com/oracles-second-monthly-security-updates-deliver-245-patches/
      • Microsoft Working On Defender Patch For RoguePlanet Zero-Day
        "Microsoft confirmed that it's working on a security patch for a Defender zero-day vulnerability named "RoguePlanet," disclosed one week ago. The security researcher who published a RoguePlanet exploit during the June 2026 Patch Tuesday (known as Nightmare Eclipse) said it affects fully patched Windows 10 and Windows 11 devices and allows attackers to spawn command prompts with SYSTEM privileges via a Microsoft Defender race condition. He shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously targeted and removed their repos hosting exploits on GitHub and GitLab."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/
        https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
        https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
        https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/

      Malware

      • FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
        "Fortinet firewalls and VPN gateways serve as the primary defensive perimeter for countless organizations worldwide. However, a massive new cyber espionage campaign has silently compromised these highly trusted devices on an unprecedented global scale. Originally discovered by security researcher Volodymyr “Bob” Diachenko, with further analysis from Hudson Rock and cybersecurity expert Kevin Beaumont, this dataset exposes a massive, automated operation. Threat actors successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains. Astonishingly, as Beaumont highlighted, this represents roughly 50% of all Fortinet firewall devices currently facing the internet."
        https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/
        https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
        https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices
        https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/
        https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/
        https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257877
      • What Is The True Nature Of The Shortcut File I Thought Was a Privacy Consent Form?
        "Evidence has recently emerged that malicious files posing as “Consent Forms for the Collection and Use of Personal Information” have been circulating. Threat actors use file names that are easily mistaken for work documents to trick users into running them. These files are not actual documents but shortcut files; when executed, they collect PC information through hidden commands and may lead to further malicious behavior."
        https://asec.ahnlab.com/en/94164/
      • It Looks Like a Normal Resume, But The Infection Begins The Moment It Is Opened.
        "Malicious shortcut files disguised as resume files have recently been circulating, requiring corporate users to exercise caution. Threat actors name the files to resemble resume documents containing company names and job titles, and when executed, they display a legitimate decoy file alongside the malicious file to lower the user’s suspicion. The file then downloads additional malicious files and attempts to execute backdoor malware, establishing persistence through methods such as registering with the Task Scheduler, adding items to the Startup folder, and DLL side-loading."
        https://asec.ahnlab.com/en/94165/
      • 144 Mastra Npm Packages Compromised Via Hijacked Contributor Account
        "As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, SafeDep, Socket, and StepSecurity. "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said."
        https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
        https://socket.dev/blog/mastra-npm-packages-compromised
        https://www.bankinfosecurity.com/mastra-ai-framework-poisoned-in-npm-supply-chain-attack-a-32003
      • From Stars To Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers
        "Most malware campaigns try to hide. This one does the opposite, it works hard to look loved. Check Point Research analyzed a cryptocurrency clipboard hijacker (a “clipper”) hidden inside a collection of “tools” that promise users an unfair edge: Solana and Pump.fun sniper bots, an “Aviator Predictor,” and various crash-game predictors. The targets are crypto holders and online gamblers already hunting for shortcuts and quick, automated profits."
        https://blog.checkpoint.com/research/from-stars-to-upvotes-the-fake-reputation-economy-behind-a-crypto-clipboard-hijackers/
        https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/
        https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html
      • Elon Musk, The IRS, And Your Bank Account: Anatomy Of a Multi-Stage Financial Scam
        "Recently, the Cofense Intelligence team reported on an Internal Revenue Service (IRS)-spoofing email that claims to offer a $5,000 tax refund through an Elon Musk cryptocurrency initiative. This email instead redirects to a credential phishing page and a fake cryptocurrency market that is used to steal personally identifiable information (PII) and Bitcoin. This campaign is notable for its extensive amount of stolen PII, which would allow threat actors to easily steal identities and pivot to social engineering attacks on a victim’s financial, government, or online service accounts. This report is a follow-up from a prior report, From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, that covered this campaign at a high level. This report will focus more heavily on details regarding the full extent of the cryptocurrency scam website and how the threat actors are able to use stolen PII from this campaign to pivot towards other tactics."
        https://cofense.com/blog/elon-musk,-the-irs,-and-your-bank-account-anatomy-of-a-multi-stage-financial-scam
      • From Emerging Threat To Top-Tier Ransomware-As-a-Service: The Evolution Of INC Ransomware
        "INC has evolved from an emerging ransomware-as-a-service (RaaS) operation into one of the most active ransomware groups in 2026, claiming more than 800 victims since 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations. Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity."
        https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/
        https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics
      • GitBait: Phishing The Mexican Financial Sector
        "A modular phishing infrastructure targeting multiple Mexican banks has been uncovered, abusing GitHub-hosted Pages, employing obfuscated scripts, and featuring a centralized credential exfiltration via SheetBest API, indicating a scalable and persistent multi-brand phishing operation."
        https://www.group-ib.com/blog/gitbait-phishing-mexico-banking-finance/
        https://www.infosecurity-magazine.com/news/gitbait-github-pages-sheetbest/
      • Roblox Developers Are Losing Entire Games To Malware Attacks
        "Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game. Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment."
        https://www.malwarebytes.com/blog/scams/2026/06/roblox-developers-are-losing-entire-games-to-malware-attacks
      • ClickFix Campaign Generated Via AI Delivers SmartRAT
        "In March 2026, Zscaler ThreatLabz observed multiple instances of typosquatting domains hosting malicious content generated with AI-powered website creation tools. Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs)."
        https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat
      • Cato CTRL™ Threat Research: Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
        "Cato CTRL recently analyzed an operator’s command-and-control (C2) server’s entire 33-day operation, including the steps he took to preserve access after the takedown. 339 commands. Four French victims. Between March 30 and May 1, 2026, Cato CTRL studied every command issued by a French-speaking threat actor (“Poisson”) against one French automotive small business and four French individuals. With that insight, we can say with certainty, not as a prediction, that techniques like VPN-mesh-based-persistence are already in active use right now, and that taking down a C2 server is no longer sufficient for remediation."
        https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/
        https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html
      • Inside a WooCommerce Payment Skimmer: How Carders Moved From Phishing Pages To Checkout Backdoors
        "For years, the entry point for stolen card data was the fake page: bogus loan portals, reward-claim sites, parcel-redelivery lures, and lookalike bank logins that tricked victims into typing their card details into an attacker-controlled form. CloudSEK's HUMINT engagements with operators active on carding marketplaces (Savastan0, Cvvhub, Jerrys, Zillion, Proton, VClub, Pepe, CVV-focused shops, and several invite-only forums) indicate a clear shift in tradecraft. The more technical actors have largely abandoned standalone phishing for direct compromise of legitimate e-commerce sites gaining web-shell access, planting a backdoor in or around the payment flow, and silently harvesting card data from real customers during genuine purchases."
        https://www.cloudsek.com/blog/woocommerce-payment-skimmer-card-data-theft-checkout-backdoor
      • GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers
        "Not every threat that matters is technically sophisticated, and that is also the case with GoFlateLoader, which is a rather simple loader written in Go, whose sole purpose is to decode and execute the payload in memory. What stands out the most is not what the loader does but rather what it does not do – it comes without anti-debugging, anti-VM, or sandbox-evasion checks, and also lacks API hashing or CFG obfuscation, the kind of tricks that loaders almost always come with. Instead, GoFlateLoader relies on one of the simplest yet still effective tricks to stay under the radar – it appends a massive PE overlay at the end of the file, deliberately inflating the binary's size (hence the name GoFlateLoader)."
        https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers
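The overlay trick described above is easy to measure. The following checker is an added example, not code from the Gen Digital write-up: it parses only the DOS, COFF and section headers of a PE, computes where the last section's raw data ends, and reports how much of the file lies beyond that point as overlay. The synthetic PE builder, the 90% ratio and the 64 KiB minimum are constructed assumptions for the demo; the threshold is what you would tune against your own sample set.

```python
"""Overlay-ratio check for PE files (added example, not from the original article).

A loader that pads itself with a huge trailing overlay keeps every header and
section small and legitimate-looking; only the end of the file grows. This
reads the DOS/COFF/section headers, finds the highest PointerToRawData +
SizeOfRawData, and treats everything after it as overlay.
"""
import struct

OVERLAY_RATIO_ALERT = 0.90   # assumption: flag when >90% of the file is overlay
MIN_OVERLAY_BYTES = 0x10000  # assumption: ignore small overlays (signatures, manifests)


def pe_overlay_info(data: bytes) -> dict:
    """Return {'image_end', 'overlay_size', 'overlay_ratio'} for a PE image.

    Raises ValueError for anything that is not a parsable PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    try:
        coff = e_lfanew + 4
        # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
        # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
        table = coff + 20 + size_opt
        image_end = table + 40 * nsec           # at least the section table itself
        for i in range(nsec):
            # Section header: Name(8) VirtualSize(4) VirtualAddress(4)
            # SizeOfRawData(4) PointerToRawData(4) ... -> read the two raw fields at +16
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            if raw_size:
                image_end = max(image_end, raw_ptr + raw_size)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    overlay = max(0, len(data) - image_end)
    return {"image_end": image_end, "overlay_size": overlay,
            "overlay_ratio": overlay / len(data)}


def looks_inflated(data: bytes, ratio: float = OVERLAY_RATIO_ALERT,
                   min_overlay: int = MIN_OVERLAY_BYTES) -> bool:
    """Heuristic: most of the file is overlay and the overlay is not tiny."""
    info = pe_overlay_info(data)
    return info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= ratio


def build_synthetic_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one section, for the demo only (not runnable code)."""
    e_lfanew = 0x40
    size_opt = 0xE0                                   # PE32 optional header size
    raw_ptr = (e_lfanew + 4 + 20 + size_opt + 40 + 0x1FF) & ~0x1FF  # 0x200 alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                       len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return header + section_payload + overlay


if __name__ == "__main__":
    clean = build_synthetic_pe(b"\xC3" * 0x200, b"")
    bloated = build_synthetic_pe(b"\xC3" * 0x200, b"\0" * 0x20000)
    for label, blob in (("clean", clean), ("bloated", bloated)):
        print(label, pe_overlay_info(blob), "inflated:", looks_inflated(blob))
```

Treat a hit as a triage signal rather than a verdict: Authenticode signatures, installers and self-extracting archives legitimately live in the overlay, so the absolute size and the ratio together, plus whether the overlay is high-entropy or mostly padding, decide whether a sample deserves a closer look.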

      Breaches/Hacks/Leaks

      • Kodak Confirms Data Breach Claimed By ShinyHunters Extortion Gang
        "Kodak has confirmed that it's working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the company's data. Founded in 1880 as the Eastman Kodak Company and headquartered in Rochester, New York, Kodak has 79,000 worldwide patents and provides commercial print, advanced materials, and chemical products. A company spokesperson told BleepingComputer that attackers only accessed a "limited amount" of data in the incident, but didn't reply to a subsequent email asking if they breached Kodak's internal network."
        https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/

      General News

      • SpyCloud Report Finds Phishing Attacks Surge As Employee Data Is Exposed At 86% Of Fortune 100 Companies
        "SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organizations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale. Based on a survey of security professionals at organizations with more than 1,000 employees, SpyCloud found that 78% of organizations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against."
        https://hackread.com/spycloud-report-finds-phishing-attacks-surge-as-employee-data-is-exposed-at-86-of-fortune-100-companies/
        https://spycloud.com/resource/report/phishing-pulse-report-2026/
      • Low-Skilled Attacker Used Claude, Codex To Breach 14 Companies
        "Researchers have long warned that AI agents could lower the skill floor for offensive cyber operations, and a recent report by OALABS (Open Analysis) researchers bears that out. After recovering and analyzing over 1,000 agent sessions from a compromised server on which an attacker deployed Anthropic’s Claude Code and OpenAI’s Codex agents, the researchers discovered how easily the attacker was able to bypass most of the agents’ guardrails, and how little he actually needed to know and do himself."
        https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/
      • The SOC’s Visibility Gap Comes Down To Staffing
        "AI has settled into security operations centers faster than any earlier wave of technology. Around four in five practitioners report reaching for AI or machine learning tools in their daily work. The catch shows up one layer down. Roughly a third of those same teams have built these tools into a defined workflow with structure, governance, and consistent validation. The rest pick up AI on their own, case by case, with no shared playbook for how it gets used or checked."
        https://www.helpnetsecurity.com/2026/06/17/sans-ai-in-the-soc/
        https://www.infosecurity-magazine.com/news/staffing-top-soc-challenge-ai/
      • The Checklist Problem Behind Critical Infrastructure Cyber Safety
        "An asset owner can meet major federal cyber compliance standards and still run equipment that lacks the engineering to withstand an attack or a failure. New research from George Mason University examines how United States cyber policy defines reasonable care for systems that control physical processes, and it finds that compliance has become a stand-in for safety."
        https://www.helpnetsecurity.com/2026/06/17/usa-critical-infrastructure-cyber-safety/
      • Sensitive Enterprise Data Uploads To AI Models Double In a Year
        "The amount of sensitive enterprise data which employees uploaded to AI and machine learning applications has almost doubled in the last year, putting organizations at increased risk of data breaches and cyber espionage, a new report has warned. Published on June 17, the Zscaler 2026 AI Threat Report said that there has been a 93% year-over-year increase in employees transferring enterprise data to AI tools."
        https://www.infosecurity-magazine.com/news/sensitive-ai-data-upload-doubles/
      • AI Threats And Alert Fatigue Challenge Cybersecurity Teams
        "A study conducted during Infosecurity Europe 2026 has found that AI-powered attacks at scale are the biggest security concern facing many cybersecurity professionals. The survey of 168 cybersecurity leaders across various sectors conducted by Filigran during the three-day event found 41% cited AI-powered attacks as a top challenge, double that of those who cited supply chain risk (21%) or unknown threats (21%)."
        https://www.infosecurity-magazine.com/news/ai-threats-alert-fatigue-challenge/
      • Cybercriminals Are Targeting EdTech: Data Breaches And Ransomware Attacks On The Rise
        "The education technology (EdTech) sector has become a prime target for cybercriminals as attacks against educational institutions and related platforms continue to escalate. With sensitive data, including student records, employee information, and payment data, stored on EdTech systems, the sector has become an appealing target for cybercriminals seeking financial gain, data exploitation, and reputational damage. Recent high-profile incidents, including attacks by groups such as ShinyHunters and FulcrumSec, highlight the vulnerability of educational organizations and the increasing sophistication of cyber extortion tactics."
        https://www.resecurity.com/blog/article/cybercriminals-are-targeting-edtech-data-breaches-and-ransomware-attacks-on-the-rise
        https://securityaffairs.com/193777/data-breach/edtech-faces-a-cybersecurity-crisis-data-breaches-surge.html
      • What The ThreatLabz 2026 Phishing And Initial Access Report Means For The Public Sector
        "It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact. That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days."
        https://www.zscaler.com/blogs/security-research/what-threatlabz-2026-phishing-and-initial-access-report-means-public-sector
      • The Top 10 Attack Surface Exposures In 2026
        "Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place."
        https://thehackernews.com/2026/06/the-top-10-attack-surface-exposures-in.html
      • Hostile States Behind Three-Quarters Of Attacks On Britain's Critical Infrastructure, Cyber Chief Warns
        "Britain is already fighting the opening exchanges of future conflicts in cyberspace, the country’s cyber chief warned Wednesday, as he disclosed that hostile states are responsible for three-quarters of the attacks striking the country's critical national infrastructure. Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said his teams had handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May, of which about 75% were believed to be the work of state actors."
        https://therecord.media/britain-nation-state-cyberattacks-richard-horne-rusi

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 17 June 2026

      Industrial Sector

      • Rockwell Automation FLEX I/O EtherNet/IP Adapters
        "Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, account takeover, and cause loss of availability."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-05
      • Rockwell Automation FactoryTalk Analytics PavilionX
        "Successful exploitation of this vulnerability could result in an attacker executing privileged operations."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-01
      • Rockwell Automation RSLinx
        "Successful exploitation of this vulnerability can lead to a denial of service, where the application will become unresponsive and will not recover on its own."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-02
      • Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial Of Service Via CIP
        "Successful exploitation of this vulnerability could cause a denial-of-service condition that may result in a major nonrecoverable fault (MNRF)."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-03
      • Rockwell Automation CompactLogix
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-04
      • Implementing Zero Trust In Operational Technology: A Practical Case Study
        "While zero trust guidance for enterprise information technology (EIT) systems is well established, its direct application to operational technology (OT) environments is problematic due to fundamental differences in system architecture and operational priorities. Zero trust frameworks tailored to the unique requirements of OT systems are just beginning to emerge. The Software Engineering Institute (SEI) is pioneering research into the application of zero trust principles within weapon system environments with embedded OT. In this blog post, we explore a specific case study and examine how findings from our research on weapon systems driven by embedded OT translate to the broader OT landscape."
        https://www.sei.cmu.edu/blog/implementing-zero-trust-in-operational-technology-a-practical-case-study/

      Vulnerabilities

      • Critical Fortinet FortiSandbox Flaws Now Exploited In Attacks
        "Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14. These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions."
        https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/
        https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
        https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html
        https://www.theregister.com/security/2026/06/16/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers/5256461
        https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
      • Emerging Threat: (CVE-2026-49975) Apache HTTP Server Denial Of Service Via HTTP/2 Memory Exhaustion
        "CVE-2026-49975 is a memory exhaustion vulnerability in the mod_http2 module of Apache HTTP Server that allows a remote attacker to cause a denial of service through maliciously crafted HTTP/2 requests. It is classified as CWE-789, Memory Allocation with Excessive Size Value, and was publicly disclosed as part of an attack technique nicknamed the “HTTP/2 Bomb.” The vulnerability carries a CVSS v3.1 base score of 7.5 (High). The Apache Software Foundation rated the issue Moderate in its own advisory, while the National Vulnerability Database scores it High. The scoring vector reflects an availability-only impact: no loss of confidentiality or integrity, but full loss of service."
        https://www.cycognito.com/blog/emerging-threat-cve-2026-49975-apache-http-server-denial-of-service-via-http-2-memory-exhaustion/
        https://www.darkreading.com/vulnerabilities-threats/http-2-bomb-attacks-telcos-healthcare

      Malware

      • Multiple JetBrains IDE Plugins Caught Stealing AI Keys
        "We detected a coordinated malware campaign on the JetBrains Marketplace. At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior. Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times. Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests. They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker."
        https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
        https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/
      • Rokarolla : Android Banker With Complete Device Takeover Capabilities
        "The zLabs research team has discovered Rokarolla, a newly identified Android banking trojan named after its Command and Control (C2) infrastructure. Primarily distributed through malicious websites such as hxxps[://]infocontablidades[.]it[.]com/, where it masquerades as popular applications like TikTok or Google Chrome, this highly invasive malware is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications."
        https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities
        https://github.com/Zimperium/IOC/blob/master/2026-06-Rokarolla/commands.md
        https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/
        https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html
        https://www.darkreading.com/endpoint-security/rokarolla-android-trojan
        https://www.bankinfosecurity.com/rokarolla-android-banking-trojan-enables-device-takeover-a-31996
        https://www.infosecurity-magazine.com/news/rokarolla-android-banking-trojan/
        https://hackread.com/rokarolla-android-trojan-crypto-and-banking-apps/
      • Dozens Of Malicious Wallpapers Found On Steam Workshop: Gamers’ Accounts At Risk
        "Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform’s built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts. To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app available on Steam – specifically leveraging its Workshop sharing feature. The malware is hidden inside the wallpaper packages users share with one another. Running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected with backdoors or crypto miners."
        https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/
        https://www.bleepingcomputer.com/news/security/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app/
      • GhostTree Attack Abused Recursive Windows Junctions To Hide Malware
        "Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS treats as real. They exist for backward compatibility, storage management, things that rarely come up in a SOC. But they have a property that makes them interesting from an offensive perspective: any user can create them. No admin privileges are required, and no special permissions beyond write access to the target folder. We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish."
        https://www.bleepingcomputer.com/news/security/ghosttree-attack-abused-recursive-windows-junctions-to-hide-malware/
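A scanner that walks directory trees needs to cut exactly the loop described above. The walker below is an added example, not code from the GhostTree research or from any EDR product: it follows links, but refuses to enter a link whose resolved target is the link's own directory or an ancestor of it, records that link as a loop (which is itself the indicator of interest), and keeps a set of visited (device, inode) pairs so indirect cycles are cut too. The demo builds the loop with a POSIX symlink in a temporary directory as a stand-in for an NTFS junction (assumption); on Windows with Python 3.12+ the same code recognises junctions through os.path.isjunction.

```python
"""Loop-aware directory walker (added example, not from the original article).

A link whose target is its own parent turns a naive recursive scan into an
endless descent. This walker detects such links before entering them and
also de-duplicates directories by (st_dev, st_ino).
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def _is_reparse(path: str) -> bool:
    """True for symlinks and, on Windows with Python 3.12+, junctions."""
    isjunction = getattr(os.path, "isjunction", None)
    return os.path.islink(path) or (isjunction is not None and isjunction(path))


@dataclass
class ScanResult:
    files: list = field(default_factory=list)
    loops: list = field(default_factory=list)    # (link_path, resolved_target)
    skipped_dupes: int = 0                       # directories reached twice via links


def scan_tree(root: str, max_depth: int = 64) -> ScanResult:
    """Walk `root`, following links, without ever entering a self-referencing one."""
    res = ScanResult()
    seen: set = set()

    def walk(directory: str, depth: int) -> None:   # `directory` is always a real path
        if depth > max_depth:
            return
        try:
            st = os.stat(directory)
        except OSError:
            return
        key = (st.st_dev, st.st_ino)
        if key in seen:
            res.skipped_dupes += 1
            return
        seen.add(key)
        try:
            entries = list(os.scandir(directory))
        except OSError:
            return
        for entry in entries:
            path = entry.path
            if _is_reparse(path):
                target = os.path.realpath(path)
                try:   # target equal to, or an ancestor of, the link's directory => loop
                    is_ancestor = os.path.commonpath([target, directory]) == target
                except ValueError:                  # e.g. different drives on Windows
                    is_ancestor = False
                if is_ancestor:
                    res.loops.append((path, target))
                    continue
                path = target
            if os.path.isdir(path):
                walk(path, depth + 1)
            else:
                res.files.append(path)

    walk(os.path.realpath(root), 0)
    return res


def demo() -> ScanResult:
    """Constructed tree: base/a/b/payload.bin and base/a/b/loop -> base/a (an ancestor)."""
    base = tempfile.mkdtemp(prefix="ghosttree_demo_")
    try:
        os.makedirs(os.path.join(base, "a", "b"))
        with open(os.path.join(base, "a", "b", "payload.bin"), "wb") as fh:
            fh.write(b"MZ constructed inert sample")          # constructed, not malware
        os.symlink(os.path.join(base, "a"), os.path.join(base, "a", "b", "loop"),
                   target_is_directory=True)
        return scan_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    r = demo()
    print("files:", r.files)
    print("loops:", r.loops)
```

The loop list is the part worth alerting on: a junction or symlink pointing at its own ancestor has no everyday purpose, so any scanner that already enumerates reparse points can surface it as a finding instead of silently skipping it.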
      • Hidden In Teams: DragonForce Attackers Weaponize Microsoft Teams Relays To Stay Hidden
        "Attackers deploying the DragonForce ransomware against a major U.S. services firm hid their command-and-control traffic (C&C) inside Microsoft Teams’ own relay infrastructure, using a custom Go-based backdoor that Symantec is tracking as Backdoor.Turn. To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months. Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server. To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn."
        https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
        https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
        https://www.infosecurity-magazine.com/news/dragonforce-ransomware-hidden/
        https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296
        https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
      • FishMonger’s Arsenal Upgraded: SprySOCKS For Windows
        "ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I‑SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations."
        https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/
        https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/
        https://www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers
        https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
        https://www.infosecurity-magazine.com/news/sprysocks-backdoor-windows/
      • Phishing Campaign Targets Banks With Fileless Phantom Stealer Malware
        "Fortra Intelligence and Research Experts (FIRE) have identified an active phishing campaign targeting high-capital organizations, particularly those operating within the banking sector. The campaign uses evasive techniques to distribute Phantom Stealer, a commercially available Malware-as-a-Service (MaaS) infostealer used to steal credentials, financial data, and sensitive information. The tool is sold under a subscription model by a threat actor operating under the alias Oldphantomoftheopera, affiliated with the Phantom Softwares group. The attack begins with phishing emails containing malicious attachments disguised as business documents. Once executed, the malware runs entirely in memory, helping it evade traditional defenses."
        https://www.fortra.com/blog/phishing-campaign-targets-banks-fileless-phantom-stealer-malware
        https://www.darkreading.com/cyberattacks-data-breaches/fileless-phantom-stealer-targets-browser-credentials
      • Lorem Ipsum Revisited
        "BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers have been tracking an active ClickFix campaign that manipulates users into believing their web browser requires a security update. If the user complies, the ClickFix lure initiates a multi-stage infection chain that ultimately deploys the Lorem Ipsum Loader, a malware family BlueVoyant first documented in May 2026. The current campaign represents a notable evolution from the previous Lorem Ipsum operation, which distributed trojanized Microsoft Teams installers through SEO-poisoned and malvertised fake download portals. The pivot to ClickFix lures hosted on compromised WordPress (WP) sites significantly broadens the potential victim pool and demonstrates the operators' willingness to rapidly adapt their initial access techniques."
        https://www.bluevoyant.com/blog/orem-ipsum-clickfix-rapid-brigantine
        https://www.darkreading.com/cyberattacks-data-breaches/lorem-ipsum-malware-clickfix-delivery
        https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html
      • Inside Amos Stealer: How This Threat Targets MacOS Credentials And Keychains
        "Amos Stealer remains a prominent and highly active malware family specifically engineered to target macOS users and extract sensitive information from compromised systems. Typically distributed via deceptive software downloads, malicious websites, or sophisticated social engineering lures, this info-stealer is designed to harvest user credentials, browser data, cryptocurrency wallet configurations, and other proprietary files. The sustained activity of Amos Stealer underscores a broader cyber threat trend: threat actors are increasingly shifting their focus toward macOS environments to execute financially motivated campaigns."
        https://www.cyberproof.com/blog/inside-amos-stealer-how-this-threat-targets-macos-credentials-and-keychains/
        https://hackread.com/amos-stealer-macos-keychain-files-browser-passwords/
      • Pickle In The Middle – Hijacking Vertex AI Model Uploads For Cross-Tenant RCE
        "We discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google’s fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim's model upload and poison it. By exploiting this flaw in vulnerable versions of the SDK, an attacker can achieve remote code execution (RCE) within a target’s Vertex AI serving infrastructure, with zero initial access to the victim's project. The root enabler of this attack is a predictable default bucket name, combined with a missing ownership check in the SDK's staging logic. When a Vertex AI user uploads a model without specifying a custom staging bucket, the SDK constructs a bucket name using a deterministic pattern based on the project ID and region."
        https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
        https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html
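The two ingredients Unit 42 names, a predictable default bucket name and a missing ownership check, form a bug class that is easy to model without any cloud account. The snippet below is an added example and is neither the Vertex AI SDK's code nor Google's fix: a toy object store with a global bucket namespace, a staging helper that uses whatever bucket already carries the derived name, and a hardened helper that verifies the bucket's owning project before uploading. The name pattern, project IDs and storage API are constructed stand-ins.

```python
"""Staging-bucket squatting: vulnerable vs hardened (added example, not SDK code).

Bucket names are global across tenants, so if a client derives a default
staging bucket from (project, region) and reuses it whenever it exists,
whoever created that name first receives the upload.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    name: str
    project: str                                  # project that owns the bucket
    objects: dict = field(default_factory=dict)   # object name -> bytes


class FakeStorage:
    """Constructed object store with one global bucket namespace."""
    def __init__(self) -> None:
        self.buckets: dict = {}

    def create(self, name: str, project: str) -> Bucket:
        if name in self.buckets:
            raise FileExistsError(name)            # taken by someone, in some project
        self.buckets[name] = Bucket(name, project)
        return self.buckets[name]

    def get(self, name: str):
        return self.buckets.get(name)


class StagingError(Exception):
    pass


def default_staging_bucket(project: str, region: str) -> str:
    # Assumed shape of a deterministic default; the real SDK pattern is not reproduced.
    return f"{project}-{region}-staging"


def stage_model_vulnerable(storage: FakeStorage, project: str, region: str,
                           artifact: bytes) -> Bucket:
    """Create-if-missing, then upload: never asks who owns an existing bucket."""
    name = default_staging_bucket(project, region)
    bucket = storage.get(name) or storage.create(name, project)
    bucket.objects["model.bin"] = artifact
    return bucket


def stage_model_hardened(storage: FakeStorage, project: str, region: str,
                         artifact: bytes) -> Bucket:
    """Same flow, but refuse to stage into a bucket another project owns."""
    name = default_staging_bucket(project, region)
    bucket = storage.get(name) or storage.create(name, project)
    if bucket.project != project:
        raise StagingError(f"bucket {name!r} is owned by {bucket.project!r}, not {project!r}")
    bucket.objects["model.bin"] = artifact
    return bucket


def demo(hardened: bool) -> tuple:
    """Attacker pre-creates the victim's predictable bucket name from their own project."""
    storage = FakeStorage()
    victim, attacker, region = "victim-proj", "attacker-proj", "us-central1"
    storage.create(default_staging_bucket(victim, region), attacker)
    stage = stage_model_hardened if hardened else stage_model_vulnerable
    try:
        bucket = stage(storage, victim, region, b"constructed model weights")
        return ("landed_in", bucket.project)
    except StagingError:
        return ("blocked", None)


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))   # upload lands in attacker-proj
    print("hardened:  ", demo(hardened=True))    # refused
```

The write-up says the default is only constructed when the caller does not name a staging bucket, so the operational takeaway for anyone on an unpatched SDK version is to always pass an explicit bucket in a project you own; the ownership check above is what the client side should do in addition, since the name alone proves nothing.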
      • Analysis Of APT37 NarwhalRAT Leveraging MS-Themed Phishing And Dead-Drop C2
        "Genians Security Center recently confirmed the continued distribution of compiled Python-based malware. This threat shows strong similarities to the attack scenario and TTPs identified in the report "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", published on May 11, 2026. This attack was carried out through a spear phishing email titled "[Urgent] Security Check Notice Regarding Repeated One-Time Password (OTP) Generation". The sender was displayed as "Microsoft Account Team", making the email appear as though it had been sent by an official account security team. However, the actual sender domain was confirmed to be unrelated to Microsoft’s official domains."
        https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat
        https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
      • EvilTokens: A Phishing Attack That Doesn’t Steal Your Password
        "Much has been written about how the days of phishing emails laden with broken grammar and crude design are numbered, largely thanks to AI. Meanwhile, EvilTokens offers a somewhat different example of how far the phishing craft has moved. EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page."
        https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password/
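Device code phishing works because every step the victim performs is legitimate; only the person who started the flow is not. The simulation below is an added example, not code from ESET's analysis and not a phishing kit: a toy authorization server with the two endpoints the device authorization grant (RFC 8628) defines, an attacker role that starts the flow and polls for tokens, and a victim role that enters the user code on the genuine verification page and passes MFA. Endpoint names, token formats, lifetimes and identities are constructed; nothing here contacts Microsoft.

```python
"""Device authorization grant (RFC 8628) as abused by device-code phishing.

Added example, not from the original article. The attacker never sees a
password or an MFA prompt; it receives the tokens because the victim
approved the attacker's pending device code on the real login page.
"""
import secrets
import time


class ToyAuthServer:
    """Constructed stand-in for an IdP's device-code and token endpoints."""
    EXPIRES_IN = 900    # seconds a pending user code stays valid (assumption)
    INTERVAL = 5        # seconds between attacker polls (assumption)

    def __init__(self) -> None:
        self.pending: dict = {}   # device_code -> record

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Attacker calls this: gets the device_code (secret) and user_code (for the lure)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "scope": scope, "approved_by": None,
                                     "created": time.time()}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",   # constructed
                "expires_in": self.EXPIRES_IN, "interval": self.INTERVAL}

    def verify(self, user_code: str, user: str, mfa_ok: bool) -> dict:
        """Victim visits the genuine verification page, types the code, signs in with MFA."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                if not mfa_ok:
                    return {"error": "mfa_required"}
                rec["approved_by"] = user       # binds the attacker's code to the victim
                return {"status": "approved"}
        return {"error": "invalid_code"}

    def token(self, device_code: str, client_id: str) -> dict:
        """Attacker polls this until the victim has approved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() - rec["created"] > self.EXPIRES_IN:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        user = rec["approved_by"]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": f"at.{user}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{secrets.token_hex(8)}"}


def simulate_phish() -> dict:
    """Whole exchange: attacker starts, victim approves on the real page, attacker collects."""
    srv = ToyAuthServer()
    attacker_client = "constructed-public-client-id"
    dc = srv.devicecode(attacker_client, "openid offline_access Mail.Read")
    first_poll = srv.token(dc["device_code"], attacker_client)       # still pending
    # The lure (mail, chat, fake support call) carries only dc["user_code"] and the
    # genuine verification_uri; the victim types it in and completes real MFA.
    approve = srv.verify(dc["user_code"], "alice@example.com", mfa_ok=True)
    final = srv.token(dc["device_code"], attacker_client)            # victim's tokens
    return {"lure_code": dc["user_code"], "first_poll": first_poll,
            "approve": approve, "token": final}


if __name__ == "__main__":
    out = simulate_phish()
    print("lure shows:", out["lure_code"], "-> attacker gets:", out["token"])
```

Two properties of the exchange matter for defenders: the only attacker-controlled artefact the victim ever sees is a short code, and the resulting tokens carry whatever scope the attacker requested at the start, including a refresh token when offline_access was granted. The flow is distinguishable from an interactive browser sign-in in identity-provider sign-in telemetry and can be restricted by policy where the provider supports it, which is the control to check rather than anything on the victim's screen.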

      Breaches/Hacks/Leaks

      • iRhythm Discloses Data Breach, Says Hackers Stole Patient Info
        "Digital healthcare company iRhythm Holdings has disclosed a data breach after hackers stole patients' personal and health information stored on third-party-hosted business applications. The company says its cardiac monitoring service has been used to analyze more than 2 billion hours of curated heartbeat data from over 12 million patients. In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, iRhythm said it discovered the incident one day earlier, prompting it to launch an investigation with external cybersecurity experts and activate its cybersecurity response plan to contain the breach."
        https://www.bleepingcomputer.com/news/security/irhythm-discloses-data-breach-says-hackers-stole-patient-info/
        https://www.malwarebytes.com/blog/news/2026/06/cardiac-patients-medical-data-stolen-and-held-to-ransom
        https://securityaffairs.com/193721/data-breach/irhythm-hit-by-cyberattack-patient-data-stolen-and-ransom-demanded.html
        https://www.securityweek.com/irhythm-confirms-data-stolen-in-hack/
        https://www.theregister.com/cyber-crime/2026/06/16/cardiac-monitor-makers-security-skips-a-beat-as-data-thieves-go-for-the-jugular/5256038
      • Scoop: FulcrumSec Leaks Novo Nordisk Data After $25M Demand Goes Unpaid (2)
        "Danish pharma giant Novo Nordisk disclosed a cybersecurity incident last week, and although the firm’s name may not be familiar to everyone, they are a major producer of insulin and semaglutide. Semaglutide is marketed as Wegovy for weight loss and Ozempic for Type 2 diabetes. In its June 11 update, the firm stated that the incident affected a limited amount of information related to patients participating in some of its clinical trials. As they described it, the information was pseudoanonymized, i.e., the information was not directly linked to any patients by name or other direct identifiers:"
        https://databreaches.net/2026/06/15/scoop-fulcrumsec-leaks-novo-nordisk-data-after-25m-demand-goes-unpaid/
        https://www.securityweek.com/cybercrime-group-claims-novo-nordisk-hack/

      General News

      • May 2026 Threat Trend Report On APT Group
        "The May 2026 APT Trends report identified supply chain attacks, developer environment attacks, automated Initial Breach, and exploitation of runtime environments as key developments. Lazarus, Famous Chollima, Gamaredon, MuddyWater, and Nimbus Manticore are of particular concern."
        https://asec.ahnlab.com/en/94145/
      • FTC Data Show People Reported Losing $3.5 Billion To Imposter Scams In 2025
        "New data from the Federal Trade Commission reveal that people reported losing a staggering $3.5 billion to imposter scams in 2025, with reported losses increasing nearly three times since 2020. FTC data also show that people reported imposter scams more than any other fraud category in 2025—nearly one in three fraud reports were about imposter scams. These scams lured consumers through text, phone, email, social media, search engine results and other means. Some of the costliest impersonation scams start with a fake security alert, often from a bank. People are convinced to move money to “protect” it, with their losses often limited only by their available funds."
        https://www.ftc.gov/news-events/news/press-releases/2026/06/ftc-data-show-people-reported-losing-3-point-5-billion-imposter-scams-2025
        https://www.bleepingcomputer.com/news/security/ftc-warns-of-record-35-billion-losses-to-imposter-scams-in-2025/
      • Phishing No Longer Looks Wrong: What Security Leaders Should Do Next
        "Traditional defenses were built around prevention. Block malicious email before delivery. Train users to recognize suspicious messages. Investigate what slips through. That model still has value, but it is under pressure from a new class of attacks that are:"
        https://cofense.com/blog/phishing-no-longer-looks-wrong-what-security-leaders-should-do-next
      • Most CISOs Report Pressure To Bury Bad Security News
        "CISOs contend with increasingly advanced attacks, evolving compliance and regulation standards, and constant worry about what will happen to the company and themselves if a breach occurs. Stress, blame, and panic have become synonymous with the role. Now comes another burden. According to a recent Checkmarx report, "The Future of Application Security in the Era of AI," 95% of CISOs "feel pressured to suppress or delay compliance-related security findings.""
        https://www.darkreading.com/cyber-risk/most-cisos-report-pressure-to-bury-bad-security-news
      • Reachability Makes AI Threat Modeling Worth The Trust
        "In this interview with Help Net Security, Oscar Andersson, CTO at Oplane, explains why most scanning tools fail. They cry wolf, flagging threats that cannot run in real code. The argument centers on reachability. A finding counts only when someone walks the path to impact on a working build. He shows how a chain of small design choices led to account takeover in a popular open-source project, then covers how to test a vendor’s claims, handle attacks aimed at the AI itself, and why reviewing every code change beats one yearly audit."
        https://www.helpnetsecurity.com/2026/06/16/oscar-andersson-oplane-ai-threat-modeling/
      • EU Cybersecurity Act 2.0: When Good Regulation Goes Bad
        "Over recent years we’ve witnessed the EU becoming increasingly serious about cybersecurity. After years of watching high profile breaches, many resulting from supply chain attacks targeting our critical infrastructure, that seriousness is welcome. But good intentions and good policy are not the same thing, and the proposed EU Cybersecurity Act 2.0 is starting to look a lot more like the former than the latter."
        https://www.helpnetsecurity.com/2026/06/16/eu-cybersecurity-act-2-0-regulation/
      • Over Two-Thirds Of Security Pros Say Cyber Is Getting Harder
        "Cybersecurity professionals say their job is harder than ever, with 68% reporting it has become more difficult over the past two years, according to a new report. The study, The Life and Times of Cybersecurity Professionals, Volume VIII, from industry body ISSA and analyst Omdia, surveyed 380 practitioners. It found that over 70% of respondents are facing workplace challenges linked to being locked out of key technology decisions."
        https://www.infosecurity-magazine.com/news/security-pros-cyber-cyber-harder/
        https://issa.org/life-and-times-of-cybersecurity-professionals-volume-viii/
      • Hacker Conversations: Isira Adithya, The Evolution Of An Ethical Hacker
        "Like many hackers, Sri Lankan-born Isira Adithya was a child prodigy, building LED bulbs and selling them to his teachers when he was just 11 years old. But he has never used his skills for nefarious purposes. “Hackers,” says Adithya, “are people who refuse to take technology at face value. They probe, test, and dismantle to understand what’s inside and how it behaves. This can be used for security research, building better systems, or, in the wrong hands, for malicious gain.”"
        https://www.securityweek.com/hacker-conversations-isira-adithya-the-evolution-of-an-ethical-hacker/
      • AI And Cybersecurity – Everything You Wanted To Know, But Were Afraid To Ask
        "To better understand the current state of artificial intelligence (AI) in cybersecurity, SecurityWeek spoke with dozens of security practitioners, researchers, vendors, analysts, and AI experts. The result is a comprehensive snapshot of how AI is being used across the security landscape today."
        https://www.securityweek.com/ai-and-cybersecurity-everything-you-wanted-to-know-but-were-afraid-to-ask/
      • Tech Coalition ‘Athena’ Targets OSS Vulnerabilities Ahead Of Disclosure
        "Over two dozen fintech and technology organizations have formed a coalition to secure open source software (OSS) from accelerated, AI-driven exploitation. Named Athena, it has gathered industry leaders such as BNY, Chainguard, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, PwC, and more, under a shared goal: to find vulnerabilities in OSS and to triage, fix, and protect against their exploitation even before patches arrive."
        https://www.securityweek.com/tech-coalition-athena-targets-oss-vulnerabilities-ahead-of-disclosure/
      • Survey: 94% Of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive
        "Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and what action should follow."
        https://thehackernews.com/2026/06/survey-94-of-incidents-involve.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA publishes seven Industrial Control Systems (ICS) advisories

      On 16 June 2569 (B.E.) the Cybersecurity and Infrastructure Security Agency (CISA) published five advisories on industrial control systems (ICS), providing timely information on security issues, vulnerabilities and attacks affecting ICS. The details are as follows:

      • ICSA-26-167-01 Rockwell Automation FactoryTalk, Analytics, PavilionX
      • ICSA-26-167-02 Rockwell Automation RSLinx
      • ICSA-26-167-03 Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP
      • ICSA-26-167-04 Rockwell Automation CompactLogix
      • ICSA-26-167-05 Rockwell Automation FLEX I/O EtherNet/IP Adapters

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Steam Workshop used to spread malware via Wallpaper Engine, risking Steam account takeover and backdoor implants

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • FulcrumSec claims to have stolen 1.3 TB of data from Novo Nordisk after the company detected unauthorized access to its systems

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • New Android malware Rokarolla targets data theft from financial applications

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft 365 Copilot vulnerability found, risking data theft through a single link click

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Mackay Sugar, a major Australian sugar producer, reports a cyberattack affecting its operations

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • US agency shuts down a website distributing deepfake pornographic images under the TAKE IT DOWN Act

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Supply chain attack via CDN discovered, affecting a popular WordPress plugin on more than 1.2 million websites

      Follow the news on the webboard or Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT