NCSA Webboard

    Posts created by NCSA_THAICERT

    • 🚨 Alert: critical vulnerability in Apache Tika, CVE-2025-66516 (severity 10.0). Check and patch urgently!

      A maximum-severity vulnerability has been found in Apache Tika. It is an XML External Entity (XXE) flaw that lets an attacker compromise a system with a specially crafted PDF file. Because such files are parsed automatically as soon as they are uploaded or fed into the document-processing (ingest) pipeline, no user interaction is needed: a malicious PDF can give the attacker access to internal data or resources that should be protected.

      ✅ Who may be affected
      • Applications that use Apache Tika directly (e.g. Java applications or microservices that call Tika to extract and convert text from documents)
      • Apache Tika deployments that accept PDF files uploaded from outside and process them further, e.g. online application/petition systems, document submission systems, or any system that accepts attachments
      • Document search systems that integrate Apache Tika with Solr/Elasticsearch to index the contents of files
      • Document management or document analytics platforms such as ECM, DMS, e-Discovery, DLP, or data-analysis systems that rely on Tika to read and convert file contents
      • Software or platforms that embed Apache Tika as an internal component

      🎯 Packages/versions to check immediately
      If any of the following packages and versions are in use, treat the system as immediately at risk.

      1. Apache Tika core
        Package: org.apache.tika:tika-core
        Vulnerable versions: 1.13 – 3.2.1
        Update to: 3.2.2 or later
      2. Apache Tika parsers
        Package: org.apache.tika:tika-parsers
        Vulnerable versions: 1.13 up to (but not including) 2.0.0
        Update to: 2.0.0 or later (and, overall, keep tika-core at 3.2.2 or later)
      3. Apache Tika PDF parser module
        Package: org.apache.tika:tika-parser-pdf-module
        Vulnerable versions: 2.0.0 – 3.2.1
        Update to: 3.2.2 or later
        This CVE widens the scope of CVE-2025-54988 and confirms that the root cause lies in tika-core. Updating only the PDF parsing component while leaving tika-core below 3.2.2 leaves the system exposed.
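      To turn the version table above into a check that can be run against a build, here is an added example (written for this page, not code from NCSA/ThaiCERT or the Apache Tika project) that parses `mvn dependency:tree` output and applies the advisory's ranges, including the rule that a patched tika-parser-pdf-module does not help while tika-core is still below 3.2.2. The ranges are the ones listed above; the dependency-tree lines are a constructed sample, not output from a real project.

```python
"""Flag Apache Tika artifacts that fall in the CVE-2025-66516 ranges.

Added example for this page, not code from NCSA/ThaiCERT or Apache Tika.
Ranges are those listed in the advisory; SAMPLE_TREE is a constructed
sample of `mvn dependency:tree` output.
"""
import re
from typing import Dict, List, Tuple

# artifact -> (first vulnerable version, first fixed version)
# vulnerable  <=>  first_vulnerable <= v < first_fixed
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.2"),
    "org.apache.tika:tika-parsers": ("1.13", "2.0.0"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.2"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.](.+))?$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """'3.2.2-SNAPSHOT' -> ((3, 2, 2), 0); a plain release gets flag 1, so a
    qualified/pre-release build sorts before the release it precedes."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (0 if m.group(2) else 1)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with zero padding: 3.2.2 < 3.10.0 and 3.2 == 3.2.0."""
    an, aq = parse_version(a)
    bn, bq = parse_version(b)
    width = max(len(an), len(bn))
    an += (0,) * (width - len(an))
    bn += (0,) * (width - len(bn))
    return (an, aq) < (bn, bq)


def is_vulnerable(coordinate: str, version: str) -> bool:
    rng = AFFECTED.get(coordinate)
    if rng is None:
        return False
    first_vuln, first_fixed = rng
    return not version_lt(version, first_vuln) and version_lt(version, first_fixed)


def scan_dependency_tree(text: str) -> Dict[str, str]:
    """Collect org.apache.tika artifacts and their resolved versions from
    dependency:tree lines (groupId:artifactId:type[:classifier]:version[:scope])."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        for token in line.split():
            if not token.startswith("org.apache.tika:"):
                continue
            parts = token.split(":")
            # the version is the first field after the type that starts with a digit
            version = next((p for p in parts[3:] if p[:1].isdigit()), None)
            if version is None:
                continue
            found[f"{parts[0]}:{parts[1]}"] = version
    return found


def assess(found: Dict[str, str]) -> List[str]:
    findings = [
        f"{coord}:{ver} is in the affected range"
        for coord, ver in sorted(found.items())
        if is_vulnerable(coord, ver)
    ]
    core = found.get("org.apache.tika:tika-core")
    pdf = found.get("org.apache.tika:tika-parser-pdf-module")
    # The advisory's point: bumping only the PDF module leaves the XXE reachable
    # until tika-core itself is 3.2.2 or later.
    if (core and pdf
            and is_vulnerable("org.apache.tika:tika-core", core)
            and not is_vulnerable("org.apache.tika:tika-parser-pdf-module", pdf)):
        findings.append(
            f"tika-parser-pdf-module {pdf} is patched but tika-core {core} is below 3.2.2: still at risk"
        )
    return findings


# Constructed sample: a service that bumped only the PDF module.
SAMPLE_TREE = """\
[INFO] com.example:ingest-service:jar:1.4.0
[INFO] +- org.apache.tika:tika-core:jar:3.1.0:compile
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:3.0.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.16:compile
"""

if __name__ == "__main__":
    for finding in assess(scan_dependency_tree(SAMPLE_TREE)):
        print(finding)
```

      Dependency-tree output only covers what the build declares. For a shaded/uber JAR or a vendor product that bundles Tika, list the archive instead and read the version from `META-INF/maven/org.apache.tika/tika-core/pom.properties`, then feed the coordinate and version to `is_vulnerable` the same way.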

      ✅ Before updating
      • Back up the data and configuration related to the system before updating (source code, images, config)
      • Test in a staging environment before deploying to production, especially for high-criticality systems
      • Coordinate between the development, infrastructure and security teams before scheduling downtime or carrying out the deployment

      ⚠️ If you cannot update yet
      Where the system is constrained (e.g. a legacy system, or a dependency on a third party that has not yet released a patch), apply the following temporary risk reductions:

      1. Reduce the risk from PDF files
        • Disable or restrict functions that accept PDF files from external sources if they are not strictly needed while the patch cannot be applied
        • Pre-process PDFs with tools such as qpdf or pdfid.py to detect/block files containing XFA or /AcroForm fields before they are passed to Apache Tika
        • Isolate the Apache Tika instance that processes external files in a sandboxed zone with strictly limited privileges
      2. Control outbound connections from servers running Apache Tika
        • Configure the firewall/proxy to allow only the destinations the system actually needs
        • Block access to the cloud metadata service, sensitive internal IPs, and management systems that Apache Tika should never reach
      3. Strengthen host-level protection and detection (Host / EDR)
        • Run Apache Tika under a low-privilege account, following the principle of least privilege
        • Use containers/sandboxing/AppArmor/SELinux to restrict privileges and the scope of access
        • Create EDR/SIEM rules that alert on:
          • the Tika process attempting to read system files or credential files it should not access
          • outbound traffic from the server running Apache Tika to destinations that have never been part of its normal usage pattern
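      The pre-processing step in item 1 above (reject PDFs that carry XFA or /AcroForm before Tika sees them), as an added example written for this page rather than code from NCSA/ThaiCERT, pdfid.py or the Tika project. It scans the raw bytes the way pdfid.py does, undoing the #xx hex escapes that PDF allows inside name objects so that `/#58FA` is recognised as `/XFA`, and it quarantines files that use compressed object streams, which a byte scan cannot see into. The PDF samples are constructed, minimal and not exploit files.

```python
"""Pre-screen uploaded PDFs for XFA / AcroForm markers before Apache Tika parses them.

Added example for this page, not code from NCSA/ThaiCERT, pdfid.py or Apache Tika.
Byte-level scan in the spirit of pdfid.py; the PDF samples below are constructed.
"""
import re
from typing import Dict

# PDF lets any byte inside a name object be written as #xx (ISO 32000-1, 7.3.5),
# so /#58FA and /XFA are the same name. Normalise before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Name tokens end at whitespace or a delimiter; the lookahead stops /AcroFormX matching.
MARKERS = {
    "XFA": re.compile(rb"/XFA(?![0-9A-Za-z_])"),
    "AcroForm": re.compile(rb"/AcroForm(?![0-9A-Za-z_])"),
    "ObjStm": re.compile(rb"/ObjStm(?![0-9A-Za-z_])"),
}


def normalise_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count the markers of interest after undoing #xx escapes."""
    norm = normalise_names(data)
    return {name: len(rx.findall(norm)) for name, rx in MARKERS.items()}


def decide(data: bytes) -> str:
    """Policy: reject form-bearing PDFs, quarantine ones a byte scan cannot see into."""
    if b"%PDF-" not in data[:1024]:
        return "reject: not a PDF"
    counts = scan_pdf(data)
    if counts["XFA"] or counts["AcroForm"]:
        return f"reject: form markers present (XFA={counts['XFA']}, AcroForm={counts['AcroForm']})"
    if counts["ObjStm"]:
        # Objects packed into compressed object streams (PDF 1.5+) are invisible to a
        # byte scan; expand them first (e.g. qpdf --qdf --object-streams=disable) and rescan.
        return "quarantine: object streams present, rescan after decompression"
    return "accept"


# Constructed minimal samples (not real documents, not exploit files).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
FORM_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/AcroForm 3 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"3 0 obj<</Fields[]/XFA 4 0 R>>endobj\n"
    b"4 0 obj<</Length 0>>stream\nendstream\nendobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
# Same catalog with hex-escaped names: a plain grep for "/XFA" misses it.
OBFUSCATED_PDF = FORM_PDF.replace(b"/XFA", b"/#58F#41").replace(b"/AcroForm", b"/Acro#46orm")
OBJSTM_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj<</Type/ObjStm/N 1/First 4/Length 0>>stream\nendstream\nendobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in [("clean", CLEAN_PDF), ("form", FORM_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("objstm", OBJSTM_PDF)]:
        print(f"{label:11s} {scan_pdf(pdf)}  -> {decide(pdf)}")
```

      Two caveats when applying this on a real upload path: /AcroForm is common in ordinary fillable forms, so the reject rule blocks legitimate documents as well as the XFA case the advisory is about, and a byte scan is a heuristic, not a parse. For quarantined files, `qpdf --qdf --object-streams=disable in.pdf out.pdf` rewrites the document with object streams expanded; run the scan again on the output before deciding.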

      ⚠️ Urgency
      This vulnerability can lead to data leakage and access to internal systems. Until it has been patched or mitigated, treat the affected system as high risk and act immediately to reduce the exposure.

      With best regards,
      National Cyber Security Agency (NCSA) / ThaiCERT
      🔗 Sources
      [1] NVD – CVE-2025-66516
      https://nvd.nist.gov/vuln/detail/CVE-2025-66516
      [2] NVD – CVE-2025-54988
      https://nvd.nist.gov/vuln/detail/CVE-2025-54988
      [3] Apache Tika Advisory (Mailing List)
      https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
      [4] The Hacker News – Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika
      https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
      [5] Upwind – Apache Tika XXE Vulnerability (CVE-2025-66516)
      https://www.upwind.io/feed/apache-tika-rce-cve-2025-66516

      Follow further updates on the webboard or on Facebook: NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 11 December 2025

      Industrial Sector

        • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Rockwell, Schneider
          "Industrial giants Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products. Siemens has published 14 new advisories. An overall severity rating of ‘critical’ has been assigned to three advisories covering dozens of third-party component vulnerabilities affecting Comos, Sicam T, and Ruggedcom ROX products."
          https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-rockwell-schneider/

      New Tooling

      • UTMStack: Open-Source Unified Threat Management Platform
        "UTMStack is an open-source unified threat management platform that brings SIEM and XDR features into one system. The project focuses on real time correlation of log data, threat intelligence, and malware activity patterns gathered from different sources. The goal is to help organizations identify and halt complex threats that rely on stealthy techniques."
        https://www.helpnetsecurity.com/2025/12/10/utmstack-open-source-unified-threat-management-platform/
        https://github.com/utmstack/UTMStack

      Vulnerabilities

      • Vulnerabilities Identified In PCIe Integrity And Data Encryption (IDE) Protocol Specification
        "PCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. Several issues were identified in the IDE specification that could allow an attacker with local access to influence data consumed on the link. The PCIe 6.0 IDE Erratum provides corrective guidance, and firmware and hardware updates are expected to address these concerns."
        https://kb.cert.org/vuls/id/404544
        https://thehackernews.com/2025/12/three-pcie-encryption-weaknesses-expose.html
        https://www.securityweek.com/intel-amd-processors-affected-by-pcie-vulnerabilities/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
        CVE-2025-62221 Microsoft Windows Use After Free Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
        https://securityaffairs.com/185523/security/u-s-cisa-adds-microsoft-windows-and-winrar-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
        "Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This year at Black Hat Europe, Piotr Bazydlo presented “SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL”. This research ultimately led to the identification of new primitives in the .NET Framework that, while Microsoft decided deserved DONOTFIX (repeatedly), were successfully weaponized against enterprise-grade appliances to achieve Remote Code Execution."
        https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
        https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
        https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/

      Malware

      • Opportunistic Pro-Russia Hacktivists Attack US And Global Critical Infrastructure
        "CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure."
        https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia-hacktivists-attack-us-and-global-critical-infrastructure
        https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
        https://www.darkreading.com/threat-intelligence/hactivists-target-critical-infrastructure
        https://therecord.media/doj-cisa-warn-russia-hackers-targeting-critical-infrastructure
        https://www.infosecurity-magazine.com/news/russia-hackers-target-us-critical/
      • Infostealer Has Entered The Chat
        "Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?"
        https://www.kaspersky.co.uk/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/29796/
        https://www.bleepingcomputer.com/news/security/google-ads-for-shared-chatgpt-grok-guides-push-macos-infostealer-malware/
      • Phishers Get Creative: The NoteGPT Twist You Didn’t See Coming
        "NoteGPT is an AI-generated tool that converts lengthy lectures, meetings, or videos into concise, easy-to-read notes in just seconds. While seemingly useful, threat actors are now exploiting it to host fake files and lure victims. They upload malicious content to NoteGPT, then share what appears to be a harmless “document” or “note”. Because NoteGPT is a legitimate platform, many users let their guard down. Once victims click through, they’re redirected to credential phishing pages disguised as familiar login portals like Microsoft or Google. At this point, users are asked to sign in to access the file, unknowingly handing their credentials straight to threat actors."
        https://cofense.com/blog/phishers-get-creative-the-notegpt-twist-you-didn-t-see-coming
      • AMOS Stealer Exploits AI Trust: Malware Delivered Through ChatGPT And Grok
        "On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the telemetry. We expected to find the standard delivery vectors: a phishing link, a trojanized installer, maybe a ClickFix lure. None of those were present: no phishing email, no malicious installer, and no familiar ClickFix-style lure."
        https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
        https://www.darkreading.com/vulnerabilities-threats/clickfix-style-attack-grok-chatgpt-malware
      • Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
        "After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain. The film, Leonardo DiCaprio's latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible."
        https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell
        https://hackread.com/dicaprio-one-battle-after-another-torrent-agent-tesla/
      • PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
        "Huntress is seeing threat actors exploit a vulnerability in React Server Components (CVE-2025-55182) across several organizations in our customer base. Attackers have attempted to deploy cryptominer malware, a Linux backdoor we're tracking as PeerBlight, a reverse proxy tunnel we call CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq as part of their post-exploitation activity. We also observed a Kaiji botnet variant being distributed through this campaign. We recommend immediate patching due to the feasibility of exploitation."
        https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
        https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
      • Gogs 0-Day Exploited In The Wild
        "On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live zero-day vulnerability. During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances. We responsibly disclosed this vulnerability to the maintainers. They are currently working on a fix, but active exploitation continues in the wild."
        https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
        https://www.theregister.com/2025/12/10/gogs_0day_under_active_exploitation/
      • 01flip: Multi-Platform Ransomware Written In Rust
        "In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. These financially motivated attackers likely carried this out through manual means. We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack. We are currently tracking this activity as CL-CRI-1036, signifying a cluster of malicious activity that is likely related to cybercrime."
        https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
      • ClickFix Social Engineering Sparks Rise Of CastleLoader Attacks
        "A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. According to Blackpoint, the activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step. That single action initiates a multi-stage sequence that quietly downloads, decrypts and runs an attacker-controlled payload in memory."
        https://www.infosecurity-magazine.com/news/clickfix-rise-castleloader-attacks/
      • Total Takeover: DroidLock Hijacks Your Device
        "The zLabs research team has identified a new threat campaign targeting Spanish Android users. DroidLock, a malware more accurately classified as ransomware, propagates via phishing websites. It has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device. It employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel."
        https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device
        https://www.bleepingcomputer.com/news/security/new-droidlock-malware-locks-android-devices-and-demands-a-ransom/
      • Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
        "Seqrite Labs has identified a targeted malware campaign, tracked as Operation FrostBeacon, which is delivering Cobalt Strike beacons to companies within the Russian Federation. The phishing emails indicate that the threat group is financially motivated and targets organizations responsible for payments, contracts, reconciliation and legal risk. More than 20 initial infection files have been observed where the intrusion relies on a multi-layered infection chain with two different clusters; one infects through phishing archive files that contain malicious shortcut files. The second cluster leverages the legacy CVE-2017-0199 template injection vulnerability and even chains it with another old Equation Editor vulnerability, CVE-2017-11882."
        https://www.seqrite.com/blog/operation-frostbeacon-multi-cluster-cobalt-strike-campaign-targets-russia/

      Breaches/Hacks/Leaks

      • Thousands Of Exposed Secrets Found On Docker Hub, Putting Organizations At Risk
        "For years, there’s been a saying in the security world: hackers don’t need to hack anymore – the keys are handed to them on a silver platter. But is that really true? That question is what sparked our research into exposed secrets on Docker Hub. We designed a methodology to analyze leaked credentials, validate which were real, and investigate their origin: who they belonged to, the environments they granted access to, and the potential blast radius to both the affected organizations and the wider ecosystem."
        https://flare.io/learn/resources/docker-hub-secrets-exposed/
        https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
      • Russia’s Flagship Airline Hacked Through Little-Known Tech Vendor, According To New Report
        "A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation. The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began."
        https://therecord.media/russia-flagship-airline-hacked-through-little-known-vendor

      General News

      • Stranger Threats Are Coming: Group-IB Cyber Predictions For 2026 And Beyond
        "The speed, nature, and intent of cybercrime have been evolving faster than we can keep up with. With the use of AI, we’ve all been anticipating it, but the extent has been underestimated. The cybersecurity landscape is becoming hyperactive – AI, evolving adversary ambitions, geopolitical shifts, and changing business dynamics, all combine to play a role in this acceleration."
        https://www.group-ib.com/blog/cyber-predictions-2026/

      • Henkel CISO On The Messy Truth Of Monitoring Factories Built Across Decades
        "In this Help Net Security interview, Stefan Braun, CISO at Henkel, discusses how smart manufacturing environments introduce new cybersecurity risks. He explains where single points of failure hide, how attackers exploit legacy systems, and why monitoring must adapt to mixed-generation equipment. His insights show why resilience depends on visibility, autonomy, and disciplined vendor accountability."
        https://www.helpnetsecurity.com/2025/12/10/stefan-braun-henkel-smart-manufacturing-cybersecurity/

      • The Hidden Dynamics Shaping Who Produces Influential Cybersecurity Research
        "Cybersecurity leaders spend much of their time watching how threats and tools change. A new study asks a different question, how has the research community itself changed over the past two decades. Researchers from the University of Southampton examined two long running conference communities, SOUPS and Financial Cryptography and Data Security, to see how teams form, who contributes, and which kinds of work gain attention. The result is a rare look at the structure behind the papers that influence security practice."
        https://www.helpnetsecurity.com/2025/12/10/interesting-cybersecurity-research-trends/

      • LLMs Are Everywhere In Your Stack And Every Layer Brings New Risk
        "LLMs are moving deeper into enterprise products and workflows, and that shift is creating new pressure on security leaders. A new guide from DryRun Security outlines how these systems change long standing assumptions about data handling, application behavior, and internal boundaries. It is built around the OWASP Top 10 for LLM Applications, which the company uses as the structure for a full risk model and a reference architecture for teams building with LLMs."
        https://www.helpnetsecurity.com/2025/12/10/enterprise-llm-security-risks-analysis/

      • UK Sanctions Russian And Chinese Firms Suspected Of Being ‘Malign Actors’ In Information Warfare
        "Britain announced sanctions against Russian media and ideas outlets on Tuesday as the U.K.’s top diplomat warned Western nations must raise their game to combat information warfare from “malign foreign states.” Foreign Secretary Yvette Cooper said the U.K. was imposing sanctions on the microblogging Telegram channel Rybar and its co-owner Mikhail Sergeevich Zvinchuk, the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad — also known as Pravfond and described by Estonian intelligence as a front for the GRU spy agency — and the Center for Geopolitical Expertise, a think-tank run by Russian ultranationalist ideologue Alexander Dugin."
        https://www.securityweek.com/uk-sanctions-russian-and-chinese-firms-suspected-of-being-malign-actors-in-information-warfare/
        https://therecord.media/uk-sanctions-russia-china-entities-information-warfare

      • The Big Catch: How Whaling Attacks Target Top Executives
        "When a hedge fund manager opened up an innocuous Zoom meeting invite, he had little idea of the corporate carnage that was to follow. That invite was booby-trapped with malware, enabling threat actors to hijack his email account. From there they moved swiftly, authorizing money transfers on Fagan’s behalf for fake invoices they sent to the hedge fund. In total, they approved $8.7 million worth of invoices in this way. The incident was ultimately the undoing of Levitas Capital, after it forced the exit of one of the firm’s biggest clients."
        https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/

      • Ukrainian Hacker Charged With Helping Russian Hacktivist Groups
        "U.S. prosecutors have charged a Ukrainian national for her role in cyberattacks targeting critical infrastructure worldwide, including U.S. water systems, election systems, and nuclear facilities, on behalf of Russian state-backed hacktivist groups. On Tuesday, 33-year-old Victoria Eduardovna Dubranova (also known as Vika, Tory, and SovaSonya) was arraigned on charges related to her alleged role in NoName057(16), after being extradited to the U.S. earlier this year for supporting CyberArmyofRussia_Reborn (CARR)."
        https://www.bleepingcomputer.com/news/security/ukrainian-hacker-charged-with-helping-russian-hacktivist-groups/
        https://therecord.media/us-extradites-member-of-russian-hacking-groups-critical-infrastructure
        https://cyberscoop.com/us-charges-russian-backed-hacker-critical-infrastructure-attacks-carr-noname05716/
        https://hackread.com/ukraine-woman-us-custody-russia-noname057-hackers/
        https://www.securityweek.com/us-indicts-extradited-ukrainian-on-charges-of-aiding-russian-hacking-groups/
        https://www.theregister.com/2025/12/10/pro_russia_hacktivist_charged/
      • Experience Really Matters - But Now You're Fighting AI Hacks
        "When Anthropic disclosed a cyberespionage campaign conducted largely through an artificial intelligence system, it provided a detailed view of how offensive operations can unfold when an autonomous tool performs most of the technical work. The Cumberland County, Pennsylvania, intrusion still needed human direction, but the operational tasks were executed by an AI system that performed reconnaissance, generated exploits, escalated privileges and moved laterally through the network."
        https://www.bankinfosecurity.com/blogs/experience-really-matters-but-now-youre-fighting-ai-hacks-p-3996
      • Ransomware Victim Warning: The Streisand Effect May Apply
        "Paying off ransomware hackers to avoid notoriety is a losing proposition, finds a study of LockBit victims that identified a correlation between unwanted attention and succumbing to extortionists, as opposed to standing firm. "It seems that paying the ransom doesn't at all appear to reduce public exposure - if anything, it increases it," Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - said in a keynote presentation at the Black Hat Europe conference in London."
        https://www.bankinfosecurity.com/ransomware-victim-warning-streisand-effect-may-apply-a-30247
      • Global Cyber Attacks Increase In November 2025 Driven By Ransomware Surge And GenAI Risks
        "In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average of 2,003 cyber-attacks per week. This represents a 3% increase from October, and a 4% rise compared to November 2024. Check Point Research data shows that this steady escalation reflects a threat landscape shaped by intensified ransomware activity, expanded attack surfaces, and the growing exposure risks associated with generative AI tools inside organizations."
        https://blog.checkpoint.com/research/global-cyber-attacks-increase-in-november-2025-driven-by-ransomware-surge-and-genai-risks/

      • Overconfident And Underprepared: IT Leaders Misjudge AI Cyber Risk
        "AI-generated malware is exploding in volume and sophistication. Legacy cyber tools, built on signatures, heuristics, and aging machine learning, are failing spectacularly in this new era of Dark AI. Yet confidence in these legacy cyber tools remains remarkably high, creating a widening disconnect between perception and reality. In this blog, we dig into the results from our new study of 500 U.S. IT professionals, which clearly highlights that IT professionals, especially in management positions, don’t realize just how quickly the new AI-driven threat landscape is shifting beneath their feet."
        https://www.deepinstinct.com/blog/overconfident-and-underprepared-it-leaders-misjudge-ai-cyber-risk
      • HTTPS Certificate Industry Phasing Out Less Secure Domain Validation Methods
        "Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers."
        https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html
      • Log4Shell Downloaded 40 Million Times In 2025
        "Tens of millions of downloads of the popular Java logging library Log4j this year were vulnerable to a CVSS 10.0-rated vulnerability that first surfaced four years ago, according to Sonatype. The security vendor claimed 13% of Log4j downloads in 2025 were still vulnerable to Log4Shell, hinting at the challenge of persistent risks in the open source ecosystem. “On one side, there’s unfixed risk: vulnerabilities that never get patched upstream. On the other, there’s corrosive risk: vulnerabilities that do have fixes, but continue to spread because consumers don’t move,” it explained."
        https://www.infosecurity-magazine.com/news/log4shell-downloaded-40-million/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 10 December 2025

      Financial Sector

      • Russian Police Bust Bank-Account Hacking Gang That Used NFCGate-Based Malware
        "Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide. According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant."
        https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware

      New Tooling

      • The Bastion: Open-Source Access Control For Complex Infrastructure
        "Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work and each new system adds more identities to manage. A bastion host tries to bring order to this problem. It acts as a single entry point for sysadmins and developers who connect to infrastructure through ssh. This model is old in theory, but The Bastion open-source project shows how far a purpose-built access layer can go."
        https://www.helpnetsecurity.com/2025/12/08/open-source-bastion-host-security/
        https://github.com/ovh/the-bastion

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In Sneeit Framework Plugin
        "On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to execute code remotely. The vendor released the patched version on August 5th, 2025, and we publicly disclosed this vulnerability in the Wordfence Intelligence Vulnerability Database on November 24th, 2025. Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025. The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
        https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
        CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Prompt Injection Is Not SQL Injection (it May Be Worse)
        "The term ‘prompt injection’ was coined in 2022 to describe a new class of application vulnerability in genAI applications. Prompt injection is where developers concatenate their own instructions with untrusted content in a single prompt, and then treat the model’s response as if there were a robust boundary between ‘what the app asked for’ and anything in the untrusted content. Whilst initially reported as command execution, the underlying issue has turned out to be more fundamental than classic client/server vulnerabilities. Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt."
        https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
        https://cyberscoop.com/uk-warns-ai-prompt-injection-unfixable-security-flaw/

      Malware

      • The VS Code Malware That Captures Your Screen
        "Over the past year we've detected dozens of malicious VS Code extensions. Most steal credentials or mine crypto. But this malware goes further - it captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too. And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions - a color theme and an AI coding assistant. Both from the same publisher."
        https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
        https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
      • Cydome Research Team Identified "Broadside", A New Mirai Botnet Variant, Active In The Wild
        "Cydome’s Cybersecurity Research Team has identified an active campaign of a new variant of the Mirai botnet, designated as “Broadside”. This campaign targets the maritime logistics sector, exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorders) devices in use by shipping companies on vessels (among others). Cydome has been tracking the associated infrastructure over the past months, observing that active IPs rise and fall in alignment with the campaign’s activity."
        https://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
        https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
      • Inside Shanya, a Packer-As-a-Service Fueling Modern Attacks
        "We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article."
        https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
        https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
      • Bellerophon Could Never Have Imagined. The ChimeraWire Trojan Boosts Website Popularity By Skillfully Pretending To Be Human
        "While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management. Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them."
        https://news.drweb.com/show/?i=15090&lng=en
        https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
      • JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
        "The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan."
        https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
        https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
        https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
      • How Phishers Hide Banking Scams Behind Free Cloudflare Pages
        "During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections."
        https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages
      • AI-Automated Threat Hunting Brings GhostPenguin Out Of The Shadows
        "Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is a particularly challenging process, especially when the malware is new, undocumented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder."
        https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html
      • LockBit 5.0 Infrastructure Exposed In New Server, IP, And Domain Leak
        "LockBit 5.0 key infrastructure exposed, revealing the IP address 205[.]185[.]116[.]233, and the domain karma0[.]xyz is hosting the ransomware group’s latest leak site. According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations. This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities."
        https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/

      Breaches/Hacks/Leaks

      • Space Bears Ransomware Claims Comcast Data Theft Through Quasar Breach
        "Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. The claims were published on the group’s dark web leak site. The same leak site also lists Quasar as an independent victim, which indicates the group is presenting two connected incidents rather than a single combined breach."
        https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
      • Tri-Century Eye Care Data Breach Impacts 200,000 Individuals
        "A recently disclosed Tri-Century Eye Care data breach affects roughly 200,000 individuals, according to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). Tri-Century Eye Care provides comprehensive eye care services at several locations in Bucks County, Pennsylvania. In a data security incident notice posted on its website in late October, Tri-Century Eye Care informed patients and employees that their personal and protected health information may have been compromised as a result of a breach detected on September 3."
        https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/

      General News

      • FinCEN Says Ransomware Gangs Extorted Over $2.1B From 2022 To 2024
        "A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs. From thousands of Bank Secrecy Act filings, the report documents 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly reaching the total reported over 8 years from 2013 to 2021."
        https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/
        https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
        https://therecord.media/fincen-treasury-2-billion-ransomware-payments-report
        https://www.darkreading.com/cyberattacks-data-breaches/us-treasury-45b-ransom-payments-2013
        https://cyberscoop.com/ransomware-payments-decline-2024-fincen/
        https://www.securityweek.com/ransomware-payments-surpassed-4-5-billion-us-treasury/
        https://securityaffairs.com/185465/cyber-crime/fincen-data-shows-4-5b-in-ransomware-payments-record-spike-in-2023.html
      • Poland Arrests Ukrainians Utilizing 'advanced' Hacking Equipment
        "The police in Poland arrested three Ukrainian nationals for allegedly attempting to damage IT systems in the country using hacking equipment and for obtaining "computer data of particular importance to national defense." The three men, aged between 39 and 43, could not explain why they were carrying the electronic devices. They now face charges of fraud, computer fraud, and possession of devices and software intended for criminal activity. According to the police, the Ukrainians "were visibly nervous" when officers stopped them and said they were heading to Lithuania while traveling around Europe."
        https://www.bleepingcomputer.com/news/security/poland-arrests-ukrainians-utilizing-advanced-hacking-equipment/
      • Cyber Threats To The U.S.: What Policymakers Need To Know For 2026
        "Cyber attacks against the United States are no longer isolated events or technical headaches. They are now powerful tools of national strategy used by foreign governments, criminal networks, and ideological groups. A new report explains how these attacks have changed from simple hacks into coordinated campaigns aimed at shaping global politics, weakening U.S. institutions, and putting pressure on American decision-makers. This blog highlights the key takeaways for leaders responsible for national security, public policy, and critical infrastructure resilience."
        https://blog.checkpoint.com/executive-insights/cyber-threats-to-the-u-s-what-policymakers-need-to-know-for-2026/
        https://l.cyberint.com/threats-to-the-homeland-report
      • NVIDIA Research Shows How Agentic AI Fails Under Attack
        "Enterprises are rushing to deploy agentic systems that plan, use tools, and make decisions with less human guidance than earlier AI models. This new class of systems also brings new kinds of risk that appear in the interactions between models, tools, data sources, and memory stores. A research team from NVIDIA and Lakera AI has released a safety and security framework that tries to map these risks and measure them inside real workflows. The work includes a new taxonomy, a dynamic evaluation method, and a detailed case study of NVIDIA’s AI-Q Research Assistant. The authors also released a dataset with more than ten thousand traces from attack and defense runs to support outside research."
        https://www.helpnetsecurity.com/2025/12/08/nvidia-agentic-ai-security-framework/
        https://arxiv.org/pdf/2511.21990
      • Invisible IT Is Becoming The Next Workplace Priority
        "IT leaders want their employees to work without running into digital hurdles, but many still struggle with fragmented systems that slow teams down. A new report from Lenovo sheds light on how widespread the problem has become and what organizations can do to reduce workplace friction. Hybrid work pushed companies to adopt new tools, devices and management platforms at speed. According to the research, enterprises now manage an average of 897 applications, but only 28 percent are integrated. The report notes that this patchwork environment strains both workers and support teams, since employees must move across several systems before they can resolve problems or complete simple tasks."
        https://www.helpnetsecurity.com/2025/12/08/invisible-it-workplace-priority/
      • CISOs Are Spending Big And Still Losing Ground
        "Security leaders are entering another budget cycle with more money to work with, but many still feel no safer. A new benchmark study from Wiz shows a widening gap between investment and impact. Budgets keep rising, cloud programs keep expanding, and AI is reshaping both threats and defenses. Still, CISOs say the fundamentals of risk reduction are not improving fast enough."
        https://www.helpnetsecurity.com/2025/12/08/wiz-cybersecurity-spending-priorities-report/
      • CISO Conversations: Keith McCammon, CSO And Co-Founder At Red Canary
        "Keith McCammon was a technologist first and security guru second. He has never received any formal training in cybersecurity; but a love of technology and pleasure in solving puzzles naturally led into the subject, learning on the journey. Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company)."
        https://www.securityweek.com/ciso-conversations-keith-mccammon-cso-and-co-founder-at-red-canary/
      • Three Hacking Groups, Two Vulnerabilities And All Eyes On China
        "On the main stage at the Pwn2Own hacking competition in Berlin this March, researchers demonstrated it was possible to remotely compromise sensitive information via Microsoft’s on-premise SharePoint software — the first glimpse that the world got of two dangerous software vulnerabilities threatening governments and enterprises around the globe."
        https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft
      • Officials Offer $10M Reward For Information On IRGC-Linked Leader And Close Associate
        "The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. “Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week."
        https://cyberscoop.com/shahid-shushtari-iran-cyber-electronic-command-10m-reward/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
        https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft
      • Officials Offer $10M Reward For Information On IRGC-Linked Leader And Close Associate
        "The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. “Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week."
        https://cyberscoop.com/shahid-shushtari-iran-cyber-electronic-command-10m-reward/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 08 December 2025

      Telecom Sector

      • The Largest Telecommunications Attack In U.S. History: What Really Happened—And How We Fight Back
        "When Senator Ben Ray Luján warned that the United States was facing “the largest telecommunications hack in our nation’s history,” it marked a turning point in how we understand national cyber risk. On December 4, 2024, the White House confirmed a sprawling cyber-espionage campaign targeting 80 global telecom providers across dozens of countries¹. A joint task force—the Operation Enduring Security Framework—was launched by the NSA, Pentagon, and CISA to contain the damage. The adversary behind it: a sophisticated nation-state threat actor Microsoft calls Salt Typhoon, also tracked as Ghost Emperor, FamousSparrow, Earth Estrie, UNC2286, and earlier as LightBasin / UNC1945 / LIMINAL PANDA²⁻⁴."
        https://blog.checkpoint.com/security/the-largest-telecommunications-attack-in-u-s-history-what-really-happened-and-how-we-fight-back/

      Vulnerabilities

      • Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
        "A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability."
        https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
        https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html
      • React2Shell Flaw Exploited To Breach 30 Orgs, 77k IP Addresses Vulnerable
        "Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors. React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic."
        https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-55182 Meta React Server Components Remote Code Execution Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
      • PromptPwnd: Prompt Injection Vulnerabilities In GitHub Actions Using AI Agents
        "Aikido Security discovered a new class of vulnerabilities, which we have named PromptPwnd, in GitHub Actions or GitLab CI/CD pipelines when combined with AI agents like Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference in CI/CD pipelines. At least 5 Fortune 500 companies are impacted, with early indicators suggesting the same flaw is likely present in many others."
        https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents
        https://cyberscoop.com/ai-coding-tools-can-be-turned-against-you-aikido-github-prompt-injection/
        https://hackread.com/promptpwnd-vulnerabilit-ai-systems-data-theft/
      • From Inbox To Wipeout: Perplexity Comet’s AI Browser Quietly Erasing Google Drive
        "Polite emails are supposed to keep work civil, not wipe your Google Drive. In this blog, we’re going to unpack a new zero click agentic browser attack on Perplexity Comet that turns a friendly “please organize our shared Drive” email into a quiet Google Drive wiper, driven entirely by a single trusted prompt to an AI browser assistant. We’ll walk through how the attack works, why tone and task sequencing matter for LLM-driven agents, and what security teams should change now to protect Gmail and Google Drive workflows. This research continues Straiker’s STAR Labs work on agentic AI security and opens our agentic browser series with a focus on browser harm. It builds on prior findings showing how a single email could trigger zero click Drive exfiltration. In this attack we’ll cover, Perplexity Comet followed the polite, step by step instructions as valid workflow, allowing the deletion sequence to run unchecked."
        https://www.straiker.ai/blog/from-inbox-to-wipeout-perplexity-comets-ai-browser-quietly-erasing-google-drive
        https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
      • Novel Clickjacking Attack Relies On CSS And SVG
        "Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS). Rebane demonstrated the technique at BSides Tallinn in October and has now published a summary of her approach. The attack, which has yet to be fully mitigated, relies on the fact that SVG filters can leak information across origins, in violation of the web's same-origin policy."
        https://www.theregister.com/2025/12/05/css_svg_clickjacking/
      • Attacking LINE Cryptography For Fun And .. Forensics
        "The pursuit of obscure knowledge offers some of the greatest enjoyment, to understand something deeply. That understanding itself is the reward all researchers seek. Sometimes understanding comes with new insights! While looking at End-To-End-Encryption (e2ee) in the LINE messaging application I identified a few key issues in the Key Derivation Function (KDF) used by LINE and found that it had some cascading effects beyond e2ee."
        https://think.501.team/research/Attacking+LINE+Cryptography+for+Fun+and+..+Forensics
      • IDEsaster: A Novel Vulnerability Class In AI IDEs
        "We all know AI reshaped how we build software. Autocomplete evolved into AI agents that can autonomously act on behalf of the user. As vendors compete on “productivity” they add additional capabilities that significantly affect the security posture of their products. Around 6 months ago, I decided to dig into the world of AI IDEs and coding assistants because they were gaining popularity and it was clear they are here to stay. The first vulnerabilities I found were focused on narrow components - a vulnerable tool, writeable agent configuration or writeable MCP configuration that leads to anything from data exfiltration to remote code execution. Those issues are serious, but they only affect a single application at a time (and were publicly disclosed multiple times)."
        https://maccarita.com/posts/idesaster/
        https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html

      Malware

      • FBI Warns Of Virtual Kidnapping Scams Using Altered Social Media Photos
        "The FBI warns of criminals altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams. This is part of a public service announcement published today about criminals contacting victims via text message, claiming to have kidnapped a family member and demanding ransom payments. However, as the FBI explained, virtual kidnapping scams involve no actual abduction. Instead, criminals use manipulated images found on social networks and publicly available information to create convincing scenarios designed to pressure victims into paying ransoms before verifying that their loved ones are safe."
        https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
        http://www.ic3.gov/PSA/2025/PSA251205
        https://www.theregister.com/2025/12/05/virtual_kidnapping_scam/
      • China-Nexus Cyber Threat Groups Rapidly Exploit React2Shell Vulnerability (CVE-2025-55182)
        "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router. While this vulnerability doesn’t affect AWS services, we are sharing this threat intelligence to help customers running React or Next.js applications in their own environments take immediate action."
        https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
        https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html
        https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/
        https://therecord.media/chinese-hackers-exploiting-react2shell-vulnerability-amazon
        https://www.darkreading.com/vulnerabilities-threats/react2shell-under-attack-china-nexus-groups
        https://www.bankinfosecurity.com/chinese-nation-state-groups-tied-to-react2shell-targeting-a-30201
        https://cyberscoop.com/attackers-exploit-react-server-vulnerability/
        https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/
        https://www.theregister.com/2025/12/05/aws_beijing_react_bug/
      • Return Of ClayRat: Expanded Features And Techniques
        "In October, the zLabs team first identified the ClayRat Android spyware, a malware capable of stealing SMS messages, call logs, capturing victim photos, initiating calls, and sending mass SMS messages to the victim's contact list. Our continuous monitoring of this malware family has since uncovered a new variant with significantly upgraded capabilities. This updated ClayRat strain now leverages Accessibility Services in addition to exploiting Default SMS privileges. Misusing Accessibility services enables a range of actions, including:"
        https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques
        https://hackread.com/clayrat-android-spyware-variant-device-control/
      • Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
        "Throughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. In addition to BRICKSTORM, WARP PANDA has also deployed JSP web shells and two new implants for ESXi environments — now named Junction and GuestConduit — during their operations."
        https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
        https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
        https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
      • Sanctioned But Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
        "Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving. Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside research published by our colleagues from Recorded Future and Amnesty, this blog post will shed light on Intellexa’s recent activities, unveil the real-world impact of their surveillance tools, and detail the actions we are taking against this industry."
        https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue
        https://www.infosecurity-magazine.com/news/predator-spyware-intellexa-evades/
        https://www.malwarebytes.com/blog/news/2025/12/leaks-show-intellexa-burning-zero-days-to-keep-predator-spyware-running
      • New Prompt Injection Attack Vectors Through MCP Sampling
        "This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools. We show that, without proper safeguards, malicious MCP servers can exploit the sampling feature for a range of attacks. We demonstrate these risks in practice through three proof-of-concept (PoC) examples conducted within the coding copilot, and discuss strategies for effective prevention."
        https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/
      • Sharpening The Knife: GOLD BLADE’s Strategic Evolution
        "Between February 2024 and August 2025, Sophos analysts investigated nearly 40 intrusions related to STAC6565, a campaign the analysts assess with high confidence is associated with the GOLD BLADE threat group (also known as RedCurl, RedWolf, and Earth Kapre). This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations. Once focused primarily on cyberespionage, GOLD BLADE has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt."
        https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/
      • A Hidden Pattern Within Months Of Credential-Based Attacks Against Palo Alto GlobalProtect
        "On 2 December 2025, GreyNoise observed a concentrated spike of 7,000+ IPs attempting to log into Palo Alto Networks GlobalProtect portals. All activity originated from infrastructure operated by 3xK GmbH and targeted two Palo Alto profiles in GreyNoise’s Global Observation Grid (GOG)."
        https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
        https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/
        https://securityaffairs.com/185382/hacking/attackers-launch-dual-campaign-on-globalprotect-portals-and-sonicwall-apis.html

      Breaches/Hacks/Leaks

      • Barts Health NHS Discloses Data Breach After Oracle Zero-Day Hack
        "Barts Health NHS Trust, a major healthcare provider in England, announced that Clop ransomware actors have stolen files from one of its databases after exploiting a vulnerability in its Oracle E-business Suite software. The stolen data are invoices spanning several years that expose the full names and addresses of individuals who paid for treatment or other services at Barts Health hospital. Information of former employees who owed money to the trust, and suppliers whose data is already public, has also been exposed, the organization says."
        https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
        https://hackread.com/barts-health-nhs-cl0p-ransomware-data-breach/
      • Data Brokers Are Exposing Medical Professionals, And Turning Their Personal Lives Into Open Files
        "Large amounts of personal information about medical professionals are available on people search sites. A new analysis by Incogni’s researchers shows how much data about doctors appears online and how easily it can be found. The findings should concern healthcare leaders who support staff safety, workforce protection, and clinical operations."
        https://www.helpnetsecurity.com/2025/12/05/incogni-healthcare-staff-data-exposure-report/

      General News

      • React Flaw Mitigation Leads To Cloudflare Outage
        "Content delivery network giant Cloudflare is investigating a brief outage early Friday that took down multiple websites. The incident marks the second outage in the span of a month, although the company said the causes are unrelated. The incident affected social media platforms LinkedIn and X as well as Zoom and online design platform Canva. Multiple users took to X on Friday morning to report that they were prompted with an internal server error when they visited these websites. Impacted services have since been restored."
        https://www.bankinfosecurity.com/react-flaw-mitigation-leads-to-cloudflare-outage-a-30207
        https://www.securityweek.com/cloudflare-outage-caused-by-react2shell-mitigations/
        https://www.bleepingcomputer.com/news/technology/cloudflare-down-websites-offline-with-500-internal-server-error/
        https://www.theregister.com/2025/12/05/react2shell_pocs_exploitation/
      • Rethinking The CIO-CISO Dynamic In The Age Of AI
        "As artificial intelligence and digital transformation become table stakes for today's enterprises, CIOs and CISOs are being pulled into the spotlight, and the way these two leaders operate is changing. Organizations are beginning to reimagine how these leadership roles should be structured, aligned and empowered as they grapple with regulatory pressures, the unpredictable nature of AI systems and the need for operational resilience in an uncertain business climate."
        https://www.bankinfosecurity.com/rethinking-cio-ciso-dynamic-in-age-ai-a-30211
      • Threat Landscape Grows Increasingly Dangerous For Manufacturers
        "Manufacturers continued to be a top target — if not the top target — of financially motivated cyberattacks in 2025, with their sensitivity to operational disruptions and their shortage of expertise and well-designed protections causing issues for the business sector as a whole, experts say. In 2025, half of manufacturers (51%) fell prey to ransomware and paid a ransom, with the average ransom costing $1 million and the average recovery cost (excluding the ransom) approaching $1.3 million, according to data that cybersecurity firm Sophos collected from more than 330 manufacturing organizations."
        https://www.darkreading.com/cyberattacks-data-breaches/threat-landscape-increasingly-dangerous-manufacturers
      • CISOs Should Be Asking These Quantum Questions Today
        "This isn't a pitch for a new box or black box. It's a look at how security, compliance, and engineering teams need to evolve as quantum methods quietly move into production workflows. What follows focuses on the practical questions chief information security officers (CISOs), SecOps leaders, and engineering teams should be asking about visibility, validation, and compliance, rather than hardware specs or vendor road maps. Most enterprises aren't running quantum computers. So why should security operations teams care today?"
        https://www.darkreading.com/cybersecurity-operations/cisos-should-be-asking-these-quantum-questions-today
      • Building The Missing Layers For An Internet Of Agents
        "Cybersecurity teams are starting to think about how large language model agents might interact at scale. A new paper from Cisco Research argues that the current network stack is not prepared for this shift. The work proposes two extra layers on top of the application transport layer to help agents communicate in a structured way and agree on shared meaning before they act."
        https://www.helpnetsecurity.com/2025/12/05/cisco-research-internet-of-agents-architecture/
        https://arxiv.org/pdf/2511.19699
      • Maryland Man Sentenced For N. Korea IT Worker Scheme Involving US Government Contracts
        "A 40-year-old Maryland man has been sentenced to 15 months in prison for his role in a scheme where he allowed North Korean nationals to use his identity to work in software development roles at several U.S. government agencies, including the Federal Aviation Administration (FAA). Minh Phuong Ngoc Vong will also have to serve three years of supervised release as part of his plea agreement with the Justice Department."
        https://therecord.media/north-korea-it-worker-scheme-maryland-man-sentenced
      • CheatSheet – A Practical Guide For Securely Using Third-Party MCP Servers 1.0
        "The Practical Guide for Securely Using Third-Party MCP Servers from the OWASP GenAI Security Project provides a detailed framework for safely deploying and managing external Model Context Protocol (MCP) servers. It outlines the unique security risks introduced by connecting AI models to third-party tools and data sources, including tool poisoning, prompt injection, memory poisoning, and tool interference. The guide offers actionable mitigations covering authentication, authorization, client sandboxing, secure server discovery, and governance workflows, emphasizing least-privilege access and human-in-the-loop oversight."
        https://genai.owasp.org/resource/cheatsheet-a-practical-guide-for-securely-using-third-party-mcp-servers-1-0/
        https://www.scworld.com/feature/mcp-servers-emerge-as-new-supply-chain-risk-as-real-attacks-accelerate
      • A Tale Of Two CISOs: Why An Engineering-Focused CISO Can Be a Liability
        "QUESTION: What is the difference between an engineering-focused CISO and a holistic CISO, and what does it mean for the organization? David Schwed, COO at SovereignAI: Right now, there is a global CISO hiring spree. AI labs, cryptocurrency exchanges, and financial institutions are competing over the same small pool of security leaders. Also right now, 2025 is on track to be the worst year for digital asset theft, with over $2 billion stolen by midyear and a single $1.5 billion hack of exchange Bybit dominating the losses."
        https://www.darkreading.com/cyber-risk/why-an-engineering-focused-ciso-can-be-a-liability

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Attempted attacks on Palo Alto and SonicWall VPN systems detected from more than 7,000 IP addresses

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • XML External Entity (XXE) vulnerability found in Apache Tika

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • The "React2Shell" vulnerability is now being exploited in the wild; more than 77,000 servers worldwide are at risk

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Alert: critical React/Next.js vulnerability CVE-2025-55182, severity level 10, a Perfect Storm (highest-risk situation). Check and fix urgently!!!

      A critical vulnerability has been detected in the React Server Components (RSC) mechanism and the Flight Protocol, the part that lets React render UI and fetch data on the server before sending the result to be assembled on the client side. If exploited, an attacker can send a specially crafted HTTP request that makes the server run unwanted code immediately (unauthenticated RCE), without logging in or holding any privileges.

      ✅ Systems that are "at risk"
      • Websites or systems developed with React that support RSC
      • Projects that install packages in the react-server-dom-* family
      • Even if you do not write Server Functions yourself, if the framework supports RSC → still at risk
      • Client-only applications, or applications that do not use RSC → not affected

      🎯 Packages/versions to check urgently
      If any of the packages below is found and its version is 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0,
      consider it at risk immediately
      1. react-server-dom-webpack
      2. react-server-dom-parcel
      3. react-server-dom-turbopack

      🔎 How to check and mitigate the risk

      1. Check whether the at-risk packages are present
        Use the command:
        npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
        This command searches for packages in the react-server-dom-* family, which is the key indicator of risk.
      2. Next.js users should check further
        Next.js provides a tool that helps scan for the risk:
        npx fix-react2shell-next
      3. How to check in the real environment (very important)
        Especially for systems that use Docker / containers
        Verify that:
        • the dependencies inside the container are the same versions as in the source code
        • no old build layers remain in the image
        • the CI/CD pipeline rebuilds the image every time after packages are updated
        • the image in use has been built and patched to the latest version
        In many systems the container that is actually running has been found to use old packages even though the source code has already been updated.
      4. Update to a patched, safe version, namely:
        React
        • 19.0.1
        • 19.1.2
        • 19.2.1
        Next.js
        • 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7
        • 16.0.7
        It is recommended to update both React and the framework for maximum security.
        📌 For general users
        This vulnerability affects website operators and development teams, not users directly. If some websites are closed for maintenance or respond slowly during this period, it is because administrators are applying security patches.
        ⚠️ Urgency level
        Real attacks have reportedly been observed shortly after the vulnerability was disclosed.
        System administrators are asked to check their packages, apply the patches, and look for anomalies in their systems immediately.
      With best regards, National Cyber Security Agency (NCSA) / ThaiCERT

      🔗 Sources
      [1]: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components "Critical Security Vulnerability in React Server Components – React"
      [2]: https://nextjs.org/blog/CVE-2025-66478 "Security Advisory: CVE-2025-66478 | Next.js"
      [3]: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/ "Critical Vulnerabilities in React Server Components and Next.js"
      [4]: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r "Critical Security Vulnerability in React Server Components · Advisory · facebook/react · GitHub"
      [5]: https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html?utm_source=chatgpt.com "Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability"

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨 Most urgent alert! Android users must read 📱🌐

      A critical vulnerability has been detected in the internal system of mobile phone chips, putting devices at risk of being hacked without any tap or interaction. Update your system urgently ⚠️

      The National Cyber Security Agency (NCSA) / ThaiCERT warns of vulnerability CVE-2025-21483, rated Critical with a CVSS score of 9.8, which affects Android smartphones that use Qualcomm Snapdragon chipsets.

      📅 This vulnerability was discovered and published in 2025 (B.E. 2568)
      • Chip vendors and phone manufacturers have released security patches since November to December 2025 (B.E. 2568)
      • Users who have not yet updated remain at risk of attack

      📲 Channels that may be used in an attack
      Hackers can attack by sending data from the internet to the phone, which the system processes automatically, for example:
      • SMS/MMS, especially messages with attached pictures or video
      • Chat applications with internet calling, such as WhatsApp, LINE, Messenger: processing the "incoming call" signal may invoke the vulnerable component
      • Certain kinds of data from the internet that cause components on the device to start running automatically (data crafted specifically to attack the system)
      When such data arrives, the device processes it immediately; if the vulnerability is still present, the device can be attacked without the user noticing.

      😨 Why you can be hit without tapping a link
      In a Zero-Click attack the user does not need to tap, open, or interact with anything for the system to be attacked.
      • The phone processes some data automatically in order to show notifications, such as an incoming call or a received MMS
      • Hackers embed malicious instructions in that data
      • While the system is processing the data, the malicious instructions run immediately, without the user tapping a link, answering a call, or interacting in any way

      👥 ผู้ที่ได้รับผลกระทบ
      • ผู้ที่ใช้สมาร์ตโฟนระบบ Android ทุกยี่ห้อ ควรจะตรวจสอบหากพบว่ายังไม่ได้อัปเดตแพตช์ความปลอดภัยล่าสุด ควรรีบดำเนินการ

⚠️ Signs that may indicate the device has already been attacked
• The device runs unusually hot while idle
• The battery drains unusually fast over a short period
• Internet usage spikes unexpectedly
• Notifications of incoming calls or messages of unknown origin
If these symptoms appear on a device that has not yet received the security patch, treat the device as at risk. Note that these signs are not specific to this vulnerability and can have ordinary causes; the patch level is the reliable check.

🛡️ How to protect yourself (do this now!)
✔ Install the latest security patch
📲 Update steps

1. Open Settings
2. Select Software Update / About Phone
3. Tap Download and Install
4. If an update is available, install it immediately
5. Confirm that the security patch level shows November or December 2025 (or later)

✅ Before you update (very important)

1. Connect to Wi-Fi for a stable connection and to save mobile data
2. Charge the battery to at least 75% so the device does not shut down mid-update

⚠️ If the update is unavailable or fails
• Check storage space: if there is not enough free space the update file may not download; delete unnecessary files first
• Older devices: some older models may not support a newer Android version or the latest security patch; check with your device manufacturer
• If no update is offered for your device, or it is an older model and no new patch arrives after checking, do the following to reduce the risk temporarily (these are partial mitigations only; the update remains the fix):

1. Turn off automatic MMS retrieval: open the Messages app > Settings > turn off "Auto-retrieve MMS"
2. Avoid opening unexpected files from unknown senders on any channel
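A fleet-side version of step 5 above (checking the security patch level), as an added example that is not part of the NCSA/ThaiCERT post: it reads the standard Android property ro.build.version.security_patch over adb and compares it with the earliest patch month the advisory names. The cutoff 2025-11-01 is an assumption derived from the advisory's "November 2025" wording, not a patch level the post states; adb being installed and the devices being authorized for USB debugging are also assumptions.

```sh
#!/bin/sh
# Added example, not part of the NCSA/ThaiCERT post: check the Android security
# patch level of attached devices against the advisory's fix cutoff.
# Assumptions: the cutoff 2025-11-01 (first patch month the advisory names),
# adb installed, and devices authorized for USB debugging.
# ro.build.version.security_patch is the standard Android property that holds
# the device's security patch level as YYYY-MM-DD.

REQUIRED_PATCH="2025-11-01"

# patch_is_current LEVEL
#   returns 0 if LEVEL (YYYY-MM-DD) is on or after REQUIRED_PATCH,
#   1 if it is older, 2 if LEVEL is not a well-formed date (empty output,
#   unreadable device, vendor-modified property).
patch_is_current() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the dashes so the dates compare as plain integers (20251101 etc.)
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_PATCH" | sed 's/-//g')
    [ "$have" -ge "$need" ]
}

# check_device SERIAL
#   prints a verdict for one device; returns 0 only when it is patched
check_device() {
    serial="$1"
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    rc=0
    patch_is_current "$level" || rc=$?
    case $rc in
        0) printf '%s: patch level %s - OK\n' "$serial" "$level"; return 0 ;;
        1) printf '%s: patch level %s - NEEDS UPDATE (required >= %s)\n' "$serial" "$level" "$REQUIRED_PATCH"; return 1 ;;
        *) printf '%s: could not read patch level (got "%s")\n' "$serial" "$level"; return 1 ;;
    esac
}

# Fleet sweep over every device adb currently sees; skipped when adb is absent
if command -v adb >/dev/null 2>&1; then
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial"
    done
fi
```

An unreadable or malformed property is reported as a failure rather than silently treated as patched, so a device that returns nothing (not authorized, vendor build that changed the property) shows up in the sweep instead of being missed.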

📢 Reminder: the update is free and does not erase the data on your device (photos, contacts, etc.); backing up beforehand is still good practice. Update as soon as possible to protect your personal data.

Best regards
National Cyber Security Agency (NCSA) / ThaiCERT

🔗 Sources
1. https://support.google.com/android/answer/7680439
2. https://source.android.com/docs/security/bulletin/2025-11-01?utm&hl=th
3. https://nvd.nist.gov/vuln/detail/CVE-2025-21483


Posted in Cyber Security News
NCSA_THAICERT
• GlassWorm is back with more than 24 fake extensions targeting developers through VS Code and Open VSX


Follow further news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News
NCSA_THAICERT
• US CISA adds an Android Framework vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog



Posted in Cyber Security News
NCSA_THAICERT
• South Korea arrests suspect who hacked more than 120,000 IP cameras and sold private footage to overseas websites



Posted in Cyber Security News
NCSA_THAICERT
• CISA adds one known exploited vulnerability to its catalog

On 3 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence that it is being exploited in the wild:

      • CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

Binding Operational Directive (BOD) 22-01 established the KEV Catalog as a living list of CVEs that carry significant risk and are known to be exploited. Federal Civilian Executive Branch (FCEB) agencies must remediate each listed vulnerability by the due date CISA sets, to protect their networks from active threats.

CISA continues to add vulnerabilities to the KEV Catalog as new exploitation is confirmed. Although BOD 22-01 binds only FCEB agencies, CISA recommends that every organization prioritize remediation of catalog entries as part of its vulnerability management practice.

Reference
      https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog

Posted in Cyber Security News
NCSA_THAICERT
    • Cyber Threat Intelligence 04 December 2025

      Industrial Sector

      • CISA, Australia, And Partners Author Joint Guidance On Securely Integrating Artificial Intelligence In Operational Technology
        "CISA and the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with federal and international partners, have released new cybersecurity guidance: Principles for the Secure Integration of Artificial Intelligence in Operational Technology. This guidance aims to help critical infrastructure owners and operators integrate artificial intelligence (AI) into operational technology (OT) systems securely, balancing the benefits of AI—such as increased efficiency, enhanced decision-making, and cost savings—with the unique risks it poses to the safety, security, and reliability of OT environments."
        https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-australia-and-partners-author-joint-guidance-securely-integrating-artificial-intelligence
        https://www.cisa.gov/resources-tools/resources/principles-secure-integration-artificial-intelligence-operational-technology
        https://www.cisa.gov/sites/default/files/2025-12/joint-guidance-principles-for-the-secure-integration-of-artificial-intelligence-in-operational-technology-508c.pdf

      New Tooling

      • Portmaster: Open-Source Application Firewall
        "Portmaster is a free and open source application firewall built to monitor and control network activity on Windows and Linux. The project is developed in the EU and is designed to give users stronger privacy without asking them to manage every rule by hand."
        https://www.helpnetsecurity.com/2025/12/03/portmaster-open-source-application-firewall/
        https://github.com/safing/portmaster

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In King Addons For Elementor Plugin
        "On July 24th, 2025, we received a submission for a Privilege Escalation vulnerability in King Addons for Elementor, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying the administrator user role during registration. The vendor released the patched version on September 25th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 30th, 2025. Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025. The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
        https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/
        https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html
        https://securityaffairs.com/185286/hacking/king-addons-flaw-lets-anyone-become-wordpress-admin.html
        https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/
      • Critical Security Vulnerability In React Server Components
        "On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0."
        https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
        https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
        https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
        https://www.darkreading.com/vulnerabilities-threats/critical-react-flaw-triggers-immediate-action
        https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/
        https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
      • Chrome 143 Patches High-Severity Vulnerabilities
        "Google on Tuesday promoted Chrome 143 to the stable channel with patches for 13 vulnerabilities reported by external researchers. The fresh round of Chrome patches resolves four high-severity flaws, including a type confusion issue in the V8 JavaScript and WebAssembly engine, tracked as CVE-2025-13630. The remaining high-severity defects include inappropriate implementation bugs in Google Updater (CVE-2025-13631) and DevTools (CVE-2025-13632), and a use-after-free flaw in Digital Credentials (CVE-2025-13633)."
        https://www.securityweek.com/chrome-143-patches-high-severity-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog
      • Microsoft "mitigates" Windows LNK Flaw Exploited As Zero-Day
        "Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Threat actors distribute these files in ZIP or other archives because email platforms commonly block .lnk attachments due to their risky nature."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
        https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
        https://www.securityweek.com/microsoft-silently-mitigated-exploited-lnk-vulnerability/

      Malware

      • Shai-Hulud V2 Poses Risk To NPM Supply Chain
        "On November 24, 2025, security researchers detected a second wave of the Shai-Hulud malware campaign targeting the npm ecosystem. Dubbed The Second Coming by its operators, Shai-Hulud V2 builds upon its predecessor, Shai-Hulud V1, and has established itself as an aggressive software supply chain attack. Within hours of its initial detection, the campaign had compromised over 700 npm packages, created more than 27,000 malicious GitHub repositories, and exposed approximately 14,000 secrets across 487 organizations."
        https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain
      • Technical Analysis Of Matanbuchus 3.0
        "Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. Despite its simplicity, Matanbuchus has been more recently associated with ransomware operations."
        https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0
      • Hook For Gold: Inside GoldFactory's Campaign That Turns Apps Into Goldmines
        "In February 2024, Group-IB uncovered sophisticated mobile threat campaigns that show how fast banking malware is evolving across the Asia-Pacific region. Ongoing monitoring of this evolving threat revealed a surge of aggressive mobile Trojans targeting both iOS and Android users, all operated by a single threat actor tracked as GoldFactory. Since releasing our initial report, we have continued to monitor the group’s activity and our latest research sheds light on how cybercriminals have evolved in their tactics and tools."
        https://www.group-ib.com/blog/turning-apps-into-gold/
      • V3G4 Botnet Evolves: From DDoS To Covert Cryptomining
        "Cyble Research & Intelligence Labs (CRIL) has identified an active Linux-targeting campaign that deploys a Mirai-derived botnet, paired with a stealthy, fileless-configured cryptominer. The threat actor employs a multi-stage infection chain starting with a downloader that delivers architecture-specific V3G4 binaries across x86_64, ARM, and MIPS systems. Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner dynamically configured at runtime."
        https://cyble.com/blog/v3g4-mirai-botnet-evolves/
      • DIANNA Explains 4: Nimbus Manticore—Monstrous Malware
        "Hey humans, DIANNA here. I’m back again with another malware teardown. This time, we're looking at a piece of malware called Nimbus Manticore, and I'll say this upfront—whoever named this malware has a flair for the dramatic. The capabilities, though? All business. Nimbus Manticore represents a serious challenge for organizations because it's not just designed to compromise a single endpoint. It's built to move laterally through your network, escalate privileges, and establish a persistent presence across multiple systems."
        https://www.deepinstinct.com/blog/dianna-explains-4-nimbus-manticore-monstrous-malware
      • How a Fake ChatGPT Installer Tried To Steal My Password
        "Over the Thanksgiving holiday, I embarked on a small project to evaluate AI browsers, including the buzzy ChatGPT Atlas. Like most people, I clicked the first result I saw: a sponsored link. The page looked nearly identical to the real Atlas site: same layout, design, copy. The only subtle giveaway was the domain: a Google Sites URL. That’s increasingly common in modern phishing kits—tools like v0.dev make it trivial to clone a legitimate site in minutes, and hosting on Google Sites adds a false sense of credibility for anyone who thinks Google = trustworthy. Given our work here at Fable, I was pretty excited to have stumbled on this, and decided to give it a whirl and see just how much damage I could cause."
        https://fablesecurity.com/blog-chatgpt-installer-stole-my-password/
        https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
      • French NGO Reporters Without Borders Targeted By Calisto In Recent Campaign
        "In May and June 2025, TDR team analysts were contacted by two organisations — including the French NGO Reporters Without Borders (RSF) — over suspicions of a new spear phishing attempts by the intrusion set Calisto (also known as ColdRiver or Star Blizzard). Calisto is a Russia-nexus intrusion set active since at least April 2017, attributed by the USA, the UK, New Zealand and Australia to the Russian intelligence service FSB, more specifically to the Center 18 for Information Security (TsIB), military unit 64829, also known to operate the intrusion set Gamaredon. Sekoia.io concurs with such attribution as past Calisto operations investigated by TDR analyst showed objectives and victimology that align closely with Russian strategic interests."
        https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/
        https://www.infosecurity-magazine.com/news/star-blizzard-targets-reporters/
      • The $9M yETH Exploit: How 16 Wei Became Infinite Tokens
        "On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately $9 million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 wei, worth approximately $0.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history."
        https://research.checkpoint.com/2025/16-wei/
        https://www.infosecurity-magazine.com/news/yearn-finance-yeth-pool-exploit/
      • DNS Uncovers Infrastructure Used In SSO Attacks
        "We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites. Figure 1 shows a timeline of attack volumes, based on DNS, against the schools."
        https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
        https://www.malwarebytes.com/blog/news/2025/12/attackers-have-a-new-way-to-slip-past-your-mfa
      • How Attackers Use Real IT Tools To Take Over Your Computer
        "A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims’ systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses–disguising them as everyday utilities. Once installed, the tool gives attackers full remote access to the victim’s machine, evading many conventional security detections because the software itself is legitimate."
        https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer
      • Shai Hulud 2.0, Now With a Wiper Flavor
        "In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm. According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France."
        https://securelist.com/shai-hulud-2-0/118214/
      • Malicious Rust Crate Evm-Units Serves Cross-Platform Payloads For Silent Execution
        "The Socket Threat Research Team recently discovered a malicious Rust package named evm-units, written by ablerust, with over 7,000 all-time downloads. Based on the victim’s OS and whether Qihoo360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it. The package appears to return the Ethereum version number, so the victim is none the wiser. The package names and code behavior (EVM utilities, genuine Uniswap helper library), combined with the Qihoo360 targeting and multi-OS loader pattern, make it likely that the payload steals cryptocurrency. The targeting of Qihoo360 also suggests that the threat actor is focusing on Asian markets, as Qihoo360 is a Chinese-made antivirus with dominant marketshare throughout Asia."
        https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads
        https://thehackernews.com/2025/12/malicious-rust-crate-delivers-os.html
      • ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader For DLL Side-Loading
        "Cybercriminal operations continue to escalate in both aggressiveness and sophistication, achieving greater impact through the strategic integration of multiple methods. The campaign investigated in this article demonstrates a layered application of tried-and-tested techniques: social‑engineering lures targeting job seekers, obfuscation through deeply nested directory paths, and execution via DLL sideloading."
        https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
      • Massive Gambling Network Doubles As Hidden C2 And Anonymity Infrastructure, Researchers Say
        "A sprawling network that’s seemingly maintained to serve (illegal) online gambling opportunities and deliver malware to Indonesian citizens is likely also being used to provide threat actors command and control (C2) and anonymity services. “The infrastructure has been active for at least 14 years and currently spans 328,039 domains: 236,433 purchased domains, 90,125 hacked websites, and 1,481 hijacked subdomains, including subdomains of government websites,” says Kobi Ben Naim, CEO and Head of Research at Malanta."
        https://www.helpnetsecurity.com/2025/12/03/indonesian-online-gambling-network/

      Breaches/Hacks/Leaks

      • Marquis Data Breach Impacts Over 74 US Banks, Credit Unions
        "Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US. Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders. In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall."
        https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
        https://www.bankinfosecurity.com/marketing-compliance-software-vendor-to-banks-breached-a-30184
      • French DIY Retail Giant Leroy Merlin Discloses a Data Breach
        "French home improvement and gardening retailer Leroy Merlin is notifying customers that their personal info has been compromised in a data breach. Leroy Merlin operates in multiple European countries as well as in South Africa and Brazil, employs 165,000 people, and has an annual revenue of $9.9 billion."
        https://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/
      • Freedom Mobile Discloses Data Breach Exposing Customer Data
        "Freedom Mobile, the fourth-largest wireless carrier in Canada, has disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers. Founded in 2008 as Wind Mobile by telecommunications provider Globalive, Freedom has over 2,2 million subscribers and now says it provides coverage to 99% of Canadians."
        https://www.bleepingcomputer.com/news/security/freedom-mobile-discloses-data-breach-exposing-customer-data/
      • University Of Phoenix Discloses Data Breach After Oracle Hack
        "The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025. Founded in 1976 and headquartered in Phoenix, Arizona, UoPX is a private for-profit university with nearly 3,000 academic staff and over 100,000 enrolled students. The university disclosed the data breach on its official website on Tuesday, while its parent company, Phoenix Education Partners, filed an 8-K form with the U.S. Securities and Exchange Commission (SEC)."
        https://www.bleepingcomputer.com/news/security/university-of-phoenix-discloses-data-breach-after-oracle-hack/
        https://therecord.media/university-of-phoenix-data-breach
        https://www.securityweek.com/penn-and-phoenix-universities-disclose-data-breach-after-oracle-hack/
        https://securityaffairs.com/185279/data-breach/university-of-pennsylvania-and-university-of-phoenix-disclose-data-breaches.html

      General News

      • Chinese Researchers Simulate Large-Scale Electronic Warfare Against Elon Musk’s Starlink
        "When Russian forces rolled into Ukraine in early 2022, one of the first moves by Kyiv was sending a post to Elon Musk on X: Ukraine needs satellite internet. Within days, thousands of Starlink terminals arrived, restoring command and control across the battlefield despite Russia’s best efforts to black out communications. Moscow initially tried to jam the signals – and reportedly had some success. But when SpaceX quietly updated its software and reconfigured the constellation, many Russian jammers went silent. The battlefield advantage shifted."
        https://www.scmp.com/news/china/science/article/3333523/chinese-researchers-simulate-large-scale-electronic-warfare-against-elon-musks-starlink
        https://www.darkreading.com/cyberattacks-data-breaches/china-researches-ways-disrupt-satellite-internet
      • CISOs Are Questioning What a Crisis Framework Should Look Like
        "CISOs increasingly assume the next breach is coming. What concerns them most is whether their teams will understand the incident quickly enough to limit the fallout. A recent report by Binalyze looks at how investigation practices are holding up across large US enterprises."
        https://www.helpnetsecurity.com/2025/12/03/binalyze-crisis-management-framework-report/
      • Threat Intelligence Programs Are Broken, Here Is How To Fix Them
        "Security teams often gather large amounts of threat data but still struggle to improve detection or response. Analysts work through long lists of alerts, leaders get unclear insights, and executives see costs that do not lead to better outcomes. A recent report from ISACA notes that this gap remains wide across enterprises, and explains that organizations collect information at a pace that makes it hard to understand what matters."
        https://www.helpnetsecurity.com/2025/12/03/isaca-threat-intelligence-programs-report/
      • DOJ Takes Down Myanmar Scam Center Website Spoofing TickMill Trading Platform
        "The Department of Justice announced the dismantling of a website used by a scam center in Myanmar to siphon thousands of dollars from multiple victims. An affidavit filed this week supported the domain seizure of tickmilleas.com — a spoof of legitimate forex and commodities trading platform TickMill. The recently created Scam Center Strike Force tracked the fake website back to the prominent Tai Chang scam compound in Kyaukhat, Myanmar. This is the third domain taken down by U.S. officials in connection with the Tai Chang scam compound — which international law enforcement agencies raided three weeks ago."
        https://therecord.media/doj-takes-down-myanmar-scam-site-trickmill-spoof
        https://www.helpnetsecurity.com/2025/12/03/law-enforcement-agencies-cybercrime-efforts-2025/
      • Cloudflare's 2025 Q3 DDoS Threat Report -- Including Aisuru, The Apex Of Botnets
        "Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025. The third quarter of 2025 was overshadowed by the Aisuru botnet with a massive army of an estimated 1–4 million infected hosts globally. Aisuru unleashed hyper-volumetric DDoS attacks routinely exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). The number of these attacks surged 54% quarter-over-quarter (QoQ), averaging 14 hyper-volumetric attacks daily. The scale was unprecedented, with attacks peaking at 29.7 Tbps and 14.1 Bpps."
        https://blog.cloudflare.com/ddos-threat-report-2025-q3/
        https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
      • Seasonal Surge: Why HR Phishing Peaks In Q4 And The Seven Themes Behind It
        "Q3 and Q4 of each year tend to see the most Human Resources (HR) task-related phishing threats, but the specific theme used by threat actors changes based on current events. This has led to the explosion of termination as a phishing lure, particularly during Q3 2025. By exploiting fear, threat actors can lower an employee’s guard and increase their likelihood of falling victim to an attack. Such malicious emails can appear legitimate as they spoof trusted and generally known entities, like the HR department."
        https://cofense.com/blog/seasonal-surge-why-hr-phishing-peaks-in-q4-and-the-seven-themes-behind-it
      • Ransomware And Supply Chain Attacks Neared Records In November
        "Ransomware attacks hit their second-highest levels on record in November, as the number of attacks rose for the seventh consecutive month. The 640 ransomware attacks recorded by Cyble in November 2025 are second only to February 2025’s record totals (chart below)."
        https://cyble.com/blog/ransomware-attacks-november-2025/
      • While ECH Adoption Is Low, Risks Remain For Enterprises, End Users
        "Two years ago, the introduction of Encrypted Client Hello (ECH) divided enterprise cybersecurity professionals and privacy advocates. An extension to the Transport Layer Security (TLS) 1.3 Internet encryption standard, ECH protects communications between an endpoint device and a Web server. While ECH increased user privacy, it reduced visibility, which is not so great for security. You are already familiar with TLS: The padlock symbol and https designation in the address bar of your browser indicate the website uses this Internet standard. However, this only means that the content between the client machine and the server is encrypted after the connection has been established."
        https://www.darkreading.com/data-privacy/while-ech-adoption-is-low-risks-remain-for-enterprises-end-users
      • The Ransomware Holiday Bind: Burnout Or Be Vulnerable
        "There's never a good time to get hit by ransomware, but fallout can be even more devastating when attacks hit during off-hours, weekends or holidays. That's the time when threat actors strike, knowing enterprises are understaffed. Ransomware gangs are a steady, rising threat that reports show operate as legitimate businesses, complete with customer service and help desk personnel. That reflects in well-thought out attack steps, including timing which commonly correlates with organizations' weekend and holiday downtime, an important tool against staffer burnout."
        https://www.darkreading.com/cyberattacks-data-breaches/the-ransomware-holiday-bind-burnout-or-be-vulnerable
      • UK's Cyber Service For Telcos Blocks 1 Billion Malicious Site Attempts
        "Almost one billion early-stage cyber-attacks have been prevented in the past year in the UK thanks to a recent service deployed by the National Cyber Security Agency (NCSC). The results were announced by British Security Minister, Dan Jarvis, during the Financial Times’ Cyber Resilience Summit: Europe, held in London on December 3. On the morning of the event Jarvis had come from a visit to telecommunications firm, BT, which is a partner of the NCSC’s Share and Defend service."
        https://www.infosecurity-magazine.com/news/uk-cyber-service-blocks-billion/
      • Exploits And Vulnerabilities In Q3 2025
        "In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources."
        https://securelist.com/vulnerabilities-and-exploits-in-q3-2025/118197/
      • The Most Interesting Cybercrime Takedowns Of 2025
        "Every year seems to bring with it the next “biggest data breach in history.” But in an encouraging turn of events, more and more of the world’s most prolific attackers are being caught and arrested. 2024 saw a record-setting data breach that compromised over 2.9 billion sensitive files around the world, but it also saw the swift arrest of the person responsible, an attacker going by the alias USDoD. A new trend shows that data breaches from external threats might be the least of your worries, though."
        https://blog.barracuda.com/2025/12/03/cybercrime-takedowns-2025
      • Disinformation And Cyber-Threats Among Top Global Exec Concerns
        "Business leaders in the world’s most important economies have ranked misinformation/disinformation, cyber insecurity and the adverse effects of AI among the biggest threats to their respective countries, according to the World Economic Forum (WEF). The WEF Executive Opinion Survey 2025 was compiled from interviews with 11,000 executives across 116 economies. They were asked to select the top five risks most likely to pose the biggest threat to their respective countries in the next two years, out of a total of 34 risks."
        https://www.infosecurity-magazine.com/news/disinformation-cyberthreats-global/
      • Twins With Hacking History Charged In Insider Data Breach Affecting Multiple Federal Agencies
        "Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said. Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission."
        https://cyberscoop.com/muneeb-sohaib-akhter-government-contractors-insider-attack/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Releases Five Industrial Control Systems (ICS) Advisories

      On 2 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released five Industrial Control Systems (ICS) advisories to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are:

      • ICSA-25-336-01 Industrial Video & Control Longwatch
      • ICSA-25-336-02 Iskra iHUB and iHUB Lite
      • ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose
      • ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A)
      • ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-industrial-control-systems-advisories

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 December 2025

      Healthcare Sector

      • Mirion Medical EC2 Software NMIS BioDose
        "Successful exploitation of these vulnerabilities could allow an attacker to modify program executables, gain access to sensitive information, gain unauthorized access to the application, and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01

      Industrial Sector

      • Industrial Video & Control Longwatch
        "Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01
      • Iskra iHUB And iHUB Lite
        "Successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02

      Vulnerabilities

      • PyTorch Users At Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities
        "JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content. Each discovered vulnerability enables attackers to evade PickleScan’s malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that conceal undetectable malicious code. In this blog post, we will explain how PickleScan works and why, despite using model scanning tools, Pickle is still unsafe given these recently discovered zero-day vulnerabilities."
        https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/
        https://www.infosecurity-magazine.com/news/picklescan-flaws-expose-ai-supply/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48572 Android Framework Privilege Escalation Vulnerability
        CVE-2025-48633 Android Framework Information Disclosure Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/185252/security/u-s-cisa-adds-android-framework-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • CVE-2025-61260 — OpenAI Codex CLI: Command Injection Via Project-Local Configuration
        "OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development. One of its key features is MCP (Model Context Protocol) – a standardized way to integrate external tools and services into the Codex environment, allowing developers to extend the CLI’s capabilities with custom functionality and automated workflows."
        https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
        https://www.securityweek.com/vulnerability-in-openai-coding-agent-could-facilitate-attacks-on-developers/

      Malware

      • Shai-Hulud 2.0 Aftermath: Trends, Victimology And Impact
        "Wiz Research and Wiz CIRT have been responding to the Shai-Hulud 2.0 incident (aka Sha1-Hulud) since news first broke on November 24, 2025. As of now we’re continuing to observe active spread, albeit at a significantly lower pace. This gives us an opportunity to step back and share what we’ve learned throughout this incident, and reflect on the future. This blog post assumes familiarity with the phases of Sha1-Hulud. For a detailed account of the initial incident, and our recommendations on response, refer to our previous blog post."
        https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
        https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/
      • North Korea Lures Engineers To Rent Identities In Fake IT Worker Scheme
        "In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima (also known as WageMole), part of North Korea’s state-sponsored Lazarus group, is known for social-engineering campaigns to infiltrate Western companies for espionage and revenue generation for the regime."
        https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/
        https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html
      • Uncovering a Calendly-Themed Phishing Campaign Targeting Business Ad Manager Accounts
        "We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account."
        https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign
        https://www.bleepingcomputer.com/news/security/fake-calendly-invites-spoof-top-brands-to-hijack-ad-manager-accounts/
      • MuddyWater: Snakes By The Riverbank
        "ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic includes a custom delay function inspired by the game’s mechanics, combined with frequent use of Sleep API calls."
        https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
        https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
        https://www.darkreading.com/cyberattacks-data-breaches/irans-muddywater-levels-up-muddyviper-backdoor
        https://therecord.media/iran-linked-hackers-target-israel-egypt-phishing
        https://www.bankinfosecurity.com/iran-hackers-take-inspiration-from-snake-video-game-a-30177
        https://securityaffairs.com/185244/apt/muddywater-strikes-israel-with-advanced-muddyviper-malware.html
        https://www.helpnetsecurity.com/2025/12/02/eset-muddywater-cyber-campaign/
      • New eBPF Filters For Symbiote And BPFdoor Malware
        "eBPF—extended Berkeley Packet Filter—is a very interesting kernel technology that lets users load tiny, sandboxed programs into the Linux kernel to inspect or modify network packets, system calls, and more. The technology was introduced in 2015 to renovate the “old” BPF technology of 1992, which was no longer adapted to modern computer architectures (e.g., 64-bit). As usual, the technology was quickly noticed by malware authors, resulting in the Bvp47 malware in 2015, as well as a collection of rootkits, such as Ebpfkit and TripleCross. However, due to the required skills needed to use or exploit eBPF, the malware remains rare (in number). Today, the malware scene mostly consists of two families: Symbiote and BPFDoor, both from 2021."
        https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware
      • Dragons In Thunder
        "During investigations into two incidents at Russian companies, we identified malicious activity that involved the exploitation of RCE vulnerabilities, including CVE-2025-53770 in Microsoft SharePoint, as well as CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. In addition to the exploitation of vulnerabilities, we discovered samples of the KrustyLoader and Sliver malware, as well as traces of the Tactical RMM and MeshAgent tools. Detailed analysis showed the presence of at least two groups: QuietCrabs (also known as UTA0178 and UNC5221) and Thor. QuietCrabs were seen exploiting these vulnerabilities within just a few hours of PoC code being published."
        https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/
        https://www.helpnetsecurity.com/2025/12/02/threat-research-ransomware-espionage-attack/
      • Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated Via WhatsApp
        "Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published research on the SORVEPOTEL malware and the broader Water Saci campaign, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content. While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively."
        https://www.trendmicro.com/en_us/research/25/l/water-saci.html
      • CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
        "TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks."
        https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system
      • APT36 Python Based ELF Malware Targeting Indian Government Entities
        "CYFIRMA has uncovered an active cyber-espionage campaign conducted by APT36 (Transparent Tribe), a Pakistan-based threat actor known for persistent targeting of Indian government and strategic sectors. The latest activity demonstrates the group’s growing technical maturity and adaptability, as it deploys tailored malware specifically crafted to compromise Linux-based BOSS operating environments. The intrusion begins with spear-phishing emails designed to lure recipients into opening weaponized Linux shortcut files. Once executed, these files silently download and run malicious components in the background while presenting benign content to the user, thereby facilitating stealthy initial access and follow-on exploitation."
        https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/

      Breaches/Hacks/Leaks

      • University Of Pennsylvania Confirms New Data Breach After Oracle Hack
        "The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025."
        https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/
        https://cyberscoop.com/university-pennsylvania-oracle-e-business-suite-clop-attacks/
        https://www.theregister.com/2025/12/02/clop_university_of_pennsylvania/
      • Everest Ransomware Claims ASUS Breach And 1TB Data Theft
        "A new claim by the Everest ransomware group suggests that ASUS, one of the world’s largest hardware and electronics companies, has been compromised. According to a post on the group’s dark web leak site, they are in possession of more than 1TB of stolen data, which they say includes camera source code. In this case, “Camera Source Code” likely refers to proprietary firmware or software used in ASUS devices with built-in cameras, such as laptops or smartphones. This could include low-level control code for camera modules, internal drivers, or even entire applications tied to image processing or device integration."
        https://hackread.com/everest-ransomware-asus-breach-1tb-data/

      General News

      • The Collapse Of Trust At The Identity Layer
        "Identity verification has become the latest front in the fight against industrialized fraud, according to a new report from Regula. The shift is visible across sectors that once relied on predictable verification routines. Criminals have learned to target the identity step itself, and the impact is spreading through financial services, healthcare, telecoms, crypto platforms, and aviation."
        https://www.helpnetsecurity.com/2025/12/02/regula-identity-verification-threats-report/
      • Creative Cybersecurity Strategies For Resource-Constrained Institutions
        "In this Help Net Security interview, Dennis Pickett, CISO at RTI International, talks about how research institutions can approach cybersecurity with limited resources and still build resilience. He discusses the tension between open research and the need to protect sensitive information, noting that workable solutions come from understanding how people get their jobs done. Pickett explains how security teams can partner with researchers to set guardrails that support innovation rather than slow it. He also shares observations on emerging risks, state interest in advanced technologies, and the challenge of managing data across diverse disciplines."
        https://www.helpnetsecurity.com/2025/12/02/dennis-pickett-rti-international-research-institutions-cybersecurity/
      • Attackers Keep Finding New Ways To Fool AI
        "AI development keeps accelerating while the safeguards around it move on uneven ground, according to The International AI Safety Report. Security leaders are being asked to judge exposure without dependable benchmarks. Across the AI ecosystem, developers are adopting layered controls throughout the lifecycle. They combine training safeguards, deployment filters, and post release tracking tools. A model may be trained to refuse harmful prompts. After release, its inputs and outputs may pass through filters. Provenance tags and watermarking can support incident reviews."
        https://www.helpnetsecurity.com/2025/12/02/ai-safety-risks-report/
      • Korea Arrests Suspects Selling Intimate Videos From Hacked IP Cameras
        "The Korean National Police have arrested four individuals suspected of hacking over 120,000 IP cameras across the country and then selling stolen footage to a foreign adult site. Although the suspects or the websites haven’t been named, the police are already taking action against viewers of the illicitly gained content, as well as the operators of the website, through international collaboration."
        https://www.bleepingcomputer.com/news/security/korea-arrests-suspects-selling-intimate-videos-from-hacked-ip-cameras/
      • Researchers Use Poetry To Jailbreak AI Models
        "Three years into the ‘AI future,’ researchers' creative jailbreaking efforts never cease to amaze. Researchers from the Sapienza University of Rome, the Sant’Anna School of Advanced Studies, and large language model (LLM) safety and compliance consultancy Dexai showed how one can jailbreak leading AI models by framing prompts as a rhyming poem. The group published their findings in a white paper Nov. 19."
        https://www.darkreading.com/threat-intelligence/researchers-use-poetry-to-jailbreak-ai-models
        https://arxiv.org/html/2511.15304v1
        https://www.malwarebytes.com/blog/news/2025/12/whispering-poetry-at-ai-can-make-it-break-its-own-rules
      • Most Companies Fear State-Sponsored Cyber-Attacks And Want More Government Help
        "The vast majority of British and American cybersecurity professionals are worried about state-sponsored cyber-attacks, and a quarter (23%) say their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations,” according to research by IO. The compliance software vendor polled 3000 cybersecurity managers in the US and UK to compile its State of Information Security Report 2025."
        https://www.infosecurity-magazine.com/news/companies-fear-state-attacks-more/
      • The Great Disconnect: Unmasking The ‘Two Separate Conversations’ In Security
        "It is often the case that I witness a conversation that is actually two separate conversations. What do I mean by that? If you are an astute listener and observer, you have probably noticed how often two people are having two completely different conversations. It is seldom the case that either person realizes it, and thus, more often than not, people have difficulty communicating effectively with one another. Quite simply put, they are not having the same conversation."
        https://www.securityweek.com/the-great-disconnect-unmasking-the-two-separate-conversations-in-security/
      • SOC Threat Radar — December 2025
        "The SOC team recently noticed a rise in the suspicious use of ScreenConnect. This includes attackers attempting to connect endpoints to targets’ ScreenConnect deployments, and attackers deploying ScreenConnect themselves to control hosts remotely. ScreenConnect is a trusted and popular remote device management tool used by many organizations and their managed service providers. As a result, the detection of ScreenConnect does not immediately arouse suspicion."
        https://blog.barracuda.com/2025/12/02/soc-threat-radar-december-2025
      • The Browser Defense Playbook: Stopping The Attacks That Start On Your Screen
        "The predominance of cloud-based apps and the trend towards remote work have made the browser the place where most work happens. In fact, about 85% of daily work takes place there. In many ways, it’s a win for all involved. Users can work from a wider range of locations and devices, accessing full “desktops” inside a browser tab. Organizations can manage apps and browser access easier than through localized desktop software. This all allows for greater central management, lower costs and better flexibility."
        https://unit42.paloaltonetworks.com/browser-defense-playbook/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Network Of More Than 2,000 Fake Shopping Websites Found Deceiving Buyers During Sales Campaigns

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • New Android Malware “Albiriox” Found, Developed By A Russian Cybercrime Group

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning For Developers: North Korean Hackers Release 197 Malicious npm Packages Embedding Malware Via A Fake Job Interview Campaign

      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT