NCSA Webboard

    Posts created by NCSA_THAICERT

    • Microsoft Teams vulnerabilities found that let attackers impersonate colleagues and edit messages without being detected


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases an update fixing an Android vulnerability exposed to Remote Code Execution attacks


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google adds Autofill support for remembering passport and driver's licence data: more convenient, but does it risk data leakage?


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 November 2025

      Industrial Sector

      • Operational Technology Security Poses Inherent Risks For Manufacturers
        "From supply chain risks and breaches to employees' physical safety, the manufacturing industry is no stranger to operational technology (OT) security challenges. The good news? Experts say awareness has increased among manufacturers. But whether that will lead to improvements is difficult to say. OT controls the processes and equipment necessary for manufacturers. It's built to last, but that also means there's legacy technology — unsupported and difficult to update — on the factory floor. A lack of visibility around an overwhelming number of assets presents heightened concerns as well. And then comes the human factor."
        https://www.darkreading.com/ics-ot-security/operational-technology-security-poses-inherent-risks-for-manufacturers

      New Tooling

      • Decrypted: Midnight Ransomware
        "In the ever-evolving landscape of cyber threats, a new ransomware strain known as Midnight has emerged, echoing the notorious tactics of its predecessor, Babuk. First detected by Gen researchers, Midnight blends familiar ransomware mechanics with novel cryptographic modifications – some of which unintentionally open the door to file recovery. This blog dives into the technical anatomy of Midnight, its lineage from Babuk, and the critical indicators of infection. Most importantly, it offers a practical guide to decrypting affected files, empowering victims with a rare opportunity to reclaim their data without paying a ransom."
        https://www.gendigital.com/blog/insights/research/midnight-ransomware
        https://hackread.com/norton-midnight-ransomware-free-decryptor/
      • VulnRisk: Open-Source Vulnerability Risk Assessment Platform
        "VulnRisk is an open-source platform for vulnerability risk assessment. It goes beyond basic CVSS scoring by adding context-aware analysis that reduces noise and highlights what matters. The tool is free to use and designed for local development and testing. The platform’s scoring engine cuts up to 90 percent of noise by applying contextual factors such as exploit likelihood and asset importance. Every score comes with a full calculation breakdown, so users can see exactly how each risk level is determined. VulnRisk’s transparent methodology makes it easier for teams to trust the results and adjust their security priorities."
        https://www.helpnetsecurity.com/2025/11/05/vulnrisk-open-source-vulnerability-risk-assessment-platform/
        https://github.com/GurkhaShieldForce/VulnRisk_Public

      Vulnerabilities

      • PromptJacking: The Critical RCEs In Claude Desktop That Turn Questions Into Exploits
        "Hi again. This is a reminder that while we often write about malicious extensions from unknown developers, or large scale supply chain compromises, sometimes, even the most trusted developers can make mistakes that may wreak havoc on your enterprise... We’ve identified severe RCE vulnerabilities in three extensions that were written, published, and promoted by Anthropic themselves - the Chrome, iMessage, and Apple Notes connectors, and are sitting at the very top of Claude Desktop's extension marketplace."
        https://www.koi.ai/blog/promptjacking-the-critical-rce-in-claude-desktop-that-turn-questions-into-exploits
        https://www.infosecurity-magazine.com/news/claude-desktop-extensions-prompt/
      • AMD Red-Faced Over Random-Number Bug That Kills Cryptographic Security
        "AMD will issue a microcode patch for a high-severity vulnerability that could weaken cryptographic keys across Epyc and Ryzen CPUs. The flaw, tracked as CVE-2025-62626 (7.2), affects Zen 5 chips with the 16-bit and 32-bit instruction variants. The bug involves RDSEED, a function that generates high-quality random numbers used by security keys. RDSEED provides the true entropy that's required by apps generating high-strength cryptographic keys."
        https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

      Malware

      • Gootloader Is Back (Back Again)
        "Before I start, I have to give credit, where it’s due. A Major shout-out to RussianPanda and the team at Huntress for catching this new Gootloader campaign in the wild. As the title suggests — yes, Gootloader is back. Back again. I was (like many others) hoping that after the disruptions my April blog caused, they’d finally hang up their hats and retire. But here we are. For over five years, the threat actor behind Gootloader has been using legal-themed bait — terms like “contract”, “form” and “agreement” — to draw victims into their traps. (There was that brief detour into PDF converters.)"
        https://gootloader.wordpress.com/2025/11/05/gootloader-is-back-back-again/
        https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/
      • International Threats – Infection URLs Used In Regional Phishing Campaigns
        "Cofense Intelligence relies on over 35 million trained employees from around the world, and a considerable number of analyzed campaigns are written in languages other than English. This report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware. The URLs that are the focus of this report are commonly referred to as “infection URLs” as they are the source for an infection by malware. Infection URLs, especially the services hosting them, are important as they represent the first step in a chain of events that can be broken with proper preparations and tools. This report is part of a series of reports covering different trends in phishing campaigns that are delivered by the top five non-English languages that Cofense sees. Other topics include the malware families and delivery mechanisms seen in different languages, as well as the themes seen in various languages."
        https://cofense.com/blog/international-threats-infection-urls-used-in-regional-phishing-campaigns
      • Crossed Wires: a Case Study Of Iranian Espionage And Attribution
        "In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response. Initial analysis of the activity found tactics, techniques, and procedures (TTP) overlaps with multiple Iranian aligned groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Mint Sandstorm, Charming Kitten), and TA450 (MuddyWater, Mango Sandstorm). Given a lack of high confidence links to any one established threat group, we designated the activity as a temporary cluster called UNK_SmudgedSerpent."
        https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution
        https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html
        https://www.darkreading.com/cyberattacks-data-breaches/iranian-apt-phishes-us-policy-wonks
        https://www.infosecurity-magazine.com/news/unksmudgedserpent-targets-academics/
      • Voice Of SecOps Spotlight: Tis The Season For Online Sales — And AI-Fueled Cyberattacks
        "With Black Friday, Cyber Monday, and peak holiday shopping just weeks away, retailers anticipate record-breaking sales volumes — paired with a sharp surge in cyber risk. The massive flow of sensitive data, cloud file transfers, and third-party integrations makes this the most dangerous time of year. Deep Instinct recently released the sixth edition of its Voice of SecOps Report, Cybersecurity & AI – Promises, Pitfalls, and Prevention Paradise, which sheds light on how leaders across seven industries, including the retail and eCommerce sector, are bracing for this challenge. The report reveals a clear warning: while AI is driving unprecedented productivity gains for retail security teams, it’s also exposing new vulnerabilities that legacy defenses can’t handle."
        https://www.deepinstinct.com/blog/voice-of-secops-spotlight-tis-the-season-for-online-sales-and-ai-fueled-cyberattacks
      • Ghosts In /proc: Manipulation And Timeline Corruption
        "In our previous blog, “Hiding in plain sight: Techniques and defenses against /proc filesystem manipulation in Linux” we explored techniques for concealing malicious processes from forensics triage tools. Forensic analysts often rely on the Linux virtual filesystem /proc to enumerate processes, reconstruct timelines, and attribute activity to specific executables. Utilities such as ps, top, and various triage scripts extract process metadata from files located under /proc/<pid>/, including cmdline and stat. The integrity of these files is therefore critical to many incident response workflows."
        https://www.group-ib.com/blog/ghosts-in-proc/
      • HackedGPT: Novel AI Vulnerabilities Open The Door For Private Data Leakage
        "Tenable Research has discovered seven vulnerabilities and attack techniques in ChatGPT, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms. Prompt injections are a weakness in how large language models (LLMs) process input data. An attacker can manipulate the LLM by injecting instructions into any data it ingests, which can cause the LLM to ignore the original instructions and perform unintended or malicious actions instead. Specifically, indirect prompt injection occurs when an LLM finds unexpected instructions in an external source, such as a document or website, rather than a direct prompt from the user."
        https://www.tenable.com/blog/hackedgpt-novel-ai-vulnerabilities-open-the-door-for-private-data-leakage
        https://thehackernews.com/2025/11/researchers-find-chatgpt.html
      • PHP Cryptomining Campaign: October/November 2025
        "From August through October 2025, we observed (GreyNoise Visualizer) a clear ramp-up in exploitation attempts against PHP and PHP-based frameworks as actors push to deploy cryptominers. The query below captures a range of attempts (ThinkPHP, PHP CGI, PHPUnit, the recent PHP CVE-2024-4577, etc.), and the telemetry shows seven distinct attack patterns that move in parallel: steady in August–September, then spiking into October and November."
        https://www.greynoise.io/blog/php-cryptomining-campaign

      Breaches/Hacks/Leaks

      • Hyundai AutoEver America Data Breach Exposes SSNs, Drivers Licenses
        "Hyundai AutoEver America is notifying individuals that hackers breached the company's IT environment and gained access to personal information. The company discovered the intrusion on March 1 but the investigation revealed that the attacker had access to the systems since February 22nd. Hyundai AutoEver America (HAEA) is an affiliate of Hyundai Motor Group that provides IT consulting, managed services, and helpdesk support for the entire lifecycle of automotive IT from production to retirement."
        https://www.bleepingcomputer.com/news/security/hyundai-autoever-america-data-breach-exposes-ssns-drivers-licenses/
      • SonicWall Says State-Sponsored Hackers Behind September Security Breach
        "SonicWall's investigation into the September security breach that exposed customers' firewall configuration backup files concludes that state-sponsored hackers were behind the attack. The network security company says that incident responders from Mandiant confirmed that the malicious activity had no impact on SonicWall's products, firmware, systems, tools, source code, or customer networks. “The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor - was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall states."
        https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/
        https://www.sonicwall.com/blog/cloud-backup-security-incident-investigation-complete-and-strengthened-cyber-resilience
        https://securityaffairs.com/184258/security/sonicwall-blames-state-sponsored-hackers-for-september-security-breach.html

      General News

      • GTIG AI Threat Tracker: Advances In Threat Actor Usage Of AI Tools
        "Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution. This report serves as an update to our January 2025 analysis, "Adversarial Misuse of Generative AI," and details how government-backed threat actors and cyber criminals are integrating and experimenting with AI across the industry throughout the entire attack lifecycle. Our findings are based on the broader threat landscape."
        https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
        https://www.bleepingcomputer.com/news/security/google-warns-of-new-ai-powered-malware-families-deployed-in-the-wild/
        https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html
        https://therecord.media/new-malware-uses-ai-to-adapt
        https://www.bankinfosecurity.com/malware-developers-test-ai-for-adaptive-code-generation-a-29932
        https://www.securityweek.com/malware-now-uses-ai-during-execution-to-mutate-and-collect-data-google-warns/
        https://www.helpnetsecurity.com/2025/11/05/malware-using-llms/
        https://www.theregister.com/2025/11/05/attackers_experiment_with_gemini_ai/
      • Operation Chargeback: 4.3 Million Cardholders Affected, EUR 300 Million In Damages
        "On 4 November 2025, an international coordinated action day targeted three major fraud and money laundering networks as part of Operation “Chargeback.” Led by the Cybercrime Department (Landeszentralstelle Cybercrime) of the General Prosecutor's Office (Generalstaatsanwaltschaft) in Koblenz, Germany, and the German Federal Criminal Police Office (Bundeskriminalamt), the operation has been investigating these networks since December 2020. More than 60 house searches were conducted and a total of 18 arrest warrants executed. The criminal networks are suspected of misusing credit card data from over 4.3 million cardholders across 193 countries. In total, the estimated damage from the fraud scheme exceeds EUR 300 million, with attempted damages amounting to over EUR 750 million."
        https://www.europol.europa.eu/media-press/newsroom/news/operation-chargeback-43-million-cardholders-affected-eur-300-million-in-damages
        https://www.eurojust.europa.eu/news/eurojust-coordinates-major-operation-against-eur-300-million-global-credit-card-fraud-18
        https://www.bleepingcomputer.com/news/security/europol-credit-card-fraud-rings-stole-eur-300-million-from-43-million-cardholders/
        https://therecord.media/europe-police-bust-global-fraud-ring-payment-firms
        https://www.bankinfosecurity.com/cops-cuff-18-suspects-over-345m-credit-card-fraud-scheme-a-29935
        https://www.infosecurity-magazine.com/news/operation-chargeback-uncovers/
        https://www.helpnetsecurity.com/2025/11/05/global-credit-card-fraud-arrests/
      • Closing The AI Execution Gap In Cybersecurity — A CISO Framework
        "Artificial intelligence (AI) is a present-day reality reshaping the cybersecurity landscape. For chief information security officers (CISOs), the integration of AI into security frameworks is a double-edged sword. AI promises enhanced efficiency, predictive capabilities, and automation for internal security teams. Simultaneously, it also endows bad actors with new tools to exploit vulnerabilities across complex ICT supply chains."
        https://www.darkreading.com/cybersecurity-operations/closing-ai-execution-gap-cybersecurity-ciso-framework
      • Risk 'Comparable' To SolarWinds Incident Lurks In Popular Software Update Tool
        "Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended. The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems."
        https://www.darkreading.com/application-security/risk-solarwinds-popular-software-tool-update
      • Threat Spotlight: How Automation, Customization, And Tooling Signal Next Ransomware Front Runners
        "In the competitive ransomware-as-a-service (RaaS) ecosystem, a group’s success—defined here as victim count on its data-leak site—depends on the sophistication of its platform and its unique offerings. Such bespoke platforms attract the most skilled affiliates, who can often bypass stronger defenses to compromise higher-revenue organizations, increasing the likelihood of a successful extortion payment."
        https://reliaquest.com/blog/threat-spotlight-how-automation-customization-and-tooling-signal-ransomware
        https://www.darkreading.com/cyberattacks-data-breaches/inside-the-playbook-of-ransomware-s-most-profitable-players
      • Credentials And Misconfigurations Behind Most Cloud Breaches, Says AWS
        "Businesses are rapidly moving into the public cloud, a change confirmed by the “Building Cloud Trust” report from Amazon Web Services (AWS) and UK-based research firm Vanson Bourne. This report is based on a survey of 2,800 technology and security firms across 13 countries conducted during September and October. The findings show that while the public cloud is now central to how organisations operate, given its agility, they are simultaneously facing unexpected threats that demand continuous caution."
        https://hackread.com/aws-credentials-misconfigurations-cloud-breaches/
        https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/whitepapers/compliance/Cloud_Trust_Report.pdf
      • PortGPT: How Researchers Taught An AI To Backport Security Patches Automatically
        "Keeping older software versions secure often means backporting patches from newer releases. It is a routine but tedious job, especially for large open-source projects such as the Linux kernel. A new research effort has built a tool that uses a large language model to do that work automatically. A team of researchers from China, the United States, and Canada created PortGPT, an AI system designed to automate the process of migrating security patches from mainline branches to older versions of software. They describe their method as an attempt to replicate the reasoning steps that developers use when they manually adapt patches."
        https://www.helpnetsecurity.com/2025/11/05/portgpt-ai-backport-security-patches-automatically/
      • AI Can Flag The Risk, But Only Humans Can Close The Loop
        "In this Help Net Security interview, Dilek Çilingir, Global Forensic & Integrity Services Leader at EY, discusses how AI is transforming third-party assessments and due diligence. She explains how machine learning and behavioral analytics help organizations detect risks earlier, improve compliance, and strengthen accountability. As oversight grows, Çilingir explains why human judgment still matters in every AI-supported decision."
        https://www.helpnetsecurity.com/2025/11/05/dilek-cilingir-ey-ai-third-party-assessments/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 05 November 202

      Industrial Sector

      • Cyber Physical Systems Face Rising Geopolitical Risks
        "Global conflicts, civil unrest and tariff wars provide new opportunities for cyber adversaries, especially those targeting operational technology systems. Attackers are now focusing on fragile supply chains affected by geopolitical conflicts. Researchers predict this heightened threat environment will result in at least one major cyber-physical breach in the next 12 months. Geopolitical risks are creating instability in the sourcing, manufacturing and delivery of critical hardware and software components, said Sean Tufts, field CTO at Claroty, which recently released Global State of CPS Security 2025, a report based on a global survey of 1,100 cybersecurity professionals responsible for the protection of cyber-physical systems."
        https://www.bankinfosecurity.com/cyber-physical-systems-face-rising-geopolitical-risks-a-29931
        https://claroty.com/resources/reports/the-global-state-of-cps-security-2025-navigating-risk-in-an-uncertain-economic-landscape

      Vulnerabilities

      • Jobmonster - Job Board WordPress Theme <= 4.8.1 - Authentication Bypass
        "The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note social login needs to be enabled in order for a site to be impacted by this vulnerability."
        https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/noo-jobmonster/jobmonster-job-board-wordpress-theme-481-authentication-bypass
        https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme/
      • Radiometrics VizAir
        "Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04
      • 400,000 WordPress Sites Affected By Account Takeover Vulnerability In Post SMTP WordPress Plugin
        "On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website."
        https://www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-post-smtp-to-hijack-admin-accounts/
      • Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers At Risk
        "The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 – a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers."
        https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
        https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html
        https://www.securityweek.com/critical-flaw-in-popular-react-native-npm-package-exposes-developers-to-attacks/
      • Android Update Patches Critical Remote Code Execution Flaw
        "Google on Monday announced a fresh set of security updates for the Android platform, to address two vulnerabilities in the System component. The November 2025 Android fixes mark another shift from the monthly updates the internet giant has been rolling out since 2015, as they come with a single security patch level, the 2025-11-01 patch level. For nearly a decade, the update was split into two security patch levels, to make it easier for vendors to address vulnerabilities specific to their devices. The second security patch level of each month contained patches for all the bugs described in that month’s security bulletin."
        https://www.securityweek.com/android-update-patches-critical-remote-code-execution-flaw/
        https://securityaffairs.com/184208/security/google-fixed-a-critical-remote-code-execution-in-android.html
      • Survision License Plate Recognition Camera
        "Successful exploitation of this vulnerability could allow an attacker to fully access the system without requiring authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-02
      • Delta Electronics CNCSoft-G2
        "Successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the current process."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-03
      • IDIS ICM Viewer
        "Successful exploitation of this vulnerability could result in an attacker executing arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-05
      • Apple Patches 19 WebKit Vulnerabilities
        "Apple on Monday announced the release of security updates for iOS and macOS to resolve over 100 vulnerabilities. iOS 26.1 and iPadOS 26.1 were rolled out with patches for 56 security defects, including 19 issues that affect the WebKit browser engine. Successful exploitation of the flaws, Apple notes in its advisory, could allow websites to exfiltrate data cross-origin, could lead to unexpected process crashes and memory corruption, and could allow applications to monitor keystrokes."
        https://www.securityweek.com/apple-patches-19-webkit-vulnerabilities/
        https://thehackernews.com/2025/11/googles-ai-big-sleep-finds-5-new.html
        https://securityaffairs.com/184184/security/google-big-sleep-found-five-vulnerabilities-in-safari.html
        https://cyberscoop.com/apple-security-update-november-2025/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
        CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Fuji Electric Monitouch V-SFT-6
        "Successful exploitation of these vulnerabilities could crash the accessed device; a buffer overflow condition may allow remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01
      • Exploiting Trust In Collaboration: Microsoft Teams Vulnerabilities Uncovered
        "Trust alone isn’t a security strategy. That’s the key lesson from new research by Check Point Research, which uncovered multiple vulnerabilities in Microsoft Teams that could allow attackers to impersonate executives, manipulate messages, and spoof notifications. With more than 320 million monthly active users, Microsoft Teams has become the backbone of modern workplace communication. From boardroom meetings to quick one-to-one chats, it powers the daily interactions of enterprises, small businesses, and governments worldwide. But Check Point Research’s latest findings show how attackers can twist the very trust mechanisms that make Teams effective, turning collaboration into an attack vector."
        https://blog.checkpoint.com/research/exploiting-trust-in-collaboration-microsoft-teams-vulnerabilities-uncovered/
        https://thehackernews.com/2025/11/microsoft-teams-bugs-let-attackers.html
        https://www.theregister.com/2025/11/04/microsoft_teams_bugs_could_let/
      • TruffleHog, Fade In And BSAFE Crypto-C Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Dell BSAFE, two in Fade In screenwriting software, and one in Trufflehog. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/trufflehog-fade-in-and-bsafe-crypto-c-vulnerabilities/
      • Zscaler Discovers Vulnerability In Keras Models Allowing Arbitrary File Access And SSRF (CVE-2025-12058)
        "Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. Through responsible disclosure and ongoing research, Zscaler helps enterprises stay protected from emerging AI threats with a Zero Trust approach."
        https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerability-keras-models-allowing-arbitrary-file-access

      Malware

      • Curly COMrades: Evasion And Persistence Via Hidden Hyper-V Virtual Machines
        "This investigation, conducted with support from the Georgian CERT functioning under the Operative-Technical Agency of Georgia, uncovered new tools and techniques used by the Curly COMrades threat actor. They established covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on compromised Windows 10 machines to create a hidden remote operating environment. We first documented the Curly COMrades threat actor, operating to support Russian interests in geopolitical hotbeds, in August 2025. Since that initial discovery, subsequent forensics and incident response efforts have revealed critical new tools and techniques."
        https://businessinsights.bitdefender.com/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines
        https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/
        https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows
        https://www.theregister.com/2025/11/04/russian_spies_pack_custom_malware/
      • Inside The Rise Of AI-Powered Pharmaceutical Scams
        "Over the past few months, we identified an emerging online threat that combines fraud, social engineering, and genuine health risks. Scammers are now impersonating licensed physicians and medical clinics to promote counterfeit or unsafe medications, frequently leveraging AI and deepfake technology to generate convincing fake photos, videos, and endorsements. The stakes extend beyond financial theft. Victims are persuaded to purchase and consume unapproved or potentially dangerous substances marketed as legitimate prescriptions. This convergence of digital deception and physical harm makes the threat particularly insidious – Criminals exploit the trust inherent in healthcare relationships to generate revenue while amplifying their reach through fraudulent social proof."
        https://blog.checkpoint.com/healthcare/inside-the-rise-of-ai-powered-pharmaceutical-scams/
      • Scattered LAPSUS$ Hunters: Anatomy Of a Federated Cybercriminal Brand
        "Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS). The collective comprises Scattered Spider, ShinyHunters, and LAPSUS$. The group heavily uses a public encryption communication service as its primary operating base and allows its EaaS affiliates to use the member’s very well-known names to create fear, which it claims will generate a higher financial return."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/
        https://thehackernews.com/2025/11/a-cybercrime-merger-like-no-other.html
        https://www.infosecurity-magazine.com/news/scattered-spider-shinyhunters/
      • The DragonForce Cartel: Scattered Spider At The Gate
        "Acronis Threat Research Unit (TRU) analyzed recent activity linked to the DragonForce ransomware group and identified a new malware variant in the wild. The latest sample uses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security software, terminate protected processes and correct encryption flaws previously associated with Akira ransomware. The updated encryption scheme addresses weaknesses publicly detailed in a Habr article cited on DragonForce’s leak site."
        https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
        https://www.infosecurity-magazine.com/news/dragonforce-cartel-conti-derived/
      • LABScon25 Replay | LLM-Enabled Malware In The Wild
        "This presentation explores the emerging threat of LLM-enabled malware, where adversaries embed Large Language Model capabilities directly into malicious payloads. Unlike traditional malware, these threats generate malicious code at runtime rather than embedding it statically, creating significant detection challenges for security teams. SentinelLABS’ Alex Delamotte and Gabriel Bernadett-Shapiro present their team’s research on how LLMs are weaponized in the wild, distinguishing between various adversarial uses, from AI-themed lures to genuine LLM-embedded malware. The research focused on malware that leverages LLM capabilities as a core operational component, exemplified by notable cases like PromptLock ransomware and APT28’s LameHug/PROMPTSTEAL campaigns."
        https://www.sentinelone.com/labs/labscon25-replay-llm-enabled-malware-in-the-wild/

      Breaches/Hacks/Leaks

      • Apache OpenOffice Disputes Data Breach Claims By Ransomware Gang
        "The Apache Software Foundation disputes claims that its OpenOffice project suffered an Akira ransomware attack, after the threat actors claimed to have stolen 23 GB of corporate documents. Apache OpenOffice is a free, open-source office suite that includes word processing, spreadsheets, presentations, graphics, and database tools. It's compatible with major file formats, such as Word and Excel, and runs on multiple operating systems. On October 30th, the Akira ransomware gang claimed it had breached Apache OpenOffice and stolen 23 GB of data, including employee and financial information, as well as internal files."
        https://www.bleepingcomputer.com/news/security/apache-openoffice-disputes-data-breach-claims-by-ransomware-gang/
      • Data Breach At Major Swedish Software Supplier Impacts 1.5 Million
        "The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people. Miljödata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company disclosed the incident on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin to not leak it. The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås."
        https://www.bleepingcomputer.com/news/security/data-breach-at-major-swedish-software-supplier-impacts-15-million/
      • Media Giant Nikkei Reports Data Breach Impacting 17,000 People
        "Japanese publishing giant Nikkei announced earlier today that its Slack messaging platform had been compromised, exposing the personal information of over 17,000 employees and business partners. Nikkei is one of the largest media corporations worldwide, owns the Financial Times and The Nikkei, the world's largest financial newspaper. It has approximately 3.7 million digital paid subscriptions, as well as over 40 affiliated companies involved in publishing, broadcasting, events, database services, and the index business."
        https://www.bleepingcomputer.com/news/security/media-giant-nikkei-reports-data-breach-impacting-17-000-people/
      • Polish Loan Platform Hacked; Mobile Payment System And Other Businesses Disrupted
        "Polish authorities are investigating a series of cyberattacks that disrupted digital services and exposed personal data from several major companies, including a leading online lender and the country’s top mobile payment system. Digital Affairs Minister Krzysztof Gawkowski said cyberattacks targeting Poland’s public and private infrastructure are becoming “commonplace.” “We’re seeing thousands of incidents reported daily,” he added."
        https://therecord.media/poland-hacks-loan-platform-mobile-payments-system-travel-agency

      General News

      • How Nations Build And Defend Their Cyberspace Capabilities
        "In this Help Net Security interview, Dr. Bernhards Blumbergs, Lead Cyber Security Expert at CERT.LV, discusses how cyberspace has become an integral part of national and military operations. He explains how countries develop capabilities to act and defend in this domain, often in coordination with activities in other areas of conflict. Dr. Blumbergs also explains that, despite progress in forensics and AI, identifying who is responsible for cyberspace operations remains difficult and often uncertain."
        https://www.helpnetsecurity.com/2025/11/04/bernhards-blumbergs-cert-lv-cyberspace-operations-attribution/
      • Cybercriminals Have Built a Business On YouTube’s Blind Spots
        "The days when YouTube was just a place for funny clips and music videos are behind us. With 2.53 billion active users, it has become a space where entertainment, information, and deception coexist. Alongside everyday videos, the site has seen more scams, deepfakes, and promotions hiding harmful links behind familiar logos. Malware found in tutorials, hijacked creator accounts, and fraudulent investment content have become recurring issues."
        https://www.helpnetsecurity.com/2025/11/04/youtube-video-scams-cybercrime/
        https://www.arxiv.org/abs/2509.23418
      • Financial Services Can’t Shake Security Debt
        "In financial services, application security risk is becoming a long game. Fewer flaws appear in new code, but old ones linger longer, creating a kind of software “interest” that keeps growing, according to Veracode’s 2025 State of Software Security report. Researchers analyzed data from more than 1.3 million applications and 126 million security findings. Financial institutions perform better than average at preventing severe vulnerabilities, but they are slower to fix them and carry more long-term security debt than most other sectors."
        https://www.helpnetsecurity.com/2025/11/04/veracode-financial-services-security-debt/
        https://www.veracode.com/resources/analyst-reports/state-of-software-security-2025/
      • Decisive Actions Against Cryptocurrency Scammers Earning Over EUR 600 Million
        "Nine people suspected of money laundering have been arrested during a synchronised operation that took place in three countries at the same time. The suspects set up a cryptocurrency money laundering network that scammed victims out of over EUR 600 million. Eurojust, the EU’s judicial cooperation hub, ensured that French, Belgian, Cypriot, German and Spanish authorities worked together to take the network down."
        https://www.eurojust.europa.eu/news/decisive-actions-against-cryptocurrency-scammers-earning-over-eur-600-million
        https://www.bleepingcomputer.com/news/security/european-police-dismantles-600-million-crypto-investment-fraud-ring/
        https://therecord.media/9-arrested-europe-crypto-platform-takedown
        https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html
        https://www.infosecurity-magazine.com/news/french-police-seize-16m-euros/
        https://www.helpnetsecurity.com/2025/11/04/europe-crypto-scam-arrests/
      • Treasury Sanctions DPRK Bankers And Institutions Involved In Laundering Cybercrime Proceeds And IT Worker Funds
        "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight individuals and two entities for their role in laundering funds derived from a variety of illicit Democratic People’s Republic of Korea (DPRK) schemes, including cybercrime and information technology (IT) worker fraud. “North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security. Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.”"
        https://home.treasury.gov/news/press-releases/sb0302
        https://therecord.media/north-korea-us-sanctions-it-worker-scams-cybercrime
        https://cyberscoop.com/north-korean-companies-people-sanctioned-for-money-laundering-from-cybercrime-it-worker-schemes/
      • Software Supply Chain Attacks Surge To Record High In October 2025
        "Software supply chain attacks hit a new record in October that was more than 30% higher than the previous record set in April 2025. Cyble’s data – based on attacks claimed by threat actors on dark web data leak sites – shows that threat actors claimed 41 supply chain attacks in October, 10 more than the previous high seen in April. Supply chain attacks have remained elevated since April, averaging more than 28 a month since then, a rate that is more than twice as high as the 13 attacks per month seen between early 2024 and March 2025 (chart below)."
        https://cyble.com/blog/record-surge-in-software-supply-chain-attacks/
      • CISO Predictions For 2026
        "At the end of every year, Fortinet publishes the Global Threat Landscape Report, which details the year’s activity and makes cybersecurity predictions for the coming year. This year will be no different. However, as part of our CISO Collective, we have also inaugurated an annual CISO Predictions Report for 2026 this year. Here is a selection of issues we expect CISOs to be dealing with in 2026 and beyond."
        https://www.fortinet.com/blog/ciso-collective/ciso-predictions-for-2026
      • 2025 INSIDER RISK REPORT – The Shift To Predictive Whole-Person Insider Risk Management
        "The new 2025 Insider Risk Report [download], produced by Cybersecurity Insiders in collaboration with Cogility, highlights that nearly all security leaders (93%) say insider threats are as difficult or harder to detect than external cyberattacks. Yet only 23% express strong confidence in stopping them before serious damage occurs. The report warns that most organizations remain reactive despite a surge in AI-driven risks and the increasing prevalence of decentralized workforces."
        https://www.cybersecurity-insiders.com/2025-insider-risk-report-the-shift-to-predictive-whole-person-insider-risk-management/
      • Malicious Android Apps On Google Play Downloaded 42 Million Times
        "Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler. During the same period, the company observed a 67% year-over-year growth in malware targeting mobile devices, with spyware and banking trojans being a prevalent risk. Telemetry data shows that threat actors are shifting from traditional card fraud to exploiting mobile payments using phishing, smishing, SIM-swapping, and payment scams."
        https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-google-play-downloaded-42-million-times/
      • Preparing For Threats To Come: Cybersecurity Forecast 2026
        "Every November, we make it our mission to equip organizations with the knowledge needed to stay ahead of threats we anticipate in the coming year. The Cybersecurity Forecast 2026 report, released today, provides comprehensive insights to help security leaders and teams prepare for those challenges. This report does not contain "crystal ball" predictions. Instead, our forecasts are built on real-world trends and data we are observing right now. The information contained in the report comes directly from Google Cloud security leaders, and dozens of experts, analysts, researchers, and responders directly on the frontlines."
        https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2026

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
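      The Curly COMrades item above describes a hidden Hyper-V guest on compromised Windows 10 hosts being used as a covert operating environment. The script below is an added hunting check, written for this page and not taken from the Bitdefender report or from any of the sources linked above; it does not encode indicators from that campaign. It asks a question a responder would want answered on any workstation where no virtual machine workload is expected: is Hyper-V enabled, is the management service or a VM worker process alive, does the Hyper-V module know of any guests, and are there virtual disk or VM configuration files sitting outside the default Hyper-V folders. The search roots, the "no VMs expected" assumption and the choice of event logs are the author's assumptions; it must be run from an elevated PowerShell session.

```powershell
# Added hunting example (not from the Bitdefender report): look for Hyper-V
# being present and in use on a Windows 10 host where no VM workload is expected.
# Run elevated. Search roots and event-log names below are assumptions for a default install.

$findings = @()

# 1. Is the Hyper-V platform enabled at all? On a normal user workstation this is
#    unusual and should be explainable by the owner or by build documentation.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "Hyper-V optional feature is enabled (State=$($feature.State))"
}

# 2. Is the Virtual Machine Management service running, and is a VM worker
#    process (vmwp.exe, one per running guest) present right now?
$vmms = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $findings += "vmms (Hyper-V Virtual Machine Management) service is running"
}
foreach ($w in (Get-Process -Name 'vmwp' -ErrorAction SilentlyContinue)) {
    $findings += "VM worker process vmwp.exe PID $($w.Id) started $($w.StartTime)"
}

# 3. Enumerate guests the Hyper-V PowerShell module knows about (module may be absent).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in (Get-VM -ErrorAction SilentlyContinue)) {
        $findings += "Registered VM '$($vm.Name)' State=$($vm.State) Path=$($vm.Path)"
    }
}

# 4. Look for virtual disks and VM configuration files outside the default
#    Hyper-V folders. A guest meant to stay unnoticed is unlikely to live in
#    the stock location. Search roots are an assumption; widen them for a real hunt.
$defaultRoots = @("$env:PUBLIC\Documents\Hyper-V", "$env:ProgramData\Microsoft\Windows\Hyper-V")
$searchRoots  = @("$env:ProgramData", "$env:USERPROFILE", "$env:SystemDrive\")
$diskFiles = Get-ChildItem -Path $searchRoots -Recurse -File -Include '*.vhd','*.vhdx','*.vmcx' -ErrorAction SilentlyContinue |
    Where-Object {
        $full = $_.FullName
        -not ($defaultRoots | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') })
    }
foreach ($f in $diskFiles) {
    $sizeMb = [math]::Round($f.Length / 1MB)
    $findings += "VM artifact outside default paths: $($f.FullName) ($sizeMb MB, modified $($f.LastWriteTime))"
}

# 5. The Hyper-V operational logs keep VM creation/start records even after a
#    guest has been deleted, so they are worth pulling even when steps 2-4 are empty.
$logNames = 'Microsoft-Windows-Hyper-V-VMMS-Admin', 'Microsoft-Windows-Hyper-V-Worker-Admin'
foreach ($log in $logNames) {
    foreach ($e in (Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue)) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings += "[$log] $($e.TimeCreated) Id=$($e.Id): $firstLine"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Hyper-V artifacts found on this host.'
} else {
    Write-Output 'Hyper-V artifacts to triage:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

      A clean result from step 3 alone proves little, because an operator can deregister a guest and keep the disk image; that is why the file search and the event logs are included. Recursing the whole system drive is slow on large disks, so in a fleet-wide hunt replace that root with the directories your EDR telemetry cannot already answer for.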
    • Hackers use RMM remote-control tools to breach transport companies and hijack cargo shipments

      Posted in Cyber Security News by NCSA_THAICERT
    • Hackers steal over $120 million in digital assets from the Balancer DeFi protocol

      Posted in Cyber Security News by NCSA_THAICERT
    • VSX extension "SleepyDuck" found carrying a trojan that uses Ethereum as a fallback command-and-control channel

      Posted in Cyber Security News by NCSA_THAICERT
    • University of Pennsylvania breached; hackers claim to have stolen more than 1.2 million donor records

      Posted in Cyber Security News by NCSA_THAICERT
    • Australian government warns of attacks on unpatched Cisco IOS XE devices at risk of the “BadCandy” webshell

      Posted in Cyber Security News by NCSA_THAICERT
    • Google confirms AI-powered Search will still carry ads, but they may not look the same

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 04 November 2025

      Energy Sector

      • Let's Get Physical: A New Convergence For Electrical Grid Security
        "US energy industry regulators and analysts are increasingly repeating the same message: Grid operators need to unify their cybersecurity and physical security strategies. Power plants and transmission/distribution system operators (TSOs and DSOs) have long focused on maintaining uptime and enhancing the resilience of their services; keeping the lights on is always the goal. That's especially true as the past few years have seen the rise of OT/OT convergence, wherein formerly siloed equipment that runs physical processes for critical infrastructure (operational technology, or OT) has been hooked up to the IT network and the Internet in some cases, exposing it to more cyberthreats. Now, another type of convergence been forcing a new conversation."
        https://www.darkreading.com/cybersecurity-operations/physical-convergence-electrical-grid-cybersecurity
      • The Race To Shore Up Europe’s Power Grids Against Cyberattacks And Sabotage
        "It was a sunny morning in late April when a massive power outage suddenly rippled across Spain, Portugal, and parts of southwestern France, leaving tens of millions of people without electricity for hours. Cities were plunged into darkness. Trains stopped and metro lines had to be evacuated. Flights were cancelled. Mobile networks and internet providers went down. Roads were gridlocked as traffic lights stopped working. It took 10 hours for power to be restored and 23 hours before the entire national grid in Spain was back up and running, with the incident being deemed the most severe blackout to have affected Europe in the last two decades."
        https://www.theregister.com/2025/11/03/europe_power_grid_security/

      Industrial Sector

      • Hackers Are Attacking Britain’s Drinking Water Suppliers
        "Hackers have launched five cyberattacks against Britain's drinking water suppliers since the beginning of last year, according to reports filed with the drinking water watchdog and partially disclosed to Recorded Future News under freedom of information laws. None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure."
        https://therecord.media/britain-water-supply-cybersecurity-incident-reports-dwi-nis

      New Tooling

      • Heisenberg: Open-Source Software Supply Chain Health Check Tool
        "Heisenberg is an open-source tool that checks the health of a software supply chain. It analyzes dependencies using data from deps.dev, Software Bills of Materials (SBOMs), and external advisories to measure package health, detect risks, and generate reports for individual dependencies or entire projects. “We wanted a practical way to catch and block risky changes before they reached the main branch,” Max Feldman, Head of Application Security at AppOmni, told Help Net Security. “The turning point was when we stopped treating SBOMs as static paperwork and started using them as live, actionable data.”"
        https://www.helpnetsecurity.com/2025/11/03/heisenberg-open-source-software-supply-chain-health-check-tool/
        https://github.com/AppOmni-Labs/heisenberg-ssc-health-check

      Vulnerabilities

      • Microsoft: Patch For WSUS Flaw Disabled Windows Server Hotpatching
        "An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices. KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies' findings, warning IT admins of the increased risk given that a PoC exploit is already available."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
      • Drawn To Danger: Windows Graphics Vulnerabilities Lead To Remote Code Execution And Memory Exposure
        "Check Point Research (CPR) identified three security vulnerabilities in the Graphics Device Interface (GDI) in Windows. We promptly reported these issues to Microsoft, and they were addressed in the Patch Tuesday updates in May, July, and August 2025. Vulnerability disclosures such as these highlight the need for proactive measures to mitigate potential risks. Our purpose in publishing this blog after security fixes were implemented is to further raise awareness of these vulnerabilities and provide Windows users with defensive insights and mitigation recommendations. In the following sections, we detail the findings of our fuzzing campaign, which targeted Windows GDI using the EMF format and led to the discovery of these security vulnerabilities."
        https://research.checkpoint.com/2025/drawn-to-danger-windows-graphics-vulnerabilities-lead-to-remote-code-execution-and-memory-exposure/
        https://www.infosecurity-magazine.com/news/gdi-flaws-enable-rce-windows/
      • Claude Pirate: Abusing Anthropic's File API For Data Exfiltration
        "Recently, Anthropic added the capability for Claude’s Code Interpreter to perform network requests. This is obviously very dangerous as we will see in this post. At a high level, this post is about a data exfiltration attack chain, where an adversary (either the model or third-party attacker via indirect prompt injection) can exfiltrate data the user has access to. The interesting part is that this is not via hyperlink rendering as we often see, but by leveraging the built-in Anthropic Claude APIs! Let’s explore."
        https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/
        https://www.securityweek.com/claude-ai-apis-can-be-abused-for-data-exfiltration/

      Malware

      • SesameOp: Novel Backdoor Uses OpenAI Assistants API For Command And Control
        "Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs."
        https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/
        https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/
      • Hacker Steals Over $120 Million From Balancer DeFi Crypto Protocol
        "The Balancer Protocol announced that hackers had targeted its v2 pools, with losses reportedly estimated to be more than $128 million. Balancer is a decentralized finance (DeFi) protocol built on the Ethereum blockchain as an automated market maker and liquidity infrastructure layer. It provides flexible pools with custom token mixes, allowing users to deposit assets, earn fees, and let traders swap assets, and it is governed by the BAL token, which had a market cap of $65 million right before the incident."
        https://www.bleepingcomputer.com/news/cryptocurrency/hacker-steals-over-120-million-from-balancer-defi-crypto-protocol/
        https://therecord.media/crypto-heist-balancer-exploit
      • SleepyDuck Malware Invades Cursor Through Open VSX
        "A new remote access trojan called SleepyDuck has appeared in the Open VSX IDE extension marketplace, the registry which code editors like Cursor and Windsurf install extensions from, squatting on the same name as another well known solidity extension. The extension juan-bianco.solidity-vlang version 0.0.7 was originally published on October 31st as a harmless extension and only later updated to version 0.0.8 on November 1st to include new malicious capabilities after 14,000 downloads. The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down."
        https://secureannex.com/blog/sleepyduck-malware/
        https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extension-on-open-vsx-backdoors-developers/
        https://thehackernews.com/2025/11/malicious-vsx-extension-sleepyduck-uses.html
      • Remote Access, Real Cargo: Cybercriminals Targeting Trucking And Logistics
        "Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain. Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics."
        https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
        https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-breach-freighters-and-steal-cargo-shipments/
        https://thehackernews.com/2025/11/cybercriminals-exploit-remote.html
        https://www.darkreading.com/identity-access-management-security/hackers-weaponize-remote-tools-hijack-cargo-freight
        https://therecord.media/cargo-theft-hackers-remote-monitoring-tools
        https://www.infosecurity-magazine.com/news/hackers-organized-crime-cargo/
        https://www.theregister.com/2025/11/03/cybercriminals_team_up_with_ocgs/
      • Cracking XLoader With AI: How Generative Models Accelerate Malware Analysis
        "XLoader has been evolving since 2020 as a successor to the FormBook malware family. It specializes in stealing information, hiding its code behind multiple encryption layers, and constantly morphing to evade antivirus tools and sandboxes. Traditional malware analysis is slow and manual—requiring experts to unpack binaries, trace functions, and build decryption scripts by hand. Even sandboxing (running malware in a controlled environment) doesn’t help much, because XLoader decrypts itself only while running and detects when it’s being monitored, keeping its real code hidden."
        https://blog.checkpoint.com/research/cracking-xloader-with-ai-how-generative-models-accelerate-malware-analysis/
      • Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan
        "This report covers the analysis and findings related to three Android application packages (APKs) assessed for malicious behavior. The objective of this assessment was to determine whether the samples exhibited any malicious functionality, assess their potential impact on mobile devices or user data, and identify indicators of compromise (IOCs) relevant to the client’s environment. Each sample was examined using static and dynamic analysis techniques. Detailed behavioral findings and technical indicators are provided in the subsequent sections of this report."
        https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/
        https://thehackernews.com/2025/11/researchers-uncover-bankbot-ynrk-and.html
        https://www.darkreading.com/vulnerabilities-threats/android-malware-mutes-alerts-drains-crypto-wallets
      • Interview With The Chollima III
        "We all picture the future in different ways, some more optimistic, others not so much. Many people wrote about it, some foretelling great inventions or warning about social problems, whilst others chose more unrealistic fiction (at least for that time), like Philip K. Dick. He wrote about “andys”, androids whose synthetic existence mimicked that of natural humans, trying to deceive observers into accepting them as such. I know for sure that many would have giggled at the idea at the time, but that future eventually caught up with us in a certain way. Today, it’s become commonplace to see AI being abused to generate deepfakes of influential people and to use them as puppets to promote scams or to video call their employees asking for gift cards or wire transfers."
        https://quetzal.bitso.com/p/interview-with-the-chollima-iii
        https://hackread.com/north-korean-hackers-video-ai-filter-fake-job-interview/
      • DPRK’s Playbook: Kimsuky’s HttpTroy And Lazarus’s New BLINDINGCAN Variant
        "In recent weeks, our Threat Labs researchers have uncovered two new toolsets that show just how adaptive the DPRK’s operations have become. Kimsuky, known for its espionage-style campaigns, deployed a new backdoor we’ve named HttpTroy, while Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool. Both attacks reveal the same underlying pattern: stealthy code and layered obfuscation. In this post, we’ll break down how these tools work, what they target and what defenders can learn from the latest moves inside the DPRK playbook."
        https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
        https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html
      • SnakeStealer: How It Preys On Personal Data – And How You Can Protect Yourself
        "Infostealers remain one of the most persistent threats on today’s threat landscape. They’re built to quietly siphon off valuable information, typically login credentials and financial and cryptocurrency details, from compromised systems and send it to adversaries. And they do so with great success. ESET researchers have tracked numerous campaigns recently where an infostealer was the final payload. Agent Tesla, Lumma Stealer, FormBook and HoudRAT continue to make the rounds in large numbers, but according to the ESET Threat Report H1 2025, one family surged ahead of the rest in the first half of this year: SnakeStealer."
        https://www.welivesecurity.com/en/malware/snakestealer-personal-data-stay-safe/
      • Operation SkyCloak: Tor Campaign Targets Military Of Russia & Belarus
        "SEQRITE Labs has identified a campaign targeting military personnel of both Russia and Belarus, especially the Russian Airborne Forces and Belarusian Special Forces. The infection chain leads to exposing multiple local services via Tor using obfs4 bridges, allowing the attacker to anonymously communicate via an onion address. In this blog, we will explore the infection chain that uses multiple stages through PowerShell, decoys used to lure the victims, and exposing SSH as a hidden service to unblock traffic for Tor while maintaining persistence."
        https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
      • Tycoon 2FA Phishing Kit Analysis
        "The Tycoon 2FA phishing kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that emerged in August 2023, designed to bypass two-factor authentication (2FA) and multi-factor authentication (MFA) protections, primarily targeting Microsoft 365 and Gmail accounts. Utilizing an Adversary-in-the-Middle (AiTM) approach, it employs a reverse proxy server to host deceptive phishing pages that mimic legitimate login interfaces, capturing user credentials and session cookies in real-time. According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year."
        https://www.cybereason.com/blog/tycoon-phishing-kit-analysis

      Breaches/Hacks/Leaks

      • Data Theft Hits Behavioral Health Network In 3 States
        "A Florida-based firm that operates in-patient mental health and addiction recovery treatment facilities in three states is notifying more than 92,000 patients that their personal and sensitive health information may have been compromised in a data theft hack discovered in June. Oglethorpe Inc., which on Friday reported the data security incident to the Maine attorney general, on its website describes itself as a provider of management solutions for health centers, wellness clinics and hospitals that specialize in psychiatric services, drug and alcohol detoxification and rehabilitation, eating disorder therapy and behavioral health counseling."
        https://www.bankinfosecurity.com/data-theft-hits-behavioral-health-network-in-3-states-a-29920
      • Japanese Retailer Askul Confirms Data Leak After Cyberattack Claimed By Russia-Linked Group
        "Japanese office and household goods retailer Askul confirmed that customer and supplier data was leaked following a ransomware attack earlier in October, which disrupted operations across its e-commerce platforms. The company said the breach exposed contact information and inquiry details from users of its online stores — Askul, Lohaco and Soloel Arena — as well as supplier data stored on its internal servers. “We sincerely apologize for the inconvenience and concern caused to our customers, business partners, and other related parties,” Askul said in a statement on Friday."
        https://therecord.media/askul-confirms-data-breach-ransomware-incident

      General News

      • Securing Real-Time Payments Without Slowing Them Down
        "In this Help Net Security interview, Arun Singh, CISO at Tyro, discusses what it takes to secure real-time payments without slowing them down. He explains how analytics, authentication, and better industry cooperation can help stay ahead of fraud. Singh also touches on how digital identity and accountability are transforming how trust is built in payments."
        https://www.helpnetsecurity.com/2025/11/03/arun-singh-tyro-securing-real-time-payments/
      • Employees Keep Finding New Ways Around Company Access Controls
        "AI, SaaS, and personal devices are changing how people get work done, but the tools that protect company systems have not kept up, according to 1Password. Tools like SSO, MDM, and IAM no longer align with how employees and AI agents access data. The result is what researchers call the “access-trust gap,” a growing distance between what organizations think they can control and how employees and AI systems access company data. The survey tracks four areas where this gap is widening: AI governance, SaaS and shadow IT, credentials, and endpoint security. Each shows the same pattern of rapid adoption and limited oversight."
        https://www.helpnetsecurity.com/2025/11/03/1password-access-trust-gap-report/
      • US Cybersecurity Experts Indicted For BlackCat Ransomware Attacks
        "Three former employees of cybersecurity incident response companies DigitalMint and Sygnia have been indicted for allegedly hacking the networks of five U.S. companies in BlackCat (ALPHV) ransomware attacks between May 2023 and November 2023. 28-year-old Kevin Tyler Martin of Roanoke, Texas (who pleaded not guilty), 33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and an unnamed accomplice face charges of conspiracy to interfere with interstate commerce by extortion, and intentional damage to protected computers. If convicted, the defendants could face up to 20 years in prison for extortion and 10 years for damage to computer systems."
        https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-indicted-for-blackcat-ransomware-attacks/
        https://cyberscoop.com/incident-response-ransomware-professionals-charged-attacks/
        https://www.theregister.com/2025/11/03/rogue_ransomware_negotiators/
      • Nation-State, Cyber And Hacktivist Threats Pummel Europe
        "Cyberattacks targeting European organizations shape and are shaped by geopolitical events, whether they involve nation-state hackers, financially motivated cybercriminals or opportunistic hacktivists. Many attacks stem from Russia's invasion of Ukraine in February 2022, lately including coordinated operations with North Korea, says cybersecurity firm CrowdStrike in an assessment of continental cyberthreats over a 21-month period from January 2024 through September."
        https://www.bankinfosecurity.com/nation-state-cyber-hacktivist-threats-pummel-europe-a-29914
        https://www.crowdstrike.com/en-us/resources/reports/2025-european-threat-landscape-report/
        https://www.infosecurity-magazine.com/news/leak-site-ransomware-victims-spike/
      • A New Way To Think About Zero Trust For Workloads
        "Static credentials have been a weak point in cloud security for years. A new paper by researchers from SentinelOne takes direct aim at that issue with a practical model for authenticating workloads without long-lived secrets. Instead of relying on static keys, the team proposes using temporary, verifiable tokens that expire within minutes."
        https://www.helpnetsecurity.com/2025/11/03/research-zero-trust-workload-authentication/
        https://arxiv.org/pdf/2510.16067
      • Alleged Jabber Zeus Coder ‘MrICQ’ In U.S. Custody
        "A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”"
        https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-custody/
        https://securityaffairs.com/184158/cyber-crime/jabber-zeus-developer-mricq-extradited-to-us-from-italy.html
        https://www.securityweek.com/ukrainian-extradited-to-us-faces-charges-in-jabber-zeus-cybercrime-case/
      • How Software Development Teams Can Securely And Ethically Deploy AI Tools
        "At this point, artificial intelligence (AI)/large language models (LLMs) have emerged as a superpower of sorts for software developers, enabling them to work faster and more prolifically. But teams deploying these tech tools should keep in mind that – regardless of the supersized boost in capabilities – human oversight must take the lead when it comes to security accountability."
        https://www.securityweek.com/how-software-development-teams-can-securely-and-ethically-deploy-ai-tools/
      • CISO Burnout – Epidemic, Endemic, Or Simply Inevitable?
        "CISO burnout is increasing. Are we simply more aware of the condition? Or have demands on the CISO grown and burnout is now the inevitable result? In 2019, burnout was defined by the World Health Organization as an occupational phenomenon rather than a medical condition. In 2025, this non-medical condition, initially given the same symptoms as a bad headache (exhaustion, negativism, and reduced efficacy) has become endemic within cybersecurity, affecting team members and CISOs alike."
        https://www.securityweek.com/ciso-burnout-epidemic-endemic-or-simply-inevitable/

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
    • Cyber Threat Intelligence 03 November 2025

      Industrial Sector

      • Hacktivist Attacks On Critical Infrastructure Surge: Cyble Report
        "Hacktivist attacks on critical infrastructure grew throughout the third quarter of 2025, and by September, accounted for 25% of all hacktivist attacks. If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025. Cyble’s assessment of the hacktivism threat landscape in the third quarter of 2025 found that while DDoS attacks and website defacements continue to comprise a majority of hacktivist activity, their share continues to decline, as ideologically-motivated threat groups expand their focus to include ICS attacks, data breaches, unauthorized access, and even ransomware."
        https://cyble.com/blog/hacktivist-attacks-critical-infrastructure-q3-2025/
      • Japan Issues OT Security Guidance For Semiconductor Factories
        "Japan’s Ministry of Economy, Trade and Industry has published new operational technology (OT) security guidance for semiconductor factories. The 130-page document is available in both Japanese and English. While the guidance is aimed at semiconductor device makers in Japan, it may be useful to organizations worldwide, particularly as it leverages not only Japan’s Cyber/Physical Security Framework (CPSF) but also internationally used frameworks such as the NIST Cybersecurity Framework (CSF) 2.0. It’s worth noting that in the United States NIST is also working on a CSF 2.0 variant that is specifically aimed at semiconductor manufacturing."
        https://www.securityweek.com/japan-issues-ot-security-guidance-for-semiconductor-factories/
        https://www.meti.go.jp/policy/netsecurity/wg1/semiconductor_systems_guideline_ver1.0_eng.pdf
        https://www.meti.go.jp/policy/netsecurity/wg1/semiconductor_systems_guideline_gaiyou_eng.pdf

      Vulnerabilities

      • Update Chrome Now: 20 Security Fixes Just Landed
        "Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript. Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update. These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise."
        https://www.malwarebytes.com/blog/news/2025/10/update-chrome-now-20-security-fixes-just-landed
      • CISA: High-Severity Linux Flaw Now Exploited By Ransomware Gangs
        "CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks. While the vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the netfilter: nf_tables kernel component and was fixed via a commit submitted in January 2024, it was first introduced by a decade-old commit in February 2014. Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices."
        https://www.bleepingcomputer.com/news/security/cisa-linux-privilege-escalation-flaw-now-exploited-in-ransomware-attacks/
        https://securityaffairs.com/184076/security/old-linux-kernel-flaw-cve-2024-1086-resurfaces-in-ransomware-attacks.html
      • An 18-Year-Old Codebase Left Smart Buildings Wide Open
        "When security researcher Gjoko Krstic finally came up for air from his research, he hadn't slept for a week. "I was dizzy. I couldn't stop finding new bugs," he says. "That’s why I called [this research] Project Brainfog." The name stuck — fitting for a research effort that uncovered more than 800 vulnerabilities, many of them zero-day, across building automation systems operating in over 30 countries and 220 cities worldwide. These aren't theoretical flaws: they affect real-world infrastructure — everything from hospitals and high schools to airports, stadiums, and government buildings."
        https://www.darkreading.com/vulnerabilities-threats/18-year-old-codebase-left-smart-buildings-wide-open

      Malware

      • Don’t Take BADCANDY From Strangers – How Your Devices Could Be Implanted And What To Do About It
        "Cyber actors are installing an implant dubbed ‘BADCANDY’ on Cisco IOS XE devices that are vulnerable to CVE-2023-20198. Variations of the BADCANDY implant have been observed since October 2023, with renewed activity notable throughout 2024 and 2025. BADCANDY is a low equity Lua-based web shell, and cyber actors have typically applied a non-persistent patch post-compromise to mask the device’s vulnerability status in relation to CVE-2023-20198. In these instances, the presence of the BADCANDY implant indicates compromise of the Cisco IOS XE device, via CVE-2023-20198."
        https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
        https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/
        https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html
        https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html
      • Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor To Defense Sector
        "In October 2025, Cyble Research and Intelligence Labs (CRIL) identified malware that distributed a weaponized ZIP archive masquerading as a military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf). Notably, the attack utilized a Belarusian military lure document targeting Special Operations Command personnel specializing in UAV/Drone operations, suggesting intelligence collection operations focused on regional military capabilities."
        https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
      • Cloud Abuse At Scale
        "Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments. In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they’ve obtained valid AWS access keys."
        https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale
      • Detecting The NPM Supply Chain Compromise Before It Spread
        "Most major supply chain attacks start with a single compromised account — often through one well-crafted phishing email. In the NPM ecosystem, where developers routinely exchange code and credentials, one successful compromise can cascade into thousands of vulnerable applications. In this article, we analyze a simulated supply chain compromise targeting NPM developers and show how Group-IB’s Business Email Protection (BEP) could have detected the very first phishing message that triggered the incident. By flagging anomalies in sender behavior, domain spoofing, and malicious attachments, BEP would have stopped the attacker before they ever reached the developer’s inbox — cutting off the infection chain before it began."
        https://www.group-ib.com/blog/detect-npm-supply-chain-attack/
      • BRONZE BUTLER Exploits Japanese Asset Management Software Vulnerability
        "In mid-2025, Counter Threat Unit™ (CTU) researchers observed a sophisticated BRONZE BUTLER campaign that exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to steal confidential information. The Chinese state-sponsored BRONZE BUTLER threat group (also known as Tick) has been active since 2010 and previously exploited a zero-day vulnerability in Japanese asset management product SKYSEA Client View in 2016. JPCERT/CC published a notice about the LANSCOPE issue on October 22, 2025."
        https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/
        https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html
        https://www.bleepingcomputer.com/news/security/china-linked-hackers-exploited-lanscope-flaw-as-a-zero-day-in-attacks/
      • When AI Agents Go Rogue: Agent Session Smuggling Attack In A2A Systems
        "We discovered a new attack technique, which we call agent session smuggling. This technique allows a malicious AI agent to exploit an established cross-agent communication session to send covert instructions to a victim agent. Here, we discuss the issues that can arise in a communication session using the Agent2Agent (A2A) protocol, which is a popular option for managing the connections between agents. The A2A protocol’s stateful behavior lets agents remember recent interactions and maintain coherent conversations. This attack exploits this property to inject malicious instructions into a conversation, hiding them among otherwise benign client requests and server responses."
        https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/
      • Chinese Hackers Scanning, Exploiting Cisco ASA Firewalls Used By Governments Worldwide
        "China-based hackers are scanning for and exploiting a popular line of Cisco firewalls used by governments in the U.S., Europe and Asia. Incident responders from Palo Alto Networks’ Unit 42 have been tracking the targeting of Cisco Adaptive Security Appliances (ASA) — popular devices used by governments and large businesses to consolidate several different security tasks into a single appliance. In addition to acting as firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more. In a report shared with Recorded Future News, Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849 — a China-based threat group that Cisco previously said has been attacking the tools since 2024."
        https://therecord.media/chinese-hackers-scan-exploit-firewalls-government

      Breaches/Hacks/Leaks

      • ‘We Got Hacked’ Emails Threaten To Leak University Of Pennsylvania Data
        "The University of Pennsylvania suffered a cybersecurity incident on Friday, where students and alumni received a series of offensive emails from various University email addresses, claiming that data was stolen in a breach. The emails have a subject line of "We got hacked (Action Required)" and claim that data was stolen during an alleged breach, also calling out the University over its security practices and admission policies. "The University of Pennsylvania is a dog**** elitist institution full of woke retards. We have terrible security practices and are completely unmeritocratic," reads the email seen by BleepingComputer."
        https://www.bleepingcomputer.com/news/security/offensive-we-got-hacked-emails-sent-in-penn-security-incident/
        https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/
        https://therecord.media/upenn-hacker-email-affirmative
      • Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery
        "Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace. The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft's VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain."
        https://thehackernews.com/2025/10/eclipse-foundation-revokes-leaked-open.html
        https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/
        https://www.securityweek.com/open-vsx-downplays-impact-from-glassworm-campaign/

      General News

      • Alleged Meduza Stealer Malware Admins Arrested After Hacking Russian Org
        "The Russian authorities have arrested three individuals in Moscow who are believed to be the creators and operators of the Meduza Stealer information-stealing malware. The action was announced on Telegram by Irina Volk, a police general and official from the Russian Ministry of Internal Affairs. "A group of hackers who created the infamous 'Meduza' virus have been detained by my colleagues from the Department for Combating Cybercrime (UBK) of the Russian Ministry of Internal Affairs, together with police officers from the Astrakhan region," stated Volk."
        https://www.bleepingcomputer.com/news/security/alleged-meduza-stealer-malware-admins-arrested-after-hacking-russian-org/
        https://therecord.media/meduza-stealer-malware-suspected-developers-arrested-russia
        https://www.bankinfosecurity.com/russian-police-bust-suspected-meduza-infostealer-developers-a-29901
        https://hackread.com/russia-arrests-meduza-stealer-developers/
        https://www.theregister.com/2025/10/31/russia_arrests_three_meduza_cyber_suspects/
      • Ukrainian National Extradited From Ireland In Connection With Conti Ransomware
        "Following his extradition from Ireland, a Ukrainian man had his initial appearance today in the Middle District of Tennessee on a 2023 indictment charging him with conspiracy to deploy Conti, a ransomware variant that infected victim computers and networks, encrypting their data. According to court documents, from in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data. Court filings allege the conspirators hacked into victims’ computer networks, encrypted their data, and demanded a ransom to restore the victims’ access to their files and avoid public disclosure of the hacked information. The conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims in the Middle District of Tennessee, and published information stolen from a third victim in that District."
        https://www.justice.gov/opa/pr/ukrainian-national-extradited-ireland-connection-conti-ransomware
        https://www.bleepingcomputer.com/news/security/ukrainian-extradited-from-ireland-on-conti-ransomware-charges/
        https://therecord.media/alleged-conti-ransomware-affiliate-extradited-ireland-tennessee
        https://cyberscoop.com/ukrainian-oleksii-lytvynenko-conti-ransomware-extradited/
        https://hackread.com/ukraine-conti-ransomware-extradite-us-ireland/
        https://www.securityweek.com/ukrainian-man-extradited-from-ireland-to-us-over-conti-ransomware-charges/
        https://securityaffairs.com/184106/security/ukrainian-extradited-to-us-over-conti-ransomware-involvement.html
      • Arizona Leader Of Violent Extremist Network ‘764’ Charged With Running a Child Exploitation Enterprise, Supporting Terrorists, Producing And Distributing Child Pornography, And Other Crimes
        "A federal grand jury in the District of Arizona has returned a 29-count superseding indictment against Baron Cain Martin, known online as “Convict” (among other monikers), 21, of Tucson, Arizona. The superseding indictment charges Martin with participating in a child exploitation enterprise, conspiring to provide material support to terrorists, conspiring to kill, kidnap or maim persons in a foreign country, producing child pornography (five counts), distributing child pornography (11 counts), coercing and enticing minors to engage in sexual activity (three counts), cyberstalking (three counts), animal crushing and distribution of animal crush videos, and conspiracy to commit wire fraud. Martin has been in federal custody since his arrest on federal charges on December 11, 2024."
        https://www.justice.gov/opa/pr/arizona-leader-violent-extremist-network-764-charged-running-child-exploitation-enterprise
        https://cyberscoop.com/baron-cain-martin-764-leader-arrested-charged/
      • Dark Reading Confidential: Cyber's Role In The Rapid Rise Of Digital Authoritarianism
        "Hello and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. Today, we are thrilled to welcome two experts right on the heels of the 10th anniversary of the discovery of the Pegasus Zero Click commercial spyware and the current ratcheting up of digital authoritarianism across the globe. We are joined by Ronald Diebert, professor of Political Science and Director of the Citizen Lab at the University of Toronto; David Green, senior staff attorney, civil liberties director at the Electronic Frontier Foundation (EFF); and we are joined by Alex Culafi, who is a reporter extraordinaire for Dark Reading and who has been covering this topic very deeply for quite some time. Welcome to all of you. Thank you for joining us."
        https://www.darkreading.com/cyber-risk/cybers-role-rapid-rise-digital-authoritarianism
      • Cloud Outages Highlight The Need For Resilient, Secure Infrastructure Recovery
"An Amazon Web Services (AWS) outage on Oct 19 caused significant disruptions to numerous websites and online services. Error messages splashed across users’ screens as they attempted to access popular sites like Amazon itself, as well as Snapchat and Disney+. The outage lasted two days, but spillover effects sprawled across industries. On Wednesday, the Microsoft Azure cloud platform and the Microsoft 365 service experienced a multi-hour outage due to what Microsoft described as "an inadvertent configuration change." The Azure outage crippled critical business applications, bringing many organizations to a standstill."
        https://www.darkreading.com/cloud-security/cloud-outages-highlight-need-resilient-secure-infrastructure-recovery
      • Zombie Projects Rise Again To Undermine Security
        "A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies who created them. From code to infrastructure to APIs, these so-called "zombie" assets continue to cause security headaches for companies, and sometimes, lead to breaches. Oracle's "obsolete" servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus' customer-identity database to the Internet are all variations of the zombies plaguing enterprises."
        https://www.darkreading.com/cyber-risk/zombie-projects-rise-again-undermine-security
      • Passwordless Adoption Moves From Hype To Habit
        "With the average person juggling more than 300 credentials and credential abuse still the top attack vector, the password’s decline is long overdue. Across every major sector, organizations are changing how users log in, and new data shows the shift is picking up speed. The 2025 Dashlane Passkey Power 20 report, based on millions of anonymized web and mobile authentications, tracks which services are leading the move to passkeys worldwide."
        https://www.helpnetsecurity.com/2025/10/31/passkey-adoption-trends-2025/
      • Keys To The Kingdom: A Defender's Guide To Privileged Account Monitoring
        "Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience. The increasing complexity of modern IT environments, exacerbated by rapid cloud migration, has led to a surge in both human and non-human identities, comprising privileged accounts and virtual systems [compute workloads such as virtual machines (VMs), containers, and serverless functions, plus their control planes], significantly expanding the overall attack surface. This environment presents escalating challenges in identity and access management, cross-platform system security, and effective staffing, making the establishment and maintenance of a robust security posture increasingly challenging."
        https://cloud.google.com/blog/topics/threat-intelligence/privileged-account-monitoring

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
• Hacker group Bronze Butler exploits a zero-day vulnerability in Lanscope Endpoint Manager to spread Gokcpdoor malware and steal data

Posted in Cyber Security News
NCSA_THAICERT
• Hacktivist group “Hezi Rash” behind more than 350 DDoS attacks in just 2 months

Posted in Cyber Security News
NCSA_THAICERT
• CISA warns: critical Linux kernel vulnerability is now being exploited by ransomware gangs

Posted in Cyber Security News
NCSA_THAICERT
• CISA releases new guidance on Microsoft Exchange Server security best practices

      On 30 October 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released new guidance on Microsoft Exchange Server security best practices to help defend against attacks by malicious actors.

      Attacks targeting Microsoft Exchange Server continue to occur. Organizations or agencies still running Exchange servers that are not properly protected, or that are misconfigured, remain at high risk of being attacked or compromised.

      The guidance document focuses on strengthening user authentication and access, enforcing strong network encryption, and minimizing application attack surfaces, in order to limit the opportunities for malicious actors to break into the system.

      CISA therefore recommends that organizations decommission end-of-life on-premises or hybrid Exchange servers once they have migrated to Microsoft 365, since keeping a "last Exchange server" can leave the organization exposed to continued attacks.

      CISA stresses that organizations should follow the Microsoft Exchange Server Best Practices guidance and decommission end-of-life Exchange systems in hybrid environments, which significantly reduces the risk from cyber threats.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-microsoft-exchange-server-security-best-practices

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases two Industrial Control Systems (ICS) advisories

      On 30 October 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released two advisories on industrial control systems (ICS) to provide timely information about security issues, vulnerabilities, and exploits affecting ICS, as follows:

      • ICSA-25-303-01 International Standards Organization ISO 15118-2
      • ICSA-25-303-02 Hitachi Energy TropOS

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/10/30/cisa-releases-two-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA adds 2 known exploited vulnerabilities to its catalog

      On 30 October 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, as follows:

      • CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
      • CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

      Vulnerabilities of this type are frequently used as attack vectors by malicious actors and pose serious risks to federal government networks.

      CISA's Binding Operational Directive BOD 22-01 established the Known Exploited Vulnerabilities (KEV) Catalog to collect CVEs that carry significant risk and are being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due date to protect their networks against these threats.

      CISA will continue to update the KEV Catalog and add new vulnerabilities on an ongoing basis, so that it covers the risks actually observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/10/30/cisa-adds-two-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 31 October 2025

      Industrial Sector

      • Hitachi Energy TropOS
        "Successful exploitation of these vulnerabilities could allow command injections and privilege escalation."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-02
      • Breaching The OT-Perimeter: Authentication Bypass In Claroty Secure Remote Access (CVE-2025-54603)
        "Remote access solutions represent one of the most critical attack vectors in OT environments. While organizations use solutions ranging from simple jump hosts to dedicated OT-aware platforms, the security of these gateways directly impacts the security of industrial components and networks. Claroty Secure Remote Access (SRA) is a premium solution specifically designed for OT environments, managing access to critical industrial assets. During a routine security assessment, Limes Security discovered CVE-2025-54603 – a critical authentication bypass vulnerability in the OpenID Connect (OIDC) implementation affecting on-premise deployments."
        https://limessecurity.com/en/breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603/
        https://www.darkreading.com/ics-ot-security/claroty-patches-authentication-bypass-flaw
      • International Standards Organization ISO 15118-2
        "Successful exploitation of this vulnerability could result in man-in-the-middle attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-01
      • “Security Researchers Are The Main Factor Motivating Automakers To Invest In Protecting Their Products”
        "Industrial system vulnerability research experts Sergey Anufrienko and Alexander Kozlov discuss threats associated with over-the-air data transmission technologies, attack vectors targeting electric vehicles specifically, the evolution of transportation systems from a cybersecurity perspective, and the role of artificial intelligence in ensuring cybersecurity."
        https://ics-cert.kaspersky.com/publications/blog/2025/10/30/security-researchers-are-the-main-factor-motivating-automakers-to-invest-in-protecting-their-products/

      Vulnerabilities

      • King Addons For Elementor <= 51.1.36 - Unauthenticated Arbitrary File Upload
        "The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 51.1.36. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
        https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/king-addons/king-addons-for-elementor-51136-unauthenticated-arbitrary-file-upload
        https://www.infosecurity-magazine.com/news/critical-flaws-elementor-king/
      • Attackers Actively Exploiting Critical Vulnerability In WP Freeio Plugin
        "On September 25th, 2025, we received a submission for a Privilege Escalation vulnerability in WP Freeio, a WordPress plugin bundled in the Freeio premium theme with more than 1,700 sales. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying user role during registration. The vendor released the patched version on October 9th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 10th, 2025. Our records indicate that attackers started exploiting the issue on the same day, on October 10th, 2025. The Wordfence Firewall has already blocked over 33,200 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-wp-freeio-plugin/
      • CVE-2025-62725: From “docker compose ps” To System Compromise
        "Docker Compose powers millions of workflows, from CI/CD runners and local development stacks to cloud workspaces and enterprise build pipelines. It’s trusted by developers as the friendly layer above Docker Engine that turns a few YAML lines into a running application. In early October 2025, while exploring Docker Compose’s new support for OCI-based Compose artifacts, I discovered a high-severity path traversal vulnerability. The flaw allowed attackers to escape Compose’s cache directory and write arbitrary files on the host system, simply by tricking a user into referencing a malicious remote artifact. The issue was patched by the Docker team and assigned CVE-2025-62725, rated High (CVSS 8.9)."
        https://www.imperva.com/blog/cve-2025-62725-from-docker-compose-ps-to-system-compromise/
        https://www.theregister.com/2025/10/30/docker_compose_desktop_flaws/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
        CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/30/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-vmware-tools-flaw-exploited-since-october-2024/
        https://securityaffairs.com/184051/hacking/u-s-cisa-adds-xwiki-platform-and-broadcom-vmware-aria-operations-and-vmware-tools-flaws-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • Case Of ActiveMQ Vulnerability Exploitation To Install Sharpire (Kinsing)
        "AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Kinsing threat actor is still distributing malware by exploiting known vulnerabilities. Since the disclosure of the CVE-2023-46604 vulnerability in ActiveMQ, the threat actor has been exploiting it to install malware on both Linux and Windows systems. [1] Aside from the well-known XMRig and Stager, the latest attack cases also involved Sharpire. Sharpire is a .NET backdoor that supports PowerShell Empire. During the process of taking control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together."
        https://asec.ahnlab.com/en/90811/
      • New Phishing Campaign Identified Targeting LinkedIn Users
        "Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) detection evasion techniques. Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools."
        https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users
        https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/
      • Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites
        "A new ideologically-motivated threat actor has emerged with growing technical capabilities: Hezi Rash. This Kurdish nationalist hacktivist group, founded in 2023, has rapidly escalated its presence through a series of distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities."
        https://blog.checkpoint.com/research/hezi-rash-rising-kurdish-hacktivist-group-targets-global-sites/
      • Dynamic Binary Instrumentation (DBI) With DynamoRio
        "Binary instrumentation involves inserting code into compiled executables to monitor, analyze, or modify their behavior — either at runtime (dynamic) or before execution (static) — without altering the original source code. Tools like DynamoRIO, Intel PIN, Valgrind, Frida, and QDBI are commonly used in the field. Static binary instrumentation (SBI) injects code before a binary runs, typically by modifying the file on disk, whereas dynamic binary instrumentation (DBI) operates in memory while the program runs. These techniques are widely used for profiling, debugging, tracing, security analysis, and reverse engineering."
        https://blog.talosintelligence.com/dynamic-binary-instrumentation-dbi-with-dynamorio/
      • LotL Attack Hides Malware In Windows Native AI Stack
        "A researcher has demonstrated that Windows' native artificial intelligence (AI) stack can serve as a vector for malware delivery. In a year where clever and complex prompt injection techniques have been growing on trees, security researcher hxr1 identified a much more traditional way of weaponizing rampant AI. In a proof-of-concept (PoC) shared exclusively with Dark Reading, he described a living-off-the-land attack (LotL) using trusted files from the Open Neural Network Exchange (ONNX) to bypass security engines."
        https://www.darkreading.com/vulnerabilities-threats/lotl-attack-malware-windows-native-ai-stack
      • All Clones Aren't Equal: Harmless ChatGPT Wrappers Vs. Malicious Fakes
        "A quick search for “ChatGPT” or “DALL·E” on a mobile app store today reveals dozens of lookalikes. Each promises “AI chat,” “image generation,” or “smart assistance.” Yet beneath these polished logos lies a troubling truth — not all clones are created equal. Some are harmless wrappers that simply connect to genuine APIs. Others are opportunistic adware disguised as AI tools. And a few conceal sophisticated spyware, capable of stealing data and surveilling users."
        https://www.appknox.com/blog/fake-ai-apps-vs-legit-clones
        https://hackread.com/spyware-chatgpt-dalle-whatsapp-apps-us-users/
      • Silent Push Unearths AdaptixC2's Ties To Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool For Malicious Payloads
        "AdaptixC2 is a new and emerging extensible post-exploitation and adversarial emulation framework designed for penetration testers. Security researchers and red teams (groups of security experts authorized to act as adversaries, performing simulated attacks against an organization to identify vulnerabilities and test defensive capabilities) frequently utilize this open-source tool, which can be downloaded for free from GitHub."
        https://www.silentpush.com/blog/adaptix-c2/
        https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.html
        https://therecord.media/open-source-adaptixc2-red-teaming-tool-russian-cybercrime
        https://www.infosecurity-magazine.com/news/adaptixc2-malicious-payload/
        https://hackread.com/russian-hackers-adaptix-pentest-ransomware/
      • Attackers Exploiting WSUS Vulnerability Drop Skuld Infostealer (CVE-2025-59287)
        "Attackers have been spotted exploiting the recently patched WSUS vulnerability (CVE-2025-59287) to deploy infostealer malware on unpatched Windows servers. Last week’s release of an emergency fix for CVE-2025-59287, a Windows Server Update Services (WSUS) remote code execution vulnerability, was almost immediately followed by reports of in-the-wild exploitation. With a PoC exploit that had been made public a few days before the fix and a patch that could be reverse-engineered, attackers had enough to create exploits of their own and start targeting unpatched internet-facing Windows Server machines with the WSUS Server role enabled."
        https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/
      • Fake PayPal Invoice From Geek Squad Is a Tech Support Scam
        "One of our employees received this suspicious email and showed it to me. Although it’s a pretty straightforward attempt to lure targets into calling the scammers, it’s worth writing up because it looks like it was sent out in bulk. Let’s look at the red flags."
        https://www.malwarebytes.com/blog/news/2025/10/fake-paypal-invoice-from-geek-squad-is-a-tech-support-scam
      • New "Brash" Exploit Crashes Chromium Browsers Instantly With a Single Malicious URL
        "A severe vulnerability disclosed in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash. "It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed," Pino said in a technical breakdown of the shortcoming."
        https://thehackernews.com/2025/10/new-brash-exploit-crashes-chromium.html
        https://github.com/jofpin/brash
        https://securityaffairs.com/184035/hacking/brush-exploit-can-cause-any-chromium-browser-to-collapse-in-15-60-seconds.html
      • UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability To Deploy PlugX Against Hungarian And Belgian Diplomatic Entities
        "Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025. The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes."
        https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
        https://therecord.media/belgium-hungary-diplomatic-entities-hacked-unc6384
        https://www.theregister.com/2025/10/30/suspected_chinese_snoops_abuse_unpatched/

      Breaches/Hacks/Leaks

      • Major Telecom Services Provider Ribbon Breached By State Hackers
        "Ribbon Communications, a provider of telecommunications services to the U.S. government and telecom companies worldwide, revealed that nation-state hackers breached its IT network as early as December 2024. Ribbon provides networking solutions and secure cloud communications services to telecommunications companies and critical infrastructure organizations worldwide. The company has over 3,100 employees in 68 global offices, and its list of customers includes the City of Los Angeles, the Los Angeles Public Library, the University of Texas at Austin, government customers (such as the U.S. Department of Defense), and telecom providers like Verizon, CenturyLink, BT, Deutsche Telekom, Softbank, and TalkTalk."
        https://www.bleepingcomputer.com/news/security/major-telecom-services-provider-ribbon-breached-by-state-hackers/
        https://hackread.com/nation-state-hack-us-telecom-ribbon-communications/
        https://www.securityweek.com/major-us-telecom-backbone-firm-hacked-by-nation-state-actors/
      • Akira Ransomware Claims It Stole 23GB From Apache OpenOffice
        "The Akira ransomware group claims to have breached Apache OpenOffice and stolen 23GB of data. Apache OpenOffice, for those unfamiliar, is a free and open-source office software suite developed by the Apache Software Foundation. It includes tools similar to Microsoft Office, serving as a free alternative available on Windows, Linux, and macOS. The suite offers Writer for word processing, Calc for spreadsheets, Impress for presentations, Draw for graphics and diagrams, Base for databases, and Math for creating mathematical formulas."
        https://hackread.com/akira-ransomware-stole-apache-openoffice-data/

      General News

      • New Guidance Released On Microsoft Exchange Server Security Best Practices
        "Today, CISA, in partnership with the National Security Agency and international cybersecurity partners, released Microsoft Exchange Server Security Best Practices, a guide to help network defenders harden on-premises Exchange servers against exploitation by malicious actors. Threat activity targeting Exchange continues to persist, and organizations with unprotected or misconfigured Exchange servers remain at high risk of compromise."
        https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-microsoft-exchange-server-security-best-practices
        https://www.cisa.gov/resources-tools/resources/microsoft-exchange-server-security-best-practices
        https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf
        https://www.bleepingcomputer.com/news/security/cisa-and-nsa-share-tips-on-securing-microsoft-exchange-servers/
        https://www.bankinfosecurity.com/cisa-issues-guidance-to-curb-microsoft-exchange-exploits-a-29892
        https://cyberscoop.com/cisa-nsa-microsoft-exchange-server-guidance/
      • The AI Trust Paradox: Why Security Teams Fear Automated Remediation
        "With the volume of threats and the complexity of the modern digital attack surface, it's no surprise that cybersecurity teams are overwhelmed. Risk has outstripped the human capacity required to remediate. As attackers embrace automation via AI, the quantity of vulnerabilities has skyrocketed, and the number of unique tools required to detect and eradicate threats and exposures in the enterprise has become untenable."
        https://www.darkreading.com/cybersecurity-operations/ai-trust-paradox-security-teams-fear-automated-remediation
      • Stolen Credentials And Valid Account Abuse Remain Integral To Financially Motivated Intrusions
        "Throughout the first half of 2025, the FortiGuard Incident Response team responded to dozens of engagements across multiple industries that we attribute broadly to financially motivated threats. Each case we investigated had unique circumstances, but several consistent themes stand out: attackers are continuing to rely on valid accounts and legitimate remote access tools instead of “implant-heavy” intrusions. Industry representation aligns closely with findings from the FortiRecon Threat Intelligence Report (H1 2025), indicating that credential exposure trends observed externally mirror those seen during FortiGuard IR engagements."
        https://www.fortinet.com/blog/threat-research/stolen-credentials-and-valid-account-abuse-remain-integral-financially-motivated-intrusions
      • How The City Of Toronto Embeds Security Across Governance And Operations
        "In this Help Net Security interview, Andree Noel, Deputy CISO at City of Toronto, discusses how the municipality strengthens its cyber defense by embedding security into strategic objectives and digital governance. She outlines the City’s approach to addressing evolving threats and modernizing legacy systems. Noel also shares how data-driven metrics guide leadership in advancing municipal cyber resilience."
        https://www.helpnetsecurity.com/2025/10/30/andree-noel-city-of-toronto-municipal-cyber-defense/
      • Proton Claims 300 Million Records Compromised So Far This Year
        "Researchers have uncovered hundreds of millions of compromised records on the dark web, linked to nearly 800 individual data breaches so far this year. The findings come from a new monitoring and reporting service launched today by email and VPN provider Proton, in partnership with Constella Intelligence. The Data Breach Observatory is built on real-time dark web monitoring which scours cybercrime sites for evidence of breached records up for sale."
        https://www.infosecurity-magazine.com/news/proton-300-million-records/
        https://www.theregister.com/2025/10/30/proton_data_breach_observatory/
      • Former US Defense Contractor Executive Admits To Selling Exploits To Russia
        "An Australian national pleaded guilty in a US court to stealing trade secrets from a US defense contractor and selling them to a Russian broker of cyber exploits, the US Department of Justice announced. While an employee of the victim company, the individual, Peter Williams, 39, stole at least eight “cyber-exploit components” of software associated with national security, which constituted trade secrets, the DoJ says. The exploits were stolen between April 2022 and June 2025, and sold to a Russian broker that provides cybersecurity exploits to various customers, including the Russian government, court documents show."
        https://www.securityweek.com/former-defense-contractor-executive-admits-to-selling-exploits-to-russia/
        https://www.infosecurity-magazine.com/news/defense-contractor-guilty-selling/
        https://securityaffairs.com/184025/security/ex-defense-contractor-exec-pleads-guilty-to-selling-cyber-exploits-to-russia.html
      • National Cyber Incident Classification Handbook
        "This handbook is intended to guide participating States of the Organization for Security and Cooperation in Europe (OSCE) and other interested parties in developing and implementing a national cyber incident classification system. After an introduction and context-setting section explaining the benefits and challenges of cyber incident classification, the handbook divides the process of setting up a national system into six steps:"
        https://www.osce.org/secretariat/600455
        https://www.osce.org/files/f/documents/e/a/600455.pdf

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT