สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
Splunk และ Palo Alto Networks ออกแพตช์แก้ไขช่องโหว่ความรุนแรงสูงโพสต์ใน Cyber Security News
-
นักวิจัยเผยช่องโหว่ใหม่ GreatXML อาจถูกใช้ข้ามการป้องกัน BitLocker ผ่าน Windows Recovery Modeโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบการโจมตีช่องโหว่ความรุนแรงสูงบนแพลตฟอร์มพัฒนา AI 'Langflow' แนะนำผู้ใช้งานอัปเดตระบบทันทีโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการ เมื่อวันที่ 11 มิถุนายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
- ICSA-26-160-01 Schneider Electric Modicon Network Managed Switches
- ICSA-26-160-02 Siemens KACO Blueplanet Inverters
- ICSA-26-160-03 Schneider Electric EcoStruxure Panel Server
- ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update F)
- ICSA-24-326-03 Schneider Electric Modicon M340, MC80, and Momentum Unity M1E & EcoStruxure (Update A)
- ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H (Update B)
- ICSA-25-254-09 Schneider Electric Modicon M340, BMXNOE0100, and BMXNOE0110 (Update A)
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 4 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 4 รายการ เมื่อวันที่ 11 มิถุนายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
- ICSA-26-162-01 Yarbo Android/iOS Mobile Application and Cloud Infrastructure
- ICSA-26-162-02 Naxclow IoT Platform
- ICSA-26-162-03 Brickcom Cameras
- ICSA-25-070-01 Schneider Electric Uni-Telway Driver (Update D)**
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 11 มิถุนายน 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/06/11/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 3 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 10 มิถุนายน 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 3 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- **CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
- CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
- CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerabilityทาง CISA**
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand -
Cyber Threat Intelligence 12 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Yarbo Android/iOS Mobile Application And Cloud Infrastructure
"Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01
Naxclow IoT Platform
"Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized access."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02 - Brickcom Cameras
"Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain unauthorized access to live video feeds, retrieve sensitive visual information from affected premises, and obtain administrative control of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03 - Segmentation Works For OT If Operators Are Paying Attention
"Separating systems to limit the damage in a cyber attack is still considered the way to secure industrial technology, but it remains a difficult goal. Segmentation only works to secure operational technology (OT) environments if operators know what threats and risks to look for, and in most cases, key concerns are overlooked. Not only does OT help power critical infrastructure sectors, but it’s increasingly converging with IT environments as well. However, security continues to lag despite its critical role across industries."
https://www.darkreading.com/cybersecurity-operations/segmentation-works-for-ot-if-operators-are-paying-attention
Vulnerabilities
- Oracle Mitigates PeopleSoft Zero-Day Exploited In Data Theft Attacks
"Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8. "This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory."
https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/ - Max Severity Ivanti Sentry Vulnerability Now Exploited In Attacks
"Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways. Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices. Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1."
https://www.bleepingcomputer.com/news/security/max-severity-ivanti-sentry-vulnerability-now-exploited-in-attacks/
https://www.darkreading.com/vulnerabilities-threats/max-severity-ivanti-sentry-flaw-exploited-24-hours
https://securityaffairs.com/193530/uncategorized/cve-2026-10520-exploited-ivanti-sentry-gateways-compromised-shortly-after-patch-release.html - Splunk, Palo Alto Networks Patch Severe Vulnerabilities
"Splunk and Palo Alto Networks on Wednesday rolled out patches for multiple vulnerabilities across their product portfolios, including critical and high-severity bugs. Palo Alto Networks drew attention to a high-severity security flaw in the Cortex XSOAR and Cortex XSIAM platforms that could allow attackers to access and modify restricted resources. Tracked as CVE-2026-0274, the issue is described as the improper validation of credentials in the CommvaultSecurityIQ integration of the affected products and does not require a special configuration to be triggered."
https://www.securityweek.com/splunk-palo-alto-networks-patch-severe-vulnerabilities/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/11/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/ - New GreatXML Exploit Bypasses Windows BitLocker Via Recovery Partition XML Files
"Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender. "This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass. I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely.""
https://thehackernews.com/2026/06/new-greatxml-exploit-bypasses-windows.html
https://deadeclipse666.blogspot.com/2026/06/greatxml-bitlocker-that-seems-to-only.html
https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
https://securityaffairs.com/193516/security/chaotic-eclipse-strikes-again-new-zero-day-unlocks-bitlocker-in-four-hours-of-research.html
https://www.theregister.com/security/2026/06/11/nightmare-eclipse-drops-claimed-bitlocker-bypass-for-microsoft-windows/5254371 - CVE-2026-30612: A Vulnerability In Time4Popcorn (PopcornTime)
"Time4Popcorn is a fork of Popcorn Time, a popular download application. This fork is also distributed under the name ‘Popcorn Time’. Since early 2025, a new project started using the PopCorn Time name and is building a legal alternative, this research does not apply to that software. The Windows, Mac and Android versions of this software, contain a vulnerable update component. The updater connects to its update servers over an insecure channel. An attacker that is able to manipulate this traffic can offer his own update. On Windows and Mac, this update occurs in the background without user interaction and will run with full privileges (NT AUTHORITY\SYSTEM or root). On Android, the user is prompted to install an attacker-supplied APK file."
https://research.eye.security/cve-2026-30612-a-vulnerability-in-time4popcorn-popcorntime/
Malware
- Threat Actors Weaponize AI Hype To Deliver AsyncRAT
"As AI adoption continues to grow, threat actors have wasted no time exploiting the trend. FortiGuard Labs recently observed a campaign delivering malicious files disguised as AI-related documents, with titles such as "AI-Ready PostgreSQL 18: Building Intelligent Data Systems" and " A Guide for Thinking Marketers in the Age of AI." These lures are designed to target users actively seeking AI-related learning resources. The attack chain behind these files is remarkably complex, using multiple staged scripts to hide activity before ultimately deploying AutoHotkey-based loaders that reflectively inject a .NET remote access trojan and AsynRAT into memory for command-and-control communication and follow-on execution."
https://www.fortinet.com/blog/threat-research/threat-actors-weaponize-ai-hype-to-deliver-asyncrat
https://www.infosecurity-magazine.com/news/fake-ai-guides-dev-tools-spread/
https://hackread.com/hackers-fake-claude-code-guide-ai-pdfs-asyncrat/ - Sniper’s Nest: From Brand Impersonation To Browser Hijacking And CPA Fraud
"During an investigation into phishing activity targeting users across the Middle East and North Africa (MENA), Group-IB analysts identified multiple fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations. These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs. Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure."
https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/
https://www.infosecurity-magazine.com/news/interpol-dismantles-sniperdz/
https://hackread.com/authorities-dismantle-sniperdz-phishing-network/ - A Fake Bug Report Hijacks Your AI Coding Agent – And Nothing Catches It.
"Tenet Threat Labs has demonstrated a new class of attack “Agentjacking” that hijacks AI coding agents into running attacker-controlled code on a developer’s machine, triggered by a single fake error report and invisible to every security control. Using only public Sentry APIs, breaching nothing, we found 2,388 organizations exposed, saw 100+ agents act on injected errors in controlled testing, with confirmed agent execution at organizations spanning from Fortune 500 enterprise down to independent developers."
https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/ - Inside OnyxC2: The New Stealer Targeting 210 Apps
"A new stealer called OnyxC2 surfaced on a cybercrime network in early 2026, sold as a complete product: a web panel, a payload builder, tiered pricing, and refunds if a build gets caught. For $250 a month, operators get a kit that harvests browser credentials, password managers, two-factor authentication (2FA), and crypto wallets across roughly 210 applications and extensions, then ships it all back over an encrypted channel."
https://www.blackfog.com/inside-onyxc2-the-new-stealer-targeting-210-apps/
https://www.securityweek.com/onyxc2-stealer-offers-cybercriminals-enterprise-grade-theft-for-250-a-month/
https://securityaffairs.com/193523/malware/onyxc2-malware-as-a-service-offers-enterprise-grade-data-theft.html - Inside The Phantom Mantis Operation
"Phantom Mantis , initially known as ArmCorp, is a financially motivated threat group active since March 2025. The group conducts intrusions for extortion and is led by a Russian-speaking criminal tracked as LARVA-368 . For about four months, Phantom Mantis operated as an affiliate group conducting double-extortion attacks, leveraging resources from various Ransomware-as-a-Service (RaaS) operations, including Tenacious Mantis (a.k.a. LockBit) and in particular Pestilent Mantis (a.k.a. Qilin)."
https://catalyst.prodaft.com/public/report/inside-the-phantom-mantis-operation/overview
https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html - OceanLotus: From External Espionage To Domestic Targeting
"Our tracking of OceanLotus activities from 2024–2026 reveals a shift in operational focus. During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company. Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling."
https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html - ShinyHunters Targets Education Sector With Oracle PeopleSoft Exploit
"Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day."
https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443
Breaches/Hacks/Leaks
- Japanese Energy Firm Loses Drive With Data Of 10.9 Million Clients
"Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects private data of more than 10 million customers. In an official announcement, the company explains that the IT staff regularly performs backups to manage server storage. Due to capacity constraints, on April 27 an external storage device was used for the task. The drive was then stored in a server room cabinet protected by multiple physical security layers. On May 26, when IT staff went to retrieve it, they found the cabinet had been left unlocked and the driver was missing."
https://www.bleepingcomputer.com/news/security/japanese-energy-firm-loses-drive-with-data-of-109-million-clients/ - Nottingham University Data Breach Affects Over 450,000 Students
"The University of Nottingham confirmed on Wednesday that a hacking group gained access to its student records system in a breach affecting both current students and alums. Nottingham University is a public research university with 7,000 staff and over 46,000 students, ranking in the Top 20 in the United Kingdom and the Top 100 worldwide. The university told BleepingComputer in an emailed statement that the incident exposed a "significant amount of data," and that the breach has been reported to the UK's Information Commissioner's Office."
https://www.bleepingcomputer.com/news/security/nottingham-university-data-breach-affects-over-450-000-students/
https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters
https://hackread.com/shinyhunters-university-of-nottingham-student-data-leak/
https://www.securityweek.com/university-of-nottingham-confirms-breach-after-hackers-leak-data/ - British High School Sends Students Home Following Cyberattack
"The majority of students at a high school in Buckinghamshire, England, were sent home for the second day in a row on Thursday after what the headteacher told parents was “a cybersecurity incident affecting our ICT systems.” Great Marlow School, which has 1,428 pupils according to the Department for Education (DfE), said it was set to remain closed while it works with specialist IT and cybersecurity professionals to resolve the issue."
https://therecord.media/british-school-sends-students-home-cyberattack - Nearly a Million Passports And Photo IDs Were Left Unprotected On The Public Internet
"Typing a few letters and numbers into my web browser, I find myself gaping at the identity documents of complete strangers. The passport of a young woman from Germany. The passport of a man from Spain with glasses resting on his head. The front and back of another man’s driver’s license, a stereotypically goofy expression on his face. They were all sitting unprotected at public URLs, with no password or access control of any sort. If I sent you a link, you could have looked at someone’s passport."
https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal
https://github.com/xn0tsa/because-i-got-high
General News
- Ransomware Gangs Cut Off From EUR 336 Million ‘AudiA6’ Crypto Laundering Pipeline
"An international law enforcement operation has dismantled one of the cryptocurrency laundering services most trusted by ransomware gangs and cybercriminal networks, cutting off a key financial pipeline used to wash hundreds of millions in illicit profits. The service, known as ‘AudiA6’, is suspected of laundering more than EUR 336 million between 2022 and 2025. Investigators believe the platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities."
https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline
https://www.bleepingcomputer.com/news/legal/authorities-dismantle-audia6-ransomware-crypto-laundering-service/ - When Your AI Agent’s Memory Becomes a Security Liability
"Check Point Research discovered how a single overlooked API in LangGraph, one of the world’s most widely used AI agent frameworks, can hand an attacker complete control of your AI infrastructure. LangGraph is not a niche tool. With close to 46.5 million downloads last month alone, it powers AI agents across thousands of production environments, from customer support automation to internal enterprise workflows. That kind of adoption means any security issue in it is worth paying close attention to."
https://blog.checkpoint.com/research/when-your-ai-agents-memory-becomes-a-security-liability/
https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/ - The Hidden Security Risks Of Poor Software Testing
"A system does not need to be attacked by an advanced hacker to fail. One overlooked flaw in the code, one outdated dependency, or one rushed release can give attackers the access they need, especially after the exploitation of AI in cybercrime. Companies can spend heavily on antivirus software, firewalls, endpoint tools, and multi-factor authentication. Those controls matter, but they cannot fully protect a product that was released with avoidable security flaws. Once vulnerable code reaches production, attackers have a real target."
https://hackread.com/the-hidden-security-risks-of-poor-software-testing/ - 9 Out Of 10 People Can No Longer Distinguish Real From AI-Generated Content
"Online fraud is becoming harder to distinguish from legitimate activity as AI-generated messages, voices, photos, reviews, and identities become more convincing. Nearly nine in ten adults say they can no longer tell what is real from AI-generated content, according to the latest Malwarebytes survey. The share increased from 66% in 2025 to 85% in 2026. The survey covered 1,500 adults aged 18 and older in the United States, the UK, Austria, Germany, and Switzerland."
https://www.helpnetsecurity.com/2026/06/11/ai-scams-deepfakes-survey/ - Threat Actors Are Recruiting The People Who Hold Cloud Logins
"Companies keep most of their data and applications in cloud platforms that anyone can reach with the right login. That setup turns each employee holding those credentials into a security variable, and members of the cybercrime underground have built methods to reach those people. Intel 471 tracked this activity into 2026 and sorted insider risk into three categories that cloud-reliant organizations contend with."
https://www.helpnetsecurity.com/2026/06/11/report-cloud-insider-threats/ - Prompt Injection Still Drives Most Agentic AI Security Failures In Production
"A backdoor sat on PyPI for three hours in March 2026. Nearly 47,000 downloads occurred during the window. The compromised package, LiteLLM, serves as the language-model gateway for CrewAI, DSPy, Microsoft GraphRAG, and dozens of other AI agent frameworks. Anyone pulling an update during that window pulled in an autonomous attack bot named hackerbot-claw along with it."
https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/ - ISC2 Research: How Enterprises Use Training To Strengthen Cybersecurity Teams
"Cybersecurity professionals face a constantly evolving landscape of threats, new technologies and changing organizational priorities. To stay on top of – and indeed ahead – of these needs, maintaining and developing relevant skills is an essential requirement. However, with many new and emerging cybersecurity skills in short supply, training and development remain among the most pressing challenges for employers and professionals alike. A new research report from ISC2, How Enterprises are Strengthening Their Cybersecurity Teams Through Training, examines how enterprise organizations (5,000+ employees) across Canada, Germany, India, Japan, the U.K. and the U.S. approach security team training."
https://www.isc2.org/Insights/2026/06/enterprise-training-trends
https://edge.sitecorecloud.io/internationf173-xmc4e73-prodbc0f-9660/media/Project/ISC2/Main/Media/Research/ISC2_Enterprise_Training_Trends_Research_Report_2026.pdf
https://www.infosecurity-magazine.com/news/cybersecurity-training-time/ - Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware Claims
"Insurance experts have urged organizations to reduce their exposure to extortion-only attacks and better manage the consequences when they occur, after revealing a surge in this category of threats. Insurer Resilience said in a new report that 65% of extortion-related claims it handled in the second half of 2025 did not involve data encryption. That’s up from 49% in the first half of the year. By the end of 2025, only 13% of attacks relied on encryption alone, while data theft – on its own or combined with encryption – accounted for 87% of ransomware claims, it noted."
https://www.infosecurity-magazine.com/news/extortion-only-attacks-surge/ - Alert Fatigue Is Becoming a Security Threat Of Its Own
"Alert fatigue and its related effects on SOC efficiency are self-evident problems. Less obvious and more complex are the cause, effect and possible solutions to these problems. SOC analysts are inundated with a huge and continuous volume of alerts generated by security tools. Each alert is often meaningless absent correlation with other alerts. But finding relationships is time-consuming, and even if found, might be irrelevant to business security. Much of the alert volume is simply noise, but attempting correlation to find true positive alerts (signals) from the huge number of false positives (noise) is difficult, boring, and often pointless."
Priority: 3 - Important
Relevance: General
https://www.securityweek.com/alert-fatigue-is-becoming-a-security-threat-of-its-own/
The Defender's Playbook For LLM-Powered Vulnerability Discovery
"My last article on how attackers will behave showed what they’ll do once LLMs flood the system with new Common Vulnerabilities and Exposures (CVEs). This essay looks at what defenders could do in response. Some moves are obvious. Others break norms and carry risk. We group by the four vendor types from that article, then list every move with its trade-offs."
https://blog.barracuda.com/2026/06/11/defenders-playbook-llm-vulnerability-discovery- Hacker Linked To Void Blizzard Faces Charges Over Cyberespionage Campaign
"A Russian national with suspected links to the Void Blizzard hacking group appeared in U.S. federal court this week on charges of supporting a Kremlin-linked cyberespionage campaign that targeted U.S. companies, according to media reports. Denis Obrezko, 36, made his initial appearance in federal court in Boston on Tuesday after being transferred to U.S. custody from Thailand, where he was arrested last November."
https://therecord.media/hacker-linked-to-void-blizzard-faces-charges
https://cyberscoop.com/russian-national-charged-void-blizzard-cyber-espionage/ - What Makes Or Breaks Cyber-Readiness For SMBs
"Cybersecurity has a familiar way of saying the storm will come: “a breach is a matter of when, not if.” While the industry’s sternest maxim has probably never been more true, it sometimes feels as though it’s also lost some of its edge over the years. Eveveryone agrees that there could be a ‘cloud on the horizon,’ but will they also hurry to draft or review their IT contingency plan or commit to a level of operational pain that their company can endure while under attack?"
https://www.welivesecurity.com/en/business-security/smb-cyber-readiness-what-makes-breaks-it/ - CrowdStrike 2026 Technology Threat Landscape Report: China’s Ambitions Fuel Attacks
"The technology sector has, for the past several years, been the most targeted industry among eCrime and state-sponsored adversaries whose motivations span financial gain, long-term intelligence collection, and industrial espionage. Modern tech companies are building the world’s most valuable and targeted assets. Their cutting-edge innovations, now including AI, represent competitive advantage and heightened risk. Adversaries are taking aim, and defenders that understand them are best equipped to stop them."
https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/ - Shadowserver Report Provides Cybersecurity Insights And Recommendations For ECOWAS Member States In West Africa
"In recent years, West African nations have experienced a rapid digital transformation that has helped spur economic growth and development. Yet, this transformation has also brought to light many institutional and operational cybersecurity deficiencies that make the region an attractive and vulnerable target of cyber threat actors. West Africa has experienced an alarming increase in cyberattacks in recent years, with cybercrime accounting for more than 30-percent of all reported crime in the region."
https://www.shadowserver.org/news/shadowserver-report-provides-cybersecurity-insights-and-recommendations-for-ecowas-member-states-in-west-africa/
https://www.shadowserver.org/wp-content/uploads/2026/06/SSF001-ECOWAS-Report-ENG-FINAL.pdf
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Yarbo Android/iOS Mobile Application And Cloud Infrastructure
-
Cyber Threat Intelligence 11 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Phoenix Contact
"ICS Patch Tuesday advisories were published this month by Siemens, Schneider Electric, and Phoenix Contact. Siemens published only four new advisories. In Sinec INS, the industrial giant fixed authenticated command execution, information disclosure, privilege escalation, and password exposure flaws. The company also addressed a DoS and potential code execution issue in Siprotec 5, and a sensitive information exposure weakness in WinCC Certificate Manager."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-phoenix-contact/ - Attacking UPS Network Cards To Take Down Data Centers
"Team82 has uncovered two serious vulnerabilities in Vertiv’s uninterruptible power supply (UPS) network cards that enable authentication bypass to the control interface of the UPS, denial of service, and potentially code execution. UPS devices come in all sizes, from units as small as a laptop to as big as a six-door closet. They serve the same purpose: keeping critical equipment running in the event of a power outage. During an outage, a UPS switches to its internal battery, preventing sudden shutdowns. Data centers, for example, rely on them to keep servers, routers, and control systems stable and protected from power spikes or drops, keeping devices online or shutting them down safely."
https://claroty.com/team82/research/attacking-ups-network-cards-to-take-down-data-centers
https://www.securityweek.com/critical-hvac-and-ups-vulnerabilities-could-let-hackers-disrupt-data-centers/
Vulnerabilities
- Ivanti: Max Severity Sentry Flaw Allows Code Execution As Root
"Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges. Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices. Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness. The second Sentry security flaw patched on Tuesday (tracked as CVE-2026-10523) is a critical authentication bypass that can be exploited remotely by unauthenticated attackers to create rogue administrative accounts and gain full administrative access."
https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/
https://nvd.nist.gov/vuln/detail/CVE-2026-10520
https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428
https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/ - Critical Vulnerabilities Patched In Fortinet, Ivanti Products
"Fortinet and Ivanti on Tuesday rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws. Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal. The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI."
https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/
https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html - Langflow - Path Traversal Arbitrary File Write Via Upload_user_file
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')."
https://www.tenable.com/security/research/tra-2026-26
https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html
https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/ - Cyera Research Uncovers Six Protobuf.js Vulnerabilities Impacting The Backbone Of Data And AI Systems
"Cyera researchers discovered and helped remediate six vulnerabilities in protobuf.js, including flaws that could lead to remote code execution (RCE) and denial-of-service (DoS) attacks. If you're wondering why this matters, that's a fair question. Most of us rarely interact directly with protobuf.js. However, it is the most widely used JavaScript runtime for Protocol Buffers, a serialization format that powers communication across millions of applications, databases, cloud-native services, and AI systems. The package alone is downloaded more than 50 million times per week, with true adoption likely far higher due to its widespread inclusion as a dependency in countless software projects."
https://www.cyera.com/blog/cyera-research-uncovers-six-protobuf-js-vulnerabilities-impacting-the-backbone-of-data-and-ai-systems
https://www.cyera.com/research/proto6-the-schema-was-not-supposed-to-run
https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html - Microsoft Patches Exchange Server Zero-Day Exploited In Attacks
"Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. This high-severity spoofing vulnerability (CVE-2026-42897) affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software and can be exploited by remote attackers with no privileges."
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/ - Microsoft Patches YellowKey, GreenPlasma, MiniPlasma Zero-Days
"On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. All three security flaws were disclosed last month by a security researcher using the "Nightmare Eclipse" handle in protest over how the Microsoft Security Response Center (MSRC) handles the disclosure process."
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/
Malware
- Expanded JDY IoT And SOHO Botnet Enables Rapid Vulnerability Exploitation
"Black Lotus Labs
recently identified a significant resurgence of the JDY botnet, a covert reconnaissance network tied to China-nexus threat activity. In this report, we examine how the botnet has expanded its footprint, diversified its device base and enabled rapid vulnerability targeting, giving defenders important insight into how modern reconnaissance supports subsequent exploitation."
https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation
https://www.bleepingcomputer.com/news/security/china-linked-jdy-botnet-expands-targeting-of-us-military-networks/
https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html
https://www.theregister.com/security/2026/06/11/china-linked-operators-revive-botnet-stir-ai-datacenter-debate/5253873 - SilabRAT, What’s Your Power?
"By this point, the security community has analyzed countless Remote Access Trojans (RATs), so one might ask: Who needs another RAT analysis? Rather than simply cataloging another piece of malware, this still provides an opportunity to shed educational light on how attacker tooling continues to evolve. While reputable RAT families remain popular among adversaries, some have begun searching for alternatives. Well-known RATs are heavily monitored, and therefore easily classified or detected by modern security solutions. As a result, attackers frequently experiment with newer, less common tools in an effort to evade detection and extend operational longevity. In this blog, we deep-dive into SilabRAT and look at some of its interesting capabilities."
https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
https://www.infosecurity-magazine.com/news/silabrat-trojan-session-hijacking/ - Phishing Attacks Leverage TikTok, Instagram Reels
"Short-form videos on social media apps are currently being leveraged by threat actors as a phishing vector, utilizing tutorial style content with the promise of free premium software to lure victims onto malicious sites. This is an important threat to be cognizant of, as the videos can trick users into directly downloading malware. In order to best defend organizations, steps can be taken to mitigate the risks associated with these videos, both in user training and technical guardrails."
https://www.reversinglabs.com/blog/social-media-attacks-phishing
https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
https://hackread.com/scammers-tiktok-instagram-reels-vidar-infostealer/
https://www.malwarebytes.com/blog/news/2026/06/free-spotify-premium-hacks-on-social-media-are-spreading-infostealers - New Browser-In-The-Browser Phishing Uses Fake Login Popups To Steal Microsoft 365 Credentials
"A new Browser-in-the-Browser (BitB) phishing campaign is targeting Microsoft 365 users with fake login popups designed to closely mimic legitimate browser authentication windows, according to Palo Alto Networks Unit 42. The attack relies on a fake browser window embedded within a webpage. Victims who click a Microsoft sign-in button are presented with what appears to be a standard authentication prompt, complete with a spoofed Microsoft OAuth URL and a login form."
https://www.helpnetsecurity.com/2026/06/10/browser-in-the-browser-phishing-microsoft-365-users/
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-08-Browser-In-The-Browser-Pishing-Campaign.txt - FIFA World Cup 2026 Scams Are Already Active: Fake Domains, Phishing Sites, And How To Stay Safe
"The FIFA World Cup 2026 kicks off on June 11, and the world’s biggest sporting event is drawing more than just fans — it is already attracting a wave of cybercriminals targeting ticket buyers, job seekers, streaming viewers, and corporate brands alike. The FBI has issued a formal Public Service Announcement warning that threat actors are creating fraudulent versions of FIFA-affiliated websites to steal personal information, conduct financial fraud, and sell fake products and services. Cyble researchers independently analyzed the domains flagged by the FBI and confirmed that many remained active and operational at the time of publishing this report."
https://cyble.com/blog/fifa-world-cup-2026-scams/
Breaches/Hacks/Leaks
- Oracle PeopleSoft Servers Hacked In ShinyHunters Data Theft Attacks
"Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration. Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances.These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang."
https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/ - Cyberattack Shuts Down Major Australian Sugar Mills, Disrupting Harvest
"A cyberattack has disrupted sugar production in one of Australia's largest cane-growing regions, forcing two major sugar mills to shut down and bringing harvesting operations to a halt. Mackay Sugar, Australia's second-largest sugar producer, said on Wednesday that it was responding to a cybersecurity incident affecting parts of its operations and had engaged cybersecurity experts and local authorities to investigate the attack and restore its systems safely."
https://therecord.media/cyberattack-shuts-down-major-australian-sugar-producer
General News
- AI Agents Are Becoming Enterprise Workers. Who Secures Them?
"A sales operations team builds an AI agent to help manage renewal requests. On the surface, the workflow looks ordinary. The agent reads inbound customer emails, checks the account record in the CRM, looks up contract terms, drafts a response, updates the opportunity stage, and creates a follow-up task. No one has set out to build a sentient machine in a basement. They are just trying to remove friction from a familiar business process. Underneath that ordinary workflow, something important has changed."
https://blog.checkpoint.com/ai-security/ai-agents-are-becoming-enterprise-workers/ - Patch Smarter, Not Harder
"Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered. Defenders are already struggling to keep up. Per Verizon’s 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year’s 38%. The median time for full resolution rose to 43 days. Defenders need greater clarity and speed to patch systems in today’s threat landscape. We must flip the script on patching prioritization: patch smarter, not harder."
https://www.cisa.gov/news-events/news/patch-smarter-not-harder
https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
https://www.darkreading.com/cyber-risk/cisa-rewrites-federal-patching-requirements-ai-threat-era
https://therecord.media/cisa-to-require-federal-agencies-to-patch-3-days
https://cyberscoop.com/cisa-vulnerability-remediation-directive-bod-26-04/ - AI Risk Worries Insurers And Businesses Alike
"The insurance industry is undergoing a major shift as businesses look to quickly adopt artificial intelligence (AI) while seeking insurance policies to manage potential risks — especially those posed by agentic AI systems that could cause significant damage before being caught by human-in-the-loop processes. The current risk is small as companies test potential ways to integrate AI into their operations. But some insurers are already taking steps to exclude AI-caused damage from their more traditional insurance policies, leaving the risk to be absorbed by cyber insurance policies or tech errors-and-omissions (E&O) coverage. Others have already created explicit policies to protect against AI risks, even if the current market for insuring against AI risk is tiny."
https://www.darkreading.com/cyber-risk/ai-risk-worries-insurers-businesses-alike - The Invisible Battlefield: How Cyberwar Is Reshaping Everyday Life
"Chris Inglis, First US National Cyber Director, Semperis Strategic Adviser: For much of my career, battlefields were tangible places, deserts, cities, mountains, and oceans you could see and touch. You could point to the terrain, define the front line, and distinguish between the fight abroad and life at home. Today, one of the most consequential battlefields of all is almost entirely invisible. It is cyberspace — ambient, persistent, and woven into nearly every part of modern life."
https://www.darkreading.com/endpoint-security/invisible-battlefield-cyber-war-reshaping-everyday-life - AI Slop Will Kill Cybersecurity Storytelling If We Let It
"One of the most valuable lessons I learned about cybersecurity storytelling came more than 20 years ago, and it didn't come from a press relations or marketing guru. It came from Rhonda Maclean, one of the industry's first female Fortune 500 CISOs (roles included Boeing, Bank of America, and Barclays) and the keynote speaker at the inaugural Executive Women's Forum conference in 2003. Given how few women were at her level at the time, I expected her talk to be about female empowerment."
https://www.darkreading.com/cyber-risk/ai-slop-kill-cybersecurity-storytelling-we-let-it
Justice Department, FBI Disable 13 Websites Backed By Suspected Chinese Agents That Sought Sensitive U.S. * Information From Security Clearance Holders
"Thirteen internet domains used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information, were seized today by federal authorities. “These domain seizures offer a glimpse at how foreign actors can use promises of easy money to lure Americans into revealing sensitive or classified information that they are duty‑bound to protect,” said Assistant Attorney General for National Security John A. Eisenberg. “Anyone approached online with offers of easy income for vague ‘consulting’ work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting.”"
https://www.justice.gov/opa/pr/justice-department-fbi-disable-13-websites-backed-suspected-chinese-agents-sought-sensitive
https://hackread.com/fbi-seizes-china-fake-consulting-sites-us-clearance/ - Every Set Of AI Guardrails Can Be Broken By The Right Prompt
"Companies that build AI systems wrap them in guardrails meant to block harmful output, including deepfakes, malware, and instructions for making biological weapons or illicit drugs. When a user prompts the system for such content, the guardrails are designed to flag the request and refuse. A new mathematical proof sets a limit on how secure those guardrails can ever be. Apostol Vassilev, a senior scientist at the National Institute of Standards and Technology, published the proof in the peer-reviewed journal IEEE Security & Privacy. It demonstrates that for any finite set of guardrails, some prompt exists that gets the AI to disregard them. Finding that prompt is the only requirement."
https://www.helpnetsecurity.com/2026/06/10/broken-ai-guardrails-research/
https://ieeexplore.ieee.org/document/11475847 - The Security In Smartphones Is Helping Send Them To Landfills
"Billions of working smartphones reach the end of their service lives each year and move into drawers, recycling streams, and waste piles. The WEEE Forum estimated that 5.3 billion mobile phones became electronic waste in 2022. Many of these devices still function. The average smartphone stays in use for about three years, and owners often replace handsets that retain enough computing power for other jobs. A team at the Université Libre de Bruxelles examined a barrier to giving those devices a second life. The barrier comes from the security hardware that protects phones during their first life. Secure boot, Trusted Execution Environments, and fused cryptographic keys guard user data and system integrity. These same mechanisms tie a device to its original maker and resist the changes that reuse requires."
https://www.helpnetsecurity.com/2026/06/10/secure-smartphone-reuse-landfills/ - Scams Now Operate Like Real Businesses With Budgets And Targets
"Social media has overtaken email as a primary attack vector, showing changes in how people consume information and interact online, according to Bitdefender’s Global Scam Intelligence Report 2026. Fraud campaigns use advertisements, sponsored content, impersonation pages, and direct messages to reach users. One in seven consumers fell victim to a scam during the past year. Scam operations resemble organized businesses, with structured workflows, dedicated personnel, and tactics designed to exploit trust through familiar brands, platforms, and communication channels."
https://www.helpnetsecurity.com/2026/06/10/bitdefender-global-scam-trends-report/ - Identity Theft Is Turning Into a Chain Reaction For Victims
"For a growing number of victims, identity theft no longer ends with a fraudulent charge or a compromised account. More than one in four people who contacted the Identity Theft Resource Center during the reporting period were dealing with multiple identity-related incidents, according to the organization’s 2026 Trends in Identity Report. The report is based on data from 6,188 individuals who sought assistance between April 2025 and March 2026."
https://www.helpnetsecurity.com/2026/06/10/identity-theft-incidents-itrc-report/ - Cybersecurity Software Fails To Detect Fifth Of Brower-Based Phishing Attacks
"Cybersecurity software regularly fails to detect and prevent the cyber-attacks they are designed to protect organizations from, especially within the bowser layer, research by Menlo Security has warned. Published on June 9, Menlo Security's 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks. Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer."
https://www.infosecurity-magazine.com/news/cybersecurity-fails-to-detect/
https://www.menlosecurity.com/resources/2026-state-of-browser-security-threat-report - Over a Quarter Of Identity Crime Victims Hit By Multiple Incidents, ITRC Data Shows
"Identity crime experts have warned of “multi-layered crises” after revealing that many victims dealt with two or more incidents over the past year. The findings come from US non-profit the Identity Theft Resource Center (ITRC), which analyzed data from over 6000 reports submitted to it between April 1 2025 and March 31 2026. Its 2026 Trends in Identity Report revealed that nearly 26% of victims managed two or more concurrent identity crime incidents, up from 24% the previous year. ITRC chief operating and programs officer, Mona Terry, said that identity crimes are becoming increasingly complex."
https://www.infosecurity-magazine.com/news/quarter-identity-crime-victims/ - One Click To Compromise: ThreatLabz 2026 Phishing And Initial Access Report
"AI is accelerating the enterprise, but it is also raising the cost of a single user mistake. Phishing remains one of the easiest on-ramps for attackers, with campaigns that look routine, move fast, and convert clicks into access. Identity has also become the real perimeter, and attackers are looking for the fastest path through it. That means more reconnaissance to find exposed entry points, more credential validation to test what will work, and more abuse of encrypted channels to blend into normal traffic."
https://www.zscaler.com/blogs/security-research/one-click-compromise-threatlabz-2026-phishing-and-initial-access-report - Infostealers Turn Millions Of Devices Into Credential Theft Machines
"Hackers no longer force open the side-window when infostealers can give them a key to the front door. Infostealers have become the primary source of stolen credentials for attackers. Using these credentials is now a favored route for bad actors to access a target effectively as an invited guest. It is quicker, easier, less visible and more effective than forcing an entry. More than 11.1 million devices were infected with infostealers in 2025, reports Flashpoint. More than 3.3 billion credentials, browser artifacts, session information and other forms of identity are now circulating in illicit marketplaces. These don’t simply provide entry to a target, they often provide authorized access to valuable data undisturbed by security defenses within the target."
https://www.securityweek.com/infostealers-turn-millions-of-devices-into-credential-theft-machines/
https://flashpoint.io/resources/e-book/2026-guide-to-infostealers/ - Cybercriminals: The 'auditors' You Never Hired
"There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias – what Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of significant threats or crises.” It's why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still appear manageable."
https://www.welivesecurity.com/en/business-security/cybercriminals-auditors-never-hired/ - Chinese, N. Korean Threat Groups Build On Asia-Pacific Success
"Cyber-threat groups linked to North Korea and China continue to target financial firms and cryptocurrency assets in the Asia-Pacific region, but face increasing headwinds as national governments collaborate more closely with each other and private industry to seize cryptocurrency accounts linked to illegal activity. In its recent 2026 Financial Services Threat Landscape Report, CrowdStrike noted that six of the nine major threat groups targeting financial services in Q1 2026 are linked to China and North Korea, while at least 78 organizations in the Asia-Pacific and Oceania regions were targeted by cybercriminals groups' data-leak-and-ransom operations."
https://www.darkreading.com/cyberattacks-data-breaches/chinese-korean-threat-groups-asia-pacific-success - GenAI Is Both Hunter And Hunted At Pwn2Own Berlin 2026
"Pwn2Own has unequivocally arrived in the generative AI (GenAI) age. TrendAI
Research has a full report on the event that took place at OffensiveCon 2026, but I also had the privilege of participating in the disclosure process for some of the artificial intelligence (AI) targets. Obviously, I cannot discuss the details of the actual bugs until the disclosure period is over, but I have some general observations to make."
https://www.trendmicro.com/en_us/research/26/f/pwn2own-genai.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Phoenix Contact
-
Google ออกอัปเดตฉุกเฉิน แก้ช่องโหว่ Chrome Zero-day ที่ถูกใช้โจมตีจริงโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ServiceNow ออกอัปเดตความปลอดภัย หลังพบช่องโหว่ถูกใช้เข้าถึง Customer Instances โดยไม่ได้รับอนุญาตโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบช่องโหว่ความรุนแรงระดับวิกฤตบน Veeam Backup & Replication เสี่ยงถูกรันโค้ดจากระยะไกลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Gogs ออกแพตช์แก้ไขช่องโหว่ Zero-Day เสี่ยงถูกสั่งรันโค้ดจากระยะไกลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เพิ่มช่องโหว่ BerriAI LiteLLM และ Check Point Security Gateway เข้าสู่บัญชี KEV หลังพบถูกใช้โจมตีโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
WhatsApp สกัดกั้นการโจมตีด้วยสปายแวร์ Pegasus ระลอกใหม่ พร้อมยื่นศาลสหรัฐฯ เอาผิดผู้พัฒนาโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 7 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 9 มิถุนายน 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 7 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
- CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
- CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 10 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Schneider Electric Modicon Network Managed Switches
"Schneider Electric is aware of a RADIUS protocol vulnerability affecting its Modicon Network Managed Switch product. The Modicon Network Managed Switch product provides connectivity for multiple Ethernet devices, network management, enhanced cyber security and more advanced switching features. Failure to apply the mitigation provided below may risk forgery attacks in RADIUS Protocol, which could result in modification of any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response which could result in the possibility of denial of service and loss of confidentiality, integrity of the devices connected to the switch."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-01 - Threat Landscape For Industrial Automation Systems. Q1 2026
"The percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching 19.6% in Q1 2026. This is the lowest value in three years, and it is 1.4 times lower than in Q2 2023. Regionally, the percentage figures ranged from 9.1% in Northern Europe to 27.4% in Africa. The difference between the highest and lowest percentage figures across regions is quite significant: the percentage in Africa is 3.0 times that in Northern Europe (see the chart in the “Statistics across all threats. All threats” section)."
https://ics-cert.kaspersky.com/publications/reports/2026/06/09/threat-landscape-for-industrial-automation-systems-q1-2026/ - Siemens KACO Blueplanet Inverters
"KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access. KACO new energy GmbH has released new versions for several affected products and recommends to update to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-02 - Schneider Electric EcoStruxure Panel Server
"Schneider Electric is aware of its vulnerability in its EcoStruxure Panel Server offer. The EcoStruxure Panel Server is a high performance, modular gateway with enhanced cybersecurity that provides easy and fast connections to multiple concurrent edge control or cloud applications. Failure to apply the remediations provided below may risk unauthorized authentication, which could lead to access to sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-03
Vulnerabilities
- SAP Patches Critical NetWeaver, Commerce Vulnerabilities
"Enterprise software maker SAP on Tuesday released 15 new security notes, including four that resolve critical-severity vulnerabilities in NetWeaver, Commerce, and Data Hub. The most severe of the resolved bugs is CVE-2026-44748 (CVSS score of 9.9), described as an XML Signature Wrapping issue in the SAML Authentication of NetWeaver AS ABAP and ABAP Platform. An authenticated attacker with normal privileges could “obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier,” application security firm Onapsis explains."
https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/
https://www.bleepingcomputer.com/news/security/sap-fixes-critical-flaws-in-netweaver-and-commerce-cloud/ - Adobe Patches 123 Vulnerabilities
"Adobe’s latest Patch Tuesday updates fix 123 vulnerabilities across 11 products. Of the total, 57 vulnerabilities were patched in Adobe Experience Manager. The vast majority are XSS flaws that allow arbitrary code execution, and three issues have been described as improper input validation that can lead to a security feature bypass. Two critical issues with a CVSS score of 10, both allowing arbitrary code execution, have been patched in Adobe Campaign Classic."
https://www.securityweek.com/adobe-patches-123-vulnerabilities/ - Google Patches New Chrome Zero-Day Flaw Exploited In The Wild
"Google has released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year. "Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in a Monday security advisory. The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems two weeks after an anonymous security researcher reported it to Google."
https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/
https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
https://www.infosecurity-magazine.com/news/google-patch-chrome-vulnerability/
https://www.securityweek.com/google-patches-5th-chrome-zero-day-exploited-in-2026/
https://securityaffairs.com/193371/hacking/google-fixes-fifth-actively-exploited-chrome-zero-day-of-2026.html
https://www.malwarebytes.com/blog/bugs/2026/06/update-chrome-google-patches-actively-exploited-vulnerability-and-73-others
https://www.theregister.com/security/2026/06/09/chromes-zero-day-whac-a-mole-continues-with-fifth-exploited-bug-of-the-year/5252689
https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/ - Microsoft June 2026 Patch Tuesday Fixes 3 Zero-Day, 200 Flaws
"Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw."
https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-3-zero-day-200-flaws/
https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/
https://www.darkreading.com/vulnerabilities-threats/blame-ai-patch-tuesday-record-206-cves
https://cyberscoop.com/microsoft-patch-tuesday-june-2026/
https://www.securityweek.com/microsoft-patches-200-vulnerabilities/
https://securityaffairs.com/193417/security/microsoft-releases-record-breaking-patch-tuesday-with-208-cves.html
https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225 - New Veeam Vulnerability Exposes Backup Servers To RCE Attacks
"Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers. The vulnerability (tracked as CVE-2026-44963 and reported by WatchTowr security researcher Sina Kheirkhah) affects Veeam Backup & Replication (VBR) 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854. While any domain user with low privileges can exploit this vulnerability, the flaw only impacts Veeam Backup & Replication installations that are joined to a domain."
https://www.bleepingcomputer.com/news/security/new-veeam-vulnerability-exposes-backup-servers-to-rce-attacks/
https://www.veeam.com/kb4869
https://thehackernews.com/2026/06/veeam-backup-replication-rce-flaw-lets.html
https://securityaffairs.com/193385/uncategorized/critical-veeam-rce-flaw-lets-low-privilege-users-take-over-backup-servers.html - OpenSSL Patches High-Severity Vulnerability Found With AI
"The latest OpenSSL releases patch 18 vulnerabilities, including a high-severity issue that could allow remote code execution. The high-severity vulnerability, tracked as CVE-2026-45447, is a heap user-after-free bug in a function used for PKCS#7 (Public-Key Cryptography Standard #7) verification. Discovered by a Calif researcher in collaboration with Claude AI and Anthropic Research, the bug can be triggered using a specially crafted PKCS#7 or S/MIME signed message during PKCS#7 signature verification."
https://www.securityweek.com/openssl-patches-high-severity-vulnerability-found-with-ai/ - Critical PhpBB Flaw Lets Attackers Hijack Any Account With One Request
"A critical flaw in the phpBB forum software has been disclosed that lets attackers hijack any account, including administrators, with a single unauthenticated request and no password. Tracked as PTT-2026-004 and rated 9.4 on the CVSS scale, the flaw is pending an official CVE ID. The authentication bypass was discovered by Dan Stefan Alexandru of Pentest-Tools.com and reported to phpBB on June 4. Every phpBB version up to 3.3.16 is affected in its default database-authentication mode, meaning a standard install is exposed out of the box. The 4.0.0 alpha is vulnerable too."
https://www.infosecurity-magazine.com/news/phpbb-authentication-bypass/ - CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog - Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges
"A security researcher has released a new Microsoft Defender zero-day exploit named "RoguePlanet" just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday. The researcher, known as Nightmare Eclipse, says the new vulnerability affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition vulnerability. The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft."
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/ - Ghost-Sender - Universal Email Spoofing Against Exchange Online
"Using Exchange Online (or on-premises exchange in hybrid mode) in combination with an external MX record, such as a third-party email server or spam protection solution, can allow the spoofing of emails from any sender to any recipient in the target tenant. This is regardless of the configured SPF, DKIM, and DMARC policies of the spoofed sender’s domain, and the emails are delivered without any further warning. It is possible to send emails from anyone, including external and internal email addresses. For internal senders, Outlook even resolves the sender’s profile picture."
https://labs.infoguard.ch/posts/ghost-sender/
https://www.darkreading.com/vulnerabilities-threats/exchange-flaw-attackers-spoof-email-address
Malware
- Phishing For Lobsters: How We Tricked OpenClaw Into Spilling Secrets
"Many enterprises are plugging AI agents directly into the inbox. Agents triage email, retrieve internal data, and even respond to emails. The inbox is also the place that’s most exposed and vulnerable to phishing attacks. Varonis Threat Labs explored whether the same phishing techniques that have tricked humans for decades would also work on the AI agents working on their behalf. We created an OpenClaw AI agent named Pinchy to test whether the agent would pass or fail versions of classic phishing simulations. The results were mixed."
https://www.varonis.com/blog/openclaw-phishing
https://www.bleepingcomputer.com/news/security/openclaw-ai-agent-found-falling-for-phishing-attacks-spills-user-data/ - Technical Analysis Of MLTBackdoor
"In May 2026, Zscaler ThreatLabz identified a new malware family that we track as MLTBackdoor that is likely leveraged by a ransomware-related threat actor. MLTBackdoor has been observed by ThreatLabz being delivered in a multi-stage ClickFix infection chain. MTLBackdoor supports a set of commands like downloading and uploading files from the victim’s system. However, one of the most powerful features is the ability to load Beacon Object Files (BOFs) to expand its capabilities. In this blog post, ThreatLabz provides a technical analysis of MLTBackdoor, including its core features, configuration, obfuscation, network communication protocol, and capabilities."
https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor - Hackers Pose As Women Seeking Romance To Spy On Russian Soldiers
"A previously undocumented cyber espionage group has been attempting to compromise the smartphones, computers and Telegram accounts of Russian military personnel by posing as women seeking romantic relationships, researchers have found. The group, dubbed SiribClone by Russian cybersecurity firm F6, has been active since at least the summer of 2025 and has primarily targeted members of the Russian armed forces stationed in border regions and combat zones."
https://therecord.media/hackers-pose-as-women-seeking-romance-russian-military - Inside The Miasma Software Supply Chain Attack Toolkit
"The infamous Miasma worm goes open source. Multiple GitHub repositories with name Miasma-Open-Source-Release started appearing since yesterday. Most of them are likely published through compromised developer accounts. We have seen this in the past when Team PCP open sourced the Mini Shai-Hulud payload which in turn, likely motivated further software supply chain attacks. We managed to obtain the source code from one such repository (yanked now). As the developers of PMG, we are continuously looking to update our benchmark of attacker TTPs against which we evaluate PMG, especially its sandbox features."
https://safedep.io/inside-the-miasma-supply-chain-attack-toolkit/
https://www.theregister.com/cyber-crime/2026/06/09/miasma-supply-chain-attack-toolkit-goes-public-on-github/5253074 - Blinding The Watchmen: Abusing Cloud Logging Services For Defense Evasion And Visibility
"Cloud logging services provide comprehensive visibility into actions performed within cloud resources, making them essential for security monitoring. However, this reliance also makes logging services a high-value target for attackers. An attacker who exploits these services could create weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target’s environment. Services such as Amazon Web Services (AWS) CloudTrail and Google Cloud are powerful for defenders, and prime targets for attackers seeking to remain undetected by disrupting the flow of logs."
https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/ - From Cause To Cash: a Cross-Border Look At Hacktivist Activity
"While tracking the activities of 4BID we uncovered a new string of campaigns that appear to be the work of several interconnected actors. While politically motivated groups generally limit their scope to specific nations – for 4BID and its peers, primarily Russian and occasionally Belarusian organizations – our latest findings reveal a shift. The actual geographic footprint of these attacks became broader than expected, striking companies across Kazakhstan, the UAE, Syria, and Egypt. What triggered our investigation was spotting a cluster of indicators of compromise within a breached Russian organization’s infrastructure. We used these footprints to successfully track down other environments hit by the same threat actors and piece together the bigger picture."
https://securelist.com/tr/hacktivists-broaden-attack-geography/120115/ - AI Brands As Bait: How Threat Actors Are Using The AI Hype In Social Engineering
"As threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. In recent months, Microsoft Threat Intelligence has observed a growing number of campaigns that impersonate the branding of popular AI platforms such as ChatGPT, Microsoft Copilot, DeepSeek, and Anthropic’s Claude as lures. These campaigns, which don’t represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection."
https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
Breaches/Hacks/Leaks
- French Govt Messaging Service Breached In Account Hijacking Attack
"DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform. Developed in-house by DINUM in collaboration with ANSSI (the French Cybersecurity Agency) in 2018, Tchap is an instant messaging service and collaboration tool based on the decentralized Matrix protocol, designed exclusively for the French public sector. Tchap has now reached over 300,000 monthly users and over 500,000 downloads on Google's Play Store after Prime Minister François Bayrou mandated the use of Tchap and banned foreign apps for work communications for all civil servants in early August 2025."
https://www.bleepingcomputer.com/news/security/french-govt-messaging-service-breached-in-account-hijacking-attack/
https://www.theregister.com/security/2026/06/09/france-probes-compromise-of-gov-messaging-platform-after-account-hijack/5252717
https://www.helpnetsecurity.com/2026/06/09/tchap-french-government-secure-messaging-platform-breach/ - Qilin NHS Breach Tally Grows As Essex Trust Confirms Stolen Records
"The patient tally from the Synnovis ransomware attack continues to grow two years later, with Mid and South Essex NHS Foundation Trust confirming it was caught up in the breach. The trust told The Register that the Synnovis breach affected about 2,380 records relating to patients who underwent specialist diagnostic testing. The disclosure follows a similar announcement by Bedfordshire Hospitals NHS Foundation Trust, which earlier this month said that almost 33,000 patient records had been caught up in the same breach."
https://www.theregister.com/cyber-crime/2026/06/09/qilin-nhs-breach-tally-grows-as-essex-trust-confirms-stolen-records/5252663 - Maine Govt Portal Lists 10M Discord Data Breach Notice, But Filing Shows Red Flags
"A data breach notice submitted to the Maine Attorney General’s office has named Discord Inc. as the affected company, but the filing includes several details that make the claim difficult to treat as confirmed. The notice, submitted on June 8, 2026, lists Discord Inc. of San Francisco, California, as the entity involved. It claims that more than 10 million people were affected by an incident described as “Insider wrongdoing.” The number of affected Maine residents is listed as unknown."
https://hackread.com/maine-govt-portal-discord-data-breach-notice/ - Handala Claims Israeli Radar Hack, But Evidence Shows Phone Admin Panel
"An Iranian-linked hacker group called Handala claimed to have hit Israeli military targets with massive cyberattacks on Sunday, June 7 2026. The group used the Telegram messaging app to announce they had successfully disrupted signal networks across Israel’s military radar systems. What’s interesting here is the timing of the announcement, as Handala’s claim perfectly coincides with a chaotic real-world development, as Israel and Iran broke their two-month ceasefire by trading heavy missile strikes on the same day."
https://hackread.com/handala-israeli-radar-hack-evidence-phone-admin-panel/ - ServiceNow Discloses Security Incident Exposing Customer Data
"ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances. The company quietly warned impacted customers through a support bulletin and direct support cases after detecting "anomalous activity" related to the issue. The bulletin, which is hidden behind ServiceNow's customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026."
https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/
General News
- May 2026 Dark Web Breach Incident Trend Report
"the May 2026 Dark Web Breach Incident Trend Report is organized around the major cases of Data Breaches posted on the deep web and dark web forums. due to the nature of the source, some of the information may not be fully verifiable as to whether it is true or not, and is therefore subject to verification."
https://asec.ahnlab.com/en/94028/ - Dark Web Threat Actor Trend Report May 2026
"the May 2026 Dark Web Threat Actor Trend Report summarizes the trends of threat actors and hacktivists operating on the deep web and dark web. some statements are not factually verifiable."
https://asec.ahnlab.com/en/94033/ - May 2026 Dark Web Issue Trend Report
"the May 2026 Dark Web Issue Trend Report summarizes the Major Issues that occurred on the deep web and dark web. it stated that due to the nature of the sources, some of the information cannot be fully verified for factual accuracy."
https://asec.ahnlab.com/en/94034/ - The Real Problem With “Spot The Phish” Training In 2026
"Users are shown examples of suspicious emails and asked to identify the clues: bad grammar, odd links, fake branding, strange attachments. The idea is simple. Teach employees to recognize the signs and phishing risk goes down. The problem is that modern phishing does not always present obvious signs anymore."
https://cofense.com/blog/the-real-problem-with-spot-the-phish-training-in-2026 - Mythos Preview Can Weaponize N-Day Vulnerabilities In Hours
"Mythos Preview can develop working exploits from newly disclosed software vulnerabilities in hours, cutting down a process that has historically taken days or weeks, according to Anthropic. Anthropic’s recent cybersecurity research has largely focused on zero-days, vulnerabilities unknown to software vendors. The new study examines N-days, vulnerabilities that have already been disclosed and patched but remain present on unpatched systems."
https://www.helpnetsecurity.com/2026/06/09/anthropic-mythos-preview-n-day-exploits-firefox-windows/
https://red.anthropic.com/2026/n-days/
https://www.securityweek.com/claude-mythos-turns-n-days-into-n-hours-with-rapid-exploit-creation/ - Treating AI Agents Like Service Accounts For Federated Query Security
"In this interview with Help Net Security, Paras Malhotra, CISO at Starburst, explains how the company handles data governance across federated query environments. Topics include layering Starburst’s access controls above native source permissions, tiering vendor risk across more than 200 partners and connectors, and building audit trails for autonomous agents. The conversation covers how AIDA turns natural language into SQL while guarding against prompt injection, and how the company treats AI agents querying through MCP endpoints as scoped service accounts with short-lived credentials and accountable owners."
https://www.helpnetsecurity.com/2026/06/09/paras-malhotra-starburst-federated-query-security/ - Malware Ships With Bugs That Defenders Could Use Against It
"Static analysis tools have spent years scanning legitimate software for security bugs before it goes out the door. The same scanners work on malware, and malware carries a steady supply of its own bugs. Researchers ran four of these tools across 658 leaked malware projects and found that close to 90 percent contained at least one recognized software weakness. The malware code came from VX-Underground, a public repository of leaked samples. The scanners were Cppcheck, Bandit, Snyk, and Semgrep. For comparison, the team ran the same analysis on 249 open-source projects, among them the most-downloaded Python and JavaScript packages and a group of security tools that includes nmap, sqlmap, and zap. The team picked smaller community projects on purpose, so the comparison would sit closer to the size and staffing of malware work."
https://www.helpnetsecurity.com/2026/06/09/malware-source-code-bugs-research/
https://arxiv.org/pdf/2606.05945 - Will AI Kill The Bug Bounty Industry?
"AI is disruptive. Anthropic’s Claude Mythos model, and its successors, promise to be even more disruptive: they could threaten the existing bug bounty and/or in-house offensive security industries. AI has been widely adopted by both cybersecurity attackers and defenders. Attackers use it to help find bugs and craft attacks from sophisticated social engineering through to developing exploit and malware code. Defenders use it to help detect attacks in progress, detect deepfakes, and help code new software, and for bug bounty hunters and offensive security practitioners, to unearth bugs to fix them before they can be exploited."
https://www.securityweek.com/will-ai-kill-the-bug-bounty-industry/ - Global Cyber Attacks Ease In May 2026, But Ransomware Surges 48% As Threats Reorganize
"In May 2026, global cyber-attack activity eased from April’s sharp rebound, though the underlying trends offer little genuine comfort. Organizations experienced an average of 2,055 weekly cyber-attacks, a 2% increase year over year and a short term 7% decrease month over month. While the monthly decline may read as stabilization, ransomware activity surged to its highest year-over-year growth rate of 2026, and GenAI-driven data exposure risks continued to deepen across enterprise environments. Check Point Research data consistently shows that short-term volume moderation does not equal reduced risk. Adversaries keep recalibrating timing, tools, and targeting, and May is a clear example of that pattern."
https://blog.checkpoint.com/research/global-cyber-attacks-ease-in-may-2026-but-ransomware-surges-48-as-threats-reorganize/ - CISA Is Rethinking How It Prioritizes Risks And Vulnerabilities For Feds, Private Sector
"The Cybersecurity and Infrastructure Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately-owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday. The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C. and talking with reporters afterwards."
https://cyberscoop.com/cisa-cyber-risk-prioritization-vulnerability-directive/ - **https://therecord.media/cisa-to-transform-how-it-assesses-cyber-vulns-risks
- 75% Of Firms Deploy Vulnerable Code Amid Pressure On CISOs, Report Finds**
"Nearly all CISOs have felt pressured to suppress or delay compliance-related cybersecurity issues in code, especially when business deadlines need to be hit, a new report has warned. According to the research, released on Jun 8 by Checkmarx, 95% of CISOs said they faced pressure to deprioritize or delay reporting of security issues by other parts of the business. As a result of this pressure, 75% of those surveyed said that their organization had knowingly deployed vulnerable code into a production environment."
https://www.infosecurity-magazine.com/news/firms-deploy-vulnerable-code/ - AI Coding Adoption Hits 97% But Governance Lags Behind
"Nearly all software development teams have adopted AI coding assistants, but fewer than a third govern how the tools are used and that gap is capping the productivity AI promises. The figures come from an independent survey of 831 software engineers and DevOps professionals carried out by the research firm UserEvidence for Black Duck in March 2026. It found 97% actively using the tools but just 30% with a fully governed approach to oversight."
https://www.infosecurity-magazine.com/news/ai-coding-adoption-governance-lags/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Schneider Electric Modicon Network Managed Switches
-
Cyber Threat Intelligence 09 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- NAVTOR NavBox
"Successful exploitation of this vulnerability could allow a local attacker to gain unauthorized access to SOAP methods, resulting in a disruption of operations."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01 - Hitachi Energy ITT600 Explorer
"Hitachi Energy is aware of vulnerabilities that affect ITT600 Explorer product versions listed in this document. These vulnerabilities can be exploited to carry out Denial of Service (DoS) attack on the product. The vulnerabilities only affect Hitachi Energy Integrated Testing Tool ITT600 SA Explorer without affecting IEC 61850 system endpoints. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-02 - B&R PPT30 Operating System
"B&R is aware of a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploits this vulnerability could make the OPC-UA server of the product inaccessible."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-03 - Hitachi Energy RTU500
"Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. If exploited, these vulnerabilities primarily impact product availability, with potential secondary impacts on confidentiality and integrity. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-04 - Hitachi Energy MACH HiDraw
"Hitachi Energy is aware of a buffer overflow vulnerability that affects MACH HiDraw product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-05
New Tooling
- DockSec: Open-Source AI-Powered Docker Security Scanner
"DockSec is an OWASP Incubator Project that combines three container security scanners with a language-model layer for explanation and remediation. Created by Advait Patel, the Python tool runs Trivy, Hadolint, and Docker Scout against a developer’s Dockerfile and image, correlates the findings, returns a 0-100 security score, and proposes line-specific fixes. DockSec requires Python 3.12 and ships under the MIT license. It supports four language-model backends: OpenAI, Anthropic, Google Gemini, and local models served through Ollama, with a scan-only mode that operates offline and requires no API key."
https://www.helpnetsecurity.com/2026/06/08/docksec-open-source-ai-docker-security-scanner/
https://github.com/OWASP/DockSec
Vulnerabilities
- Popping Root On UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
"Ubiquiti’s Security Advisory Bulletin 064 covers vulnerabilities across the UniFi OS device family that chain into unauthenticated remote code execution. An attacker bypasses the front-end authentication gateway to reach an internal API endpoint that runs an attacker-controlled value as a shell command, all without credentials. We confirmed the full chain end-to-end, turning a single request into a reverse shell with full root privileges. The severity comes from what the appliance controls: it is the management plane for the network it runs. Root on it, therefore, exposes every stored secret, lets an attacker forge admin sessions that survive the patch, and, in physical deployments, can compromise managed devices including door controls and security cameras."
https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis
https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-hackers-gain-root-without-authentication/
Security Advisory – Action Required – Active Exploitation Of Check Point VPN Authentication Bypass (CVE-2026-50751) - "Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements. Additional post-authentication activity is required to access internal resources or escalate privileges."
https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/
https://www.darkreading.com/vulnerabilities-threats/check-point-vpn-flaw-exploited-early-may
https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html
https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/
https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438 - CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog - Gogs Patches Critical Zero-Day Enabling Remote Code Execution
"Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones). This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev. They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code."
https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/ - Off By !: Exploiting a Use-After-Free In The Linux Kernel
"In this blog post, we discuss a use-after-free vulnerability that we found in the nftables subsystem of the Linux kernel in early 2025. This vulnerability was patched upstream on 5 February 2026 and assigned CVE-2026-23111. This blog post covers a technical analysis of the vulnerability and how we exploited it to perform a local privilege escalation from an unprivileged user to root on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS."
https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html
Malware
- NFCShare Android Malware Spreads Via Fake Banking App Updates On GitHub
"New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub. The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data. After tricking victims with a fake verification screen to place the cards near the mobile device's near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands."
https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/ - Shai-Hulud Descends To Hades: Miasma Worm Campaign Spreads With New PyPI Wave
"Socket detected a coordinated PyPI compromise involving 37 malicious wheel artifacts across 19 packages. The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js. Socket’s AI malware detection system identified the malicious package cluster minutes after publication. The attack is cross-runtime, and the tradecraft is unmistakably Shai-Hulud / Miasma. Python packages provide the delivery vehicle, but the payload runs under Bun as a heavily obfuscated JavaScript stealer."
https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave
https://www.bleepingcomputer.com/news/security/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages/
https://www.darkreading.com/application-security/hades-campaign-pypi-shai-hulud - Fighting Spyware: An Update From WhatsApp
"WhatsApp caught and disrupted spear phishing attempts linked to NSO, a spyware firm blacklisted by the US government. Today, we’re asking the court to hold NSO in contempt for violating a permanent injunction that barred them from ever targeting WhatsApp and its users. Spyware is a national security threat, which is why we are supporting a growing coalition of privacy advocates and security researchers against spyware, and donating to the Spyware Accountability Initiative."
https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/
https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/
https://thehackernews.com/2026/06/meta-blocks-nso-groups-new-whatsapp.html
https://therecord.media/whatsapp-says-nso-targeted-users-with-attacks-against-court-order
https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/
https://hackread.com/whatsapp-blocked-pegasus-spyware-campaign-nso/
https://www.securityweek.com/whatsapp-catches-spyware-firm-nso-defying-no-hacking-court-order/
https://securityaffairs.com/193333/security/meta-accuses-nso-of-violating-whatsapp-court-injunction.html
https://www.theregister.com/security/2026/06/08/nso-group-back-in-metas-crosshairs-after-alleged-whatsapp-targeting/5252105
https://www.helpnetsecurity.com/2026/06/08/meta-whatsapp-nso-group-phishing-campaign/ - From Fake Amazon Security Alert To HarborWatch Agent: ClickFix Delivery Of a Custom Monitoring RAT
"Threat actors do not always need to compromise a major company to weaponize its trust; they simply need to borrow its name. In the following campaign threat, cybercriminals utilize social engineering, lookalike domains, and fake verification tactics to turn a routine security alert into a ClickFix malware delivery with the goal of convincing recipients to unknowingly infect themselves. The Cofense Phishing Defense Center has identified an Amazon-themed malware delivery campaign that abuses the ClickFix self-infection technique to deliver a custom monitoring RAT known as HarborWatch Agent. This campaign highlights a growing trend in the threat landscape where attackers are abusing trusted brands and fake verification to turn users into the mechanism of their own infection."
https://cofense.com/blog/from-fake-amazon-security-alert-to-harborwatch-agent-clickfix-delivery-of-a-custom-monitoring-rat - Don't Fear The Repo: UNK_DeadDrop Phishing Campaign Targets Developers To Steal Cryptocurrency
"Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers using fake recruiter personas, malicious npm/PyPI packages (TraderTraitor / Jade Sleet), and trojanized cryptocurrency trading applications (AppleJeus / Citrine Sleet). These often masquerade as technical assessments or coding challenges and use techniques such as ClickFix or abusing Visual Studio Code’s features to execute malware. Approaches often occur over LinkedIn, Slack, Telegram, or in a multi-platform manner, with a consistent aim of targeting developer assets such as API tokens, cryptocurrency wallets, and credentials."
https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal
https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/
https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526 - Old WinRAR Flaw Fuels Attacks On Ukraine: How Unmanaged Software Keeps The Door Open
"When Russia annexed Crimea in 2014, the Russia-aligned cyber threat landscape was defined by a handful of known actors: Pawn Storm (also known as APT28), Sandworm, Earth Koshchei (also known as APT29), Turla, and Earth Dahu (also known as Gamaredon). A decade later, those groups remain active, but they have been joined by a much larger number of distinct activity clusters targeting Ukraine. One pattern cuts across these clusters: the rapid adoption of vulnerabilities in widely used software. CVE-2025-8088, the WinRAR vulnerability at the center of this report, was first reported in July 2025 as a zero-day used by Void Rabisu (ROMCOM) and has since been exploited by other groups, including Sandworm and Turla. SHADOW-EARTH-066 (known as UAC-0226) and Earth Dahu also exploited this vulnerability."
https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html - When “Hi, This Is IT” Comes Through Microsoft Teams
"It's Friday afternoon. The week has been busy, and everyone is wrapping up before the weekend. One of your workers receives a message (Figure 1) through Microsoft Teams from what appears to be the IT Service Provider. The message is marked as external. The worker previews the message and sees, "Hi, this is the IT Department. We see an issue with your account." The message looks routine and is in MS Teams, not email. The worker accepts the message. The conversation proceeds and the "IT technician" explains that a login anomaly was detected and asks the worker to approve a multi-factor authentication (MFA) prompt to confirm their identity. The conversation continues for a few minutes to maintain credibility, but behind the scenes the compromise is already underway."
https://unit42.paloaltonetworks.com/microsoft-teams-phishing/
Breaches/Hacks/Leaks
- SoFi Confirms Third-Party Data Breach At Hong Kong Subsidiary
"SoFi Hong Kong is warning that it suffered a data breach after hackers gained access to a database at a third-party vendor containing customer information. The company is a U.S.-based financial technology company that offers banking, investing, loans, and other personal finance services. The company also operates SoFi Hong Kong, which provides investment and securities services to customers in the region. In emails sent to customers and shared with BleepingComputer, SoFi said it discovered the incident on April 30, 2026, after detecting unauthorized access to a database of SoFi Securities (Hong Kong) Limited via one of its vendors."
https://www.bleepingcomputer.com/news/security/sofi-confirms-third-party-data-breach-at-hong-kong-subsidiary/ - Over 20,000 Instagram Accounts Stolen In Meta AI Support Hack
"Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords. As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts. By exploiting the fact that HTS didn't verify whether email addresses were associated with the targeted Instagram accounts, they obtained password reset links that allowed them to log in and hijack accounts without two-factor authentication (2FA) enabled."
https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/
https://www.infosecurity-magazine.com/news/over-20000-instagram-accounts/
https://hackread.com/instagram-recovery-tool-bug-accounts-password-reset/
https://www.securityweek.com/meta-says-20000-instagram-accounts-hacked-via-ai-tool-abuse/
https://securityaffairs.com/193307/ai/meta-ai-recovery-tool-flaw-exposed-20000-instagram-accounts.html
https://www.helpnetsecurity.com/2026/06/08/instagram-ai-support-vulnerability-account-takeovers/ - 174,000 Impacted By Lansing Community College Data Breach
"Lansing Community College (LCC) is notifying over 174,000 people that their personal information was compromised in a data breach more than one year ago. The incident was identified in February 2025, roughly one week after hackers gained access to some of its systems using compromised credentials, the Lansing, Michigan public community college says in notification letters sent to the impacted individuals. Working with third-party cybersecurity experts, LCC determined that the hackers accessed personal information such as names, addresses, dates of birth, driver’s license details, and Social Security numbers."
https://www.securityweek.com/174000-impacted-by-lansing-community-college-data-breach/ - Ransomware Sends Illinois High School On An Early Summer Vacation
"An Illinois high school won't reopen until Wednesday at the earliest after suffering a ransomware attack on Sunday, June 7. Evanston Township High School (ETHS), located 14 miles north of Chicago, said it would be closed today and tomorrow, and that the closure also affected summer school, sports camps, and on-campus activities, which are all canceled."
https://www.theregister.com/cyber-crime/2026/06/08/ransomware-attack-shuts-illinois-high-school-until-wednesday/5252322
General News
- Iran Signed a Ceasefire — Its Hackers Didn't
"The United States and Iran have extended what began as a two-week ceasefire. The pause applies only to kinetic warfare, and even that didn't fully stop the shooting. The cyber front has no signs of a truce. The day before that ceasefire took effect, six federal agencies — the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force — issued a joint advisory warning that Iranian-affiliated actors had been manipulating programmable logic controllers inside U.S. critical infrastructure since at least March. Victim organizations across water, energy, and government services confirmed operational disruptions and financial losses. Hours after the ceasefire took effect, one IRGC-linked group announced it was pausing attacks on the U.S., for now, while vowing to revive them "when the time is right." Another pledged operations against Israel would continue “at full force.”"
https://www.darkreading.com/cyberattacks-data-breaches/iran-signed-ceasefire-hackers - Cybercriminals Create 19,000 FIFA-Themed Domains Ahead Of 2026 World Cup
"Fans looking for tickets, accommodation and match broadcasts are already encountering scams tied to the 2026 FIFA World Cup. The 2026 FIFA World Cup will bring millions of visitors and an estimated 6 billion spectators to a tournament spread across 16 host cities in the United States, Canada and Mexico. In a new report, Intel 471 describes the 2026 FIFA World Cup as “the largest and most complex cyberattack surface in sporting history.”"
https://www.helpnetsecurity.com/2026/06/08/fifa-world-cup-cyber-threats/ - Everybody Is Vibe Coding But Nobody Told The Security Team
"In February 2025, Andrej Karpathy coined the term “vibe coding” to describe a new way of building software: rapid, AI-assisted development where users ‘fully give in to the vibes, embrace exponentials, and forget that the code even exists’.” Fast forward to 2026, and Anthropic CEO now predicts that 90% of code will be written by AI in 3-6 months. According to one survey, 84% of developers globally are using or planning to use AI coding tools in their workflow, up from 76% in 2024. Of those, 51% of professional developers use AI tools daily."
https://www.securityweek.com/everybody-is-vibe-coding-but-nobody-told-the-security-team/ - The Hardest Fork
"Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity, like Move 37. That's not a better scanner. That's a different category of threat."
https://thehackernews.com/2026/06/the-hardest-fork.html - 52% Of Direct-To-IP Threats Are Missing From Intelligence Feeds
"Security tools are good at inspecting websites, domains, URLs, and files, so attackers are moving lower in the stack and communicating directly with IP addresses, where visibility is limited. According to Palo Alto Networks’ report, this creates a visibility gap that allows malicious traffic to blend into normal internet activity and evade detection. At the internet edge, this gap starves security systems of the telemetry needed to identify and block threats. Threat actors hide the signals security tools rely on, use shared infrastructure to avoid detection, and scale these techniques with AI."
https://www.helpnetsecurity.com/2026/06/08/palo-alto-networks-securing-ip-connections-report/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- NAVTOR NavBox
-
Cyber Threat Intelligence 08 June 2026โพสต์ใน Cyber Security News
New Tooling
- AgentGG: Open-Source Agentic SAST Scanner
"Static analysis tools have spent years matching source code against known-bad patterns and handing engineers long lists of candidate issues to triage by hand. AgentGG approaches the same job with AI agents that read the code, follow imports, walk the call graph, and confirm a finding before they report it. The project is an open-source agentic SAST scanner released under the Apache 2.0 license."
https://www.helpnetsecurity.com/2026/06/05/agentgg-open-source-agentic-sast-scanner/
https://github.com/agentgg-dev/agentgg
Vulnerabilities
- Chrome 149 Patches 429 Vulnerabilities
"Google this week promoted Chrome 149 to the stable channel with patches for 429 vulnerabilities, a record for a single Chrome refresh. Already exceeding several times the total number of Chrome security fixes released in 2025, the surge in Chrome flaws is likely driven by AI use, which led Google to lower Chrome bug bounties in April. Over 100 of the newly resolved security defects are critical and high-severity issues, most of which are use-after-free and insufficient validation of untrusted input flaws."
https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/ - Cisco Warns Of Unpatched SD-WAN Zero-Day Exploited In Attacks
"On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation. The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root."
https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html
https://www.securityweek.com/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026/
https://securityaffairs.com/193203/security/cisco-sd-wan-has-a-new-root-level-problem-and-theres-no-fix-yet.html
https://www.theregister.com/security/2026/06/05/yet-another-cisco-sd-wan-0-day-under-attack-and-no-patch-in-sight/5251855
https://www.helpnetsecurity.com/2026/06/05/cisco-sd-wan-cve-2026-20245-0-day-exploited/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-28318 SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/
https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html
https://securityaffairs.com/193245/security/u-s-cisa-adds-solarwinds-serv-u-flaw-to-its-known-exploited-vulnerabilities-catalog.html - AI Agent Uncovers 21 Zero-Days In FFmpeg; Chrome Patches Record 429 Bugs
"Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent. The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release."
https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html - Claude Opus Found a Four-Year-Old Hole In Zcash’s Privacy Layer. Nobody Knows If Someone Already Used It.
"On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing. The Orchard pool is the newest and most advanced shielded transaction system in the cryptocurrency Zcash. Introduced in 2022, it allows users to send and receive ZEC while keeping transaction details private. It uses zero-knowledge proofs to validate transactions without revealing amounts or participants. The bug: a specific check that was supposed to validate transaction inputs wasn’t actually enforcing the rules it appeared to enforce. An attacker could have exploited the flaw to feed false inputs into that check and generate ZEC from nothing, with the zero-knowledge proof system blessing the fraudulent transaction as valid."
https://securityaffairs.com/193224/hacking/claude-opus-found-a-four-year-old-hole-in-zcashs-privacy-layer-nobody-knows-if-someone-already-used-it.html
Malware
- VerdantBamboo: Just Another BRICKSTORM In The Firewall
"In September 2025, Volexity conducted an incident response engagement that began after suspicious network traffic was observed from a Linux-based virtual machine appliance on a customer’s network. The virtual machine was an Egnyte Storage Sync system, which is designed to facilitate syncing local on-premise files with the cloud. Volexity discovered that instead of connecting to a domain affiliated with Egnyte, the appliance was connecting to a threat-actor-controlled domain behind Cloudflare IP addresses. The appliance was also making TLS connections to one of Google’s public DNS servers (8.8.8.8). It appeared to be using Google to perform queries via DNS over HTTPS, as there was no DNS activity for the domain observed in the connections. Later in the investigation, this was confirmed to be the case after Volexity obtained snapshots of the Storage Sync system for analysis."
https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/ - Suspicious Polyfill Login Prompts Pop Up On Toshiba, Muji Websites
"Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service. The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN."
https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/ - New Mac Stealer SHub Reaper Is Spoofing Apple, Google, And Microsoft
"Threat actors are using fake websites for popular software to distribute an updated version of SHub Stealer, a piece of macOS malware. What’s different about this malware and why Mac users should care? The malware is using a technique for distribution that is automating ClickFix, which we have seen before. This technique makes it more difficult for Mac users to spot the cyberattack. Let’s dive in."
https://moonlock.com/mac-stealer-shub-reaper
https://hackread.com/reaper-macos-infostealer-script-editor-crypto-passwords/ - Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure
"The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a sophisticated cyber extortion group that has been active since at least 2022. Unlike traditional ransomware groups that encrypt data, SRG focuses on data theft and extortion without relying on encryption. The group is particularly known for targeting industries that handle sensitive information, such as law firms, healthcare, hotels, finance, and insurance . The FBI recently issued an advisory about the SRG, which is actively targeting U.S.-based law firms and other industries through social engineering and in-person attacks. In this threat intelligence report, Resecurity highlights the notable tactics used by the SRG — specifically, the use of Clearnet Data Leak Sites (DLS) and DNS Fast Flux, an evasion technique used by cybercriminals to hide servers behind a continuously rotating network of compromised devices (often a botnet) acting as proxies. By changing the DNS records and using short Time-To-Live (TTL) values, attackers make their malicious infrastructure resilient against takedowns."
https://www.resecurity.com/blog/article/silent-ransom-group-srg-uncovering-dns-fast-flux-infrastructure
https://securityaffairs.com/193215/cyber-crime/silent-ransom-group-srg-switching-to-dns-fast-flux-infrastructure.html - PCPJack Hijacked 230 AWS, GCP, And Azure Servers To Run a Hidden SMTP Relay Network
"SentinelOne documented PCPJack in April 2026, covering how the campaign gains initial access and harvests credentials from compromised Linux servers. What that report didn't cover was what happens next. During a routine infrastructure hunting session, our team found an open directory on 213.136.80[.]73, a server already tied to PCPJack's C2 infrastructure. No authentication required. Twelve files sitting exposed on port 8444, including source code, compiled binaries, and deployment state logs. A second open directory on port 9443 exposed the operator's live working directory, active scanners, exploitation tooling, and a Sliver C2 configuration, all accessible at the same time."
https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel
https://thehackernews.com/2026/06/pcpjack-hijacks-230-aws-google-cloud.html
https://securityaffairs.com/193189/cyber-crime/pcpjack-exposed-researchers-uncover-230-node-cloud-email-relay-network.html - Android Spyware Asin Targets Arabic Users Via Fake News, PDF And War Map Apps
"Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin, according to findings from ESET. The Slovakian cybersecurity company said it first detected the malware spread via multiple campaigns in early 2025, with each attack wave making use of distinct websites mimicking utilities, war-related updates, and a government news source:"
https://thehackernews.com/2026/06/android-spyware-asin-targets-arabic.html - ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512
"ReliaQuest’s Agentic AI recently surfaced what we assess with moderate-high confidence to be a new China-linked cluster, which we’re tracking as “OP-512.” Our AI agent stitched together a high volume of seemingly unrelated suspicious events across a customer’s environment into one high-priority incident, revealing a coordinated intrusion that manual review alone would have been unlikely to reconstruct at the same speed, if at all. ReliaQuest threat research analysts then reviewed and validated the findings."
https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html - Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
"From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," “Chatty Spider,” and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States. UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments. Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. This data typically includes proprietary legal agreements, personally identifiable information (PII), and financial records for subsequent extortion demands."
https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/
https://www.theregister.com/cyber-crime/2026/06/05/if-you-dont-fall-for-these-extortionists-calls-theyll-show-up-with-usb-sticks/5251891 - Threat Brief: Active Exploitation Of PAN-OS CVE-2026-0257
"Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29."
https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/ - FSB’s Matryoshka #3/3 – Gamaredon’s Gifts That Keeps Unpacking – GammaSteel
"Gamaredon is a cyberespionage group specialized in long-term and persistent intrusion operations targeting Ukraine. Officially operated by Russia’s FSB, the group is focusing government, military, and critical infrastructure networks, and is still actively operating at the time of this publication. This report analyses over a decade of malware families and establishes a unified naming taxonomy to cut through the fragmented nomenclature. The infection chain is designed to be invisible: by hiding inside legitimate Windows features and abusing trusted platforms like Telegram, Cloudflare, and standard cloud storage, Gamaredon leaves almost no trace on infected machines."
https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/ - Miasma Worm Hits 73 Microsoft GitHub Repositories In Major Supply Chain Attack
"Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the "Azure/azure-functions-host" repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information.""
https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
https://safedep.io/miasma-worm-ai-coding-agent-config-injection/
https://falconfeeds.io/blogs/shai-hulud-npm-pypi-supply-chain-worm-analysis/
Breaches/Hacks/Leaks
- Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals
"Adult nightclub giant RCI Hospitality Holdings has informed authorities that a data breach disclosed in April affects roughly 40,000 individuals. RCI Hospitality is one of the largest adult nightclub operators in the United States, and its portfolio also includes sports bars and dance clubs. The company told the SEC in mid-April that its RCI Internet Services subsidiary discovered an insecure direct object reference (IDOR) vulnerability on March 23 in an IIS web server, allowing unauthorized access to personal information."
https://www.securityweek.com/nightclub-giant-rci-says-data-breach-affects-40000-individuals/ - Attackers Obtained Encrypted Password Vaults From Some Dashlane User Accounts
"Dashlane has disclosed new details about a brute-force attack that let a threat actor access some customer accounts and copy encrypted vaults. Dashlane said it found no evidence that the attackers compromised its internal systems. The company first acknowledged the incident on May 31 after users reported receiving account suspension emails and experiencing login problems. “Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries,” the emails read, instructing affected users to contact customer support to restore access."
https://www.helpnetsecurity.com/2026/06/05/dashlane-brute-force-attack-vaults-customer-accounts/ - Oxford Uni Student Data Pwned Yet Again - This Time Via Career Platform Breach
"Oxford University students seeking work will be dismayed to learn that crooks have breached a second external platform provider for the university in as many months. The institution’s CareerConnect platform, provided by Group GTI, was the target of the intrusion, which exposed users’ full names and email addresses. Those who don’t use single sign-on (SSO) had their encrypted passwords leaked, too. CareerConnect forms part of Oxford University’s career services department, supporting students and alumni to find work opportunities. It is available to students, alumni, research staff, and recruiters."
https://www.theregister.com/security/2026/06/06/oxford-university-data-pwned-again-by-career-platform-breach/5251754
General News
- Nightmare Eclipse Incident Shows The Researcher-Vendor Fights May Never Fully Go Away
"Microsoft reopened some wounds and has reignited debate over the past couple weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors. The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft insisted it received no details about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk."
https://cyberscoop.com/microsoft-coordinated-vulnerability-disclosure-debacle/ - C-Suite Impersonation In The Gulf: How Threat Actors Are Targeting UAE & Saudi Executives In 2026
"When a senior executive at a Dubai-based energy conglomerate receives a WhatsApp message that appears to come directly from their CEO — complete with the right profile photo, a familiar tone, and an urgent wire transfer request. This type of CEO fraud, CEO impersonation scam, or executive impersonation attack is becoming one of the most effective forms of financial cybercrime targeting Gulf organizations. According to Cyble’s Middle East & Africa Threat Landscape Report: Q1 2026 report, executive impersonation has emerged as one of the most targeted and financially damaging attack vectors facing organizations in the UAE, Saudi Arabia, and Qatar in 2026."
https://cyble.com/blog/ceo-fraud-executive-impersonation-gulf-firms/
https://cyble.com/resources/research-reports/meta-cyber-threat-landscape-report-q1-2026/ - Adaptive, Agentic AI Worms Loom As Next Enterprise Threat
"The hunt is on to find protections against the coming generation of adaptive AI worm malware, to head off a global incident on the scale of other famous worm events, such as NotPetya, Stuxnet, MSBlast, or the SQL Slammer worm. AI adaptive worms will be autonomous agents that rapidly self-propagate by searching for zero-day bugs, known but unpatched software flaws, and unprotected secrets — and they will be able to do this across multiple environments, morphing dynamically as they go."
https://www.darkreading.com/cyber-risk/adaptive-agentic-ai-worms-enterprise-cyber-threat - AI Is Helping Low-Skill Hackers Pull Off Advanced Cyberattacks
"Anthropic has published an analysis of cyber-related misuse of its AI systems, examining 832 accounts that were banned for malicious cyber activity between March 2025 and March 2026. The company mapped the observed behavior to the MITRE ATT&CK framework, which documents tactics and techniques used by attackers. “These 832 cases are just a subset of the total number of accounts banned during this period, but they represent those where we had enough detail to conduct a thorough assessment of the attackers’ techniques,” the company said."
https://www.helpnetsecurity.com/2026/06/05/anthropic-ai-cyber-activity-analysis/ - Most Pros Have Seen AI Hallucinations In IT Operations
"Autonomous AI is taking action inside enterprise IT environments. Software is restarting services, isolating risky devices, and applying patches without waiting for a human to approve the step. The capability is spreading at the same time IT professionals are reporting frequent encounters with AI output errors that can carry operational impact. Ivanti’s 2026 AI Maturity Report, drawn from responses by 1,500 IT professionals across six countries, finds that 68% have personally seen AI produce hallucinations with potential operational impact. About 52% of those respondents say their team caught the errors before they caused issues. The remaining 16% report cases where the errors slipped through and reached production environments.
https://www.helpnetsecurity.com/2026/06/05/ai-hallucinations-it-operations-research/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- AgentGG: Open-Source Agentic SAST Scanner
-
เตือนผู้ใช้ Instagram เปิดใช้ 2FA หลังพบช่องโหว่ในระบบกู้คืนบัญชีโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
