NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ
    1. หน้าแรก
    2. NCSA_THAICERT
    3. กระทู้
    • รายละเอียด
    • ติดตาม 0
    • คนติดตาม 3
    • กระทู้ 2,355
    • กระทู้ 2,356
    • ดีที่สุด 0
    • Controversial 0
    • กลุ่ม 2

    โพสต์ถูกสร้างโดย NCSA_THAICERT

    • BeyondTrust เตือนช่องโหว่ Critical ใน RS และ PRA เสี่ยงถูกข้ามการยืนยันตัวตน

      BeyondTrust เตือนช่องโหว่ Critical ใน RS และ PRA เสี่ยงถูกข้.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand be8fa15a-be16-4485-9e7b-385cd91ed8de-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ช่องโหว่ Backdoor ในเราเตอร์ Tenda เปิดทางผู้โจมตี Bypass Login และได้สิทธิ์ผู้ดูแลระบบ ยังไม่มีแพตช์แก้ไข

      ช่องโหว่ Backdoor ในเราเตอร์ Tenda เปิดทางผู้โจมตี By.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 19eada3b-a673-4e12-baee-424507a89c83-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ผู้ไม่หวังดีพุ่งเป้าสแกนช่องโหว่ความรุนแรงระดับวิกฤตบน Gitea Docker หลังการเปิดเผยข้อมูลเพียง 13 วัน

      ผู้ไม่หวังดีพุ่งเป้าสแกนช่องโหว่ความรุน.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 80258978-dbe1-4272-9dbe-848ef3288907-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อก

      เมื่อวันที่ 7 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability

      ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

      อ้างอิง

      https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-one-known-exploited-vulnerability-catalog

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 3 รายการลงในแคตตาล็อก

      เมื่อวันที่ 7 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 3 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability
      • CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 788160c0-7841-4cfc-9a7e-b950c61fc1c4-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 08 July 2026

      Industrial Sector

      • Hydro-Québec Le Circuit Electrique Charging Station Backend
        "Successful exploitation of these vulnerabilities could lead to privilege escalation, or result in a denial-of-service attack."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01
      • Siemens SINEC OS
        "SINEC OS before V4.0 contains multiple vulnerabilities. Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-05
      • Hitachi Energy PROMOD V
        "Hitachi Energy is aware of insecure HTTP transmission vulnerability in PROMOD V product versions listed in this document. This vulnerability could allow attackers to intercept or manipulate sensitive data in transit, potentially leading to credential theft, session hijacking, or unauthorized access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-02
      • Hitachi Energy e-Mesh EMS
        "Hitachi Energy is aware of a buffer overflow vulnerability that affects e-mesh EMS product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-03
      • Siemens Mendix Studio Pro
        "Mendix Studio Pro versions before V11.12 are affected by a file parsing vulnerability that could be triggered when the application reads specially crafted malicious project during the build pipeline. This could allow an attacker to execute arbitrary code in the context of that user. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-04
      • Labcenter Proteus 9
        "Successful exploitation of these vulnerabilities could disclose information and allow a malicious user to execute arbitrary code on affected installations."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-06
      • Digi International PortServer TS, Digi One SP IA
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and gain access to restricted resources, obtain credentials, and inject malicious scripts."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-07
      • Threat Landscape For Industrial Automation Systems. Q1 2026
        "The percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching 19.6% in Q1 2026. This is the lowest value in three years, and it is 1.4 times lower than in Q2 2023."
        https://securelist.com/industrial-threat-report-q1-2026/120643/

      New Tooling

      • Apple Container: Open-Source Tool For Linux Containers On The Mac
        "Developers on Apple silicon Macs have run Linux containers through software built around a single shared virtual machine for years. Apple’s open-source Container project gives each Linux workload its own lightweight virtual machine. Container is written in Swift and tuned for Apple silicon. It creates and runs Linux containers as lightweight virtual machines, and it works with OCI-compatible images, so a developer can pull from and push to any standard registry. Images built with it run in any other OCI-compatible application. Under the hood, it draws on the Containerization Swift package for low-level container, image, and process management."
        https://www.helpnetsecurity.com/2026/07/07/apple-container-open-source-linux-mac/
        https://github.com/apple/container

      Vulnerabilities

      • Security Advisory Bulletin 066
        "A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device."
        https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
      • BeyondTrust Warns Of Critical Flaws In Remote Access Software
        "BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication. The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges."
        https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-flaws-in-remote-access-software/
        https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
        https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
      • Tenda Firmware (multiple Versions) Contains Hidden Authentication Backdoor
        "Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials."
        https://kb.cert.org/vuls/id/213560
        https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html
        https://www.bleepingcomputer.com/news/security/hidden-backdoor-in-tenda-router-firmware-grants-admin-access/
        https://securityaffairs.com/194878/security/hidden-tenda-router-backdoor-grants-admin-access-no-patch-available.html
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability
        CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-one-known-exploited-vulnerability-catalog
      • Rogue Agent: How a Single Code Block Could Hijack Your AI Conversations In Google’s DialogFlow
        "Varonis Threat Labs discovered a critical vulnerability in Google Cloud Platform’s (GCP) Dialogflow CX service, Google’s flagship conversational AI platform for building interactive experiences across voice and text chatbots. We’ve named this latest discovery Rogue Agent. The vulnerability allowed attackers to exploit the Code Blocks feature to inject persistent malicious code into the Dialogflow agents’ pipeline, silently exfiltrating conversations and conducting large-scale phishing campaigns. To initiate, the exploit requires a single edit permission known as dialogflow.playbooks.update on one agent."
        https://www.varonis.com/blog/rogue-agent-dialogflow-attack
        https://www.darkreading.com/application-security/dialogflow-cx-rogue-agent-flaw-enabled-ai-chatbot-data-theft
        https://thehackernews.com/2026/07/rogue-agent-flaw-could-have-let.html
      • GitLost: How We Tricked GitHub’s AI Agent Into Leaking Private Repos
        "Noma Labs discovered a critical prompt injection vulnerability within GitHub’s new Agentic Workflows, allowing an unauthenticated attacker to silently pull data from private repositories by posting a crafted GitHub Issue in a public repository belonging to the same organization as the private repositories. Noma Labs named the vulnerability GitLost."
        https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
        https://thehackernews.com/2026/07/public-github-issue-could-trick-github.html
        https://www.darkreading.com/cyber-risk/gitlost-leaks-private-data-github-agentic-workflows
        https://hackread.com/gitlost-github-ai-agent-leaking-repository-data/
      • WriteOut: Abusing The Sandbox For a Critical Cross-Tenant Vulnerability In Writer AI
        "Every AI platform tells you the same comforting bedtime story. Don't worry, the code runs in a sandbox. Whatever the model generates, whatever the user uploads, whatever the agent decides to do at 2 a.m. with no human watching, it's all safely boxed in. The box is the boundary. Enter Writer AI, an enterprise platform where teams build their own AI agents. We found a way to turn Writer's own sandbox against its users: an agent could hand an attacker the keys to any account on the platform. We dubbed it WriteOut, and Writer has since fixed it. Until they did, an outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link."
        https://www.sandsecurity.ai/blog/writeout-writer-ai-cross-tenant
        https://thehackernews.com/2026/07/writer-ai-flaw-could-let-agent-previews.html

      Malware

      • Vidar Infostealer Being Spread Through Phishing Emails
        "First identified in 2018, Vidar operates under a Malware-as-a-Service (MaaS) model and continues to be distributed through various attack cases to this day. AhnLab SEcurity intelligence Center (ASEC) has been monitoring cases of Vidar distribution targeting Korea, and this report summarizes the Vidar distribution cases identified in the first half of 2026."
        https://asec.ahnlab.com/en/94363/
      • Connecting Scattered Spider: Defining A Cybercrime Collective Through Shared TTPs
        "Scattered Spider has attracted a lot of attention in recent years, including the mass media, especially after being attributed as the responsible party for a number of high profile attacks. Its initial days can be traced back to 2022, when notorious attacks started being attributed to Scattered Spider, such as the attack which compromised around 125 Twilio customers in August 2022 or the Caesars Palace and MGM Resort incidents in September 2023. These high profile attacks have led to law enforcement agencies taking action against the so-called Scattered Spider members. However, attacks attributed to Scattered Spider never stopped, with CISA and other organizations releasing advisories warning about its attacks even in 2025."
        https://www.group-ib.com/blog/connecting-scattered-spider/
        https://thehackernews.com/2026/07/court-filing-reveals-windows-device-id.html
        https://www.infosecurity-magazine.com/news/scattered-spider-as-cybercrime/
      • One Email Closer To The Edge: UNK_MassTraction & The Physics Of Exploitation
        "Beginning in May 2026, Proofpoint observed a new cluster of activity – tracked as UNK_MassTraction – exploiting CVE-2024-42009, a cross-site scripting vulnerability in Roundcube. The campaign targeted physics and engineering departments at major US and Canadian universities, with a focus on administrators and professors in departments with either national security ties, or entities studying astrophysics and particle physics. While the targeting appeared specific to these departments, the exploit only requires that the email is opened in the mail client to achieve access to the mailserver so the recipients may have been inconsequential."
        https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation
        https://thehackernews.com/2026/07/suspected-china-aligned-hackers-exploit.html
        https://www.bankinfosecurity.com/chinese-cyberespionage-exploits-university-roundcube-servers-a-32165
        https://cyberscoop.com/china-espionage-attacks-us-canada-universities-proofpoint/
        https://www.infosecurity-magazine.com/news/china-aligned-cluster-roundcube/
      • UAT-7810 Continues Building ORB Networks Using New Malware
        "Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor based on the infrastructure that it provides to secondary China-nexus APTs such as UAT-5918. Open-source reporting has also illustrated overlapping tooling between UAT-5918 and UAT-7810. However, at this time, Talos considers UAT-5918 and UAT-7810 separate APT actors tasked with their own set of objectives and targets. Talos’ latest findings on UAT-7810 indicate that the threat actor continues to develop their custom-made malware dubbed “SHORTLEASH” with a newer version already being developed and hosted on attacker-controlled infrastructure. We track this new version of SHORTLEASH as “LONGLEASH.”"
        https://blog.talosintelligence.com/uat-7810/
        https://www.bleepingcomputer.com/news/security/chinese-hackers-develop-longleash-malware-to-expand-orb-network/
      • RedWing: A Mobile Malware-As-a-Service Operation
        "The zLabs team has uncovered RedWing, a new Android spyware variant offered as a Malware-as-a-Service (MaaS) through a Telegram channel and appears to have links to Russian threat actors. Malicious operators distribute this rental-based malware through mobile-targeted phishing sites. A substantial number of the associated payloads and droppers currently evade detection by conventional security tools. This discovery looks like a new variant of the oblivion malware, due to the similarity on the dropper stage and some of the overlays used."
        https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation
        https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html
      • DEBULL: Storm-2372-Style Microsoft Device-Code Phishing With GraphSpy Post-Exploitation
        "The tradecraft has strong characteristics previously described in Microsoft Storm-2372 reporting: messaging or Teams-style lures, device-code authentication, Microsoft Authentication Broker usage, geo-plausible infrastructure, and device-registration relevant follow-on activity. We do not attribute the campaign directly to Storm-2372. We assess that the operator is using Storm-2372-style tradecraft through a reusable tooling layer we track as DEBULL. Follow-up analysis exposed the backend behind the campaign. The same IP that created the attacker-side Microsoft Authentication Broker session also served a DEBULL login panel directly."
        https://zerobec.com/blog/debull-storm-2372-microsoft-device-code-phishing-graphspy
        https://thehackernews.com/2026/07/debull-tooling-abuses-microsoft-device.html
      • Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders And File Inflation
        "In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and XMRig. Vidar stealer targets information like browser credentials, cookies and crypto wallets. XMRig mines Monero cryptocurrency."
        https://unit42.paloaltonetworks.com/vidar-stealer-xmrig-miner-campaign-analysis/

      Breaches/Hacks/Leaks

      • Accenture Confirms Breach After Hacker Offers Stolen Data For Sale
        "IT services giant Accenture has confirmed it suffered a security breach after a threat actor claimed to have stolen 35 GB of source code and other data from the company. "We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery," Accenture told BleepingComputer. Accenture is a global professional services company that provides consulting, technology, cloud, engineering, and managed services to businesses and governments worldwide."
        https://www.bleepingcomputer.com/news/security/accenture-confirms-breach-after-hacker-offers-stolen-data-for-sale/
      • County Government Reportedly Paid $1 Million To Cyber Extortion Group
        "A government entity in the US reportedly paid a $1 million ransom to the Kairos cyber extortion group to prevent the public dissemination of information stolen in a May 2025 intrusion, Ransom-ISAC reports. A leaked negotiation transcript shows that the extortion group demanded $3 million in cryptocurrency from the victim organization, but eventually settled for $1 million. Kairos claimed to have stolen over 2 terabytes of data, or approximately 1.6 million files, after accessing the victim’s environment in a brute-force attack."
        https://www.securityweek.com/county-government-reportedly-paid-1-million-to-cyber-extortion-group/
      • Major Japanese Telco Says Cyberattack Exposed 12 Million Emails
        "One of Japan's largest telecommunications providers said Monday that a cyberattack targeting an email platform it operates for internet service providers exposed more than 12.2 million customer email addresses and 7.6 million passwords. The company said the breach affected an email system used to manage customer email accounts, webmail services and email storage for five Japanese internet service providers. KDDI first disclosed the unauthorized access in June but only confirmed the scale of the data exposure after completing its forensic investigation and submitting a report to Japan's communications ministry earlier this week."
        https://therecord.media/major-japanese-telco-cyberattack-12-million-emails

      General News

      • Q2 2026 Vulnerability Trends Report
        "A total of 20,701 new CVEs were reported in the second quarter of 2026. Of these, 2,317 were “Critical” vulnerabilities with a CVSS score of 9.0 Or higher, accounting for 11.2% Of the total. Medium- and high-risk vulnerabilities, including those rated “High,” accounted for 51.7% Of the total. While the overall volume remained similar to Q1, the number of “Critical” vulnerabilities—which can cause immediate damage—increased by 62.5% From 1,426 in Q1."
        https://asec.ahnlab.com/en/94360/
      • Windows Platform Security For AI Agents
        "AI agents are no longer just answering questions, they are taking actions across systems with increasing autonomy. As they become persistent participants in how software runs, they introduce new risk to control and trust, challenging the security assumptions that have defined computing for decades. Developers are building agents that read files, invoke services, modify environments and chain operations together at increasing speed. That capability is powerful, but it raises a critical question: how do you ensure these systems remain trustworthy when they operate autonomously, at scale, on real data?"
        https://blogs.windows.com/windowsdeveloper/2026/06/02/windows-platform-security-for-ai-agents/
        https://www.helpnetsecurity.com/2026/07/07/microsoft-execution-containers-ai-agents-constraints/
      • Power Shortages Could Slow AI Data Center Expansion
        "AI adoption is increasing demand for data center capacity at the same time operators are running into limits around power, equipment, land, and permitting, according to NTT Data. Access to electricity is becoming a deciding factor in where new data centers are built, when new capacity comes online and how quickly AI projects can expand."
        https://www.helpnetsecurity.com/2026/07/07/ai-data-centers-demand-expansion/
      • CISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader And Original Thinker
        "Tarah Wheeler is CISO at TPO Group. TPO is an acronym for technology, policy and operations, and the firm provides cybersecurity consultancy for high-stakes organizations such as critical industries and federal agencies. But despite this elevated position, her journey was far from typical. “I absolutely did not choose this career on purpose,” she said. “No, I fell backwards into it. I feel like this career dragged me into an alley, coshed me over the head, and said, ‘You’re one of us now. kid’.” For Americans unfamiliar with British slang, the ‘cosh’ phrase would be better understood as ‘hit me over the head with a baseball bat’ – and it may be worth noting that although born in Washington, Wheeler is currently studying at Oxford in the UK."
        https://www.securityweek.com/ciso-conversations-tarah-wheeler-cybersecurity-leader-thought-leader-and-original-thinker/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) db681405-4874-44b2-8b40-19c467a38620-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Adobe เตือนเร่งอัปเดต ColdFusion หลังยืนยันช่องโหว่ Critical ถูกใช้โจมตีจริง

      Adobe เตือนเร่งอัปเดต ColdFusion หลังยืนยันช่องโหว่ C.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 728df355-67fb-4a8d-89a5-ea8914205baf-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Medtronic แจ้งเหตุข้อมูลรั่วไหล กระทบประชาชนกว่า 3.8 ล้านราย หลังถูกกลุ่ม ShinyHunters โจมตี

      Medtronic แจ้งเหตุข้อมูลรั่วไหล กระทบประชาชนกว่.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand e8fab952-bed1-43cb-92fd-27c17fa0b14e-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Flipper Devices ปรับแนวทางการพัฒนาเฟิร์มแวร์ Flipper Zero โดยมุ่งเน้นการมีส่วนร่วมของชุมชนนักพัฒนา

      Flipper Devices ปรับแนวทางการพัฒนาเฟิร์มแวร์ Flipper Zero โ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand baef9c2b-cea9-4a34-a685-530616d30644-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายกาi

      Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 6 รายการ เมื่อวันที่ 7 กรกฏาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

      • ICSA-26-188-01 Hydro-Québec Le Circuit Electrique charging station backend
      • ICSA-26-188-02 Hitachi Energy PROMOD V
      • ICSA-26-188-03 Hitachi Energy e-mesh EMS
      • ICSA-26-188-04 Siemens Mendix Studio Pro
      • ICSA-26-188-05 Siemens SINEC OS
      • ICSA-26-188-06 Labcenter Proteus 9
      • ICSA-26-188-07 Digi International PortServer TS, Digi One SP IA9

      อ้างอิง
      https://www.cisa.gov/news-events/ics-advisories 17878665-3a46-4411-8b74-3c21976a98bd-image.png

      โพสต์ใน OT Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อก

      เมื่อวันที่ 7 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CISA Adds One Known Exploited Vulnerability to Catalog

      ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 7f3a27c4-343c-46c6-b80a-d9d4d696f308-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 07 July 2026

      Financial Sector

      • The Future Of Payment Fraud Could Be Automated
        "Payment fraud is becoming more organized as criminal groups use fake websites, large-scale operations, and, in some cases, forced labor to steal money and personal information. Advances in agentic AI could automate many stages of payment fraud, from collecting and assembling stolen credentials to deploying password-cracking tools. CAPCO’s “US Payment Fraud Survey” found that consumers increasingly value fraud protection when choosing payment providers. Security was one of the most important factors for 63% of respondents, and 50% selected advanced fraud protection. Both ranked ahead of customer service, transaction speed, brand reputation, and rewards."
        https://www.helpnetsecurity.com/2026/07/06/key-payment-fraud-trends-report/

      New Tooling

      • Omnigent: Open-Source AI Agent Framework And Meta-Harness
        "Plenty of developers now keep several coding agents close at hand, reaching for Claude Code on one task and Codex or Cursor on the next. Each tool arrives with its own command line, its own handling of credentials, and its own way of running shell commands against a working directory. That spread leaves teams with a governance gap around where agent actions land and how much they cost. Omnigent, an open-source project, sits one level above those tools as a meta-harness. The common layer drives Claude Code, Codex, Cursor, OpenCode, Hermes, Pi, and agents a team writes in YAML, and a user swaps or combines them with one-line changes."
        https://www.helpnetsecurity.com/2026/07/06/omnigent-open-source-ai-agent-framework/
        https://github.com/omnigent-ai/omnigent

      Vulnerabilities

      • One Trigram At a Time: XSLeak Via Universal CSS Injection And DoS In Opera (GX)
        "This paper focuses on a critical browser vulnerability discovered in Opera GX that allows cross-site data exfiltration simply by visiting an attacker-controlled website, without requiring any user interaction. By abusing the browser’s GX Mods feature, what initially appears to be a harmless customization mechanism can be turned into a universal CSS injection affecting every webpage visited by the user. As we will see, this makes it possible to build a practical XS-Leak capable of exfiltrating sensitive information from arbitrary websites. The same attack vector also enables a denial-of-service attack affecting both Opera GX and Opera."
        https://zhero-web-sec.github.io/research-and-things/one-trigram-at-a-time-xsleak-via-universal-css-injection-and-dos-in-opera-(gx)
        https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
        https://www.infosecurity-magazine.com/news/opera-gx-flaw-gx-mods-css/
      • SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners With Self-Extracting Packing
        "Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss."
        https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
        https://arxiv.org/abs/2607.02357
      • 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape To Host On Intel And AMD x86 Systems
        "A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution. Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years."
        https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
        https://github.com/V4bel/Januscape
      • New TrojPix Attack Leaks Data From Air-Gapped Systems Via Video Cable Emissions
        "Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it is a way for stolen data to get out, not a way in. In the researchers' tests, TrojPix hit a peak throughput of 8.1 Mbps and reached as far as 208 meters, the two measured separately rather than together."
        https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html

      Malware

      • Max Severity Adobe ColdFusion Flaw Now Exploited In Attacks
        "Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel. ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems. Adobe released security updates on Tuesday to address the vulnerability, saying that it posed a high risk of exploitation and urging admins to deploy patches immediately."
        https://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/
        https://securityaffairs.com/194837/hacking/adobe-coldfusion-flaw-cve-2026-48282-now-exploited-in-the-wild.html
      • Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
        "Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access."
        https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html
      • Phishing Poses As Big-Brand Job Interview To Steal Google Accounts
        "A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals. The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page. To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies."
        https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/
        https://gist.github.com/BushidoUK/57c38d5ee75481fb237e968a537de778
      • Fake IT Support Calls On Microsoft Teams Push EtherRAT Malware
        "Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks. The campaign, reported by Palo Alto Networks' Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims' computers. According to a report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an "Employee Survey" lure and a malicious PDF attachment."
        https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/
        https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-28-Fake-IT-support-abuses-Teams-to-deliver-EtherRAT.txt
      • Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
        "Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore, an Iran-nexus APT group primarily targeting Israeli organizations, with a focus on IT providers, and government sectors. Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum. The framework reflects a mature and adaptable toolset built around a shared .NET foundation, while using multiple compilation formats across different components, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. The compilation format itself becomes the anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows."
        https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/
        https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
        https://www.infosecurity-magazine.com/news/new-iran-hacking-group-targets/
      • When Checking The URL Isn’t Enough: a Device Code Phishing Attack Via a Microsoft Website
        "One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, we encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant."
        https://securelist.com/microsoft-device-code-phishing-attack/120350/
      • Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. Of India/MoF Tax Infrastructure Via Multi-Stage DcRAT Deployment
        "Seqrite Lab actively tracks and analyse threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned threat clusters targeting both regional and international entities. As part of our latest investigation, we uncovered a campaign that demonstrates operational and technical similarities to a China-nexus threat cluster. Further analysis revealed overlapping TTPs with a prominent and highly active threat actor known for conducting cyber-espionage operations against Asian countries through the deployment of RAT-based malware."
        https://www.seqrite.com/blog/operation-dragonreturn-china-nexus-cyber-espionage-campaign-targeting-govt-of-india-mof-tax-infrastructure-via-multi-stage-dcrat-deployment/
        https://thehackernews.com/2026/07/suspected-china-nexus-hackers-use-fake.html
      • Novel Java-Based QuimaRAT Targets Windows, MacOS, And Linux
        "Remote access trojans (RATs) are legacy threats that continue to evolve alongside an expanding and ever-changing threat landscape. Following our recently published articles about novel and notable RATs, including KarstoRAT, the latest version of ClickFix, and ClickFix’s macOS variant, we analyzed QuimaRAT, a novel Java-based RAT that targets Windows, Linux, and macOS environments and is currently being sold on the dark web as a subscription-based RAT platform."
        https://www.levelblue.com/blogs/spiderlabs-blog/novel-java-based-quimarat-targets-windows-macos-and-linux
        https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html
      • Ukrainian Media Outlets Now Among 'priority Targets' For Russian Hackers
        "Russia-linked hackers are increasingly targeting Ukrainian media organizations, local officials warned, as news outlets continue to face pressure not only from cyber operations but also Russia's ongoing military attacks. Ukraine's domestic security agency, the SBU, said media organizations have become "one of the priority targets" for Russian hackers. Previous attacks have primarily sought to disrupt broadcasts, spread propaganda and undermine public trust."
        https://therecord.media/ukraine-media-organizations-priority-hacking-targets-russia

      Breaches/Hacks/Leaks

      • US Army Websites Defaced With Pro-Kurdish Sentiments, Insults To Trump
        "Multiple U.S. Army internet subdomains were defaced in a 404 hijacking campaign, CyberScoop has confirmed. As of Monday morning, error pages on two U.S. Army websites – oil.army.mil and ai2c.army.mil – displayed defacement messages visible to users. The messages denigrated President Donald Trump and United States Ambassador to Türkiye Tom Barrack, called to “FREE KURDISTAN,” And included another line reading “Kurdish sr was here.”"
        https://cyberscoop.com/us-army-websites-defaced-404-hijacking-kurdistan/

      General News

      • How To Prioritize AI Agent Security By Business Impact
        "Your CEO calls about an AI agent security incident in finance. He wants to know whether money moved, whether financial data was exposed, who owned the agent and why it had this level of access. The agent was connected to a spend management application to reconcile invoices, summarize vendor contracts and flag unusual payment activity. The breakdown occurred when the employee who configured it left and the OAuth grant remained active, allowing the agent to continue accessing vendor banking details, contract terms and internal approval notes even though its ownership and business purpose had changed."
        https://www.helpnetsecurity.com/2026/07/06/prioritize-ai-agent-security-business-impact/
      • OAuth, Guest Accounts, And Weak MFA Drive SaaS Risk
        "Organizations often create guest accounts to give contractors, suppliers, and partners temporary access to files and SaaS applications. Many of these accounts remain active long after they are needed, creating overlooked access paths to corporate data. Guest accounts accounted for 69% of monitored SaaS accounts in 2025, an increase of more than 1.9 million compared with the previous year, according to Kaseya’s 2026 SaaS Security Report: Closing the Unmanaged Trust Gap."
        https://www.helpnetsecurity.com/2026/07/06/saas-environments-security-risks-report/
      • Finding Vulnerabilities Was Never The Hard Part
        "I keep hearing the same frustration when I talk with security leaders. The real problem sitting on their desk isn’t finding vulnerabilities. It’s deciding which ones actually matter. The industry has spent billions on better visibility. We’ve convinced ourselves that if we could just discover more vulnerabilities, collect more data, and ingest more threat intelligence, we’d become more secure. But look around. Organizations still aren’t more secure. They’re just overwhelmed."
        https://cyberscoop.com/ai-cybersecurity-vulnerability-prioritization-op-ed/
      • Mid-Year Threat Trends: What H1 2026 Signals For The Rest Of The Year
        "The first half of 2026 has given security teams little room to breathe. Ransomware operators kept up a punishing pace. If that wasn’t enough, access brokers turned network intrusions into a marketplace, and nation-state activity blurred further into hacktivism and organized cybercrime. Taken together, the numbers point to a threat landscape that isn’t just growing louder; it’s becoming faster, more coordinated, and harder to attribute."
        https://cyble.com/blog/2026-threat-intelligence-trends/
      • It Might Feel Like We’ve Been Here Before, But We Haven’t
        "As artificial intelligence (AI) adoption surges and organisations move from the ‘should we?’ phase to the ‘how do we?’ phase, it’s natural to evaluate the likelihood of positive returns on AI investments. That’s always been the case with the onset of each new technology paradigm: C-suite executives, guided by their boards and aided by technical and business teams, remain keenly focused on traditional metrics such as return on investment, shareholder equity, developing and extending competitive advantage, and ensuring superior customer relationships."
        https://www.paloaltonetworks.com/blog/2026/07/it-might-feel-like-weve-been-here-before-but-we-havent/
        https://www.paloaltonetworks.com/resources/ebooks/executive-edge-peer-insights-governing-ai-and-agentic-systems-at-enterprise-scale
      • The Shift Toward Business-Aligned Risk Management
        "In the movie Moneyball, the Oakland A’s didn’t need more data; they needed to know which data actually won games. Risk assessment data has the same problem. A CVSS score of 9.1 might mean little to a CFO; the fact that it represents a vulnerability in a payment system processing $2 million daily means a great deal. This data must therefore link to information about operational disruptions that can cause financial loss, product delays, or draw the ire of regulatory authorities, for it to become more actionable."
        https://www.securityweek.com/the-shift-toward-business-aligned-risk-management/
      • FBI And Spanish Police Arrest Alleged Cyber Army Of Russia Reborn Member
        "Spanish police have arrested an alleged member of the pro-Russia hacktivist group Cyber Army of Russia Reborn, also known as Z-Pentest, in an operation carried out with support from the FBI. The arrest forms part of ongoing measures to identify and disrupt people involved in cyberattacks targeting critical infrastructure. The FBI confirmed that its Los Angeles field office worked with Spain’s National Police to coordinate the arrest. US authorities said the action falls under Operation Riptide, an international effort aimed at disrupting malicious cyber activity and holding those responsible accountable."
        https://hackread.com/fbi-spanish-police-arrest-cyber-army-russia-reborn-member/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 8d2199e2-aa21-4aa7-af80-1150927cb657-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • พบปฏิบัติการ JADEPUFFER ใช้ LLM Agent ดำเนินการโจมตีแรนซัมแวร์แบบอัตโนมัติ

      พบปฏิบัติการ JADEPUFFER ใช้ LLM Agent ดำเนินการโจมตีแรน.jpg

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 38ec3089-ef68-4654-8114-1f798e16ea4c-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • FBI เตือน TeamPCP เจาะเครื่องมือนักพัฒนา ขโมยข้อมูลรับรองคลาวด์และโจมตีแบบ Software Supply Chain

      FBI เตือน TeamPCP เจาะเครื่องมือนักพัฒนา ขโมยข้อม.jpg

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand eca84b7a-5312-4567-b866-b0ebdd91a139-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • พบแคมเปญ PolinRider กลุ่มแฮกเกอร์ฝังแพ็กเกจและส่วนขยายอันตราย 108 รายการ พุ่งเป้านักพัฒนาซอฟต์แวร์

      พบแคมเปญ PolinRider กลุ่มแฮกเกอร์ฝังแพ็กเกจ และส.jpg

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 33e130dc-5e85-4300-b9b9-6f8777b20f1d-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 July 2026

      Vulnerabilities

      • Seven FatFs Bugs, One Very Large Blast Radius
        "Heads up! If you ship firmware that touches FAT media (think any removable storage, like USB drives and SDCards), you'll want to pay attention to this post. This work was part of runZero's research into long-tail supply chain bug hunting using LLMs. We live in the future! Today, we're publishing seven CVEs documenting several vulnerabilities in FatFs project, ranging from CVSS Medium to High (no Criticals, phew!). The affected ecosystem includes some major non-hobby platforms like Espressif ESP-IDF, STMicroelectronics STM32Cube middleware, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, with downstream reach into consumer IoT, industrial controllers, drones, crypto wallets, and more."
        https://www.runzero.com/blog/fatfs-bugs/
        https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
      • New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
        "A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack."
        https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
        https://github.com/J-jaeyoung/bad-epoll
      • New ClamAV Security Patch Closes Seven Scanner Bugs Dating Back Two Decades
        "Open source antivirus scanning sits inside mail gateways, file upload checks, and endpoint tooling at organizations of every size. Much of that work runs through ClamAV, the scanning engine maintained by Cisco’s Talos group. The project released two patch versions, 1.5.3 and 1.4.5, carrying fixes for seven security flaws along with smaller hardening changes."
        https://www.helpnetsecurity.com/2026/07/06/clamav-security-patch-versions/

      Malware

      • Espionage Against The European Parliament: Member Of Committee Investigating Spyware Hacked With Pegasus
        "We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe. Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations."
        https://citizenlab.ca/research/member-of-committee-investigating-spyware-hacked-with-pegasus/
        https://thehackernews.com/2026/07/european-parliament-member.html
        https://therecord.media/pegasus-spyware-european-parliament-pega-committee-member
        https://www.bankinfosecurity.com/lawmaker-probing-pegasus-spyware-infected-using-same-malware-a-32153
        https://cyberscoop.com/pegasus-spyware-pega-committee-member-targeted/
        https://securityaffairs.com/194728/malware/pegasus-used-against-mep-investigating-pegasus-citizen-lab-finds.html
      • Verified X Ad Spreads Mac Malware, While ConsentFix Steals Microsoft Accounts
        "Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware. Researchers have discovered a ClickFix-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam."
        https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts
      • Armored Likho Digging a Snake Pit: Inside The Covert BusySnake Stealer Campaign
        "During our routine threat monitoring, we uncovered a new phishing campaign tied to a previously unknown APT group that we dubbed Armored Likho (also known as Eagle Werewolf based on circumstantial evidence). This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor."
        https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/
        https://thehackernews.com/2026/07/armored-likho-targets-government.html
      • The Anatomy Of a Shadow AI Supply-Chain Breach: Lessons From The 2026 Vercel Incident
        "The Vercel breach of April 2026 did not begin with a classic zero-day exploit, a misconfigured cloud bucket, or a sophisticated nation-state infrastructure implant. Instead, it unfolded when an unreviewed Artificial Intelligence (AI) tool became a trusted corporate connection without a standard enterprise security review. At first glance, the incident resembled a typical third-party software supply chain compromise. An AI tooling vendor, Context.ai, was breached via an employee account, allowing attackers to move downstream into a much larger technology provider: Vercel. However, the deeper architectural lesson lies in the relationship between the two entities. The breached tool was not part of an enterprise deployment; it was a consumer-grade browser extension self-adopted by an employee using a corporate identity."
        https://securityaffairs.com/194709/hacking/the-anatomy-of-a-shadow-ai-supply-chain-breach-lessons-from-the-2026-vercel-incident.html
      • Vibe Coded Extortion: Avalon’s Path From Legal Lure To CrownX Ransom Capabilities
        "Blackpoint’s Adversary Pursuit Group (APG) identified and analyzed a previously undocumented malware framework, now tracked as Avalon, delivered through a multi-stage phishing chain designed to evade conventional security controls. The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive. Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer."
        https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/
        https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
      • Lazarus-Linked Npm Malware Masquerades As Rollup Polyfills
        "The JFrog Security research team identified a malicious npm package cluster masquerading as Rollup polyfill tooling. The two entry packages, rollup-packages-polyfill-core and rollup-runtime-polyfill-core, imitate the naming, README content, repository metadata, and package shape of the legitimate rollup-plugin-polyfill-node project."
        https://research.jfrog.com/post/rollup-polyfill-masquerading/
        https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
      • PamStealer: a Rust-Based MacOS Infostealer That Validates Credentials Through PAM
        "While reviewing results from our sample pipeline, Jamf Threat Labs identified a macOS infostealer distributed as a compiled AppleScript (.scpt) file impersonating “Maccy,” a legitimate open-source clipboard manager. We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it. PamStealer is delivered in two stages. The first is a compiled AppleScript distributed inside a disk image that downloads and stages a second-stage payload. The second is a Rust-based Mach-O infostealer responsible for credential theft, browser data collection, persistence and exfiltration. The dropper is hosted on the fake domain maccyapp[.]com, which impersonates the legitimate Maccy project."
        https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/
        https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html
        https://hackread.com/pamstealer-malware-macos-fake-maccy-clipboard-app/
      • PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
        "PolinRider is a supply chain campaign linked to North Korean threat actors associated with the broader Contagious Interview / Famous Chollima activity cluster. Our latest findings show that the campaign has expanded beyond npm into additional open source ecosystems, with 162 malicious release artifacts identified across 108 unique packages, including compromise traces in 80 Go modules, 10 Packagist packages, and one Chrome extension. The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access."
        https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands
        https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html
      • FBI: TeamPCP Compromised Dev Tools To Steal Cloud Credentials
        "On July 2, 2026, the FBI published a FLASH alert identifying the criminal group called TeamPCP and detailing how it compromised widely used developer and security tools to steal credentials from victim environments at scale. The targets weren’t end users. They were the tools developers trust every day inside their build pipelines. TeamPCP is behind multiple supply chain attacks, in the past, they targeted PyPI packages and NPM repositories, and most recently the “Mini Shai-Hulud” campaign also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply."
        https://securityaffairs.com/194741/cyber-crime/fbi-teampcp-compromised-dev-tools-to-steal-cloud-credentials.html
        https://www.ic3.gov/CSA/2026/260702.pdf

      Breaches/Hacks/Leaks

      • AdaptHealth Says Attackers Sweet-Talked Their Way Into Cloud Systems And Stole Patient Data
        "AdaptHealth says attackers used social engineering to breach its systems and steal sensitive patient data, including passwords associated with insurance billing. The medical equipment company disclosed the attack to the Securities and Exchange Commission (SEC) on Thursday, noting that attackers accessed internal patient management systems, document storage platforms, and external electronic health record system portals. The attack targeted an unwitting third-party contractor, through which the cybercriminals gained entry to the company's cloud environment, where they accessed business applications holding sensitive data."
        https://www.theregister.com/security/2026/07/03/adapthealth-crooks-stole-our-passwords-patient-health-data/5266512
      • Kairos Ransomware: Data-Extortion Case Study Involving a U.S. Government Entity
        "A leaked negotiation transcript and payment-flow analysis of a successful $1 million ransom payment by a U.S. government body to Kairos — a data-extortion actor whose "ransomware group" status remains unverified — including fund tracing to ByBit, OKX, and BELQI exchange touchpoints."
        https://ransom-isac.org/blog/kairos-ransomware-data-extortion-case-study/
        https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html
        https://securityaffairs.com/194750/security/u-s-government-agency-paid-1m-to-data-extortion-group-kairos.html

      General News

      • Q2 2026 Attack Techniques Trend Report
        "The second quarter of 2026 was marked by a notable increase in actual exploits that targeted public assets, identities, and AI stacks. The number of CISA KEV listings reached 75, an increase of approximately 27% compared to the same period in 2025. Primary targets included web and server applications, endpoints, network perimeter devices, and remote management tools, and also included vulnerabilities related to AI and the supply chain. The percentage of listings associated with ransomware rose from 8.5% In the same period of 2025 to 16.0%."
        https://asec.ahnlab.com/en/94320/
      • Chinese LLMs Broaden The Gap Between Attackers & Defenders
        "Chinese companies released two new AI models in the past month that have pushed the boundaries of the nation's capabilities for vulnerabilities discovery and caused concerns among some cybersecurity experts. On June 13, Chinese firm Zhipu AI released an open-weight model, GLM 5.2, that subsequent testing found outperforms Anthropic's Opus and Open AI's GPT-5.5 on some bug-finding benchmarks and costs only $0.17 per vulnerability found. Two weeks later, another firm, 360 Security Technology, released a frontier-model-based security tool, Tulongfeng (aka "Dragon Saber"), that its founder touted as China's version of Mythos, claiming it had already found more than 3,400 vulnerabilities, according to a Reuters report."
        https://www.darkreading.com/cyber-risk/chinese-llms-broaden-gap-between-attackers-and-defenders
      • Non-Interactive SSH Attacks Dominate After Login
        "Anyone who runs a server with SSH exposed to the internet sees the same pattern in the logs. A steady stream of automated scanners tries to log in, hour after hour, from addresses all over the world. The common picture of what comes next has an attacker landing a shell, looking around the system, and typing commands. The reality recorded across eleven research honeypots looks almost nothing like that. Eleven SSH honeypots ran on cloud servers in Frankfurt, Germany, for fifteen days in late May and early June, in a study by researchers at the Czech Technical University in Prague. Together they logged 177,622 authenticated sessions, every one an attacker who got past the login."
        https://www.helpnetsecurity.com/2026/07/03/research-non-interactive-ssh-attacks/
        https://arxiv.org/pdf/2606.28006
      • Organizations Struggle To Prioritize Known Cyber Risks
        "Organizations collect more cyber risk data than ever, with many still struggling to build a unified view of their exposure. The latest State of Threat Management report from Filigran found that security teams continue to work across disconnected tools, leaving important context spread across multiple systems. Cloud infrastructure, on-premises environments, third-party services, vulnerability scanners, threat intelligence feeds, and attack surface management platforms all generate information about potential risk."
        https://www.helpnetsecurity.com/2026/07/03/cyber-risk-exposure-report/
      • Qilin Dominates Ransomware Market Amid Growing Cybercrime Consolidation
        "The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub. Yet despite Qilin's strong position, the rapid emergence of other groups, such as The Gentlemen, demonstrates how quickly the cybercrime landscape continues to evolve. Lotem Finkelstein, VP research at Check Point, highlighted that based on the cybersecurity firm’s research in their 2026 Cyber Security Report, Qilin now holds around 16% of the cybercriminal market share."
        https://www.infosecurity-magazine.com/news/qilin-dominates-ransomware-market/
      • Which Industry & Country Has The Worst Email Security? An Analysis Of 5,800+ Domains For SPF, DMARC, DKIM & MTA-STS Protocols
        "Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails. We analyzed the live DNS records for 5,849 domains across 13 sectors, scoring each domain on eight points based on its Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Mail Transfer Agent Strict Transport Security (MTA-STS)."
        https://www.comparitech.com/news/which-industry-country-has-the-worst-email-security-an-analysis-of-5800-domains-for-spf-dmarc-dkim-mta-sts-protocols/
        https://securityaffairs.com/194677/security/government-and-healthcare-are-the-weakest-links-in-global-email-security.html

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 7ef8063e-9062-4613-8503-22f32314f6ab-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Apple ออกอัปเดตแก้ไขช่องโหว่หลายรายการใน iOS, macOS และ Safari

      Apple ออกอัปเดตแก้ไขช่องโหว่หลายรายการใน iOS, macOS.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 1e141423-9a4e-4b9e-92c3-90021047a418-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Kubota North America เผยผู้โจมตีเข้าถึงระบบเครือข่ายนานกว่าหนึ่งเดือน กระทบข้อมูลพนักงานและผู้ติดตาม

      Kubota North America เผยผู้โจมตีเข้าถึงระบบเครือข่ายน.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 1b9775f6-85e6-4276-b802-f08cf18619a2-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • เชื่อมโยงแคมเปญขโมยข้อมูล FortiBleed กับกลุ่มมัลแวร์เรียกค่าไถ่ Lynx และ INC

      เชื่อมโยงแคมเปญขโมยข้อมูล FortiBleed กับกลุ่มมั.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 72fd65eb-4f8d-4bce-9e2d-9316ae6cb75c-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 03 July 2026

      Industrial Sector

      • Building More Resilient CNI: What Industry Pen Testers Told Us
        "For those of us working in operational technology here at the NCSC, part of our job is to engage with penetration testers. Also known as ‘pen testers’, it’s their job to try to break into systems, poke holes in your infrastructure and find any weak spots. These can then be patched to improve the system’s resilience against attackers who have the same skills, but bad intentions. In this blog, we’ll explain what pen testers told us when we asked: ‘What can organisations do to make your job harder?’"
        https://www.ncsc.gov.uk/blogs/building-more-resilient-cni-what-industry-pen-testers-told-us
        https://www.infosecurity-magazine.com/news/ncsc-tips-make-pen-testers-job/

      Vulnerabilities

      • New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure
        "Threat actors began exploiting the latest CitrixBleed-like vulnerability in NetScaler ADC and NetScaler Gateways less than 24 hours after public disclosure, Scottish cybersecurity firm Lupovis reports. Tracked as CVE-2026-8451 (CVSS score of 8.8), the security defect was disclosed on June 30, when Citrix rolled out patches, and attack surface management company watchTowr published technical details on it. The bug is described as an out-of-bounds read issue affecting NetScaler appliances configured as SAML IDP and leading to memory disclosure."
        https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-45659 Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
        https://www.bleepingcomputer.com/news/security/cisa-microsoft-sharepoint-rce-flaw-now-actively-exploited/
        https://www.securityweek.com/cisa-warns-of-actively-exploited-microsoft-sharepoint-vulnerability/
        https://securityaffairs.com/194654/security/u-s-cisa-adds-a-microsoft-sharepoint-server-flaw-to-its-known-exploited-vulnerabilities-catalog.html
        https://www.theregister.com/security/2026/07/02/microsoft-said-exploitation-was-less-likely-but-cisa-just-added-sharepoint-rce-to-kev-list/5265886
      • Apple’s Hide My Email Doesn’t Hide It Very Well
        "404 Media reports that a researcher has found a vulnerability in Apple’s Hide My Email feature that could allow someone to discover a person’s real email address. That’s especially concerning because protecting your real email address is exactly what the feature is designed to do. 404 Media did not publish technical details of the vulnerability to avoid helping attackers exploit it, but said it independently verified that the issue works."
        https://www.malwarebytes.com/blog/news/2026/07/apples-hide-my-email-doesnt-hide-it-very-well
      • WinRAR Flaw Could Allow Attackers To Take Control Of Your Computer
        "Rarlab has released a new version of the popular WinRAR tool to patch a vulnerability that can be abused in remote code execution attacks. The issue is fixed in WinRAR 7.23, but users must install the new version manually because WinRAR still does not offer automatic updates. They also need to make sure they download the version that matches their system and language preference. There are five operating system to choose from (Windows, macOS, Android, Linux, and FreeBSD), which shouldn’t be too hard. More people will struggle with choosing 64 bits, 32 bits, or ARM, which requires checking their system specifications."
        https://www.malwarebytes.com/blog/news/2026/07/winrar-flaw-could-allow-attackers-to-take-control-of-your-computer

      Malware

      • JADEPUFFER: Agentic Ransomware For Automated Database Extortion
        "Ransomware has had a human at the keyboard, or at least a human writing its script, since it was first established as a category of threat. The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM). This operator, which we have dubbed JADEPUFFER, gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim's production database server. JADEPUFFER is considered an agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit."
        https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
        https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
        https://hackread.com/sysdig-jadepuffer-first-agentic-ransomware-operation/
        https://www.theregister.com/security/2026/07/02/smooth-ai-criminal-drives-first-end-to-end-agentic-ransomware-attack/5266073
      • Fake Google And Cloudflare Verification Pages Spread Multiple Malware Families
        "ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices. A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system. We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families
      • Indirect Prompt Injection In Web Content Targets AI Agents
        "AI agents are increasingly changing how users interact with web content, making the content itself a growing attack surface for threat actors. Just as a human user can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Indirect prompt injection (IPI) is an example of these types of attacks that embed malicious instructions in the content retrieved by an AI agent (websites, documents, email, etc.) to influence the agent’s reasoning during task execution. Zscaler ThreatLabz has observed malicious websites that impersonate legitimate services and use IPI to manipulate AI-driven workflows."
        https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents
      • From CitrixBleed 2 To Cloudflared: The Tools And Techniques Behind Anubis Ransomware Attacks
        "Throughout 2026, Arctic Wolf has investigated multiple Anubis ransomware intrusions. Although threat actor tradecraft differs between intrusions, key themes have emerged: abuse of VPN infrastructure, blending in with legitimate activity through the use of Remote Monitoring and Management (RMM) solutions, and using other legitimate binaries on victim devices. Public reporting has focused largely on the group’s ransomware-as-a-service (RaaS) model, affiliate program, and encryptor payloads. In this research publication, we provide new insight into initial access techniques in Anubis ransomware cases, including exploitation of CitrixBleed 2 (CVE-2025-5777). We also report on the stealthy use of RMM tooling to blend in with legitimate activity, as well as various other techniques used to evade safeguards in victim environments. An understanding of these behaviors provides defenders with opportunities for early detection and containment."
        https://arcticwolf.com/resources/blog/citrixbleed-2-to-cloudflared-the-tools-and-techniques-behind-anubis-ransomware-attacks/
        https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
      • Remus Stealer: A New, Not-So-New Infostealer
        "The underground marketplace rarely stays quiet for long. A new information-stealing malware dubbed Remus Stealer has surfaced in the cybercrime underground, exhibiting significant similarities to the notorious Lumma malware family across its administration panel, stolen log files, and core code structure. Despite parallels in its code and functionality, threat actors are eagerly buying into the platform. In addition to its familiar features, it provides attackers with a distinct, modern command and control (C2) and networking infrastructure designed to slip past current security perimeters."
        https://flashpoint.io/blog/remus-stealer-a-new-not-so-new-infostealer/
      • Vect And TeamPCP Partner For Ransomware Campaigns
        "Counter Threat Unit™ (CTU) researchers investigated two interconnected threat groups known as Vect and TeamPCP. The two groups announced a formal operational partnership in late March 2026 to combine TeamPCP’s credential harvesting and data theft capabilities with Vect’s ransomware deployment infrastructure in a widespread campaign involving supply chain attacks and the extortion of multiple organizations."
        https://www.sophos.com/en-us/blog/vect-and-teampcp-partner-for-ransomware-campaigns
      • Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool
        "Insikt Group has identified new infrastructure associated with the TAG-182 threat cluster, used to disseminate MarkiRAT malware in support of Iranian government surveillance operations. It is highly likely that TAG-182 is targeting Iranians living inside and outside the country using different lures, including free download tools and fake VPN applications. The group’s operations are highly likely active across social media platforms like Instagram. As the kinetic conflict with the United States and Israel has subsided since April 2026, Iran's security apparatus is likely redirecting its focus toward intensified cyber surveillance and digital enforcement operations targeting perceived dissidents and alleged foreign collaborators."
        https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat
        https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-ir-2026-0701.pdf
      • The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers To Kill Security
        "Defense evasion has quietly become one of the most consequential stages of an advanced cyber intrusion. As security products have grown harder to beat, attackers have changed their tactics. Rather than attempting to fly under the radar, they are opting to switch off security altogether. With ransomware attacks, in particular, attempting to disable security software is now a standard part of the attack chain. One technique has come to dominate the area of defense evasion and, over the past three years, it has become something close to an epidemic. The Bring Your Own Vulnerable Driver (BYOVD) technique lets attackers abuse flaws in legitimate, validly signed kernel drivers to seize control of the Windows kernel itself and operate at the highest level of privilege on a machine."
        https://www.security.com/threat-intelligence/byovd-vulnerable-drivers

      Breaches/Hacks/Leaks

      • Medtronic Notifies Customers Impacted By ShinyHunters Data Breach
        "Healthcare device firm Medtronic is notifying affected customers about a data breach that exposed their personal data to an unauthorized third party. The company previously confirmed that its IT systems were compromised by hackers, and the infamous data extortion group ‘ShinyHunters’ claimed the attack. The threat actor said that they were holding 9 million Medtronic records with personally identifiable information (PII) and internal corporate data."
        https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/
        https://www.theregister.com/security/2026/07/02/pacemaker-manufacturer-medtronic-warns-patients-cybercrooks-may-have-swiped-health-data/5265768

      General News

      • Under Pressure: Insights From The 2026 Exposure Gap Report
        "Risk is concentrating. The 2026 Exposure Gap Report shows vulnerabilities claiming a larger share of critical exposure, and that shift has real implications for how security teams prioritize their response. Two findings are central to this change. Vulnerabilities now represent a much larger share of critical exposure, and only a small percentage of vulnerability alerts are validated as exploitable. Together, these findings show why prioritization depends on context, validation, and a clear understanding of which exposures require action."
        https://blog.checkpoint.com/exposure-management/under-pressure-insights-from-the-2026-exposure-gap-report/
      • The Endpoint Recovery Gap Many Teams Discover During An Incident
        "In this interview with Help Net Security, IGEL CTO Matthias Haas explains why backups alone do not equal recovery. He makes the case that endpoint recovery is often overlooked, leaving organizations exposed when thousands of devices go down at once. Haas walks through what a well-planned recovery looks like, where the bottlenecks appear, and why restoring trusted user access matters more than counting blocked threats. He also shares how security leaders can convince a CFO to fund recovery capability before an incident proves it was worth the spend."
        https://www.helpnetsecurity.com/2026/07/02/matthias-haas-igel-endpoint-recovery-gap/
      • Catching Ransomware On The Wire Before It Locks The File Server
        "Corporate networks keep sensitive files off individual workstations and store them on shared servers that staff reach through mapped network drives. That arrangement hands ransomware operators a target worth chasing. A single compromised laptop can begin encrypting files that live on a server across the building, and the encryption travels over the network as ordinary file-sharing traffic. Endpoint detection tools watch the machine they run on. When the encryption lands on a remote file server, the server does little of the visible work. It accepts read and write commands from a client and carries them out, the same way it serves any legitimate user. The agent on the server records normal operation. The agent on the client sees an application touching mapped files. Damage settles in the gap between the two machines, where each agent has a poor view."
        https://www.helpnetsecurity.com/2026/07/02/shared-storage-ransomware-detection-research/
        https://arxiv.org/pdf/2606.30586
      • What The AI Patch Gap Means For Enterprise Security
        "Open-source maintainers are receiving more vulnerability reports than they can act on, and a rising share now comes from an AI system working at machine speed. Over roughly two months this spring, Anthropic’s Claude Mythos Preview combed through more than 23,000 open-source code paths and routed verified findings to the projects that own them. Tuskira studied what happens to those findings once they reach human hands. The program reported 1,596 verified vulnerabilities, spread across hundreds of projects over a window of about nine weeks. Six external security research firms triaged the findings before they reached maintainers."
        https://www.helpnetsecurity.com/2026/07/02/open-source-ai-patch-gap/
      • Cybercrime In Australia 2025
        "In 2025, 10,593 online Australians participated in the Australian Cybercrime Survey. Nearly half of all respondents reported having been a victim of some form of cybercrime in the 12 months prior to the survey. This included online abuse and harassment (24.9% of respondents), followed by malware (21.5%), identity crime and misuse (20.6%) and fraud and scams (11.4%). One in five respondents experienced multiple types of cybercrime. Between 2024 and 2025, the proportion of respondents who had been a victim of online fraud and scams increased."
        https://www.aic.gov.au/publications/sr/sr59
        https://www.darkreading.com/cybersecurity-analytics/aussies-face-reduced-cybercrime-risk-pressure-shifts-smbs
      • Apple Reverses Age-Old Patch Policy To Keep Up With AI
        "Apple is changing its approach to security patching, in response to the growing threat of accelerated artificial intelligence (AI) attacks. The company has historically saved big, bundled sets of bug fixes for new versions of its operating system (OS). That's set to change. The company released a variety of security updates June 29 for iPhones, iPads, Macbooks, and the Safari browser, untethered to any major version releases. It's hardly the first time it's released security updates out-of-band, but the motivation was different this time. According to Reuters, the company said "it was adapting to the reality that, given the ability of artificial intelligence to speed the development of malicious hacking tools, it ⁠needed to reduce the time between when updates were first made public and when they were put into customers' hands.""
        https://www.darkreading.com/cybersecurity-operations/apple-patch-policy-ai
      • When Too Much Security Data Became The Risk
        "For years, conventional wisdom in security operations was simple: collect everything. Logs were cheap. Storage was plentiful. And the more data a team had, the more confident it could feel about detection and forensics. That assumption quietly broke as organizations scaled. At Vensure Employer Solutions, a privately held HR services and payroll provider supporting more than 95,000 businesses, telemetry volume did not just grow; it exploded. Rapid acquisitions, expanding infrastructure, and a growing customer base turned routine firewall traffic into a relentless stream of raw data flowing into the company's security information and event management (SIEM) environment."
        https://www.darkreading.com/cyber-risk/too-much-security-data-risk
      • Researcher Behind 'Exploitarium' Explains Release Of Undisclosed Zero-Day Exploits
        "A pseudonymous security researcher has released over 30 proof-of-concept exploits for zero-day vulnerabilities in open-source projects without disclosing them to the maintainers first. The dump, called ‘Exploitarium,’ was shared publicly on GitHub by an individual going by name ‘bikini’ and ‘ashdfrkl’ on Discord. First published on June 27, the repository initially included around 15 exploits, before the researcher updated it over the next few days with new entries."
        https://www.infosecurity-magazine.com/news/researcher-exploitarium-exploits/
      • Missed Incidents, Persistent Threats, And Response Gaps: Insights From Compromise Assessment Projects
        "The following analysis presents the key findings from Kaspersky Compromise Assessment engagements performed in 2025. A compromise assessment is an independent, expert-driven service that examines whether a target network has been compromised. The service combines threat intelligence analysis (including darknet sources), tool-aided endpoint scanning, a systematic review of security event logs and network traffic, and, when necessary, an initial incident response and digital forensic investigation. This report focuses on missed incidents – threats that remained undetected for weeks, months, or even years."
        https://securelist.com/compromise-assessment-findings-2025/120542/
      • How To Conduct a Successful Audit Of AI-Driven Software Development
        "Traditionally, an audit independently examines records, processes and controls to verify compliance and assess financial and operational integrity. In the modern world, such an approach should extend to the software development lifecycle (SDLC) – especially in the age of artificial intelligence (AI) or large language model (LLM)-assisted code. Chief Information Security Officers (CISOs) and their teams need proof that developers are producing protected products, because one in five organizations has experienced a serious security incident directly tied to AI-generated code. Getting to the root of the problems requires visibility into who is leveraging AI, what tools they are using and where AI-generated code is introduced into the SDLC. This is considered the ADLC: the agentic development lifecycle."
        https://www.securityweek.com/how-to-conduct-a-successful-audit-of-ai-driven-software-development/
      • Google’s Continued Disruption Of Malicious Residential Proxy Networks
        "Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks."
        https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks
        https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 820e18b2-6258-4b01-aaf0-f765073f98dc-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT