
Cyware Daily Threat Intelligence


Daily Threat Briefing Apr 24, 2023

Promoting fake software downloads on search engines is a go-to tactic for cybercriminals. Cybersecurity researchers have uncovered a new BumbleBee loader campaign that uses Google advertisements to promote trojanized versions of widely used applications. Also making headlines is the first-ever exploitation of Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors: the adversaries drop DaemonSets to commandeer the resources of the compromised K8s clusters. The end goal, however, is to mine cryptocurrency.

A rather serious bug has been neutralized by Google. Security researchers reported a 0-day in Google’s Cloud Platform (GCP) that impacted all users. Named GhostToken, the vulnerability could make a malicious application invisible and unremovable.

Top Breaches Reported in the Last 24 Hours

Canadian directory publisher suffered attack

Yellow Pages Group disclosed a cyberattack after the Black Basta ransomware and extortion group posted sensitive stolen data over the weekend. Affected records include scans of passports and driving licenses, tax documents, Social Insurance Numbers, sales and purchase agreements, account sheets, and budget and debt forecast documents.

Ransomware cripples tank storage firm

Fossil fuel tank storage company Vopak was targeted by a ransomware group, resulting in the theft of critical business information from its systems. Vopak has been operational since 1616 and runs terminals in the port of Rotterdam and the Eemshaven in Groningen, while also having a widespread presence across several countries worldwide.

Top Malware Reported in the Last 24 Hours

Malware impersonates top software

The Bumblebee malware was spotted spreading via fake installers of well-known software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. It leverages Google Ads and SEO poisoning campaigns to rank itself in the top search results when a user is looking for it on the search engine. In one instance, hackers promoted a fake Cisco AnyConnect Secure Mobility Client download page.

Kubernetes RBAC abused for crypto-mining

Cloud security firm Aqua uncovered a massive crypto-mining campaign that creates backdoors and runs miners using Kubernetes (K8s) Role-Based Access Control (RBAC). In this attack, threat actors also check for the presence of other miner malware on the server and then establish persistence using the RBAC. Additionally, they deploy DaemonSets to access resources of the K8s clusters.
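The persistence pattern described above (a powerful RBAC binding handed to an unexpected ServiceAccount, followed by a DaemonSet that lands a workload on every node) is something a cluster operator can check for from the API server's own objects. The following audit script is an added example, not code from Cyware or Aqua; it reads the JSON that `kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json` produce, and the two samples embedded at the bottom are constructed. The registry allowlist and the `kube-controller` namespace name are assumptions for illustration.

```python
"""Audit Kubernetes ClusterRoleBindings and DaemonSets for RBAC-backed persistence.

Added example (not Cyware's or Aqua's code). Input format is the JSON that
`kubectl get clusterrolebindings -o json` / `kubectl get daemonsets -A -o json`
emit; the samples below are constructed for illustration.
"""
import json

SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
# Assumption: only these registries are approved for node-level agents.
ALLOWED_REGISTRIES = ("registry.k8s.io/", "registry.internal.example/")
# Built-in subjects that should never hold a powerful ClusterRole.
SUSPICIOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
POWERFUL_ROLES = {"cluster-admin", "admin", "edit"}


def audit_clusterrolebindings(crb_list):
    """Flag ClusterRoleBindings that hand powerful roles to unexpected subjects."""
    findings = []
    for crb in crb_list.get("items", []):
        name = crb["metadata"]["name"]
        role = crb.get("roleRef", {}).get("name", "")
        for subj in crb.get("subjects") or []:
            sname = subj.get("name", "")
            ns = subj.get("namespace", "")
            if sname in SUSPICIOUS_SUBJECTS:
                findings.append(f"crb/{name}: binds {role} to {sname}")
            elif (subj.get("kind") == "ServiceAccount"
                  and role in POWERFUL_ROLES
                  and ns not in SYSTEM_NAMESPACES):
                findings.append(f"crb/{name}: {role} granted to ServiceAccount {ns}/{sname}")
    return findings


def audit_daemonsets(ds_list):
    """Flag DaemonSets whose pod template looks like a cluster-wide miner rollout."""
    findings = []
    for ds in ds_list.get("items", []):
        ns = ds["metadata"]["namespace"]
        name = ds["metadata"]["name"]
        pod = ds["spec"]["template"]["spec"]
        if pod.get("hostPID") or pod.get("hostNetwork"):
            findings.append(f"ds/{ns}/{name}: shares host PID or network namespace")
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            image = c.get("image", "")
            if not image.startswith(ALLOWED_REGISTRIES):
                findings.append(f"ds/{ns}/{name}: container {c['name']} uses unapproved image {image}")
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(f"ds/{ns}/{name}: container {c['name']} runs privileged")
    return findings


def run_audit(crb_json, ds_json):
    """Parse both kubectl JSON documents and return findings grouped by object type."""
    return {
        "clusterrolebindings": audit_clusterrolebindings(json.loads(crb_json)),
        "daemonsets": audit_daemonsets(json.loads(ds_json)),
    }


# Constructed sample: one legitimate binding and one that mimics the persistence step.
SAMPLE_CRB_JSON = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "kube-controller-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-controller"}]},
]})

# Constructed sample: a normal kube-proxy DaemonSet and a suspicious one.
SAMPLE_DS_JSON = json.dumps({"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
    {"metadata": {"name": "kube-controller", "namespace": "kube-controller"},
     "spec": {"template": {"spec": {"hostPID": True, "containers": [
         {"name": "agent", "image": "docker.io/constructed-example/agent:latest",
          "securityContext": {"privileged": True}}]}}}},
]})

if __name__ == "__main__":
    for kind, items in run_audit(SAMPLE_CRB_JSON, SAMPLE_DS_JSON).items():
        print(f"{kind}: {len(items)} finding(s)")
        for line in items:
            print("  " + line)
```

Run it against live output with `kubectl get clusterrolebindings -o json > crb.json` and `kubectl get daemonsets -A -o json > ds.json`, then pass the file contents to `run_audit`. Namespaces that deliberately mimic system components, cluster-admin bindings to ServiceAccounts outside `kube-system`, and DaemonSets pulling from unapproved registries with host namespaces or privileged containers are the combination worth alerting on; any one of them alone is common in legitimate clusters.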

Top Vulnerabilities Reported in the Last 24 Hours

Google fixes GCP bug

Google patched a security hole dubbed GhostToken that affects all the users of Google Cloud Platform (GCP). This flaw enables attackers to gain access to user accounts through the installation of malicious OAuth applications obtained from either the Google Marketplace or third-party providers. Criminals can hide malicious apps by abusing this flaw.

Critical ICS bug in RTU

A remote terminal unit (RTU) manufactured by Slovenia-based industrial automation company Inea had a flaw that could potentially harm industrial organizations using it. The OS command injection bug is tracked as CVE-2023-2131 and could allow an unauthorized user to perform remote code execution. It impacts Inea ME RTUs running firmware versions prior to 3.36.
