
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 24, 2023

The use of Kubernetes secrets introduces security risks that organizations should be aware of. Security researchers recently identified multiple instances of publicly exposed Kubernetes configuration secrets, including those belonging to Fortune 500 companies, opening the door to unauthorized access and supply chain attacks. A sophisticated malware loader is back in the picture, distributed through phishing messages that use delivery- and shipping-themed lures. The malware, which initially targeted Italian organizations, deploys the Ursnif trojan, hosts its components on Discord, and uses the MQTT protocol for stealth and evasion.

Proof-of-Concept (PoC) risk update - Organizations are urged to patch a critical zero-day flaw in Windows SmartScreen technology after a PoC exploit for it emerged. Successful exploitation may lead to phishing attacks, malware distribution, and other cybersecurity threats.

Top Breaches Reported in the Last 24 Hours

New Relic issues security advisory

Third-party experts are investigating a security incident experienced by web tracking and analytics company New Relic, as per an advisory. The advisory urges customers to monitor accounts for suspicious activity, offering minimal details on the nature of the incident. CEO Bill Staples reassured customers of ongoing efforts to address the situation, but specific information about potential risks or required actions remains undisclosed.

Brazil criminals target South African firms

Brazil-based hacking group N4ughtySecTU threatened to expose the financial and personal data of South Africans from potential fresh data breaches targeting TransUnion and Experian. The adversaries allegedly demanded $30 million from each organization and claimed to have gained direct access to all their data and infrastructure. Both credit reporting agencies acknowledged the demand, but the attackers are yet to provide any evidence of the breach.

Privacy Commissioner of Canada investigates breach

The Privacy Commissioner of Canada launched an investigation into a cyberattack that compromised data on current and former members of the Canadian armed forces and the Royal Canadian Mounted Police (RCMP). The breach was reported by the affiliated companies Brookfield Global Relocation Services (BGRS) and Sirva Canada LP, which have been contracted by the Canadian government for relocation services since 1995. A significant volume of data was affected, but the specific individuals involved have not yet been identified.

Insurance giant hit by cyberattack

Fortune 500 insurance company Fidelity National Financial (FNF) confirmed a security incident, forcing the shutdown of several systems. An intruder accessed FNF systems and acquired credentials, prompting ongoing investigations. The disruption impacted various services, including title insurance, escrow, and mortgage transaction services. Ransomware group ALPHV/BlackCat claimed responsibility, demanding a response from FNF before disclosing more details.

Supply chain risk for major firms

Researchers at Aqua Security discovered several publicly exposed Kubernetes configuration secrets in public repositories, including those of top blockchain and Fortune 500 companies. The secrets had been uploaded in encoded form, and 46% of them contained valid credentials, exposing the organizations to potential supply chain attacks. Of the 93 manually set passwords, nearly 50% were deemed weak, underlining the need for robust password policies.

Top Malware Reported in the Last 24 Hours

WailingCrab uses delivery-themed lures

A sophisticated malware loader named WailingCrab, associated with the TA544 (Hive0133) threat actor, was found using delivery-themed email messages to deploy a multi-component payload consisting of a loader, injector, downloader, and backdoor. First observed in late December 2022, the malware employs stealthy tactics, using legitimate websites and unconventional protocols such as MQTT for command-and-control communication. The attack begins with emails carrying PDF attachments that lead victims to JavaScript files hosted on Discord.

Cross-platform backdoor in Hamas-Israel attacks

Security researchers have uncovered a Rust version of SysJoker, a cross-platform backdoor used by a Hamas-affiliated threat actor targeting Israel during regional conflicts. Notably, the threat actor has transitioned from Google Drive to OneDrive for storing dynamic command-and-control server URLs, enhancing the ability to change C2 addresses and evade reputation-based services.

Top Vulnerabilities Reported in the Last 24 Hours

PoC exploit emerges for SmartScreen bug

A proof-of-concept exploit for the critical zero-day vulnerability (CVE-2023-36025) in Windows SmartScreen has been released, emphasizing the urgency for organizations to address the flaw. The security bypass vulnerability allows attackers to evade Windows Defender SmartScreen checks, enabling the execution of malicious code without triggering alerts. The exploit involves the use of a URL file distributed through phishing emails or compromised websites.
