Cyware Daily Threat Intelligence

Daily Threat Briefing Oct 30, 2023

Elastic Security Labs identified a campaign using malicious MSIX application packages to deploy a stealthy loader called GHOSTPULSE. Attackers potentially phish unsuspecting victims through compromised websites, SEO tactics, or malvertising. Speaking of malvertising, a unique case appeared wherein a compromised wedding planner’s website, combined with Google Dynamic Search Ads, unintentionally led to malware distribution. The mechanics involved Google Ads creating this ad from the hacked pages, making the website owner an accidental victim who ends up paying for the malicious ad.

Meanwhile, three unpatched vulnerabilities in the NGINX Ingress controller for Kubernetes have been disclosed, allowing threat actors to potentially steal secret credentials from vulnerable clusters, inject arbitrary code into the controller process, and gain unauthorized access to sensitive data. Patch now!

Top Breaches Reported in the Last 24 Hours

CCleaner maker confirms data breach

Gen Digital, the parent company of the popular optimization app CCleaner, has confirmed a data breach that exposed the personal information of its paid customers. The breach occurred through a vulnerability in the MOVEit file transfer tool used by CCleaner and other organizations. The stolen data includes names, contact information, and product purchase details. Although Gen Digital claims that less than 2% of its users were affected, it did not disclose the exact number.

School district breach raises concern

The Clark County School District (CCSD) of Nevada experienced a significant data breach; threat actor(s) called 'SingularityMD' claimed to have stolen the information of over 200,000 CCSD students. Hackers accessed CCSD's email servers earlier this month. An investigation revealed that limited personal information related to a subset of students, parents, and employees was compromised. In response, CCSD disabled external access to its Google Workspace and reset all student passwords.

LockBit ransomware targets aerospace giant

The LockBit ransomware group added aerospace giant Boeing to its list of victims and claims to have stolen a significant amount of sensitive data from the company. The group threatens to publish the data unless Boeing contacts them before the specified deadline. The criminals reportedly demanded an $80 million ransom; however, the group claimed that the company offered only $1 million.

Top Malware Reported in the Last 24 Hours

GHOSTPULSE exploits MSIX Windows Apps

A new cyberattack campaign was found distributing a novel malware loader, GHOSTPULSE, using deceptive MSIX Windows app package files disguised as popular software like Google Chrome and Microsoft Edge. MSIX, a legitimate Windows app format, is being misused by threat actors who have access to code signing certificates. Victims are enticed to download these malicious MSIX packages through compromised websites and SEO manipulation. Once executed, the campaign unfolds through multiple stages, delivering various payloads including SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

Remcos RAT disguised as payslip

ASEC uncovered a phishing campaign distributing the Remcos remote access trojan. Cybercriminals disguised the malware as a payslip in a deceptive email. The attached compressed cab file contained an executable (Remcos RAT) camouflaged with a PDF file icon. Remcos RAT can perform a range of malicious activities, including keylogging, capturing screenshots, controlling webcams and microphones, and extracting browser histories and passwords. What sets it apart is that it remains dormant until it receives commands from the attacker's C2 server.

Accidental malvertising led to malware distribution

A business specializing in wedding planning unknowingly had its website injected with malware that promoted software cracks and serial keys. Google's Dynamic Search Ads automatically generated misleading ads based on the compromised content. When users searching for software like PyCharm clicked on these ads, they were redirected to a hacked page offering a fake serial key. This led to the installation of numerous malware programs on victims' computers.

Top Vulnerabilities Reported in the Last 24 Hours

High-severity flaws in NGINX Ingress controller

Three high-severity vulnerabilities found in the NGINX Ingress controller for Kubernetes could be exploited by threat actors to steal secret credentials and gain unauthorized access to sensitive data. The vulnerabilities include a lack of path validation (CVE-2022-4886) in the Ingress object, allowing attackers to pilfer Kubernetes API credentials, annotation injection (CVE-2023-5043) leading to arbitrary command execution, and a code injection (CVE-2023-5044) via a permanent redirect annotation. While fixes are pending, mitigations have been suggested to protect against these risks.
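As an added example (not part of this briefing or of the ingress-nginx project's code), a small pre-admission lint that flags the three input classes the advisory describes: raw nginx snippet annotations, permanent-redirect values that are not plain URLs, and rule paths outside a strict character set. The annotation names are the real ingress-nginx ones; the regexes and the sample Ingress objects are constructed here and are not the project's own validation rules.

```python
import re

# Strict character set for spec.rules[].http.paths[].path (constructed here;
# anything outside it should never reach the generated nginx.conf).
PATH_ALLOWED = re.compile(r"^/[A-Za-z0-9/._~!$&'()*+,;=:@%-]*$")
# A permanent-redirect value should be a plain URL, nothing more.
REDIRECT_ALLOWED = re.compile(r"^https?://[A-Za-z0-9.\-_/:%?=&+]*$")
# Annotations whose value is copied verbatim into nginx configuration.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"


def check_ingress(ingress: dict) -> list[str]:
    """Return findings for one Ingress object (empty list means clean)."""
    findings = []
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    annotations = meta.get("annotations") or {}
    for key in SNIPPET_ANNOTATIONS:
        if key in annotations:
            findings.append(f"{name}: raw nginx snippet annotation {key} present")
    redirect = annotations.get(REDIRECT_ANNOTATION)
    if redirect is not None and not REDIRECT_ALLOWED.match(redirect):
        findings.append(f"{name}: permanent-redirect value is not a plain URL: {redirect!r}")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            if not PATH_ALLOWED.match(path):
                findings.append(f"{name}: path {path!r} uses characters outside the strict set")
    return findings


# Constructed sample objects (simplified dicts instead of YAML so this runs offline).
CLEAN_INGRESS = {
    "metadata": {"name": "shop",
                 "annotations": {REDIRECT_ANNOTATION: "https://shop.example.com/"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1", "pathType": "Prefix"}]}}]},
}
SUSPICIOUS_INGRESS = {
    "metadata": {"name": "odd",
                 "annotations": {REDIRECT_ANNOTATION: "https://x.example.com/ not a url",
                                 SNIPPET_ANNOTATIONS[0]: "# free-form nginx text"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/app {", "pathType": "Prefix"}]}}]},
}

if __name__ == "__main__":
    for obj in (CLEAN_INGRESS, SUSPICIOUS_INGRESS):
        print(obj["metadata"]["name"], check_ingress(obj))
```

The same checks can be enforced at admission time with a validating webhook or policy engine; this script is the offline form for reviewing manifests already in a cluster.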