Cyber Security Briefing, 18 - 24 May
Critical vulnerability in Git allows remote code execution when cloning repositories
A critical remote code execution vulnerability has been disclosed in Git's clone operation. Tracked as CVE-2024-32002 and rated CVSSv3 9.0 by GitHub, it allows a repository with specially crafted submodules to trick Git into writing files into the .git/ directory instead of the submodule's working tree. The bug is reachable during recursive clones on case-insensitive filesystems that support symbolic links, which is the default on Windows and macOS.
By combining this with a symlink, an attacker can plant a hook under .git/ that Git executes while the clone is still in progress, so the victim never gets a chance to inspect the code before it runs. Git has fixed the issue (in 2.45.1, with backports to the maintained 2.39 to 2.44 lines) by handling directories and symlinks correctly; the fix also checks that a directory being reused for a submodule contains only a .git file and aborts the operation otherwise, so existing content cannot be overwritten. For hosts that cannot be updated yet, disabling symlink support (core.symlinks=false) and avoiding recursive clones of untrusted repositories remove the conditions the attack needs. A proof of concept (PoC) has also been published showing how the vulnerability is triggered during the cloning process.
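As a practical check for the advisory above, the following script is an added example (not code from the Git project or from the advisory): it decides whether a Git binary carries the CVE-2024-32002 fix and, on request, applies the configuration-level stopgap. The fixed-version table is my reading of the May 2024 Git security release (2.45.1 plus backports); vendor builds such as Apple Git may carry backported fixes under older version numbers, so treat a "no" as a prompt to check your vendor's advisory rather than as proof of exposure.

```shell
#!/bin/sh
# Added example for CVE-2024-32002: version check plus mitigation for a Git install.
# Fixed releases assumed here: v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2,
# v2.39.4 (May 2024 security release). Minor lines older than 2.39 received no
# backport and must be upgraded.

# Minimum fixed patch level for a given "major.minor" line; empty if none exists.
fixed_patch_for_minor() {
  case "$1" in
    2.45) echo 1 ;;
    2.44) echo 1 ;;
    2.43) echo 4 ;;
    2.42) echo 2 ;;
    2.41) echo 1 ;;
    2.40) echo 2 ;;
    2.39) echo 4 ;;
    *)    echo "" ;;
  esac
}

# git_fixed "<git --version output or bare version>" prints yes, no or unknown.
# Handles suffixes such as "2.45.0.windows.1" and "2.39.3 (Apple Git-145)".
git_fixed() {
  local raw v major rest minor patch need
  raw=${1#git version }
  v=$(printf '%s\n' "$raw" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  if [ -z "$v" ]; then
    echo unknown
    return 0
  fi
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  # Anything newer than the 2.45 line was released after the fix.
  if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 45 ]; }; then
    echo yes
    return 0
  fi
  need=$(fixed_patch_for_minor "$major.$minor")
  if [ -z "$need" ]; then
    echo no          # unsupported line, no backport available
  elif [ "$patch" -ge "$need" ]; then
    echo yes
  else
    echo no
  fi
}

# Stopgap for hosts that cannot upgrade: with core.symlinks=false Git checks out
# symlinks as plain files, which removes the symlink step the exploit relies on.
# Recursive clones of untrusted repositories should still be avoided.
# Prints the command instead of running it unless APPLY=1 is set.
apply_mitigation() {
  if [ "${APPLY:-0}" = 1 ]; then
    git config --global core.symlinks false
  else
    echo "would run: git config --global core.symlinks false"
  fi
}

# Report on the git found on PATH (skipped silently if git is not installed).
if command -v git >/dev/null 2>&1; then
  ver=$(git --version)
  status=$(git_fixed "$ver")
  printf '%s -> fixed for CVE-2024-32002: %s\n' "$ver" "$status"
  if [ "$status" = no ]; then
    apply_mitigation
  fi
fi
```

Run it as-is to get a report; run with `APPLY=1` to actually set `core.symlinks=false` on an unfixed machine. The check is deliberately conservative: an unparseable version string yields `unknown` rather than `yes`, so it never silently passes an odd vendor build.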
WhatsApp traffic analysis could enable government surveillance
The Intercept claims to have obtained an internal WhatsApp threat assessment in which the company states that its users are vulnerable to a form of government surveillance. Although the app encrypts the content of conversations end to end, the assessment reportedly concludes that nationwide traffic analysis (observing the size, timing and endpoints of encrypted traffic rather than its content) would let a state work out which users belong to the same private groups, which users are communicating with each other and, probably, where they are located.
According to The Intercept's post, WhatsApp staff were particularly concerned about the possible use of this technique by Israel to monitor Palestinians. A WhatsApp spokesperson reportedly replied that the weakness is not specific to WhatsApp, since the same traffic analysis could be applied to other messaging software, and that it describes a theoretical capability rather than a vulnerability known to be exploited in practice.
Grandoreiro banking Trojan resurfaces
The Windows-based Grandoreiro banking Trojan, operated as a Malware-as-a-Service (MaaS), has resurfaced in a global campaign since March 2024 following a law enforcement intervention in January. Analysis of the malware has revealed significant updates to the string decryption and domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected computers to spread more phishing emails.
The latest variant of the malware also specifically targets more than 1,500 global banks, allowing attackers to conduct banking fraud in more than 60 countries, including regions in Central and South America, Africa, Europe and the Indo-Pacific.
Rockwell urges customers to disconnect ICS devices from the Internet due to cyber threats
Rockwell Automation has warned its customers to disconnect all industrial control systems (ICS) that are not designed for online exposure from the public Internet, citing an increase in global malicious activity. In its recent security advisory, the company recommends that these devices not be configured to accept remote connections from outside the local network, in order to reduce the attack surface.
The measure is intended to keep attackers away from systems that have not been patched against known security vulnerabilities. Rockwell emphasizes the urgency of removing public Internet connectivity from devices that were never designed for it, since an unpatched controller reachable from the Internet is exposed to every published exploit for it.
The company also urges customers to apply the mitigations for the specific vulnerabilities in Rockwell ICS devices listed in the advisory, and CISA has issued its own alert pointing to the Rockwell advisory to help operators protect ICS from cyber-attacks.
ShrinkLocker uses BitLocker to encrypt compromised devices
Threat actors are reportedly abusing the built-in BitLocker utility to carry out ransomware attacks. According to research by Securelist (Kaspersky), the ShrinkLocker malware uses a VBScript that queries Windows Management Instrumentation (WMI) to identify the victim's operating system version, then shrinks the partitions on fixed (local) drives while skipping network drives. Once it has rewritten the partition layout and the boot configuration and enabled BitLocker, the malware encrypts the compromised device.
Finally, ShrinkLocker deletes the BitLocker protectors, removing the local decryption key and the user's recovery options, shuts down the infected system and displays a message telling the victim that those BitLocker recovery options no longer exist. The malware also relabels the partitions with the attackers' email address. Because the protectors are removed on the host itself, recovery depends on a recovery password having been escrowed beforehand (for example in Active Directory or Entra ID); verifying that escrow is in place for all BitLocker-enabled volumes, and alerting on protector deletion or on BitLocker being enabled outside change windows, is the practical defence against this technique.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →