Cyber Security Briefing, 19 - 25 October
GitLab fixes vulnerabilities that trigger XSS and DoS attacks
GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) that address a high-severity HTML injection vulnerability. The flaw, identified as CVE-2024-8312 and rated CVSSv3 8.7 by the vendor, affects GitLab CE/EE from version 15.10 up to the patched releases and allows an attacker to carry out cross-site scripting (XSS) attacks by injecting HTML through the global search field within a diff view, posing a high risk to the confidentiality and integrity of affected systems.
GitLab urges users with self-managed installations to upgrade to the patched versions 17.5.1, 17.4.3 and 17.3.6. The same updates also address a medium-severity denial-of-service (DoS) vulnerability, tracked as CVE-2024-6826 with a CVSSv3 score of 6.5 according to GitLab, which is exploitable through the import of manipulated XML files and affects versions since 11.2. Improvements have also been made to additional components such as the Helm charts and the analysis stack.
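As an added check (not code from GitLab or from the original briefing), the following Python helper maps a self-managed instance's version string to the CVEs it is still exposed to and the release it should move to, using only the affected and patched ranges stated above. The stripping of an edition suffix such as "-ee" and the treatment of branches newer than 17.5 as already fixed are assumptions made for this example.

```python
# Added example: classify a self-managed GitLab version against the two
# CVEs summarised above. The affected/patched ranges are the ones stated in
# the briefing; suffix handling and the treatment of branches newer than
# 17.5 are assumptions made for this example.

# Fixed release on each patched branch, from the advisory summary above
PATCHED = {
    (17, 5): (17, 5, 1),
    (17, 4): (17, 4, 3),
    (17, 3): (17, 3, 6),
}

# First affected branch per CVE, from the advisory summary above
FIRST_AFFECTED = {
    "CVE-2024-8312": (15, 10),  # HTML injection in global search (XSS)
    "CVE-2024-6826": (11, 2),   # DoS via manipulated XML import
}

LOWEST_FIXED_BRANCH = (17, 3)


def parse_version(version: str) -> tuple:
    """Turn '17.4.2-ee' into (17, 4, 2); the edition suffix is ignored (assumption)."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release on its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return v >= PATCHED[branch]
    # Assumption: branches released after 17.5 carry the fixes; any older
    # branch has no fixed release of its own and must move forward.
    return branch > (17, 5)


def affected_cves(version: str) -> list:
    """CVEs from the briefing that this version is still exposed to."""
    if is_patched(version):
        return []
    branch = parse_version(version)[:2]
    return [cve for cve, first in FIRST_AFFECTED.items() if branch >= first]


def recommended_upgrade(version: str):
    """Fixed release on the same branch, or the lowest fixed release for
    older branches; None when the version is not exposed to either CVE."""
    if not affected_cves(version):
        return None
    branch = parse_version(version)[:2]
    target = PATCHED.get(branch, PATCHED[LOWEST_FIXED_BRANCH])
    return ".".join(str(p) for p in target)


if __name__ == "__main__":
    for v in ("17.5.0-ee", "17.4.3", "16.11.2", "15.9.1", "11.1.0"):
        print(v, affected_cves(v), recommended_upgrade(v))
```

Note that for branches older than 17.3 the helper only names the lowest fixed release; GitLab's documented upgrade path requires intermediate stops when jumping across several minor versions, so the actual sequence of upgrades must be planned from that path rather than taken from this output.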
NotLockBit: ransomware targeting macOS systems
Researchers at SentinelOne have published research identifying a new ransomware family, dubbed NotLockBit, that targets devices running macOS. The name comes from the fact that the malware impersonates LockBit, setting a LockBit 2.0 banner as the desktop background. In terms of build, NotLockBit is distributed as an x86_64 binary, which means it runs only on Intel Macs or on Apple Silicon Macs that have the Rosetta 2 translation layer installed. It uses RSA asymmetric encryption to protect the master key, so the actor behind NotLockBit ensures that the key cannot be recovered without the private key in the attacker's possession.
Exfiltration is performed to an Amazon S3 bucket controlled by the attacker, using encrypted AWS credentials. SentinelOne notes that although these AWS accounts have since been taken down, the sophistication of the threat indicates that it is still under active development.
Actively exploited 0-day vulnerability in Samsung processors
Google has warned of a 0-day vulnerability in Samsung's mobile processors that has been exploited as part of an exploit chain for privilege escalation (EoP) and arbitrary code execution. The flaw, identified as CVE-2024-44068 with a CVSSv3 score of 8.1 and patched in Samsung's October security update, is a use-after-free bug that an attacker can exploit to escalate privileges on vulnerable devices. It affects Samsung's Exynos 9820, 9825, 980, 990, 850 and W920 processors and stems from an issue in a driver that provides hardware acceleration for multimedia functions.
The exploit triggers the bug and then uses a firmware command to copy data into virtual I/O pages, resulting in a Kernel Space Mirroring Attack (KSMA) that breaks the Android kernel's isolation protections.
Increase in callback phishing spam campaigns detected
Between July and September, Trustwave researchers detected a 140% increase in spam campaigns of this kind. In them, malicious actors employ a two-stage technique, starting with a phishing email and then moving the victim on to a phone call.
Specifically, the attackers use a technique known as callback phishing or Telephone-Oriented Attack Delivery (TOAD): the emails sent to the victims, which carry lures such as a fake invoice or an account cancellation notice, are designed to make the recipient call the attacker's phone number given in the message.
During the call, the attackers ask the victim for personally identifiable information or direct them to web pages that download malware, allowing the attacker to steal further information and even gain remote access to the victim's device.
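As an added example (not code from the briefing or from Trustwave), the following Python triage applies the pattern described above, a billing or account lure plus a phone number and an explicit instruction to call, frequently with no link at all, to three constructed messages. The regular expressions, the verdict rule and the sample emails are assumptions made for illustration.

```python
import re

# Added example: heuristic triage for callback-phishing (TOAD) emails,
# written for this briefing. The patterns, the verdict rule and the sample
# messages below are constructed for illustration.

# North-American-style numbers with optional country code, e.g. "+1 (888) 555-0142"
PHONE = r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"
PHONE_RE = re.compile(PHONE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Billing / account lures typical of the campaigns described above
LURE_RE = re.compile(
    r"\b(invoice|receipt|charged|renew(?:al|ed)?|subscription|"
    r"cancel(?:lation|led)?|refund|payment)\b", re.IGNORECASE)
# "call ... <number>" on one line: the hook that moves the victim to the phone
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b[^\n]{0,60}?" + PHONE, re.IGNORECASE)


def toad_indicators(msg: dict) -> list:
    """Return the indicator names present in a message ({"subject", "body"})."""
    text = msg["subject"] + "\n" + msg["body"]
    found = []
    if PHONE_RE.search(text):
        found.append("phone_number")
    if LURE_RE.search(text):
        found.append("billing_lure")
    if CALL_RE.search(text):
        found.append("call_to_action")
    if not URL_RE.search(text):
        # Callback lures often carry no URL at all, so link scanners see nothing
        found.append("no_links")
    return found


def is_callback_phish(msg: dict) -> bool:
    """Lure + phone number + explicit call-to-action together trigger the verdict."""
    return {"billing_lure", "phone_number", "call_to_action"} <= set(toad_indicators(msg))


def triage(messages: list) -> list:
    """(subject, verdict) for each message, in order."""
    return [(m["subject"], is_callback_phish(m)) for m in messages]


# Constructed sample messages (not real campaign content)
SAMPLES = [
    {
        "subject": "Your antivirus subscription has been renewed",
        "body": "Dear customer,\n"
                "Your annual subscription was renewed and $349.99 was charged to your card on file.\n"
                "Invoice no. AV-20241022.\n"
                "If you did not authorise this charge, call our billing desk at "
                "+1 (888) 555-0142 within 24 hours to cancel.",
    },
    {
        "subject": "Invoice 4471 is ready",
        "body": "Hi,\n"
                "Your October invoice is available at https://billing.example.com/invoices/4471.\n"
                "Reply to this email with any questions.",
    },
    {
        "subject": "Ride to the offsite on Friday?",
        "body": "Call me at (202) 555-0100 if you want to share a car.",
    },
]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES):
        print(f"{verdict!s:5}  {subject}")
```

The second sample shows why the rule needs all three indicators: a legitimate invoice notification matches the lure vocabulary but carries a link and no phone number, while the third carries a number and a call-to-action but no billing pretext. In production the phone number would additionally be checked against known TOAD infrastructure and against the numbers the impersonated brand actually publishes.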
New analysis of the Grandoreiro banking trojan
Kaspersky's research team has published an analysis of Grandoreiro, the well-known banking Trojan that has been operating since at least 2016 and belongs to Tetrade, a classification that groups four major banking Trojan families (Astaroth, Javali, Melcoz and Grandoreiro) created, developed and spread by Brazilian malicious actors. Grandoreiro enables banking fraud carried out from the victim's own computer, which lets it circumvent the banks' security controls.
Despite arrests in Spain, Brazil and Argentina in 2021 and 2024, the gang remains active, expanding its infrastructure and refining its techniques to avoid detection. In 2024, Grandoreiro targeted 1,700 banks and 276 cryptocurrency wallets in 45 countries. The malware has adopted new tactics, such as the use of three domain generation algorithms (DGAs), text encryption and mouse tracking, to evade anti-fraud solutions.
Recent campaigns rely on phishing, malvertising and malicious ZIP files. In addition, the group has fragmented its code base, producing localised variants targeting Mexico and other countries.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.