Red Hat Security Advisory 2024-9472-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9472.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana-pcp security updateAdvisory ID:        RHSA-2024:9472-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9472Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-9472-03

Red Hat Security Advisory 2024-9470-03 - An update for cups is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9470.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: cups security updateAdvisory ID:        RHSA-2024:9470-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9470Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-47175====================================================================Summary: An update for cups is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems.Security Fix(es):* cups: libppd: remote command injection via attacker controlled data in PPD file ()For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-47175References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2314256

Red Hat Security Advisory 2024-9470-03

Red Hat Security Advisory 2024-9468-03 - An update for python3.9 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9468.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python3.9 security updateAdvisory ID:        RHSA-2024:9468-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9468Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-6232====================================================================Summary: An update for python3.9 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: cpython: tarfile: ReDos via excessive backtracking while parsing header values (CVE-2024-6232)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6232References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2309426

Red Hat Security Advisory 2024-9468-03

Red Hat Security Advisory 2024-9459-03 - An update for buildah is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9459.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: buildah security update  
Advisory ID:        RHSA-2024:9459-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9459  
Issue date:         2024-11-13  
Revision:           03  
CVE Names:          CVE-2024-9341  
====================================================================

Summary: 

An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. 

Security Fix(es):

* go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)

* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)

* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (CVE-2024-9341)

* Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407)

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)

* Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9341

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2315691  
https://bugzilla.redhat.com/show_bug.cgi?id=2315887  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467  
https://issues.redhat.com/browse/RHEL-62107

Red Hat Security Advisory 2024-9459-03

Red Hat Security Advisory 2024-9458-03 - An update for python3.11-urllib3 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9458.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python3.11-urllib3 security updateAdvisory ID:        RHSA-2024:9458-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9458Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python3.11-urllib3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-9458-03

Red Hat Security Advisory 2024-9457-03 - An update for python3.12-urllib3 is now available for Red Hat Enterprise Linux 9. Issues addressed include a remote shell upload vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9457.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python3.12-urllib3 security updateAdvisory ID:        RHSA-2024:9457-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9457Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python3.12-urllib3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:urllib3 is a powerful, user-friendly HTTP client for Python. urllib3 brings many critical features that are missing from the Python standard libraries:   • Thread safety.  • Connection pooling.  • Client-side SSL/TLS verification.  • File uploads with multipart encoding.  • Helpers for retrying requests and dealing with HTTP redirects.  • Support for gzip, deflate, brotli, and zstd encoding.  • Proxy support for HTTP and SOCKS.  • 100% test coverage.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-9457-03

Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-xhg6-9j5j-w4vf: DotNetZip Directory Traversal vulnerability

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

GHSA-g8r3-2v89-j6r5: Moodle IDOR when accessing list of badge recipients

CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.

Lucas Moody, Chief Information Security Officer, Alteryx

November 13, 2024

4 Min Read

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

No one wants to miss the artificial intelligence (AI) wave, but the "fear of missing out" has leaders poised to step onto an already fast-moving train where the risks can outweigh the rewards. A PwC survey highlighted a stark reality: 40% of global leaders don't understand the cyber-risks of generative AI (GenAI), despite their enthusiasm for the emerging technology. This is a red flag that could expose companies to security risks from negligent AI adoption. This is precisely why a chief information security officer (CISO) should lead in AI technology evaluation, implementation, and governance. CISOs understand the risk scenarios that can help create safeguards so everyone can use the technology safely and focus more on AI's promises and opportunities. 

**The AI Journey Starts With a CISO **

Embarking on the AI journey can be daunting without clear guidelines, and many organizations are uncertain about which C-suite executive should lead the AI strategy. Although having a dedicated chief AI officer (CAIO) is one approach, the fundamental issue remains that integrating any new technology inherently involves security considerations. 

The rise of AI is bringing security expertise to the forefront for organizationwide security and compliance. CISOs are critical to navigating the complex AI landscape among emerging new regulations and executive orders to ensure privacy, security, and risk management. As a first step to an organization's AI journey, the CISOs are responsible for implementing a security-first approach to AI and establishing a proper risk management strategy via policy and tools. This strategy should include:   

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

*   Aligning AI goals: Establish an AI consortium to align stakeholders and the adoption goals with your organization's risk tolerance and strategic objectives to avoid rogue adoption.  
    

*   Collaborating with cybersecurity teams: Partner with cybersecurity experts to build a robust risk evaluation framework.  
    

*   Creating security-forward guardrails: Implement safeguards to protect intellectual property, customer and internal data, and other critical assets against cyber threats.  
    

**Determining Acceptable Risk **

Although AI has plenty of promise for organizations, rapid and unrestrained GenAI deployment can lead to issues like product sprawl and data mismanagement. Preventing the risk associated with these problems requires aligning the organization's AI adoption efforts.  

CISOs ultimately set the security agenda with other leaders, like chief technology officers, to address knowledge gaps and ensure the entire business is aligned on the strategy to manage governance, risk, and compliance. CISOs are responsible for the entire spectrum of AI adoption — from securing AI consumption (i.e., employees using ChatGPT) to building AI solutions. To help determine acceptable risk for their organization, CISOs can establish an AI consortium with key stakeholders that work cross-functionally to surface risks associated with the development or consumption of GenAI capabilities, establish acceptable risk tolerances, and act as a shared enforcement arm to maintain appropriate controls on the proliferation of AI use. 

Related:Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

Suppose the organization is focused on securing AI consumption. In that case, the CISO must determine how employees can and cannot use the technology, which can be whitelisted or blacklisted or more granularly managed with products like Harmonic Security that enable a risk-managed adoption of SaaS-delivered GenAI tech. On the other hand, if the organization is building AI solutions, CISOs must develop a framework for how the technology will work. In either case, CISOs must have a pulse on AI developments to recognize the potential risks and stack projects with the right resources and experts for responsible adoption. 

Related:The Vendor's Role in Combating Alert Fatigue

**Locking in Your Security Foundation  **

Since CISOs have a security background, they can implement a robust security foundation for AI adoption that proactively manages risk and establishes the correct barriers to prevent breakdowns from cyber threats. CISOs bridge the collaboration of cybersecurity and information teams with business units to stay informed about threats, industry standards, and regulations like the EU AI Act.  

In other words, CISOs and their security teams establish comprehensive guardrails, from assets management to robust encryption techniques, to be the backbone of secure AI integration. They protect intellectual property, customer and internal data, and other vital assets. It also ensures a broad spectrum of security monitoring, from rigorous personnel security checks and ongoing training to robust encryption techniques, to respond promptly and effectively to potential security incidents. 

Remaining vigilant about the evolving security landscape is essential as AI becomes mainstream. By seamlessly integrating security into every step of the AI life cycle, organizations can be proactive against the rising use of GenAI for social engineering attacks, making distinguishing between genuine and malicious content harder. Additionally, bad actors are leveraging GenAI to create vulnerabilities and accelerate the discovery of weaknesses in defenses. To address these challenges, CISOs must be diligent by continuing to invest in preventative and detective controls and considering new ways to disseminate awareness among the workforces.   

**Final Thoughts  **

AI will touch every business function, even in ways that have yet to be predicted. As the bridge between security efforts and business goals, CISOs serve as gatekeepers for quality control and responsible AI use across the business. They can articulate the necessary ground for security integrations that avoid missteps in AI adoption and enable businesses to unlock AI's full potential to drive better, more informed business outcomes.    

**About the Author**

Chief Information Security Officer, Alteryx

Lucas Moody is chief information security officer (CISO) at Alteryx and is focused on protecting Alteryx products, customers, and the business from cyber threats. Lucas is a technical security leader with extensive experience spanning enterprise and consumer software companies across the technology, financial, social networking, and retail sectors. He is a global-minded executive noted for his ability to drive security outcomes while enabling growing businesses to accelerate. His passion for technology, security, and building amazing teams has helped companies thrive during periods of hyper-growth and change.

How CISOs Can Lead the Responsible AI Charge

Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt systems. Discover all…

Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt systems. Discover all about the techniques used by attackers and the free decryptor tool released by Bitdefender to help victims recover their data.

Cybersecurity researchers at Bitdefender have discovered a new type of ransomware called ShrinkLocker, and a subsequent solution to combat this threat. The new threat was identified in May 2024, written in VBScript, and 70% of its code is hard-coded to be “only executed on legacy systems like Windows 7/8 or Windows Server 2008/2012,” researchers noted in the report shared with Hackread.com ahead of its publishing.

Unlike modern ransomware that relies on complex encryption algorithms, ShrinkLocker employs a unique approach to manipulating Windows BitLocker configurations to encrypt system drives. This is a more straightforward route to compromise devices. 

What happens is that it first checks for the presence of BitLocker and, if absent, installs it. Then, it re-encrypts the system using a randomly generated password, known only to the attacker. This password is then uploaded to a server controlled by the adversary, rendering the system inaccessible to the victim. The attacker then demands a ransom to provide the decryption key.

Attempt to recover BitLocker access shows email addresses of the attacker (Screenshot: Bitdefender)

Bitdefender researchers analyzed a ShrinkLocker attack on a Middle Eastern healthcare company where the attackers gained access to an unmanaged system. on an Active Directory domain controller, creating text files and initiating a remote session.

According to the company’s blog post, two scheduled tasks were executed under the SYSTEM context, ensuring widespread deployment of the ransomware. They successfully encrypted systems running various operating systems, including Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. 

What makes ShrinkLocker particularly concerning is its capability to compromise entire networks with minimal effort. By exploiting Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device. This simplicity makes it an attractive option for individual threat actors who may not be part of larger **ransomware-as-a-service (RaaS)** operations.

****Free ShrinkLocker Ransomware Decryptor****

However, Bitdefender Labs researchers have found a window of opportunity for full data recovery immediately after the ransomware removed protectors from BitLocker-encrypted disks. Their in-depth analysis led to the development of a free decryptor, now available to the public. 

The decryptor offers a lifeline to victims of past ShrinkLocker attacks, enabling them to regain access to their encrypted data. By providing a practical solution, which has, thus far, saved an estimated $1.6 billion in ransom fees. Bitdefender Labs has demonstrated its commitment to combating cyber threats and safeguarding digital assets.

It is noteworthy that ShrinkLocker uses a Windows feature, BitLocker, to encrypt entire drives, including system drives. Therefore, proactive monitoring of Windows event logs can help organizations identify and respond to **BitLocker attacks**, especially during the early stages when attackers are testing their encryption capabilities. Tracking events from the “Microsoft-Windows-BitLocker-API/Management” source can also help.

1.  Free Decryptor for LockerGoga Ransomware Victims
2.  Universal decryptor key for REvil ransomware released
3.  How to decrypt data from Hakbit, Jigsaw ransomware for free
4.  Man Hacks Attacker, Releases Mushtik Ransomware Decryption Keys
5.  Kransom Ransomware Poses as a Game, Attacks via DLL Side-Loading

Latest News