New ShrinkLocker ransomware uses BitLocker to encrypt files

A new ransomware called ShrinkLocker creates a new boot partition and encrypts corporate systems using Windows BitLocker.

ShrinkLocker is written in Visual Basic Scripting (VBScript). One of its functions is to use Windows Management Instrumentation (WMI) to determine the specific version of Windows running on the target computer.

The attack only proceeds if certain parameters are met, such as the current domain matching the target and an operating system version newer than Vista. Otherwise, ShrinkLocker will automatically terminate and remove itself.

If the target meets the attack requirements, the malware uses the diskpart tool in Windows to shrink each non-bootable partition by 100 MB and split the unallocated space into new primary volumes of the same size.

The same resizing operations are performed in other versions of the Windows operating system, but with different code, the researchers explained in their technical analysis.

ShrinkLocker also modifies registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a TPM.

Ransomware that uses BitLocker to encrypt computers is nothing new. Attackers used this security feature in Windows to encrypt 100TB of data on 40 servers at a hospital in Belgium.

Google patches eighth zero-day in Chrome this year

Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome that has been confirmed to be actively exploited.

The vulnerability was discovered by Google’s Clément Lecigne and is tracked as CVE-2024-5274. It is a high-severity type confusion in V8, Chrome’s JavaScript engine, which is responsible for executing JS code.

“Google is aware of an exploit for CVE-2024-5274,” the company said in a security advisory.

Google did not disclose technical details about the vulnerability in order to protect users from potential exploitation attempts by attackers and to allow them to install a browser version that fixes the problem.

CVE-2024-5274 is the eighth actively exploited vulnerability that Google has patched in Chrome since the beginning of the year, and the third this month.

The patch will appear in version 125.0.6422.112/.113 for Windows and Mac, while Linux users will receive the update in version 125.0.6422.112 in the coming weeks.

Norway Recommends Replacing SSL VPNs with IPSec

Norway’s National Cyber Security Center (NCSC) is recommending that SSLVPN/WebVPN solutions be replaced with alternatives due to repeated abuse to penetrate corporate networks.

The organization recommends that the transition be completed by 2025, while organizations subject to the “Security Act” or organizations in critical infrastructure should adopt more secure alternatives by the end of 2024.

“Due to the severity of the vulnerabilities and the repeated exploitation of these types of vulnerabilities by attackers, the NCSC recommends that secure remote access solutions using SSL/TLS should be replaced with more secure alternatives. The NCSC recommends the use of IPsec with Internet Key Exchange (IKEv2),” the NCSC advisory states.

While the cybersecurity organization acknowledges that IPsec with IKEv2 is not without flaws, it believes that switching to it would significantly reduce the attack vector because it is less tolerant of configuration errors compared to SSLVPN.

Fake Putty and WinSCP sites in Google ads spread ransomware

According to a recent report from Rapid7, a search engine campaign displayed ads for fake Putty and WinSCP sites when users searched for the words download winscp or download putty.

These ads used typosquatting domain names such as puutty[.]org, wnscp[.]net, and vvinscp[.]net.

These pages contain links to download the ZIP archive from the attacker’s servers. These archives contain the Setup.exe executable, which is a renamed and legitimate Python executable for Windows (pythonw.exe), and the malicious python311.dll file.

When the user runs the Setup.exe file, thinking that he is installing PuTTY or WinSCP, he loads the malicious DLL library that extracts and executes the encrypted Python script.

This script eventually installs the Sliver post-exploitation toolkit, a popular tool used to gain initial access to corporate networks.

According to Rapid7, the attacker used the Sliver tool to remotely launch other useful applications, including the Cobalt Strike beacon. Attackers begin data exfiltration and attempt to deploy encryption ransomware.