Welcome to this week's episode of SnapAttack Threat Snapshot! In this video, we'll dive into CVE-2024-32002, a critical remote code execution (RCE) vulnerability in Git that leverages symlink handling in repositories with submodules. This vulnerability can be exploited through a simple git clone command, potentially allowing attackers to execute arbitrary code on the victim's machine. *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*

In this episode, we dive into CVE-2024-30051, a critical out-of-bounds write vulnerability in the Desktop Window Manager. This bug, similar to CVE-2023-36033, allows attackers to escalate privileges to SYSTEM by exploiting a heap overflow in dwmcore.dll. CVE-2024-30051 has been actively exploited to deploy malware like Qakbot, as identified by Kaspersky. This video covers the process of hunting down a sample, executing it in a sandbox environment, and creating effective detections using logs from the exploit’s activity.

Since 2021, ransomware groups have set their sights on VMware ESXi hypervisors, with the SEXi variant, emerging in 2024, being the most recent threat. The Babuk Locker was one of the first to target ESXi, and its leaked source code enabled other strains like ESXiArgs, BlackBasta, and Clop to develop customized variants terminating VMs and encrypting data on ESXi servers. While employing similar tactics like exploiting vulnerabilities and encrypting VM files, these ESXi-focused ransomware exhibit patterns that provide detection opportunities across the board. By analyzing past attacks, we can better prepare for future threats targeting our virtualization environments. Join the SnapAttack community to access in-depth detection content covered in this video and stay ahead of evolving ransomware targeting ESXi.