Consulting Services | Nangia & Co LLP Advisory - Nangia & Co LLP
https://nangia.com
Wed, 20 Aug 2025 09:09:16 +0000

Decoding the Business Responsibility
https://nangia.com/portfolio-item/decoding-the-business-responsibility-sustainability-reporting/
Fri, 04 Oct 2024 06:50:38 +0000

The post Decoding the Business Responsibility first appeared on Nangia & Co LLP.

A Broad Overview on Assurance & Its Relevance  

Relevance of Sustainability Assurance Engagements in Current Context – Globally as well as in India 

Regulatory requirements: SEBI released a separate set of performance parameters, BRSR Core (listed in Annexure 1), through a consultation paper in March 2023, under regulation 34(2)(f) of the LODR. Further, SEBI’s circular dated 12 July 2023 calls for assurance of the reported BRSR Core by the top 1000 listed companies in phases, as well as reporting and assurance of the BRSR Core by the value chain for the top 250 listed companies, on a comply-or-explain basis.

Investor Requirements: Various B2B investors seek third-party assurance of the ESG performance disclosed by companies before taking investment-related decisions.

ESG Rating Agencies: Various ESG rating frameworks include questions that seek assurance for the different kinds of ESG performance disclosed by companies. Additional marks are awarded if the disclosures are endorsed by a third party. This in turn helps companies improve their ESG score and attract better investment and/or better business matchmaking.

Investment in Green Funds: Various green financial instruments seek assurance of the ESG performance of their companies or the impacts of their projects before seeking approval as a green fund ahead of investment in the market.

Demonstration of Transparency & Credibility for the Information Reported: Various stakeholders, primarily shareholders, regulatory authorities, local communities and customers, seek external assurance of the company’s ESG performance and long-term sustenance.

Requirement by companies based abroad: The companies in the value chain of companies based in the UK, EU, US, etc. are gradually seeking independent assurance against various requirements emerging out of their local ESG norms.

 

Distressed Funds and NPAs – Indian Landscape
https://nangia.com/portfolio-item/distressed-funds-and-npas-indian-landscape/
Fri, 04 Oct 2024 06:45:23 +0000


India’s regulatory framework to deal with Stressed Assets has matured over more than three decades, beginning with the Sick Industrial Companies (Special Provisions) Act, 1985. Since then, the three major objectives of each new regulatory scheme have remained the same – early detection of corporate sickness, speedy resolution/revival, or if that is not possible, speedy liquidation. The most revolutionary regulatory development came in the form of the IBC in 2016, which made several big changes in several statutes and sweeping changes in the way corporate insolvencies were resolved or liquidated. The biggest change wrought is that the Board of the defaulting company is superseded by a ‘Resolution Professional’ with the company’s creditors calling the shots, thus eliminating a huge conflict of interest. In 2019, the RBI announced the Prudential Framework for Resolution of Stressed Assets that applied to Banks and NBFCs, with the key focus being early detection of potential loan defaults and their resolution. These reforms, along with the growth of specialized financial intermediaries like ARCs and AIFs, have made it increasingly feasible for sophisticated investors to bring in resources for reconstruction, and take the trouble of recovering dues from NPAs off the banks’ hands. This has given rise to a new investment class – Stressed Assets. Stressed Assets as an investment class are set to take off and are a rich source of ‘value buy’ investment opportunities for foreign FIs looking to invest in India.

In this publication, Nangia Andersen takes a bird’s-eye view of the Stressed Assets market and zooms in on the profit potential for foreign investors in stressed assets. We take a balanced view of the opportunities open to foreign FIs for potentially high-profit investments in India, and also list the further reforms desirable in the coming months and years to attract big-ticket investments in Stressed Assets. Our team at Nangia Andersen would endeavour to advise and handhold different stakeholders at various stages of the entire process and provide holistic solutions keeping in mind the Indian regulatory environment and commercial aspects of the transaction.

Introduction to Stressed Assets 

Deterioration of asset quality has emerged as a big economic risk for the Indian banking sector in the post-COVID-19 times, leading to increased attention to ‘stressed assets’. Stressed assets present opportunities for investors to purchase operational and good quality underlying assets at attractive valuations with turnaround potential. They can enable strategic investors to expand capacity in a cost-effective manner. From a banker’s perspective, “stressed assets/loans” mean loan exposures that are classified as NPAs or SMAs. SMAs have been categorized by the Prudential Framework for Resolution of Stressed Assets issued by the RBI vide circular dated June 7, 2019, and further clarified vide circular dated November 12, 2021, requiring lenders to classify the accounts immediately on default of principal or interest or any other amount wholly or partly overdue or, in case of revolving credit facilities, where the outstanding balance remains continuously in excess of the sanctioned amount or drawing power, whichever is lower. SMAs are further classified as SMA-0, SMA-1 and SMA-2 based on the number of days of default. A loan whose interest and/or installment of principal has remained ‘overdue’ (not paid) for a period of 90 days or more is considered an NPA.

Unmasking CVE-2024-6387: The Critical OpenSSH
https://nangia.com/portfolio-item/unmasking-cve-2024-6387-the-critical-openssh-flaw-exposing-servers-to-remote-attacks/
Tue, 10 Sep 2024 16:00:13 +0000

CVE-2024-6387 is a critical security vulnerability identified in the OpenSSH server (sshd). This vulnerability, classified as a Remote Code Execution (RCE) flaw, enables unauthenticated attackers to execute arbitrary code on affected systems. The exploit takes advantage of a previously unknown weakness in the sshd service, allowing remote attackers to gain full control over the target server without requiring valid authentication credentials. The discovery of this vulnerability highlights the ongoing need for vigilance and timely patching in maintaining the security of critical network services. This advisory outlines the nature of these vulnerabilities, the affected products, and provides guidance on mitigation strategies to safeguard against potential attacks. 

What is Remote Unauthenticated Code Execution Vulnerability in OpenSSH server? 

A security regression (CVE-2024-6387) was found in OpenSSH’s server (sshd). This issue arises from a race condition that causes sshd to handle certain signals unsafely. A remote attacker, without authentication, might exploit this by failing to authenticate within a specified time frame. The Qualys Threat Research Unit (TRU) discovered an unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. This marks the first OpenSSH vulnerability in nearly twenty years and allows an unauthenticated RCE that provides full root access. The vulnerability affects the default configuration and requires no user interaction, representing a significant exploit risk. 

What is affected? 

OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure. Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable due to the accidental removal of a critical component in a function. OpenBSD systems

Don’t Get Hacked: Fixing the PAN-OS Flaw
https://nangia.com/portfolio-item/dont-get-hacked/
Tue, 10 Sep 2024 15:58:26 +0000

A recent security flaw (CVE-2024-3400) has been discovered that impacts Palo Alto Networks PAN-OS firewalls. This vulnerability, classified as severe, allows attackers to potentially gain significant control over affected systems through a technique called command injection. This type of vulnerability could lead to the execution of malicious code, the compromise of sensitive data, or even the disruption of critical network operations. It affects firewalls running specific versions of the PAN-OS software and configured with the GlobalProtect security feature. Palo Alto Networks is actively working to provide updates and solutions to address this flaw. To ensure your continued security, we have prepared a comprehensive advisory newsflash detailing the vulnerability, risks, and mitigation steps.

What is the vulnerability 

A zero-day command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific PAN-OS versions and distinct feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. Threat actors have been able to exploit the vulnerability to compromise the firewall, introduce a Python-based backdoor, create a reverse shell, download further tools on the device, exfiltrate data and move laterally within the network. The exact origins of the threat actor exploiting the flaw are presently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

How do you protect yourself? 

This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Palo Alto Networks states that hotfixes for the rest of the versions will be released by 19/04/2024.

RBI Strengthens Fraud Risk Management in Banks
https://nangia.com/portfolio-item/rbi-strengthens-fraud-risk-management-in-banks/
Tue, 10 Sep 2024 15:56:43 +0000

RBI issued revised Master Directions strengthening fraud risk management in commercial banks (including Regional Rural Banks) and All India Financial Institutions (AIFIs) on 15 July 2024. These principle-based guidelines emphasize Board oversight, robust internal controls, and adherence to natural justice principles before classifying someone as a fraud. Early warning systems and red flagging of accounts are enhanced for quicker detection and reporting of frauds. This replaces previous guidelines and aims to improve the banking sector’s fraud prevention and management framework.  

In recent years, India has witnessed a significant rise in white-collar and corporate crimes, driven by rapid economic growth and technological advancements. These crimes, often committed by individuals in high social and professional positions, have a profound impact on our society and economy. They encompass fraud, embezzlement, bribery, insider trading, money laundering, and cybercrimes. Several factors contribute to this increase: 

Technological Advancements: 

The digitalization of financial transactions and corporate operations has created new opportunities for cybercrimes and financial frauds. A recent report by the Indian Cybercrime Coordination Centre (I4C) revealed that digital financial frauds accounted for a staggering INR 1.25 lakh crore over the last three years. According to the National Cybercrime Reporting Portal (NCRP), in 2023, at least INR 10,319 crore was reported to be lost by victims of digital financial fraud. 

Economic Growth: 

India’s rapid industrial and economic development has inadvertently facilitated corporate frauds. The need for effective fraud risk management is underscored by the disappearance of companies from stock exchanges. For instance, 2750 companies vanished from the Bombay Stock Exchange, highlighting the urgency of implementing robust fraud risk management measures. 

 

Multiple remote code execution Vulnerabilities
https://nangia.com/portfolio-item/multiple-remote-code-execution-vulnerabilities-in-microsoft-products/
Tue, 10 Sep 2024 15:53:53 +0000

Recent investigations have unveiled a series of critical vulnerabilities in various Microsoft products, posing significant security risks to organizations worldwide. These vulnerabilities, identified as CVE-2024-30080, CVE-2024-30103, and CVE-2024-30078, enable remote code execution, potentially allowing attackers to take over affected systems. The issues span across multiple Microsoft products, including Windows OS versions, Microsoft Outlook, and Windows Wi-Fi drivers, necessitating immediate attention and remediation to prevent exploitation and ensure the security of organizational infrastructure. Our Cyber Security Team has prepared an advisory detailing the nature of these vulnerabilities, the affected products, and providing guidance on mitigation strategies to safeguard against potential attacks. 

What are the different Vulnerabilities found in Microsoft Products? 

Remote Code Execution via MSMQ: 

An attacker can exploit the flaw in the Microsoft Message Queuing (MSMQ) component by sending a specially crafted malicious MSMQ packet to a server with the MSMQ service enabled. Successful exploitation allows the attacker to execute arbitrary code on the server, which may lead to takeover of the system. This vulnerability is tracked as CVE-2024-30080.

Remote Code Execution via Outlook: 

An attacker can exploit this vulnerability in Microsoft Outlook by bypassing the registry block lists to create and load malicious DLL files, which can execute without user interaction if the auto-open email feature is enabled. The vulnerability arises from improper handling of certain registry keys related to DLL handling and can be triggered by opening a specially crafted email in the Preview Pane. This vulnerability is tracked as CVE-2024-30103.

 

Analysis of the Proposed CAFE – 3 and CAFE – 4
https://nangia.com/portfolio-item/analysis-of-the-proposed-cafe-3-and-cafe-4-norms/
Tue, 10 Sep 2024 15:48:55 +0000

The Bureau of Energy Efficiency (BEE) is working to enhance fuel efficiency standards for vehicles in India. The proposed Corporate Average Fuel Efficiency (CAFE) norms will establish minimum fuel efficiency requirements for vehicles. These standards are designed to lower greenhouse gas emissions, reduce the carbon footprint of vehicles, and improve air quality. This initiative is an important move towards promoting sustainable transportation and a more environmentally friendly future. Our Power Sector Advisory Team has prepared a detailed advisory that outlines the applicability, impact, and adaptation of these new standards. 

Comments on the Proposed Norms

  1. Stringency and Achievability
  • Proposed Norms:
    o CAFE-III: 91.7 gCO2/km (2027-2032)
    o CAFE-IV: 70 gCO2/km (2032-2037)
  • Current Norms: CAFE-II (113 gCO2/km)
  • Global Comparison:
    o US (2024-2026): 40 miles per gallon (approximately 58 gCO2/km) (Center for Automotive Research).
    o EU (2021): 95 gCO2/km with further reductions planned (Wikipedia).
  • Feasibility in India: Achieving these targets will be challenging due to the current technological and infrastructural limitations in India. While the targets align well with global efforts to reduce emissions, the pace of technological adoption and infrastructure development in India may not be sufficient to meet these stringent norms within the proposed timeline.

  2. Infrastructure Development
  • Current State: India’s EV infrastructure, including charging stations and service facilities, is underdeveloped compared to countries like the US and EU. Rapid and extensive investment is needed to support the widespread adoption of electric and hybrid vehicles required to meet the CAFE-III and CAFE-IV norms.
  • Global Standards: Countries like Norway, which leads in EV adoption, have robust infrastructure and incentives for electric vehicles. The EU and the US are also significantly investing in EV infrastructure to support their stringent emission norms (Center for Automotive Research).
  • Recommendation: To make the proposed norms achievable, India must prioritize the development of EV infrastructure, including expanding the network of charging stations and enhancing testing facilities
Git clone Catastrophe: Unpatched Vulnerability
https://nangia.com/portfolio-item/git-clone-catastrophe-unpatched-vulnerability-opens-door-to-remote-code-execution/
Tue, 10 Sep 2024 15:47:19 +0000

Git clone Catastrophe: Unpatched Vulnerability Opens Door to Remote Code Execution

A critical Remote Code Execution (RCE) vulnerability, CVE-2024-32002, has been identified in Git’s repository cloning process. This flaw allows attackers to exploit submodule configurations, executing arbitrary code during the clone operation without user intervention. As a result, malicious actors can gain control over the affected system, potentially installing malware or exfiltrating data. Developers cloning repositories from platforms like GitHub and GitLab are at heightened risk. Our Cyber Security Team has documented a detailed advisory outlining the vulnerability, associated risks and mitigation steps. 

What is the RCE Vulnerability while Cloning Git Repositories? 

A critical Remote Code Execution (RCE) vulnerability has been identified in the process of cloning Git repositories. This issue arises when repositories containing submodules are manipulated to exploit a flaw in Git, allowing files to be written not in the submodule’s work tree but directly into the “.git/” directory. This exploit causes a hook to execute during the cloning process, giving users no opportunity to inspect or interrupt the code execution. As a result, this vulnerability poses a significant security risk, as it enables automatic code execution without user verification. Malicious actors can leverage repositories with submodules to exploit this bug, leading to the execution of a hook from the “.git/” directory during the cloning process, and potentially resulting in Remote Code Execution (RCE). This type of attack is especially dangerous because it can provide attackers with control over the system, allowing them to run arbitrary code, install malware, or carry out other malicious actions without the user’s knowledge or consent. The RCE vulnerability while cloning Git repositories underscores the critical security concern identified as CVE-2024-32002. 

What is affected? 

Versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4 are affected.

 

Supply Chain Attack Leads to Backdoor vulnerability
https://nangia.com/portfolio-item/supply-chain-attack-leads-to-backdoor-vulnerability/
Tue, 10 Sep 2024 15:45:10 +0000

Recently a supply chain attack was uncovered with a backdoor being detected in specific versions of a commonly used utility called XZ Utils in Linux. The backdoor had the potential to grant malicious actors full, unauthorized access to systems using the affected versions. Our Cyber Security Team has put together an advisory documenting the procedure to verify if your organization has been affected along with the preventive and remedial steps to be undertaken to protect your information systems. 

What is XZ Utils Backdoor Vulnerability? 

The CVE-2024-3094 vulnerability, also known as the xz supply chain attack, represents a significant security issue identified within the xz/liblzma package, beginning from version 5.6.0. This flaw involves the discovery of malicious code within the upstream tarballs of xz, posing a threat to the software supply chain, especially in open-source environments. Exploitation of this backdoor may potentially grant unauthorized entry and control over compromised systems. XZ Utils is a vital data compression tool widely integrated into Linux distributions. It is used to compress diverse file types such as release tarballs, software packages, kernel images, and initramfs images.

Background of the Vulnerability: 

A Microsoft engineer involved in contributing to PostgreSQL projects encountered performance issues on a Debian system linked to SSH. These issues were characterized by heightened CPU usage during SSH logins and errors flagged by valgrind, a memory monitoring tool. Subsequent investigation uncovered that certain versions of the xz libraries contained malicious code, highlighting the significance of CVE-2024-3094 as a critical concern for Linux security.  

 

“BatBadBut” Bug Bites: Critical Windows Injection
https://nangia.com/portfolio-item/batbadbut-bug-bites-critical-windows-injection-flaw/
Tue, 10 Sep 2024 15:35:58 +0000

A critical Windows vulnerability (CVE-2024-24576), nicknamed “BatBadBut,” has been discovered. This vulnerability allows for command injection through the improper handling of batch files. Exploitation could lead to system compromise. Given the severity of this threat, swift and decisive measures are imperative to mitigate potential risks and safeguard your systems and data. Our Cyber Security Team has prepared a detailed advisory describing the vulnerability, risks, and steps to mitigate them effectively.

What is “BatBadBut” Vulnerability 

The BatBadBut vulnerability is a critical flaw affecting the handling of batch files (.bat and .cmd extensions) on Windows platforms across various programming languages and technologies. It allows attackers to execute arbitrary shell commands by bypassing the escaping mechanism. This vulnerability may also affect applications that execute commands without specifying the file extension.

Background of Vulnerability 

Flatt Security has discovered a critical vulnerability called BatBadBut (“bad, but not the worst”) that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

 
