By the CyberWire staff
Serious Windows flaw patched in August.
ZDNet reports that Microsoft's August Patch Tuesday included a fix for a severe elevation-of-privilege vulnerability that could allow an attacker on a network to impersonate any computer account within the domain, including the domain controller (the server responsible for handling security authentication requests), and reset the password for that account. The vulnerability, dubbed "Zerologon" (CVE-2020-1472), was assigned a CVSS score of 10, but technical details of the flaw weren't made public at the time of the patch's release.
Researchers at Secura have now published an analysis of the vulnerability, and observers quickly realized the flaw is extremely serious. The vulnerability is trivial to exploit, and several public exploits are already available (Secura itself refrained from publishing its proof-of-concept). Secura explains, "Leaving a DC unpatched will allow attackers to compromise it and give themselves domain admin privileges. The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC; i.e. they need to have a foothold on the network, but don’t require any domain credentials." The researchers add that "it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain."
The vulnerability is due to flaws in the custom AES cryptographic authentication scheme used by the Netlogon protocol. Netlogon is responsible for a number of features involving user account authentication, including updating passwords within the domain. Secura's Tom Tervoort found that the cryptographic scheme used a fixed initialization vector (IV), contrary to the security requirements for AES. This fixed IV consisted of sixteen zero bytes, leading Tervoort to discover that "for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in all-zero ciphertext." As a result, an attacker can repeatedly try to authenticate using an all-zero client challenge until the authentication succeeds, which Secura says will take about three seconds. If the attacker sets a few other message parameters to zero, they can set an empty password for the domain controller (at which point, since they know the password, they can change it to whatever they wish).
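As an added illustration (not Secura's code and not the Netlogon implementation), the Python below shows why a fixed all-zero IV makes CFB8 leak for one key in 256: the block cipher is a hypothetical SHA-256 based stand-in for AES, which is sufficient because the flaw is a property of the mode, and the keys are constructed test values.

```python
import hashlib

BLOCK = 16  # AES block size in bytes; Netlogon's AES-CFB8 used a fixed all-zero IV

def stand_in_block_cipher(key: bytes, block: bytes) -> bytes:
    """Forward direction of a 128-bit keyed block function. CFB only calls the
    cipher forwards, so a keyed PRF stands in for AES. This is NOT AES: it is a
    hypothetical substitute so the example runs on the standard library alone."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key, iv, plaintext, block_fn=stand_in_block_cipher):
    """CFB8: XOR each plaintext byte with the first byte of E(key, register),
    then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_fn(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])  # drop oldest byte, feed ciphertext in
    return bytes(out)

def first_byte_is_zero(key, block_fn=stand_in_block_cipher):
    """The condition behind the 1-in-256 figure: if E(key, 0^16)[0] == 0, the first
    ciphertext byte is 0, the register stays all-zero, and so does every later byte."""
    return block_fn(key, bytes(BLOCK))[0] == 0

def zero_iv_gives_zero_ciphertext(key, block_fn=stand_in_block_cipher):
    """Does all-zero plaintext under the all-zero IV encrypt to all-zero ciphertext?"""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(BLOCK), block_fn) == bytes(BLOCK)

def constructed_key(seed, i):
    """Deterministic test key from a constructed label (not real key material)."""
    return hashlib.sha256(b"constructed key %d %d" % (seed, i)).digest()[:BLOCK]

def estimate_weak_key_fraction(trials, seed=1):
    """Count keys whose zero-IV/zero-plaintext ciphertext is all zeros, checking that
    each hit is exactly explained by the first-byte condition. Expect ~trials/256."""
    hits = 0
    for i in range(trials):
        key = constructed_key(seed, i)
        hit = zero_iv_gives_zero_ciphertext(key)
        assert hit == first_byte_is_zero(key)
        hits += hit
    return hits, trials

def find_weak_key(seed=1, limit=100_000):
    """First constructed key for which the zero-IV fixed point appears."""
    return next(k for k in (constructed_key(seed, i) for i in range(limit))
                if first_byte_is_zero(k))

def fresh_iv_breaks_pattern(key, iv):
    """With a non-zero IV the register does not start at the fixed point, so the
    same key no longer maps all-zero plaintext to all-zero ciphertext."""
    return cfb8_encrypt(key, iv, bytes(BLOCK)) != bytes(BLOCK)
```

Running `estimate_weak_key_fraction(25_600)` returns a hit count close to 100, the 1-in-256 rate Secura describes, and `fresh_iv_breaks_pattern` shows that the same weak key is harmless once the IV is no longer fixed.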
Microsoft's August patch addresses this issue, and organizations are urged to apply the fix as soon as possible. Microsoft also plans to release a more comprehensive patch in February 2021.
For more, see the CyberWire Pro Research Briefing.
[On-Demand Webinar] A Conversation with a CIO about Lowering Cost and Reducing Risk
Breach damage caused by hackers evading detection has accelerated in 2020, and the stakes are higher than ever. Watch this on-demand webinar to learn how Altra Industrial Motion, a leading manufacturer of motion control products, uses existing technologies and makes strategic decisions to lower risk and costs in tandem.
Database leak exposes Zhenhua Data's information gathering.
The Australian Broadcasting Corporation has obtained what appears to be a leaked database showing individuals against whom Chinese intelligence services are developing detailed target packs. Around 2.4 million people are on a list maintained by Shenzhen-based Zhenhua Data, believed to be a Ministry of State Security contractor. The ABC says the trove suggests "a complex global operation using artificial intelligence to trawl publicly available data to create intricate profiles of individuals and organisations, potentially probing for compromise opportunities." Zhenhua maintains that there’s nothing particularly sinister about the database: essentially, it’s marketing data. The majority of the material has been scraped from public sources, such as social media profiles, news stories, and criminal records, but some of the data appear to be confidential, including "bank records, job applications, and psychological profiles."
The database holds information on 51,000 US citizens, 35,000 Australians, 10,000 Indian nationals, 10,000 British residents, and 5,000 Canadians, according to the Australian Financial Review. A number of these individuals are high-ranking politicians, diplomats, celebrities, and others listed as being of "special interest." Robert Potter from Canberra-based cybersecurity firm Internet 2.0 told the Guardian he found evidence that the database had been used to search for employees with criminal records working at companies of interest: "If you combine that with publicly available information and you start scraping for criminal activity around somebody’s name, you’re into the security vetting and intelligence vetting side … you’re not just looking at someone’s Twitter at that point. You’re gathering multiple sources together to make an assessment of vulnerability." Similarly, the New Zealand Herald quotes New Zealand's Minister of Foreign Affairs as saying, "It is very disquieting in the extreme that the collection of information is being sought, not for what you might call a marketing purpose or to sell product, but the purpose is perhaps to find information that can be used in a future time to persuade a certain outcome from individuals associated with the person that has been the source of the information collection."
Christopher Balding, the US academic who first received the database from an undisclosed source, is convinced that the database was used by Chinese intelligence, writing, "This data provides proof of activities that China was believed to engage in, but for the first-time, data confirmed these activities....Reviewing the raw data, even Chinese “experts” continue to radically underestimate the investment in monitoring and surveillance tools dedicated to controlling and influencing, not just its domestic citizens and institutions, but assets outside of China."
Still, there's no hard evidence that Beijing has used the database or that the data were collected illegally. The Australian government’s reaction to the incident has been relatively subdued, according to the Guardian, but the Labor Party has called upon the Information Commissioner to open an investigation. Reaction from India’s government has been similarly low-key. The Economic Times says New Delhi probably won't investigate the findings without evidence that Zhenhua used illegal methods to collect the data. A government official told the publication, "It seems like an effort towards statecraft and action cannot be taken till the time there are reports of a data breach by a platform or intermediaries, like (it) has happened in the past."
For more, see the CyberWire Pro Privacy Briefing.
[On-Demand Webinar] A Real Conversation About Post-Compromise with Dave Bittner
Learn more about the inevitability of compromises and how to stop attacks from escalating into a full-on data breach with Dave Bittner!
This webinar will also discuss:
- Trends that are complicating the job of security professionals today like work-from-home and cloud adoption
- Bigger threats on your network today and what to do to truly lower your risk
Patient dies after hospital sustains ransomware attack.
A woman in need of emergency care in Germany died after the nearest hospital sustained a ransomware attack, forcing the patient to be diverted to another hospital twenty miles away, the Associated Press reports. The attackers infected thirty servers belonging to the Düsseldorf University Clinic after exploiting a directory-traversal vulnerability in Citrix ADC (CVE-2019-19781), according to BleepingComputer.
Some organized ransomware gangs claim to avoid hitting hospitals, and this case seems to have been an accident; based on the ransom note, the attack was apparently meant to hit a university affiliated with the hospital. The attackers provided the hospital with the decryption keys after being informed of their mistake, but Graham Cluley points out "the fact that the ransomware attack hit the wrong organisation was down to sheer recklessness and lack of attention by the criminals behind it." The AP says German prosecutors are seeking the perpetrators on suspicion of negligent manslaughter. Reuters notes that "If the investigation leads to a prosecution, it would be the first confirmed case in which a person has died as the direct consequence of a cyber attack."
Germany's BSI said the incident demonstrates the importance of prompt patching, stating, "The vulnerability in the VPN products from Citrix that has been known since January 2020 represents a possible gateway into internal networks, depending on the local network configuration. Corresponding security updates have been available since January 2020 and, if not already done, should be imported urgently. Systems that were patched in January 2020 can also be affected by the exploitation. These may have been compromised before the Citrix security updates were installed and can therefore still allow attackers to access internal networks and other activities, such as the diversion or encryption of sensitive data or the manipulation or shutdown of systems, business processes and operating procedures."
Maze ransomware delivered via VM.
Sophos warns that the Maze ransomware operators are delivering their payloads via virtual machines, a technique first used by the RagnarLocker ransomware earlier this year. BleepingComputer explains that the attackers turned to this tactic after their first two attempts to install the ransomware failed. Sophos says the attackers had been in the network for at least six days before deploying this tactic, and they configured the VM specifically for the victim's shared network drives.
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
A look at cybersecurity companies' security practices.
Oracle wins TikTok deal with ByteDance, subject to US government approval.
Oracle has landed a deal with ByteDance to serve as "the trusted technology provider" for TikTok, although some details of the arrangement remain unclear. Under the proposed deal, TikTok’s American operations will be incorporated as a US company, but ByteDance will retain a majority stake in the business with Oracle holding a significant minority interest, according to the Wall Street Journal.
The Washington Post thinks the reorganization is likely to meet with US regulatory approval, as does CNBC, but that's based largely upon suppositions about Oracle's influence with the White House and the presumed success of Chinese lobbying. US regulatory agencies have yet to weigh in. The proposal has been coldly received by Congress, The Hill reports, with Republican Senators notable for their disapproval. And the Wall Street Journal says President Trump, Treasury Secretary Mnuchin, and other officials have signaled that they won't be happy with a deal that gives ByteDance majority ownership of TikTok.
The US Department of Commerce on Friday announced that most transactions with WeChat and TikTok will be banned in the US, effective Sunday. Commerce explained the decision as follows: "While the threats posed by WeChat and TikTok are not identical, they are similar. Each collects vast swaths of data from users, including network activity, location data, and browsing and search histories. Each is an active participant in China’s civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP. This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security." The action was taken pursuant to Executive Orders 13942 and 13943.
The Telegraph summarizes the situation: "The ban on TikTok could be rescinded by Donald Trump if the US government approves the Oracle deal. If it is rejected, Apple and Google could be forced to suspend offering the two apps to American users of their app stores from September 20."
Seeking Alpha reports that TikTok is looking to rally allies among rival social platforms to challenge the coming US ban. And, whatever Washington ultimately decides about a TikTok spinoff, the Wall Street Journal notes that any such arrangement would require Beijing’s approval, too.
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Update: the CyberWire brought its glossary back!
And we’ve revamped with a whole new interface and set of features to give you richer context and clarity beyond just a definition. Each term has its own dedicated page that includes a pronunciation sound bite, a listing of CyberWire podcasts and publications where it has been used, and the episode of Word Notes that features the term, if applicable. Be sure to bookmark this curated collection of hundreds of cybersecurity terms, essential for all cybersecurity professionals and newcomers alike. Check it out.
The US Cybersecurity and Infrastructure Security Agency has released an advisory on the activities of China’s Ministry of State Security (MSS) and its affiliated agencies and contractors. The MSS has tended to concentrate on recently identified vulnerabilities, hoping to catch organizations that have been laggard in patching. Some of the issues exploited include Microsoft Exchange Server (CVE-2020-0688), F5's BIG-IP remote takeover vulnerability (CVE-2020-5902), Pulse Secure VPN's remote code flaw (CVE-2019-11510) and Citrix VPN's directory traversal problem (CVE-2019-19781).
CISA also released an alert stating that the Iran-aligned threat actor Pioneer Kitten is exploiting these same VPN vulnerabilities.
Crime and punishment.
The US Justice Department unsealed indictments against five Chinese nationals and two Malaysians accused of international cybercrime and involvement with the China-aligned threat actor APT41 (also tracked as "Barium," "Winnti," "Wicked Panda," and "Wicked Spider"). The first indictment, from August 2019, charged Zhang Haoran and Tan Dailin with twenty-five counts of conspiracy, wire fraud, aggravated identity theft, money laundering, and CFAA violations. A second indictment, from August 2020, charged Jiang Lizhi, Qian Chuan, and Fu Qiang with nine counts of "racketeering conspiracy, conspiracy to violate the CFAA, substantive violations of the CFAA, access device fraud, identity theft, aggravated identity theft, and money laundering."
Two of the defendants were arrested by Malaysian authorities on Monday and are expected to be extradited to the US. The US District Court for the District of Columbia has also "issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers, domain names, and command-and-control (C2) 'dead drop' web pages used by the defendants to conduct their computer intrusion offenses."
The US Justice Department also unsealed an indictment of two pro-Iranian hackers in connection with their alleged defacement of websites in response to the US drone strike that killed Iranian General Soleimani in Baghdad.
And the US Department of the Treasury’s Office of Foreign Assets Control has issued sanctions against the Iranian threat group APT39, along with forty-five individuals associated with the group, and a front company, Rana Intelligence Computing Company. Treasury says the Iranian government used Rana to launch "a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector." The forty-five sanctioned individuals "served in various capacities while employed at Rana, including as managers, programmers, and hacking experts."
For more, see the CyberWire Pro Disinformation Briefing.
Courts and torts.
The Wall Street Journal reports that the US Federal Trade Commission is making preparations to file a possible antitrust suit against Facebook, although a final decision hasn't been made to proceed with the case.
Policies, procurements, and agency equities.
The US Federal Energy Regulatory Commission (FERC) is soliciting comments on risks to the nation's power grid highlighted in May's Executive Order on Securing the United States Bulk-Power System. FERC specifically mentions Huawei and ZTE as examples of supply chain threats to national security. The Commission is interested in comments on:
- "the extent to which equipment and services provided by such entities are used in the operation of the bulk electric system;
- "the risks to bulk electric system reliability and security posed by the use of equipment and services;
- "whether the current Critical Infrastructure Protection (CIP) Reliability Standards adequately mitigate the identified risks; and
- "possible actions the Commission could consider to further address the identified risks."
San Francisco-based network intelligence company Sandvine announced that it's cancelled a deal with the government of Belarus after determining that Minsk had used the company's products to cut off the country's Internet access during its election last month, Bloomberg reports. Sandvine will no longer provide software updates or technical support for its products used by the Belarusian government, although the products will still be functional in the short term. The company asserts that the government added custom code to its technology "to thwart the free flow of information during the Belarus election," stating, "This is a human rights violation and it has triggered the automatic termination of our end user license agreement."
For more, see the CyberWire Pro Policy Briefing.