This Week in Security: Breaking CACs to Fix NTLM, the Biggest Leak Ever, and Fixing Firefox by Breaking It

For starters, Microsoft's June security patch contains a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. CISA reports this vulnerability as actively exploited in the wild, so it landed on the Known Exploited Vulnerabilities (KEV) catalog. This list captures the vulnerabilities most in need of attention, and for US federal agencies it triggers a mandatory patch deadline, in this case July 22. The unusual thing here is that the update that fixes CVE-2022-26925 also carries fixes for a few certificate vulnerabilities, including CVE-2022-26923, Certifried. That bug let an attacker who could create a machine account give it the DNS host name of a domain controller, then enroll a machine certificate that authenticated as that DC, resulting in an organization-wide compromise.

The patch rolled out in June now expects a "strong certificate mapping" to bind a user to a certificate. Having the same common name is no longer sufficient: a value that cannot be spoofed, such as the security identifier (SID), must tie the certificate to the user in Active Directory, either through a new SID extension in the certificate or an issuer-and-serial entry in the account's altSecurityIdentities attribute. For now the patch puts domain controllers in a compatibility mode, which still accepts an insecure mapping as long as the user account is older than the certificate. This has the unintended consequence of breaking the way the US government uses Common Access Cards (CACs) to authenticate its users. Government agencies typically begin onboarding by issuing a CAC and only then creating an AD account for that user. That makes the certificate older than the account, which means the patched domain controller rejects it. Fortunately, there is a registry value that can be set on the domain controllers, CertificateBackdatingCompensation under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, which widens the window by which a certificate may predate its account and lets the old mapping keep working, although this weakens the very age check the patch introduced.
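To make the compatibility-mode behavior concrete, here is an added example in Python that is not code from the column or from Microsoft. It models the decision the patched KDC is documented to make (strong mapping wins; a weak mapping is tolerated only if the certificate is not older than the account, with the registry compensation value widening that window) and shows how the strong issuer-plus-serial mapping string is built. The Certificate and AdUser records, the sample dates, the issuer name and the serial number are constructed inputs; the comparison of the certificate's NotBefore with the account's whenCreated is my reading of the documented check, not the KDC's actual code.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Model of the DWORD registry value the column mentions:
# HKLM\SYSTEM\CurrentControlSet\Services\Kdc\CertificateBackdatingCompensation,
# a number of seconds by which a certificate may predate the account it maps to.
# 0x5E0C89C0 is the documented "50 years" value; 0 means no compensation.
FIFTY_YEARS = 0x5E0C89C0

# OID of the SID extension that patched Windows CAs add to certificates they issue.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"


@dataclass
class Certificate:
    issuer: str            # issuer DN in the order the mapping string expects
    serial_hex: str        # serial number as printed by certutil
    not_before: datetime   # start of the validity period
    subject_cn: str        # used here as the weak (name-based) mapping
    sid_extension: Optional[str] = None  # None: the CA did not add the SID extension (e.g. a CAC issuer)


@dataclass
class AdUser:
    sam_account_name: str
    sid: str
    when_created: datetime
    alt_security_identities: List[str] = field(default_factory=list)


def reversed_serial(serial_hex: str) -> str:
    """The <SR> part of an altSecurityIdentities value is the serial in reversed byte order."""
    return bytes.fromhex(serial_hex)[::-1].hex().upper()


def issuer_serial_mapping(cert: Certificate) -> str:
    """Strong mapping of the documented form X509:<I>issuer<SR>reversed-serial."""
    return f"X509:<I>{cert.issuer}<SR>{reversed_serial(cert.serial_hex)}"


def has_weak_mapping(cert: Certificate, user: AdUser) -> bool:
    # Simplified: real DCs also accept UPN SAN matches and other altSecurityIdentities forms.
    return cert.subject_cn.lower() == user.sam_account_name.lower()


def compatibility_mode_decision(cert: Certificate, user: AdUser, backdating_compensation: int = 0):
    """Model of Compatibility mode. Returns (outcome, reason)."""
    if cert.sid_extension is not None:
        if cert.sid_extension == user.sid:
            return "accept", "strong mapping"
        return "reject", "SID extension does not match the account"
    if issuer_serial_mapping(cert) in user.alt_security_identities:
        return "accept", "strong mapping"
    if not has_weak_mapping(cert, user):
        return "reject", "no mapping"
    # The CAC case: a certificate issued before the account existed is rejected
    # unless the compensation value pushes the allowed start date back far enough.
    earliest_allowed = user.when_created - timedelta(seconds=backdating_compensation)
    if cert.not_before < earliest_allowed:
        return "reject", "weak mapping and certificate predates the account"
    return "accept", "weak mapping (warning logged)"


UTC = timezone.utc
# Constructed sample: the card was issued in January, the AD account created in March.
CAC_CERT = Certificate(
    issuer="DC=mil,DC=example,CN=EXAMPLE-CAC-CA",
    serial_hex="2B0000000011AC0000000012",
    not_before=datetime(2022, 1, 10, tzinfo=UTC),
    subject_cn="jdoe",
)
JDOE = AdUser("jdoe", "S-1-5-21-1111111111-2222222222-3333333333-1106",
              datetime(2022, 3, 1, tzinfo=UTC))


def demo():
    """The three states an onboarding flow like the one in the column passes through."""
    broken = compatibility_mode_decision(CAC_CERT, JDOE)
    workaround = compatibility_mode_decision(CAC_CERT, JDOE, FIFTY_YEARS)
    fixed_user = AdUser(JDOE.sam_account_name, JDOE.sid, JDOE.when_created,
                        [issuer_serial_mapping(CAC_CERT)])
    proper_fix = compatibility_mode_decision(CAC_CERT, fixed_user)
    return broken, workaround, proper_fix


if __name__ == "__main__":
    for label, result in zip(("after patch", "with registry workaround", "with strong mapping"), demo()):
        print(f"{label}: {result[0]} ({result[1]})")
```

The registry workaround and the strong mapping are the two remedies the column describes: the first only widens the age window, while populating altSecurityIdentities (or reissuing certificates from a CA that adds the SID extension) removes the reliance on the name match altogether.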

Decryptor released because of Copycat?

One of the weirder things we've seen in the ransomware plague is the release of decryptors when a criminal group goes out of business. In this case, AstraLocker shut down and released a set of decryption tools. Although these tools have been shown to work, if you are one of the unfortunate victims, wait until a reputable outfit like Emsisoft has vetted them and bundled them into a known-good decryptor rather than running binaries from a criminal group.

Why does a group shut down and release the keys to its kingdom? In some cases it's because law enforcement is getting uncomfortably close and the jig is up. Here, it looks like a bunch of copycats have started distributing their own variant of AstraLocker. The problem with AstraLocker 2.0 is that it is a "smash and grab", a low-effort campaign that never seems to deliver decryption keys. One possible explanation is that this impersonation campaign ruined the "good reputation" of the original actor, making it much harder to convince victims that paying will actually get them a decryptor, and so the original crew retired.

Chinese Police Leak Database

We've covered database breaches in the past where entire countries are exposed, but this one seems to take the cake. Records on over a billion people have been exposed in what appears to be a Chinese police database leak, likely the result of credentials unwittingly published in a blog post. The database was offered for sale for 10 bitcoins, roughly $200,000 at the time. The thread has since been deleted from the forum where it was posted. This is probably the biggest database leak ever, and a breach at this scale is not something that can be undone.

Firefox sanitizer

Mozilla is developing a new JavaScript feature in Firefox, the Sanitizer API. This is an effort to defeat Cross-Site Scripting (XSS) attacks by giving web applications a standardized, built-in means of sanitizing untrusted HTML. Part of the idea is that the browser itself is the most reliable source of truth about how a given chunk of HTML will be parsed, so a sanitizer that uses the browser's own parser cannot disagree with the browser about what the markup means, which is exactly the kind of mismatch that library-based sanitizers get bitten by.
