To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple certificate vulnerabilities including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same as a domain controller, leading to organization-wide compromise.
The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result.
Decryptor Released Because of Copycat?
One of the stranger things we’ve seen out of the ransomware plague is the release of decryptors when a criminal group closes up shop. In this case, AstraLocker has closed its doors, and released a set of decryption routines. While those decryption programs have been demonstrated to work, if you happen to be one of the unfortunate victims, wait until a reputable group like Emsisoft takes those shady tools and packages them into a known-good solution.
Why does a group close down and release the keys to their kingdom? In some cases it’s because law enforcement is getting uncomfortably close and the jig is simply up. Here, it appears that a copycat group has started distributing their own iteration on Astralocker. The problem with AstraLocker 2.0 is that it’s a “smash and grab”, a low effort campaign that appears to never actually provide decryption keys. One possible explanation is that this copycat campaign is spoiling the “good name” of the original actor, and makes it much harder to convince victims to pay for decryption, leading to the retirement.
Chinese Police Leaks Database
We’ve covered some database breaches in the past, where entire countries are exposed, but this one seems to take the cake. Over a billion users have been exposed in what appears to be a leak of a Chinese police database — likely the result of credentials unintentionally leaked in a blog post. The database was offered for sale for 10 bitcoins, less than the price of a pizza. That thread has since been deleted from the forum where it was being offered. This is likely the biggest database leak ever seen, and at this scale, it’s going to be hard to top.
Firefox Sanitizer
Mozilla is developing a new JavaScript feature in Firefox, Sanitizer. It’s an effort to defeat Cross-Site Scripting (XSS) attacks, by adding a standardized way to sanitize data. Part of the thought is that the browser itself can be a very reliable source of “truth” when it comes to how HTML will be understood.
It’s an experimental feature that’s still being built, but it’s available for testing, and researchers are already starting to work to make it better. [Gareth Heyes] took a crack at it, and discovered a potential problem with SVG handling. SVGs are images generated by XML code, and one of the valid elements is a use statement, essentially including SVG code from somewhere else. That somewhere else could potentially be malicious, and some very clever work can result in arbitrary JavaScript execution as a result. The flaw was fixed in Firefox 102, and ideally when this feature leaves expiremental, all those bugs will be worked out. If it proves useful, Chrome will pick it up, and it may even get on a track for inclusion as a web standard.
Bits and Bytes
Project Zero has an overview of the in-the-wild bugs they’ve tracked so far this year. There 18 total bugs, but nine of those were variants of previous bugs, instances when the patch to fix a known problem was insufficient to actually fix the root problem. In a couple cases, it wasn’t even a variant, but the exact same bug that was fixed and then made vulnerable again. If nothing else, it’s a powerful testament to the value of regression tests.
The British Army’s official Twitter and YouTube accounts were accessed by a malicious third party this week. With this access, all that was posted was links to crypto scam site — hardly living up to the potential of having access to such valuable accounts. Appears to decidedly not have been a state-sponsored actor.
And finally, in the long tradition of security software introducing security vulnerabilities, Trend Micro has patched a vulnerability that allowed privilege escalation via mount point manipulation on Windows. The issue was found and reported privately, and the fix was rolled out in version 17.7. There’s no sign this one was ever exploited, so chalk one up for the good guys!