This Week In Security:Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple certificate vulnerabilities including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result.

Decryptor Released Because of Copycat?

One of the stranger things we’ve seen out of the ransomware plague is the release of decryptors when a criminal group closes up shop. In this case, AstraLocker has closed its doors, and released a set of decryption routines. While those decryption programs have been demonstrated to work, if you happen to be one of the unfortunate victims, wait until a reputable group like Emsisoft takes those shady tools and packages them into a known-good solution.

Why does a group close down and release the keys to their kingdom? In some cases it’s because law enforcement is getting uncomfortably close and the jig is simply up. Here, it appears that a copycat group has started distributing their own iteration on Astralocker. The problem with AstraLocker 2.0 is that it’s a “smash and grab”, a low effort campaign that appears to never actually provide decryption keys. One possible explanation is that this copycat campaign is spoiling the “good name” of the original actor, and makes it much harder to convince victims to pay for decryption, leading to the retirement.

Chinese Police Leaks Database

We’ve covered some database breaches in the past, where entire countries are exposed, but this one seems to take the cake. Over a billion users have been exposed in what appears to be a leak of a Chinese police database — likely the result of credentials unintentionally leaked in a blog post. The database was offered for sale for 10 bitcoins, less than the price of a pizza. That thread has since been deleted from the forum where it was being offered. This is likely the biggest database leak ever seen, and at this scale, it’s going to be hard to top.

Firefox Sanitizer

Mozilla is developing a new JavaScript feature in Firefox, Sanitizer. It’s an effort to defeat Cross-Site Scripting (XSS) attacks, by adding a standardized way to sanitize data. Part of the thought is that the browser itself can be a very reliable source of “truth” when it comes to how HTML will be understood.

It’s an experimental feature that’s still being built, but it’s available for testing, and researchers are already starting to work to make it better. [Gareth Heyes] took a crack at it, and discovered a potential problem with SVG handling. SVGs are images generated by XML code, and one of the valid elements is a use statement, essentially including SVG code from somewhere else. That somewhere else could potentially be malicious, and some very clever work can result in arbitrary JavaScript execution as a result. The flaw was fixed in Firefox 102, and ideally when this feature leaves expiremental, all those bugs will be worked out. If it proves useful, Chrome will pick it up, and it may even get on a track for inclusion as a web standard.

Bits and Bytes

Project Zero has an overview of the in-the-wild bugs they’ve tracked so far this year. There 18 total bugs, but nine of those were variants of previous bugs, instances when the patch to fix a known problem was insufficient to actually fix the root problem. In a couple cases, it wasn’t even a variant, but the exact same bug that was fixed and then made vulnerable again. If nothing else, it’s a powerful testament to the value of regression tests.

The British Army’s official Twitter and YouTube accounts were accessed by a malicious third party this week. With this access, all that was posted was links to crypto scam site — hardly living up to the potential of having access to such valuable accounts. Appears to decidedly not have been a state-sponsored actor.

And finally, in the long tradition of security software introducing security vulnerabilities, Trend Micro has patched a vulnerability that allowed privilege escalation via mount point manipulation on Windows. The issue was found and reported privately, and the fix was rolled out in version 17.7. There’s no sign this one was ever exploited, so chalk one up for the good guys!

16 thoughts on “This Week In Security:Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

  1. “The database was offered for sale for 10 bitcoins, less than the price of a pizza.”

    What kind of pizza do you want? I am happy to bake one for you and fly it to any place in the US. Oh, and only today: Buy one, get the second one 50% off.

  2. Jeez. What kind of pizza do you people eat? The current exchange rate is over $21000 per bitcoin.

    Over two hundred thousand dollars for a pizza.

    Is it served on a golden plate by naked, gold dusted dancing girls who hand feed it to you?

  3. “The database was offered for sale for 10 bitcoins, less than the price of a pizza.”

    I just checked again and we are still in 2022, one bitcoin is around 20k

  4. LGTFY:

    12 years ago a Bitcoin enthusiast spent 10 Bitcoin on two large pizzas, considered the first real world Bitcoin transaction.

    Since then, May 22 has been known as Bitcoin Pizza day.

      1. It would also however have involved a transaction.

        I guess the point is, that it was the first one that meant something in the real world vs look it works if you put this number in here, it turns up in this guys wallet over there.

  5. Let the government collect data on how good a citizen you are, to keep you safe…

    Can we also pause for a moment and question why the Chinese police had a data on over a billion people? That’s a minimum of 2/3 of their population… basically, their police has a file on EVERYONE, whether or not they’re labelled a “criminal” yet.

  6. Firefox today has some bad problems with many sites where various things just don’t work (for example T-Mobile’s coverage map) or things are shifted away from where they’re supposed to be so that they do things like cover the text you want to read, or text formatting is screwed up so things like line spacing is too small and lines overlap.

    It’s like Firefox is the new Internet Explorer while Chrome and Edge work fine like Netscape Navigator did back in the day.

    1. Except for the “Document Contains no Data” bug with some forms that Netscape and early Firefox had where you’d fill out a form, click the button and it’d sit there doing nothing for several minutes then popping up “Document Contains no Data”. Meanwhile every other browser would work just fine with the same form.

    2. It may actually be the opposite issue, where Chromium has become so dominant, that web developers are writing pages only for Chrome. (Been guilty of that). It’s often wrong on Firefox because the dev relied on a Chromism.

      1. Firefox’s market share is so small that most of us don’t bother testing it. But AFAIK it tends to work fine.

        Samsung browser has been “the new IE” for a long time, unfortunately.

        Edge is remarkably well behaved.

        But yes, we do have to code for Chrome. A common issue is chrome ignoring “do not autofill” instructions… I’ve seen it auto fill passwords into search boxes 😭. So you end up adding dummy fields to distract chrome.

        1. >> A common issue is chrome ignoring “do not autofill” instructions… I’ve seen it auto fill passwords into search boxes

          That sounds like a pretty major flaw. Maybe even worthy of a mention in “this week in security”?

          Yet another reason I’m glad I don’t use Chrome.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.