SANS NewsBites

Windows Exposes Password Hashes; Patch Your D-Link Routers; CISA Details TTPs Used by Chinese Threat Actors

July 20, 2021  |  Volume XXIII - Issue #56

Top of the News


2021-07-20

Vulnerability Leaves Password Hashes Exposed in Recent Versions of Windows

Some recent versions of Windows leave the SAM and SYSTEM registry hives readable by all local users. These hives contain password hashes and are a frequent target of privilege escalation exploits. As security researchers Jonas Lyk and Benjamin Delpy found, some recent versions of Windows expose these hives through Volume Shadow Copies. Initially only the brand new Windows 11 beta was found to be vulnerable, but additional research showed that some recent versions of Windows 10 are vulnerable as well.
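A defender-side check for the exposure described above, written as an added Python example that is not from the newsletter or from Microsoft: it parses the text that `icacls <file>` prints for a hive file and reports any principal that every local user belongs to and that holds read rights. The sample outputs are constructed to match the shape of icacls output, not captured from a real system.

```python
import re

# Principals that every local user belongs to: read access for any of these
# means the hive is readable by all local users, the exposure described above.
UNPRIVILEGED_PRINCIPALS = (
    r"BUILTIN\Users",
    "Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES",
)
# icacls simple rights that allow reading file data (plus the specific rights GR/RD).
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}


def readable_by_unprivileged(icacls_output):
    """Return the unprivileged principals holding read rights in icacls output.

    The first icacls line carries the path followed by an ACE; later lines carry
    one ACE each as principal:(flags). Deny ACEs grant nothing and are skipped.
    """
    offenders = set()
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        principal_part, _, flags = line.rpartition(":")
        rights = {r.strip() for tok in re.findall(r"\(([^)]*)\)", flags)
                  for r in tok.split(",")}
        if "DENY" in rights or not rights & READ_RIGHTS:
            continue
        for p in UNPRIVILEGED_PRINCIPALS:
            # On the first line the principal follows the file path.
            if principal_part == p or principal_part.endswith(" " + p):
                offenders.add(p)
    return sorted(offenders)


# Constructed sample output (not captured from a real system) in the shape icacls
# prints for an affected build, and for a build with the intended ACL.
SAMPLE_EXPOSED = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_FIXED = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
```

Run it against the real output of `icacls %windir%\System32\config\SAM` (and SYSTEM) on each build you manage; a non-empty result means the hive ACL needs correcting and existing shadow copies should be reviewed.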

Editor's Note

"Summer of SAM" as well as the remnants of "PrintNightmare" are offering two different relatively straightforward privilege escalation exploits to attackers. Make sure your endpoint visibility is sufficient to detect these attacks. As I am writing this, "Summer of SAM" is still developing. Watch out for guidance from Microsoft for mitigation and detection techniques. Do not fall for random "patches" that will be offered by malicious actors.

Johannes Ullrich

2021-07-16

Hotfix Available for D-Link Router Vulnerabilities

Multiple vulnerabilities in the D-LINK DIR-3040 wireless router could be exploited to expose data, execute code, and cause denial-of-service conditions. D-Link has released a firmware hotfix to address the flaws. Users are urged to update to firmware version 1.13B03.

Editor's Note

So sad to see another hardcoded password. I will take the log disclosure vulnerability. But hardcoded passwords? And before I forget: Turn off internet access to administrative interfaces on these devices. Even if your router isn't affected by this particular vulnerability.

Johannes Ullrich

The update, released July 15th, addresses the five vulnerabilities, which include both hard-coded passwords and a telnet server which can be launched without authentication. The telnet server allows logging into the CLI using a default credential stored in the firmware. D-Link is working to further refine the update, so watch for added updates after you apply this fix now.

Lee Neely

Enterprises that use large numbers of these routers should systematically apply the fix. SOHO users who have only one or two may find it cheaper to simply replace or upgrade the device. Given that these vulnerabilities were more the result of design and intent, rather than error or omission, consider changing brands. That said, it is likely that many vulnerable devices will never be replaced or updated.

William Hugh Murray

2021-07-19

CISA Alert AA21-200A - Tactics, Techniques, and Procedures of Indicted APT40 Actors

A Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides information about the Chinese Advanced Persistent Threat (APT) group APT40. The advisory lists tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.

Editor's Note

These CISA alerts are great to direct your hunt team. You may not be a victim of this particular actor, but the same TTPs are used by others as well and these reports are a great reality check for your detection tools to make sure you have visibility where it matters.

Johannes Ullrich

I welcome the focus on adversary behaviors (TTPs) over Indicators of Compromise (IoCs). If organizations can detect and respond to these TTPs, it will force the actor to change, which will cost them resources. Operate under assumed breach to focus on detecting adversary behaviors.

Jorge Orchilles

While this focuses on APT40, the mitigations apply broadly and should be reviewed for general applicability in your organization. In combination, these mitigations are extremely powerful defenses, and many should look familiar. Hand the IOCs to your SOC to ensure they are incorporated in your SIEM, then check for any matches.

Lee Neely

The Rest of the Week's News


2021-07-16

REvil Disappearance Leaves Kaseya Victims in the Lurch

The REvil ransomware group’s disappearance from the Internet has left some of its victims in a tough spot. Victims lacking adequate backups currently have no recourse unless the REvil operators release the master keys or law enforcement seizes the keys. One unnamed victim paid the ransom but the key they received did not work to decrypt their data.

Editor's Note

Don’t plan on the ransomware operator providing you a working decryption key or tool, and don't expect them to remain in business/reachable. This becomes even more complex with services such as REvil which offers services to affiliates, but you have no direct interaction with the affiliate. Focus now on being prepared for a ransomware attack: disconnected differential backups, updated user training, MFA on your accessible services and administrator accounts, verifying you are running secure configurations, and applying patches/updates in a timely fashion. Leverage the StopRansomware.gov site for even more comprehensive guidance.

Lee Neely

2021-07-19

Law Firm Discloses February Ransomware Attack

A law firm that handles cases for “dozens of Fortune 500 and Global 500 companies” has acknowledged that it suffered a ransomware attack in February 2021. Campbell Conroy & O'Neil, P.C., says that the attackers compromised client information, including “names, dates of birth, driver's license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.”

Editor's Note

The information released so far does not detail how the malware got installed, but odds are very high it started with a phishing attack that compromised reusable passwords. This is a good item to show your Chief Legal Counsel to get some backing for requiring all privileged accounts to use multi-factor authentication and checking that key services firms (like law firms) are doing so.

John Pescatore

Campbell is offering 24 months of credit monitoring, fraud consultation and identity theft restoration to individuals with compromised SSNs or equivalent. Because Campbell is a legal firm, one would expect they would rely on their ability to litigate as an attack response; even so, ransomware preparedness and cyber hygiene must be in place no matter who you are.

Lee Neely

2021-07-16

Moldova Court of Accounts Suffers Cyberattack

The Moldovan Court of Accounts has suffered a cyberattack that wiped out its data, including its audits of public financial organizations and government agencies. The Court of Accounts has taken down its website while it investigates the attack and restores its data.


2021-07-19

Microsoft Takes Down 17 Domains Used in Business eMail Compromise Campaign

Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.

Editor's Note

A homoglyph is one of two or more graphemes, characters or glyphs with shapes that appear identical or very similar. The idea is user@legitdomain.com and user@hoimoglyph.com are visually identical so the message will be accepted as genuine. E.g., replacing upper case I with lower case L. The attack targeted small businesses in North America and solicited a fraudulent wire transfer using the logos and otherwise legitimate email addresses from the business they were impersonating.

Lee Neely
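One way to turn the homoglyph problem described in this item into a detection check, as an added Python example that is not part of the newsletter: inbound sender domains are folded to a shape-based skeleton (capital I, lower-case l and digit 1 all collapse together, a few Cyrillic letters fold to their Latin lookalikes, "rn" to "m") and compared with a list of domains you protect, flagging both exact homoglyphs and one-character spelling variations. The confusable table is a constructed subset, and the protected-domain list is assumed to be one you maintain.

```python
import unicodedata

# Constructed subset of visually confusable characters, each folded to the Latin
# letter it imitates. Digit 1, capital I (after lower-casing) and l all become "l".
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l", "\u0131": "l", "\u04cf": "l",  # dotless i, Cyrillic palochka
    "0": "o", "\u043e": "o", "\u0430": "a", "\u0435": "e",        # Cyrillic o, a, e
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",  # Cyrillic r, s, kh, u
}


def skeleton(domain):
    """Fold a domain name to a shape-based canonical form (simplified TR39-style)."""
    d = domain.strip().rstrip(".").lower()
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")  # punycode labels -> Unicode
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", d).lower()
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, protected_domains, max_distance=1):
    """Return the protected domain that sender_domain imitates, or None.

    Skeleton distance 0 is a homoglyph; distance 1 is a spelling variation.
    """
    sender = sender_domain.strip().rstrip(".").lower()
    if sender in (p.lower() for p in protected_domains):
        return None  # the genuine domain itself, not a lookalike
    s = skeleton(sender)
    for legit in protected_domains:
        if edit_distance(s, skeleton(legit)) <= max_distance:
            return legit
    return None
```

Feed it the domain of each inbound From: and Reply-To: header; a non-None result is a candidate for quarantine or a warning banner rather than an automatic block, since a one-character distance will also match some unrelated domains.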

2021-07-19

MITRE Engenuity Evaluates ICS Cybersecurity Solutions

MITRE Engenuity has published the results of its evaluation of five industrial control systems (ICS) cybersecurity solutions. The solutions were voluntarily submitted by Armis, Claroty, Microsoft/CyberX, Dragos, and the Institute for Information Industry. The report examines the solutions’ responses to a simulated Triton attack.

Editor's Note

I’m a big fan of more testing for security products and in general the MITRE Engenuity ATT&CK evaluations are well done. But MITRE admits they do *not* directly address false positives. With so many products claiming to use machine learning/artificial intelligence to raise detection rates, false positive rates (or how much tuning is required to keep false positives at a workable level) is key to evaluating. These evaluations can give you good data on doing your own POC/bakeoff, but don’t replace the need to do so.

John Pescatore

All testing has limitations, late testing particularly so. Not all systems are as easily tested as others; complex systems should be designed to facilitate effective testing. Tests should be part of the product specification (rather than something thought up after the fact). Testing should be continuous throughout development, from component testing to final system test. Testing should first demonstrate that the system performs as intended and only then that it is resistant to attack. The attack modes should be identified and addressed during development rather than sprung as a surprise at the end.

William Hugh Murray

2021-07-19

DoJ Charges Alleged Members of Chinese Hacking Group

The US Department of Justice (DoJ) has unsealed an indictment charging four Chinese citizens with conspiracy to commit computer fraud and conspiracy to commit economic espionage. The individuals allegedly participated in “a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.”


2021-07-19

US Formally Blames China for Exchange Server Attacks

The US, along with a group of allies and partners, has accused the People’s Republic of China of being responsible for the Microsoft Exchange server attacks earlier this year, stating that its “pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world.” The Biden administration has not issued formal sanctions against China’s government.

Editor's Note

This action triggered two bulletins from CISA: one in Top of the News and one below. The actions behind making the accusation and implementing the sanctions are long and complex and, while welcome, should not change your approach to defending your systems, nor should you expect a measurable decrease in attempted attacks.

Lee Neely

This is significant in the manner that it was coordinated and announced not only by the US but by NATO, the European Union, Australia, England, Canada, Japan, and New Zealand. At the same time, the US Department of Justice charged four Chinese nationals. The pressure on both China and Russia to stop protecting malicious actors operating out of their countries will hopefully result in a positive outcome, but we will have to wait and see.

Jorge Orchilles

2021-07-19

CISA Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs

A Joint Cybersecurity Advisory from the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides technical details about the tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. The “advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.”

Editor's Note

Even if you’re not worried about APTs, read the information as to how a well-resourced adversary operates to better understand how you could be compromised. The information includes detection, defenses and mitigation options for most actions. Many of these are things that you should already be doing.

Lee Neely

The TTP that jumped out the most for me on this one was the use of steganography to hide stolen data inside of other files stored on GitHub. This is very difficult to detect and probably not the focus of most organizations. As your detections mature, take a look at the more sophisticated TTPs for detection and response.

Jorge Orchilles

Internet Storm Center Tech Corner

Multiple BaseXX Obfuscations

https://isc.sans.edu/forums/diary/Multiple+BaseXX+Obfuscations/27640/


New Windows Print Spooler Vulnerability - CVE-2021-34481

https://isc.sans.edu/forums/diary/New+Windows+Print+Spooler+Vulnerability+CVE202134481/27648/


Juniper Patches: Radius Vulnerability

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11180&cat=SIRT_1&actp=LIST


fail2ban vulnerability

https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm


NSO Group Victims Leaked

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/


Dangers of Autofilling Passwords

https://marektoth.com/blog/password-managers-autofill/#analysis


iOS/WatchOS/tvOS/Safari Updates

https://support.apple.com/en-us/HT201222


iOS Format String Vulnerability Exploitable as RCE

https://blog.zecops.com/research/meet-wifidemon-ios-wifi-rce-0-day-vulnerability-and-a-zero-click-vulnerability-that-was-silently-patched/


Surfside Condo Collapse Scams

https://threatpost.com/attackers-target-florida-condo-collapse-victims/167917/