Chinese gang shoots down aerospace security with MSFT flaws An alleged Chinese advanced hacking group has been found cherry-picking data from high-profile governments and corporations, p0wning many within six hours according to Dell researchers. The group, codenamed TG-3390 or Panda Emissary, is thought to operate from China and have an appetite for defence-related aerospace projects …
Another excellent article!
If you look at the secureworks threat analysis, these guyz 0wn Windows architectures in no time. Weird, all their toolsets seem to target Windows systems and Microsoft software running on it, except for some other middleware.
I really do not like how Dell provide file names / domains / IP addresses to try and help mitigate your risk, these are all subject to change, without notice! rofl
Scary stuff, guyz, I do hope you have a few honeypots in your datacenter, along with strong filesystem integrity measures. Note that they can hide their DLL's anywhere on the path, under any name of their choice.
Ports, IP Adresses, domain names, user agent strings (rofl), file names etc will change.
" these guyz 0wn Windows architectures in no time"
As it says "The outfit exploits old vulnerabilities not yet patched by victims" - presumably they would own any platform fairly quickly on that basis.
One comment that implies that they are attacking those with old and poorly configured systems is on the timeline it says "dump credentials from DC". That would only be possible on Windows 2000 level or earlier domains, or upgraded domains with poor settings. Since Windows 2003 just the hashes are stored, as per:
https://technet.microsoft.com/pt-pt/library/hh994559(v=ws.10).aspx
"all their toolsets seem to target Windows systems and Microsoft software running on it, except for some other middleware."
Not surprising since the vast majority of corporate servers (~75%) and desktops (~95%) run Windows. Particularly email servers and file servers - which are likely to be of most interest.
"You can dump plaintext passwords from the Windows Authentication Digest"
Yes - because that has to use reversible encryption - as it stores passwords that need to be replayed in original form to websites, WiFi systems, etc. and hashes wouldn't work This is not where Windows user account passwords are stored.
"That's a different issue. Reversing encryption and hash cracking are different beasts, so your point is irrelevant."
They are different - and that is the whole point - and is entirely relevant.
From Windows 2K3 onwards, Active Directory passwords are by default not stored using any sort of reversible encryption or crackable (LanMan) hash. They are only stored as a complex one way hash function. Therefore there is no way of recovering the original password other than brute force. Which is likely not computationally feasible for anything complex and at least ~ 8 characters or longer.
I'm not sure this is factually accurate. Before the 2014 patch, cleartext password will be stored in LSASS for interactive logon sessions unless explicitly disabled. By default Vista, 7, 2008, 2008R2 and 2012 all stored plaintext credentials in LSASS until KB2871997 when this was disabled by Microsoft, but that still doesn't remove plaintext credentials from WDigest according to their own patch overview ( http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx ). I don't know about Kerberos but it certainly used to be the case that it also required plaintext storing of credentials in-memory for ticket generation
My understanding is that the cleartext passwords are stored encrypted and in-memory via SSP, historically for numerous supported authentication methods but these days pretty much solely for WDigest. The encryption is done via the LSAProtectMemory function, which can simply be reversed via (ab)use of the LSAUnprotectMemory function. There are several tools publicly available that do this, including WCE and Mimikatz.
This post has been deleted by its author
All too true, but they do represent 'easy wins' that are quick to deploy and can be used retrospectively to check across log data for any signs of compromise. Pushing out IDS/IPS rules for picking up the traffic on the wire won't tell you if you got owned a year ago unless they/your AV have completely failed at cleaning up.
CIO is probably not the problem. The CIO on their own is likely not sufficient to enact change as they still need to rely on budget approvals from other people. The CEO and the entire board of directors (including the chairman) need to be liable. Only then will START to change.
I am starting to think that people that say antivirus/antimalware/IDS and IPS are the wrong solution are correct. Antivirus/antimailware only work once the signature of an attack is known. Most IDS and IPS are set up the same way, look for known attack traffic and then respond.
No, you need to set up your systems to allow known legitimate traffic/files/applications and block everything else (i.e. whitelist good stuff, not blacklist known bad stuff). Only then will security start becoming effective.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
