You'll never guess who's been exploiting the ManageEngine service to steal passwords

Palo Alto Networks' Unit 42 research team has said criminals using tools accompanied by Chinese instructions gained access to high-interest networks and stole passwords after exploiting at least 370 password management services in the US. "As early as September 17 the actor leveraged leased infrastructure in the United States …

  1. Doctor Syntax Silver badge

    Online password services exploited? Really?

    <Gets up off of floor after being struck by a passing feather>

    1. Wellyboot Silver badge
      Holmes

      You missed the obvs icon!

    2. A Non e-mouse Silver badge
    3. chuBb. Silver badge

      It's not really an online password service, I mean some twat will have made it publicly available. It's more of a hell desk front end to basic AD user operations: password reset, account unlock, that sort of thing.

      Basically it could be severely hampered by MFA and using a more modern approach to AAA.

      Won't be surprised to see more efforts directed at "internal" business support systems now that external security is generally better in 3rd-party solutions than internal.

      1. Version 1.0 Silver badge

        So what's more secure? An online service or a piece of paper stuck underneath the keyboard? We used to see that as stupid but nowadays it seems to be a lot safer than storing passwords on the internet.

        1. chuBb. Silver badge

          Not relying on a single authentication method for authorisation.

          xkcd password with alternating capitalisation and, if warranted, numeric substitution, coupled with a PIN and/or an authenticator app or one-use token is my minimum recommendation.

          As for the post-it note, whatever works for you, although I'd be more inclined to write a mnemonic or an acrostic for an xkcd password than the actual password.

      2. Clausewitz 4.0 Bronze badge
        Devil

        Some exploits can reach execution before reaching MFA checks, only sayin'...

  2. Wellyboot Silver badge

    >>>KdcSponge, it injects itself into the Local Security Authority Subsystem Service (LSASS) process, where it hooks undocumented functions to collect usernames and passwords from inbound Kerberos authentication attempts<<<

    Documentation available via your TLA of choice...

    1. Anonymous Coward

      Windows - closed source software with NSA backdoors built in. Stop looking surprised.

  3. John Brown (no body) Silver badge

    Out of curiosity...

    ".zip files with a JavaServer Pages (JSP) webshell disguised as an x509 certificate"

    ...just how big is an x509 cert, and how big are ".zip files with a JavaServer Pages (JSP) webshell"?

    1. chuBb. Silver badge

      Re: Out of curiosity...

      Cert size depends on chain size and how many you feel like cat'ing together.

      A root CA collection can be a couple of MB.

      1. John Brown (no body) Silver badge
        Thumb Up

        Re: Out of curiosity...

        Ah, OK, thanks. That's not something I was aware of, and a cert file being big enough that you can masquerade a web server as a cert seemed a bit odd :-)

        1. chuBb. Silver badge

          Re: Out of curiosity...

          It's not so much the payload that's the problem (plain-text interpreted script); it's that it's possible to execute an uploaded file that's the issue.

          What must be happening (I've not looked at specifics) is:

          Zip is uploaded and extracted.

          Tomcat is set to engage Java for all file requests (typically you would exclude any static files from wasting server resources; ManageEngine has a very LAN-centric trusted-environment expectation with its out-of-box configs: it runs as root and sets the execute bit by default on file permissions in the *nix installer, for example).

          Because of this misconfiguration the attacker's script is executable and goodbye server, you've been pwned.

          The payload zip file would be a couple of KB in size and would require actual inspection to be detected, as a zipped PEM file and a zipped JSP would look very, very similar in a hex editor...
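          As an added defensive illustration (not code from the article or from any commenter), this is the kind of "actual inspection" chuBb refers to: open the uploaded archive in memory, and accept an entry only if it parses as a PEM certificate, flagging JSP scriptlet markers, oversized entries and traversal paths. The sample archives and the dummy DER body are constructed here, and the function names are my own.

```python
import base64
import io
import re
import zipfile

# Constructed samples: a PEM wrapper around a dummy DER SEQUENCE (not a real
# certificate) and a harmless JSP scriptlet pretending to be a .crt file.
_DUMMY_DER = b"\x30\x03\x02\x01\x01"
BENIGN_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_DUMMY_DER)
              + b"-----END CERTIFICATE-----\n")
JSP_AS_CERT = b'<%-- constructed sample --%><% out.println("hi"); %>\n'

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)"
                    rb"\s*-----END CERTIFICATE-----")
JSP_MARKERS = (b"<%", b"<jsp:")
MAX_ENTRY_BYTES = 1 << 20  # a CA bundle is a few MB at most; one cert far less

def build_zip(entries):
    """Pack {name: bytes} into an in-memory zip (used to build the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def looks_like_pem_cert(data):
    """True only if the bytes are a PEM block whose body decodes to DER."""
    m = PEM_RE.search(data)
    if m is None:
        return False
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30  # DER SEQUENCE tag

def inspect_certificate_archive(blob):
    """Return {entry_name: verdict}; 'ok' only for genuine PEM certificates."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return {"<archive>": "not-a-zip"}
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or ".." in name.split("/"):
                verdicts[name] = "path-traversal"
            elif info.file_size > MAX_ENTRY_BYTES:
                verdicts[name] = "too-large"
            elif any(marker in zf.read(info) for marker in JSP_MARKERS):
                verdicts[name] = "jsp-scriptlet"
            elif looks_like_pem_cert(zf.read(info)):
                verdicts[name] = "ok"
            else:
                verdicts[name] = "not-a-pem-cert"
    return verdicts
```

Content validation is the second line of defence; the first is the point the comment makes about the servlet container, which should never be able to interpret anything written to an upload directory.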

  4. Anonymous Coward

    China

    Is it just me, or does the "Chinese instructions" bit actually scream NSA left a note saying "China woz 'ere"? I can't tell these days what's US propaganda and what's genuine, but I am quite certain there's a LOT of propaganda against China as the US is terrified of losing the top spot globally.

    1. Clausewitz 4.0 Bronze badge
      Devil

      Re: China

      Let's not forget that these actors have an entire framework to re-purpose tools' symbols, paths, debug information, to point to other actors...

      May have been USA posing as China using a tool to look like the Russians :-)

    2. Anonymous Coward

      Re: China

      They will be very upset to realise they lost that a long time ago; at best merika is 3rd, more likely 4th, behind the EU.

      1. Anonymous Coward

        Re: China

        Not the EU; the Euro experiment failed when the Iran issue with SWIFT payments escalated and the dollar won due to the US owning SWIFT. Thankfully China is building a real alternative, so at least we'll have a choice of two oppressive regimes to choose from.

Biting the hand that feeds IT © 1998–2022