OOBU For Kerberos released by Microsoft

The issue is related to the PerformTicketSignature registry value associated with CVE-2020-17049, a security feature bypass bug in the Kerberos Key Distribution Center (KDC) that Microsoft fixed on the last Patch Tuesday.

CVE-2020-17049, the tech company explains, resides in the way the KDC determines whether tickets are eligible for delegation via Kerberos Constrained Delegation (KCD).

“To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.”

Last week, the company identified a series of issues that could occur on writable and read-only domain controllers (DCs): tickets not being renewed for non-Windows Kerberos clients and S4UProxy delegation failing when PerformTicketSignature is set to 1 (the default), and services failing for all clients when PerformTicketSignature is set to 0.

“An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue affecting Kerberos authentication. As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail. This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments.”

The company recommends that only impacted organizations install the out-of-band update on their domain controllers. Microsoft warns of some issues that enterprises should be aware of when installing the update, related to the Microsoft Input Method Editor (IME) for Japanese and Chinese languages.

Microsoft Japan provided the steps that admins should take to address such issues, in addition to deploying the update to all of the DCs and RODCs (Read-Only Domain Controllers) in the environment.

Tesla X Bluetoothed

Tesla uses over-the-air updates to patch vulnerabilities and add new features to the keyless entry system of Tesla Model X vehicles. However, according to Lennert Wouters, a researcher at the Catholic University of Leuven (Belgium), this update delivery mechanism can be abused to steal a car in a matter of minutes.

Wouters discovered vulnerabilities both in the Tesla Model X keyless entry system and in the car itself, which allowed him to rewrite the firmware of the key fob over a Bluetooth connection, extract the unlock code and steal the car. A hijacker who manages to read the car's identification number and get within 4.6 m of the victim’s key fob is able to exploit these vulnerabilities. The required equipment costs about $300, fits easily into a backpack, and is controlled from a smartphone.

In just 90 seconds, the device presented by Wouters can extract the radio code that unlocks the Tesla Model X. Once inside the car, the hijacker can exploit the second vulnerability and start the car in about a minute using his own key fob.

“A combination of the two vulnerabilities allows a hacker to hijack a Model X in minutes. If you combine them, the attack will be much more powerful,” the researcher said.

Wouters notified Tesla of the issue in August of this year, and the company has promised to release fixes for the key fobs soon. According to the manufacturer, it can take up to one month to push updates to all vulnerable Tesla Model X cars, so owners must install all available updates to protect themselves from the attack described above. For his part, the researcher promised not to publish any code or details of the vulnerabilities ahead of time, to avoid their possible exploitation by hackers.

Qakbot 🐎 -> Prolock ☠️ -> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat and svchost.exe.

Egregor operators leverage intimidation tactics: rather than just encrypting compromised networks, they threaten to release sensitive data on the leak site they operate. The biggest ransom demand so far has been $4 million worth of BTC.

In a span of 3 months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, 7 victims each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were located in APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

An Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor’s source code bears similarities with Maze ransomware as well. Decryption of the final payload depends on a password supplied on the command line. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of Cobalt Strike and QakBot is something to watch for when hunting for Egregor. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available in Group-IB’s blog.
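An added hunting example (not code from Group-IB's write-up) that turns the shared ProLock/Egregor TTPs above into rules: Rclone execution, the md.exe/rdp.bat tool names, a tool renamed svchost.exe running outside the Windows system directories, and Excel spawning a child process (the malicious-spreadsheet initial access). The Sysmon-style event fields and all sample paths and hosts are constructed assumptions.

```python
"""Hunting rules for ProLock/Egregor tradecraft over process-creation events."""
import ntpath
from typing import Iterable, List, Tuple

# Constructed sample events (Sysmon Event ID 1 style, reduced to the fields used).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "EXCEL.EXE invoice.xlsb"},
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "regsvr32 /s C:\\Users\\Public\\drop.dll"},
    {"host": "srv02", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv02", "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "svchost.exe"},
    {"host": "srv02", "image": r"C:\ProgramData\rclone.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "rclone.exe copy D:\\Shares remote:x"},
    {"host": "srv03", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c C:\\temp\\rdp.bat"},
]

# Directories from which the genuine svchost.exe is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_TOOL_NAMES = ("md.exe", "rdp.bat")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path).lower()


def hunt(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, evidence) for every event matching a hunting rule."""
    hits = []
    for e in events:
        image, parent, cmd = base(e["image"]), base(e["parent"]), e["cmdline"].lower()
        # Rclone is the exfiltration tool shared by the ProLock and Egregor operators.
        if image == "rclone.exe" or "rclone" in cmd:
            hits.append((e["host"], "rclone-exfil", e["cmdline"]))
        # Tool naming convention reported for both operations.
        if image in KNOWN_TOOL_NAMES or any(n in cmd for n in KNOWN_TOOL_NAMES):
            hits.append((e["host"], "known-tool-name", e["cmdline"]))
        # A tool renamed svchost.exe shows up outside the Windows system directories.
        if image == "svchost.exe" and not e["image"].lower().startswith(SYSTEM_DIRS):
            hits.append((e["host"], "svchost-masquerade", e["image"]))
        # Initial access via a malicious Excel document: Excel spawning another binary.
        if parent == "excel.exe" and image != "excel.exe":
            hits.append((e["host"], "excel-child-process", f"{parent} -> {image}"))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags four of the six constructed events; the legitimate svchost.exe launched by services.exe from System32 and Excel's own start are left alone.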

Malware service providers arrested

A malware encryption service run by a Romanian duo based in Craiova and Bucharest helped hackers embed malicious code in legitimate software to bypass antivirus tools.

The pair ran online malware encryption services, also known as crypting services, dubbed CyberSeal and Dataprotector. These services were offered to cybercriminals to encrypt the code of malware, including information stealers, Remote Access Trojans, and ransomware, to help them launch attacks successfully.

The pair also offered the Cyberscan service through which their cybercriminal clients could test their malware against antivirus (AV) programs. Malware authors used these services to wrap their payloads in encryption shells to bypass most of the AV tools.

Over 1,560 cybercriminals purchased these services and used them to improve 3,000 malware strains for sophisticated attacks. For testing samples against AV scanners the operators charged $7 to $40, and for the actual crypting services they asked $40 to $300, depending on the requirements.

By purchasing these services, cybercriminals could embed and hide their malware in legitimate software and circulate it to unsuspecting users. Cyberscan allowed attackers to test their malware strains against AV tools.

The duo had been offering crypting services since 2010. They launched the CyberSeal service in 2014 and Dataprotector in 2015. The Cyberscan service was comparatively new, as it was launched in 2019.

Romanian police obtained search warrants to locate the suspects. The police raided four homes, including the suspects’ houses in Craiova and Bucharest, and discovered back-end servers in Romania, the USA, and Norway. The CyberSeal (cyber-seal.org) and Cyberscan (cyberscan.org) websites are now offline.