Chinese gang shoots down aerospace security with MSFT flaws

An alleged Chinese advanced hacking group has been found cherry-picking data from high-profile governments and corporations, p0wning many within six hours according to Dell researchers. The group, codenamed TG-3390 or Panda Emissary, is thought to operate from China and have an appetite for defence-related aerospace projects …

  1. Hans 1 Silver badge

    Another excellent article!

    If you look at the secureworks threat analysis, these guyz 0wn Windows architectures in no time. Weird, all their toolsets seem to target Windows systems and Microsoft software running on it, except for some other middleware.

    I really do not like how Dell provide file names / domains / IP addresses to try and help mitigate your risk, these are all subject to change, without notice! rofl

    Scary stuff, guyz, I do hope you have a few honeypots in your datacenter, along with strong filesystem integrity measures. Note that they can hide their DLLs anywhere on the path, under any name of their choice.

    Ports, IP addresses, domain names, user agent strings (rofl), file names etc will change.

    1. Anonymous Coward

      " these guyz 0wn Windows architectures in no time"

      As it says "The outfit exploits old vulnerabilities not yet patched by victims" - presumably they would own any platform fairly quickly on that basis.

      One comment that implies that they are attacking those with old and poorly configured systems is on the timeline it says "dump credentials from DC". That would only be possible on Windows 2000 level or earlier domains, or upgraded domains with poor settings. Since Windows 2003 just the hashes are stored, as per:

      https://technet.microsoft.com/pt-pt/library/hh994559(v=ws.10).aspx

      "all their toolsets seem to target Windows systems and Microsoft software running on it, except for some other middleware."

      Not surprising since the vast majority of corporate servers (~75%) and desktops (~95%) run Windows. Particularly email servers and file servers - which are likely to be of most interest.

      1. Anonymous Coward

        SAM dump and hash cracking definitely works on DCs above Win2k

        1. Twilight Turtle

          You can dump plaintext passwords from the Windows Authentication Digest in every version of Windows since XP, except AFAIK 10, with admin on that box.

          1. TheVogon Silver badge

            "You can dump plaintext passwords from the Windows Authentication Digest"

            Yes - because that has to use reversible encryption - as it stores passwords that need to be replayed in original form to websites, WiFi systems, etc. and hashes wouldn't work. This is not where Windows user account passwords are stored.

        2. TheVogon Silver badge

          "SAM dump and hash cracking definitely works on DCs above Win2k"

          Only if they have been upgraded from an earlier version without updating the security settings. As per the link above - from Win2K3 onwards, the default is not to use reversible encryption for Active Directory passwords.

          1. Anonymous Coward

            "As per the link above - from Win2K3 onwards, the default is not to use reversible encryption for Active Directory passwords."

            That's a different issue. Reversing encryption and hash cracking are different beasts, so your point is irrelevant.

            1. TheVogon Silver badge

              "That's a different issue. Reversing encryption and hash cracking are different beasts, so your point is irrelevant."

              They are different - and that is the whole point - and is entirely relevant.

              From Windows 2K3 onwards, Active Directory passwords are by default not stored using any sort of reversible encryption or crackable (LanMan) hash. They are only stored as a complex one way hash function. Therefore there is no way of recovering the original password other than brute force. Which is likely not computationally feasible for anything complex and at least ~ 8 characters or longer.

              1. Twilight Turtle

                I'm not sure this is factually accurate. Before the 2014 patch, cleartext passwords will be stored in LSASS for interactive logon sessions unless explicitly disabled. By default Vista, 7, 2008, 2008R2 and 2012 all stored plaintext credentials in LSASS until KB2871997 when this was disabled by Microsoft, but that still doesn't remove plaintext credentials from WDigest according to their own patch overview ( http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx ). I don't know about Kerberos but it certainly used to be the case that it also required plaintext storing of credentials in-memory for ticket generation.

                My understanding is that the cleartext passwords are stored encrypted and in-memory via SSP, historically for numerous supported authentication methods but these days pretty much solely for WDigest. The encryption is done via the LSAProtectMemory function, which can simply be reversed via (ab)use of the LSAUnprotectMemory function. There are several tools publicly available that do this, including WCE and Mimikatz.

      2. This post has been deleted by its author

      3. Anonymous Coward

        "Not surprising since the vast majority of corporate servers (~75%) and desktops (~95%) run Windows. Particularly email servers and file servers - which are likely to be of most interest."

        Yes indeed, the lack of diversity in this sector is an enormous vulnerability in itself.

    2. Twilight Turtle

      ...these are all subject to change

      All too true, but they do represent 'easy wins' that are quick to deploy and can be used retrospectively to check across log data for any signs of compromise. Pushing out IDS/IPS rules for picking up the traffic on the wire won't tell you if you got owned a year ago unless they/your AV have completely failed at cleaning up.

  2. Anonymous Coward

    Good idea, m'lord!

    Terrified enterprises should .... search for logs

    Yep. While our organization has all kind of high-flying ideas about productivity increases and the next hot thing that has to be pursued, I would indeed have to "search for logs".

  3. John Smith 19 Gold badge

    Oh dear. Same old tricks still working.

    Only when the CIO is personally liable (and some start racking up serious jail time) will this ever change.

    BTW by "watering holes" would that not make El Reg a major target?

    1. Anonymous Coward

      Re: Oh dear. Same old tricks still working.

      No it wouldn't. There just wouldn't be a CIO except in companies installed in "free trade" areas/countries.

      The way to go is insurance claims. And better software that is dearer.

    2. An0n C0w4rd

      Re: Oh dear. Same old tricks still working.

      CIO is probably not the problem. The CIO on their own is likely not sufficient to enact change as they still need to rely on budget approvals from other people. The CEO and the entire board of directors (including the chairman) need to be liable. Only then will it START to change.

      I am starting to think that people that say antivirus/antimalware/IDS and IPS are the wrong solution are correct. Antivirus/antimalware only work once the signature of an attack is known. Most IDS and IPS are set up the same way, look for known attack traffic and then respond.

      No, you need to set up your systems to allow known legitimate traffic/files/applications and block everything else (i.e. whitelist good stuff, not blacklist known bad stuff). Only then will security start becoming effective.
