Active Directory Defense – A must review these days

Active directory is the Microsoft software that manages all the information of objects on the network . (from docs.microsoft.com )

“A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.”

Image from http://bucarotechelp.com/computers/winadmin/89001102.asp

You can see that the Active Directory(AD) is in the middle of all Windows network functions.  So it goes almost without saying that if AD is not configured correctly then there will either be problems to do with some windows software functionality or it will be easy to hack the network configuration.

There are a number of online information sites to help you learn what not to do. Like from Sean Metcalf a frequent security conference speaker like at Derbycon 2019:  “Beyond the Easy Button

For example: Service accounts sometimes are installed by vendors, these need to be removed eventually.

Also sometimes System administrators (or your IT guy/gal) do not always have different tiers for managing systems (workstations, servers, and domain controllers). Instead they may have it set up to be ‘easier’ which also means they are easier to take advantage of. It all depends on how many people are managing the environment and how large the environment is.

Do you have several ‘forests’? Is this a problem?

Forest trust  can be a problem, especially  when a problem in one forest can manifest itself into problems in the other forest. And sometimes because one has to manage both forests, if they are not administered correctly then it can be a security problem.don’t forget to review the backup of your active directory information, as a hacker can copy the NTDS.DIT (which is the file that keeps all of the information for AD). If you search for NTDS.DIT around the net, the first website that comes up is Insider Threat Security Blog: ‘Extracting Password Hashes from the NTDS.DIT file’

With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers.

So be aware that this file Ntds.dit is wanted by the hackers,  as they can try to guess username passwords that are in it. and more.

If you are not looking at possible theft of this file, and you have a significant investment to protect, then you should spend money on tools to help you to see if this file was taken or not.

Needless to say this is a topic that is much larger than a single post. if you are interested in discussing this topic let me know.

Exim, Internet Mail Software, Flaw Causes Problems

Needless to say a flaw in an older version of Exim (4.92.1) had a serious problem or flaw that became CVE-2019-15846:

I like to point out some problems that come up that are interesting… This Software is needed in Mail servers and is not obviously known to most people. But if a company does have it now needs to be upgraded.

Notice there were many releases of this software before someone found the vulnerability , here is the CVE information from Bugtraq:

Description- Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

 

Bugtraq has an interesting explanation :

"Zerons" and Qualys discovered that a buffer overflow triggerable in the
TLS negotiation code of the Exim mail transport agent could result in the
execution of arbitrary code with root privileges.

 

So it seems that hackers found the flaw and it was patched quickly… But the administrators still need to install and update. So as usual here is the weak point – administrators which are already stressed have to do some off-hours updates sooner than later.

Contact Us to discuss

 

 

 

China Attacks and We Do? Nothing for most part

Chinese Hackers Eye US Cancer Research:

https://www.technewsworld.com/story/86211.html

This is another outrageous attack on our companies and institutions as Chinese APT  hacker groups appear to be linked to stealing information from Cancer research

 

Here is a news story about espionage by Chinese paid doctors. NBCnews story about 3 scientists removed from  MD Anderson Cancer Center

FireEyE  published a report on how the Chinese

Focused attacks in healthcare to steal medical research

FireEye was the company that documented and released the Unit 61398 (China military attacking World targets since 2004) report about the APT1 group.

Since 2006 Mandiant (today a FireEye company)  has observed APT1 compromise 141 companies in 20 major industries.

 

So it is obvious to all people who keep up on these things, that China has stolen or can have access to many companies as many times as they want:

“Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”

 

So I want to ask now why would the Chinese even want to embark on this type of method to interact with the world?  Do they think they will make friends over the long term?  Are they interested in making friends? Or are they obsessed with history? The history of the Boxers rebellion and the general weakness of the Qing dynasty until the dynasty came to an end in 1911.  The weakness of the Qing dynasty and teh early days of the republic caused all kinds of things to happen which the western governments took full advantage of.

So this stealing and taking is just payback? Yes in part. It is also a fulfillment of Confucius philosophy and his understanding of Tian (or heaven), specifically the fact that only the Chinese can be close to heaven.  It does not even have to be pure Confucius thought as long as the interpretation has been accepted by most people.  Including one of the 3 great Confucian  philosophers (Xunzi) that rejects that humans are innately good.

So if the Chinese thinking is completely different than yours that is because their books are written with different philosophies.

 

It actually does not matter the exact thinking the Chinese have, as we will not understand it anyway.  We should not try to find nuance in Confucian philosophy, all we need to do is understand that thinking is different and we have to modify our strategic thinking.

Look at the PLA  hierarchy:

and where the unit 61398 is in the hierarchy.

The main thing I see in this diagram is a dictator and his government structure. everything else is just a confirmation of his rule. Can an underling find a few words in Confucianism to say we can do XYZ? I am sure it can be found.

 

We have to ‘try’ to deny the freewheeling rip-off artists so that we can keep our IP(Intellectual Property) as long as possible.

 

Today it is health care information, tomorrow it will be whatever is the latest technology or service to be stolen. The Chinese do not have a judiciary equal with the Chinese Communist Party(CCP). The CCP is always going to run everything in China. There are no checks and balances, there is only full power by the person on top. This to me is the definition of dictatorship.

So if we have a complaint with them, there is no court that will adjudicate with them in a position of power, unless we have power as well (military or Cyber).

So what we need is our own Cyber power, defensive and offensive. That is my suggestion to fight back against China.

As it is we do nothing as you can plainly see in the news stories.

Contact me to discuss

Why is China Trying to Steal our Stuff?

First thing I think of (being of a certain age) when someone asks why: Why ask why? Answer: Try Bud Dry!(Silly old Budweiser commercial)

So why do we need to ask why? Because it would be good to know why we are consistently being attacked by this region of the world.  It is always good to know your opponent.

In this case _we are the people_ with computers, financial information, Intellectual property, health information, and really anything that can make money (Credit Cards, information that can be used against competitors).

So money is one motivator, but hackers have other motivations, just like Anonymous like Jeremy Hammond hacktivist received a 10 year sentence. As noted in this NYpost story.

“Some breaches in Hammond’s life had been a challenge. He’d search the code on websites he wanted to target, combing through the symbols and letters of computing languages for security flaws to exploit. He’d create user accounts on the sites, and then test for ways in. It could take months of trying, and sometimes he gave up.”

“He considered hacking a means of social justice, and he did it in secret while pursuing civil disobedience and protest in public, as well.”

So hacking can be a social justice act or even a kind of civil disobedience.

Now what if you had a state apparatus with the massive resources?

Hacker News article from 2015

There are some very interesting points in this article:

CHINESE CYBER WARFARE UNITS
According to McReynolds, China has three types of operational military units:
  • Specialized military forces to fight the network — The unit designed to carry out defensive and offensive network attacks.
  • Groups of experts from civil society organizations — The unit has number of specialists from civilian organizations – including the Ministry of State Security (its like China’s CIA), and the Ministry of Public Security (its like FBI) – who are authorized to conduct military leadership network operations.
  • External entities — The unit sounds a lot like hacking-for-hire mercenaries and contains non-government entities (state-sponsored hackers) that can be organized and mobilized for network warfare operations.
According to experts, all the above units are utilized in civil cyber operations, including industrial espionage against US private companies to steal their secrets.

It means that the Chinese have discarded their fig leaf of quasi-plausible deniability,” McReynolds said. “As recently as 2013, official PLA [People’s Liberation Army] publications have issued blanket denials such as, ‘The Chinese military has never supported any hacker attack or hacking activities.’ They can’t make that claim anymore.

The hackernews article got the information from “The Science of Military Strategy”(SMS) 2013 PLA document.

So the strategy of the Chinese is bare for all to see – they have hundreds or thousands of people in cyber warfare units.

The SMS authors also focus heavily on the central role of peacetime “network reconnaissance”—that is, the technical penetration and monitoring of an adversary’s networks—in developing the PLA’s ability to engage in wartime network operations. As the SMS puts it, since the technical principles underlying successful penetrations of an adversary’s systems are essentially the same whether the objective is reconnaissance or active disruption, at the appropriate moment “one need only press a button” to switch from reconnaissance to attack.

So now we have a stated goal of Chinese Cyber warfare units to run constant surveillance and prepare for eventual war or otherwise goals that will steal or destroy information.

This SMS ‘plan’ is in line with what China thinks of itself as New English Review article by Brandon Weichert mentions:  The concept of Tianxia the “All under the heavan”. boils down to

The choice made by all peoples to have only one political system that is the top of the world. they believe that just like in the Warring States Period the weaker competitor will give way to the more ideological and correct with the Chinese belief that the Chinese emperors possessed the mandate of heaven concept, all of the world had to pay tribute to the emperor as a symbol of his supremacy. Thus, going back to antiquity, the borders of China were fungible; always waiting for China to gain the strength needed to push to those farthest edges of the world map and bring barbarianism and chaos to civilized order.

In the narrative, China is the growing power and the US is in decline (status quo) , so the Chinese political and ideological purpose of reconnaissance  of the networks of the world. Until the systems are ready to be attacked in  the time of conflict (whenever it actually occurs).  The key with analyzing Chinese actions is to look at them from the eyes of an Asian viewpoint – not Western history examples( like Thucydides trap).

So the reason China is doing everything it can to steal our stuff is to  become a bigger power than us so that they can order us around. And because it was always meant to be that way. All old Chinese competitors were assimilated and folded into the Chinese ‘heaven umbrella’.

Remember  the mongols(Kublai Khan)? They actually conquered the Chinese 1279. But it ended in 1368:

“The Chinese always resented the foreigners and in the end revolted and drove them out. A Chinese orphan Hongwu, a peasant soldier who gave up banditry to become a Buddhist monk, led the revolt and founded the Ming dynasty in 1368.”

After that the results of the Mongol invasion has almost completely disappeared inside today’s China.

but the Mongols were always foreigners in Chinese eyes.”

Have you also noticed that all the previous kingdoms in the warring states period are all forgotten (except maybe in some movies).

there is a definite arrogance to the Chinese. As if the new upstart (USA) which only started in 1776 is such a young country and really does not belong in the top spot.  I.e. it is the impudent upstart which needs to be brought a peg or two down. And any method will do (stealing is ok).

 

If you think about it the “all under Heaven”  is a great motivator for young hackers in China trying to hack and steal all our IP (Intellectual Property).

 

Another point: The CCP (Chinese Communist Party) has complete control over major aspects of the country. There is no rule of law in China, only rule of CCP.  I.e. if CCP wants to take your property then it does.   As Drake Long discusses in his post  on the power and control of China. The CCP of which the general secretary runs the party and the President (Xi  Jinping) runs China, and Xi Jinping has complete control over China.

“China has no rule of law” says Drake.

Whatever the true Party leader says goes.

“Those observing the anti-corruption campaign could liken it to whack-a-mole: there is little changing of bureaucratic rules, instead it is a targeted campaign against high-profile politicians. This illustrates the absurdity of it all. China’s corruption is systemic, owing to the lack of legal constraints and judicial independence in its government.”

There is no accountability, all that has happened with Xi’s anti-corruption campaign is he has solidified his dictatorship.  So what happens in a dictatorship? There are mostly yes men (no women).  Everyone  else gets ‘dealt’ with.

What happens to foreign companies?

With little rule of law, they will be gobbled up inside China: “Now we are beginning to see the fruits of that relationship, which is an increasingly worrisome one. With little rule of law, foreign companies will see more of their partners unexpectedly gobbled up by Xi’s Communist Party.”

You can see where this is heading, since there is no rule of law inside China, each minister/bureaucrat can do anything they want as long as it is under the aegis of Xi’s goals. This means stealing money and information is a go. In fact it is a state-sponsored activity.

We better learn to prepare ourselves and our companies to defend against the cyberwar already being fought on the Internet.

ZeroDay on Webmin What Does That Mean?

First of all one needs to know what a ZeroDay means, as well as webmin.

Webmin is easier to explain.  If you go to webmin.com then this explanation:  “Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. ”  are the first 2 sentences.

Yes but what does it mean?

Here is the configuration page:

So webmin is software that allows a system administrator to more easily administer Websites, DNS configuration, file sharing, and more. In short it makes it easier to administer and run a Unix or Linux server.

 

So many Unix(or Linux) systems run this Webmin software to make life easier for the IT person. But then there along comes a Zero Day just like many before this one, Oversitesentry 12/15/15 post.

Belkin router zero day blogpost from 11/8/14

 

Fireeye and Kaspersky software hit with Zero day blogpost 9/8/15

 

Lastpass password manager ZeroDay flaw blogpost 07/27/16   

So as you see this is a recurring theme for all kinds software, including security software. Or administrative software like Webmin?

Zero day means that there is a vulnerability out there that can hack your computer AND there is NO patch to  fix it.

Check out this image:

 

 


It shows how after a vulnerability is introduced(t-v) and the exploit is released in the wild(t-e), now we have a Zero Day vulnerability. At this point an exploit can hack the software with anyone that runs exploit code and the infrastructure to make money (like ransomware).  So these Unix and Linux machines that have Webmin admin software are now vulnerable until Webmin can create a patch(t-p). Then once the patch is released is the administrator has to install the patch.

 

How long will it take for the patch to be released and installed? sometimes it is 30 days, and sometimes 60 or longer.

 

Update on 8/20/19:  Duo Security Inc. released the following

“On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.”

So this ‘zero-day’ was actually  a self-inflicted wound of sorts. it lookds like 1.930 the latest version is free from the vulnerability or backdoor code. Please patch your systems.

 

Let me know if you need help discussing this.