The Lighthouse IT Podcast - July 30th, 2021
This week, we discuss how Kaseya obtained a decryption key without paying any ransom, the NTLM relay attack called PetitPotam, the HiveNightmare Bug that may leak your passwords, Apple's Zero-Day bug affecting iOS & macOS, and some Olympic advertising drama.
Kaseya obtains decryption key without paying ransom
- On July 21, the company announced that a universal decryption tool had been obtained "from a third party". They were working with security company Emsisoft to help victims of the sprawling ransomware attack.
- On Monday, Kaseya released a statement denying rumors that they paid a ransom to REvil, the ransomware group that launched the attack. REvil initially released a ransom demand of $70 million but reportedly lowered it to $50 million before their entire operation went dark on July 13.
NTLM relay attack called PetitPotam
- French security researcher Gilles Lionel, aka Topotam, disclosed a new technique called 'PetitPotam' that performs an NTLM relay attack that does not rely on the MS-RPRN API but instead uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
- This allows threat actors to take over a domain controller, and thus an entire Windows domain.
- Lionel stated that he does not see this as a vulnerability but rather the abuse of a legitimate function.
- Unfortunately, no way has yet been found to stop EfsRpcOpenFileRaw from being used to relay authentication requests.
HiveNightmare Bug may leak your passwords
- The moniker HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files.
- These hive files include a trio called SAM, SECURITY and SYSTEM, which between them include secret data including passwords and security tokens that regular users aren't supposed to be able to access.
- They're kept in a special, and supposedly secure, folder under the Windows directory called C:\Windows\System32\config.
- If you have any system restore points on your computer, those restore points include copies of your original SAM, SECURITY and SYSTEM registry hive files with the old and insecure access control settings.
- To fix this, reset the ACLs on the live registry hive files using the ICACLS command. This protects your system from now on.
- Remove all existing restore points or shadow copies. This ensures no wrongly-secured files are left behind in a shadow copy directory.
- Recreate a new restore point, if needed.
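The three remediation steps above, written out as an elevated PowerShell session (an added example for this write-up, not code from the podcast or from Microsoft). It first checks whether BUILTIN\Users still has an access entry on the live hive files, then re-enables ACL inheritance with icacls, deletes existing shadow copies, and creates a fresh restore point. It assumes C: is the system drive and that $env:windir points at the Windows folder; the helper name Test-HiveExposed is this example's own.

```powershell
# Added example: detect and remediate world-readable SAM/SECURITY/SYSTEM hives.
# Run from an elevated (Administrator) PowerShell session.
# Assumptions: C: is the system drive; $env:windir is the Windows folder.

$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $hiveDir $_ }

function Test-HiveExposed {
    # Returns $true if BUILTIN\Users has any access entry on the hive file.
    # On a correctly secured system only SYSTEM and Administrators should appear.
    # Reading the DACL only needs READ_CONTROL, so it works even though the
    # kernel keeps the hive files open exclusively.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users') { return $true }
    }
    return $false
}

# --- Detection: which live hives are readable by ordinary users? ---
$exposed = $hives | Where-Object { Test-HiveExposed -Path $_ }
if ($exposed) {
    Write-Warning "Hive files readable by BUILTIN\Users: $($exposed -join ', ')"
} else {
    Write-Host 'Live hive ACLs look correct; shadow copies still need checking.'
}

# --- Step 1: reset the ACLs on the live hive files by re-enabling inheritance ---
icacls "$hiveDir\*.*" /inheritance:e

# --- Step 2: remove existing restore points / shadow copies ---
# Any shadow copy taken while the ACLs were wrong still holds readable hives.
vssadmin list shadows
vssadmin delete shadows /for=C: /all /quiet

# --- Step 3: recreate a restore point if you rely on System Restore ---
Checkpoint-Computer -Description 'Post hive ACL fix' -RestorePointType MODIFY_SETTINGS

# --- Verify: every hive should now report exposed=False ---
$hives | ForEach-Object { '{0}: exposed={1}' -f $_, (Test-HiveExposed -Path $_) }
```

Note that Checkpoint-Computer will refuse to create a second restore point within 24 hours on current Windows versions unless the SystemRestorePointCreationFrequency setting has been changed, so the final step may be skipped on a machine that already took one that day; the ACL reset and shadow copy removal are the parts that close the exposure.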
Apple Zero-Day affects iOS & macOS
- A zero-day vulnerability that affects both iOS & macOS was discovered. Apple's official statement: "An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited."
International Olympic Committee putting rules on how brands can sponsor athletes
- Despite the updated guidance, there are still a slew of restrictions that athletes and their "personal sponsors," aka companies not affiliated with the Olympics, need to watch out for between July 13 and August 10.
- For instance: Brands and athletes can't use the Olympic rings and/or the Games' logos in marketing messaging. Basically, all Olympic IP is off limits.
Toyota pulling advertising from the games
- Toyota will drop all its TV adverts in Japan for Tokyo Olympics as the controversial games court widespread criticism in Japan.
- A spokeswoman told Reuters: "It is true that Toyota will not be attending the opening ceremony, and the decision was made considering various factors including no spectators."