
Latest News and Blogs


After Kerberos network authentication was broken by November Patch Tuesday updates, Microsoft is now releasing fixes for issues with the Kerberos network authentication protocol on Windows Server.

As reported two weeks ago, the updates released on or after November 8, once installed on Windows Server systems holding the Domain Controller role (the servers that handle network and identity authentication requests), disrupted Kerberos authentication. The failures ranged from domain user sign-ins and Group Managed Service Account authentication to remote desktop connections that no longer worked.

Other problems included printer connections requiring domain user authentication failing and users being unable to access shared files on workstations.

At the time, Microsoft warned in its Windows Health Dashboard that “engineers are currently investigating this problem and that it may impact any Kerberos authentication in your environment.”

Microsoft released emergency out-of-band (OOB) patches late last week that can be applied to all Domain Controllers, stating that customers do not need to install additional updates or make changes to other servers or client devices to fix the problem. The company added that any workarounds previously used to mitigate the issue are no longer necessary and should be removed.


According to Microsoft, no earlier updates need to be applied before these cumulative updates: “You do not need to delete the concerned updates before installing any later updates, including the [OOB] updates, if you have previously installed updates released on November 8, 2022.”

On an unsecured network like the internet, Kerberos is used to authenticate service requests between a number of trusted hosts, using secret-key encryption and a dependable third party to verify user identities and application functionality. It was developed by MIT researchers in the 1980s.

Microsoft started utilising Kerberos in Windows 2000, and the OS now ships with it as the default authorisation tool. There are more Kerberos versions available for various operating systems, such as Apple OS, that are supported by the Kerberos Consortium.

In response to two vulnerabilities identified as CVE-2022-37967 and CVE-2022-37966, Microsoft released two updates on November 8 to harden Kerberos as well as Netlogon, another authentication technology. Those updates caused the authentication problems that the latest fixes address.

Affected Domain Controllers log an error labelled “Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14” in the System section of the Event Log, stating that while processing an AS request for the target service, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).

Users can manually import the patches into Windows Server Update Services for the standalone bundle of OOB updates by looking up the KB number in the Microsoft Update Catalog in addition to Endpoint Configuration Manager.
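To confirm whether the symptom described above is present and whether the OOB update has landed on every Domain Controller, the following PowerShell is an added example (not from the article or from Microsoft). It assumes a domain-joined administrative host with the ActiveDirectory module and remote event-log access to the DCs; the KB number is a placeholder because the article does not list it.

```powershell
# Added example: find the KDC Event ID 14 errors on all DCs and check the OOB update.
Import-Module ActiveDirectory

# Look back to the November 8, 2022 updates that introduced the problem (adjust as needed)
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = (Get-Date '2022-11-08')
}

$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # Get-WinEvent raises an error when nothing matches; -ErrorAction Stop makes it catchable
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        $events = @()   # no Event 14 on this DC
    }
    foreach ($e in $events) {
        # The message ends with "(the missing key has an ID of N)"; pull out N for the summary
        $keyId = if ($e.Message -match 'missing key has an ID of (\d+)') { $matches[1] } else { 'unknown' }
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            MissingKeyId     = $keyId
        }
    }
}

# Per-DC summary: how many failures were logged and which key IDs were reported missing
$results | Group-Object DomainController | ForEach-Object {
    [pscustomobject]@{
        DomainController = $_.Name
        Event14Count     = $_.Count
        MissingKeyIds    = ($_.Group.MissingKeyId | Sort-Object -Unique) -join ','
        LastSeen         = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize

# Confirm the OOB cumulative update is installed; replace the placeholder with the
# KB number taken from the Microsoft Update Catalog for your Windows Server version.
$oobKb = 'KB<OOB-KB-NUMBER>'   # placeholder, not a real KB number
foreach ($dc in $dcs) {
    $hf = Get-HotFix -ComputerName $dc -Id $oobKb -ErrorAction SilentlyContinue
    [pscustomobject]@{ DomainController = $dc; OobInstalled = [bool]$hf }
}
```

A DC that still logs Event 14 after the OOB update reports as installed warrants a closer look at whether a leftover workaround from the earlier guidance is still in place.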


On Monday, Dell Technologies Inc. reported a 68 percent increase in quarter-over-quarter operating profit, as strong demand for servers and networking equipment buffered weak PC sales and easing supply-chain pressure kept costs under control.

A 12% increase was reported in revenue for the company’s infrastructure solutions division, which includes servers, storage devices, and networking hardware.

At the same time, the company was affected by the widely reported cooling of demand for personal computers and laptops in the wake of the pandemic.

The revenue of consumers plunged 29%, and the revenue of large enterprises, or commercial sales, dropped 13%. Despite a decline in revenue, Refinitiv IBES data showed total revenue of $24.72 billion, beating expectations of $24.54 billion by $3 billion.

An improved supply chain helped minimize the impact of higher component and freight costs on the company. It also froze external hiring to reduce expenses.

During the third quarter ending Oct. 28, operating expenses decreased by 8%, the company reported.

Due to a $1 billion settlement of a lawsuit over a disputed 2018 stock swap, net income declined 93% to $241 million.

Operating income rose to $1.76 billion from $1.05 billion a year earlier.

In terms of earnings per share, Dell earned $2.30 after excluding items.

The FBI and the US Cybersecurity & Infrastructure Security Agency jointly issued an advisory less than two weeks ago warning of the danger of ransomware attacks from a group going by the name of “Cuba.” The gang has been on the rampage over the past year, attacking an increasing number of businesses and other institutions in the US and internationally, according to academics who believe the group is actually located in Russia. According to recent research, Cuba has been employing malware that has received Microsoft certification or permission in its attacks.

After infiltrating a target’s systems, Cuba used these cryptographically signed “drivers” to try to disable security scanning programmes and alter settings. The activity was meant to go unnoticed, but monitoring software from the security company Sophos alerted on it. According to researchers from Palo Alto Networks Unit 42, Cuba used an NVIDIA certificate stolen earlier this year by the Lapsus$ hacker group to sign a privileged piece of software known as a “kernel driver.” Sophos and Mandiant, another security firm, also report that the gang has used the tactic with certificates from at least one other Chinese tech company, Zhuhai Liancheng Technology Co.

Microsoft stated in a security advisory today that it recently learned that drivers certified by the Windows Hardware Developer Program were being used maliciously in post-exploitation activity. The signed malicious drivers were probably used to support post-exploitation intrusion activity such as the deployment of ransomware. “Several developers’ accounts for the Microsoft Partner Centre were active in submitting malicious drivers to get a Microsoft signature.”

The activity was reported to Microsoft by Sophos, Mandiant, and security company SentinelOne on October 19. According to Microsoft, the fraudulent Partner Centre accounts have been terminated, the fake certificates have been revoked, and security patches for Windows have been made in response to the issue. The business also states that other than the partner account abuse, it hasn’t discovered any system compromises.

WIRED asked Microsoft to comment beyond the advisory, but the company declined.

“These attackers are knowledgeable, persistent, and most likely members of the Cuba ransomware organisation,” explains Christopher Budd, Sophos’ Director of Threat Research. “In total, we have discovered 10 malicious drivers, all of which are variations of the original find. Since at least this past July, these drivers have made a determined attempt to advance through the trust chain. It’s challenging to build a malicious driver from scratch and have it approved by an official body. But because the driver can essentially perform any tasks without hesitation, it’s highly successful.”

A crucial verification method known as “cryptographic software signing” is used to make sure that software has been examined and approved by a reliable third party, or “certificate authority.” Attackers, however, are constantly hunting for flaws in this infrastructure where they may tamper with certificates or otherwise subvert and misuse the signing process to make their malware appear legitimate.
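The point above is that a valid Microsoft signature on a kernel driver only proves it passed through the signing process, not that it is benign. Drivers submitted through the Hardware Developer Program carry a different Microsoft signer than Windows’ own inbox drivers, so one triage step is to inventory running drivers by signer and hash and review third-party submissions against a known-good baseline. The following PowerShell is an added example (not code from the article, Sophos, Mandiant or Microsoft); the signer-name patterns and the baseline file path are assumptions to tune for your environment.

```powershell
# Added example: inventory loaded kernel drivers by signer and hash for review. Run elevated.
# Assumption: inbox drivers are signed by a "Microsoft Windows" production certificate, while
# third-party drivers signed via the Hardware Developer Program show the HCP publisher below.
$inboxPattern = 'CN=Microsoft Windows,'
$hcpPattern   = 'CN=Microsoft Windows Hardware Compatibility Publisher'

# Optional known-good baseline: one SHA256 per line, produced from a clean build (path is an assumption)
$baselinePath = 'C:\Baseline\known-good-driver-hashes.txt'
$baseline = if (Test-Path $baselinePath) { Get-Content $baselinePath } else { @() }

$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match '\.sys' }

$report = foreach ($d in $drivers) {
    # PathName may carry a \??\ prefix or quotes; normalise to a plain file path
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '"', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    $category = if ($sig.Status -ne 'Valid')       { 'UnsignedOrInvalid' }
                elseif ($signer -like "*$hcpPattern*") { 'ThirdPartyViaHDP' }   # the class abused here
                elseif ($signer -like "*$inboxPattern*") { 'InboxMicrosoft' }
                else                                     { 'OtherSigner' }

    [pscustomobject]@{
        Name       = $d.Name
        State      = $d.State
        StartMode  = $d.StartMode
        Category   = $category
        Signer     = $signer
        SHA256     = $hash
        InBaseline = $baseline -contains $hash
        Path       = $path
    }
}

# Review queue: running drivers that are unsigned/invalid, or third-party signed and not in the
# baseline. A Microsoft HDP signature alone is not evidence of abuse; confirm with the vendor and
# against Microsoft's revocation and driver blocklist guidance before acting.
$report |
    Where-Object { $_.State -eq 'Running' -and -not $_.InBaseline -and $_.Category -ne 'InboxMicrosoft' } |
    Sort-Object Category, Signer, Name |
    Format-Table Name, Category, Signer, SHA256, Path -AutoSize
```

Exporting `$report` from a clean reference machine (`$report.SHA256 | Set-Content $baselinePath`) gives the baseline the next run compares against.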

Mandiant stated in a report released today that it has “previously witnessed circumstances where it is suspected that groups employ a common criminal service for code signing.” Threat actors sometimes use stolen or fraudulently obtained code signing certificates, and offering such certificates or signing services has become a lucrative niche in the criminal underworld.

Google revealed earlier this month that malicious Android apps were signed using a variety of hacked “platform certificates” controlled by manufacturers of Android devices, including Samsung and LG. It appears that at least a few of the compromised certificates were applied to the Manuscrypt remote access tool’s component signing process.

In the past, the FBI and CISA have linked Manuscrypt malware family activity to attacks on cryptocurrency platforms and exchanges by North Korean state-sponsored hackers.

According to Sophos’ Budd, “In 2022, we’ve observed ransomware criminals trying to defeat endpoint detection and response products of many, if not most, big vendors. In order to put additional security measures in place, the security community needs to be aware of this threat. Additionally, we might witness additional attackers try to copy this style of assault.”

Given the large number of compromised certificates floating around, it appears that many attackers have already been informed of the change in technique.