News

News & Notes: July 26th, 2021

  • ’PetitePotam’ ADCS Domain Admin Vulnerability
    • This one comes from Bojan Zdrnja (@bojanz) and a great diary he posted to ISC about the entire issue.
    • Bojan’s piece is a must-read to wrap your head around everything going on.
    • At the core is NTLM (New Technology LAN Manager) relay, in which an attacker holds a “machine-in-the-middle” position and can intercept credentials being sent. This involves Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC), and no further authentication is required, making matters worse.
    • Summed up: don’t use NTLM for authentication! In particular, on Active Directory Certificate Services, make sure that IIS is not allowing authentication via NTLM.
    • Mitigation documentation from Microsoft here.
    • More coverage also from Bleeping Computer.
  • VidMe Domain Owner Change Causes Major News Sites to Show Pornography
    • This one is causing quite the kerfuffle, including, we believe, the New York Times, Washington Post, and Huffington Post temporarily showing adult-themed content on their sites.
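
For the PetitePotam item's advice that IIS on an ADCS server should not allow NTLM, here is one way to audit a copy of the IIS configuration offline. This is an added example, not code from the original post or from Microsoft's guidance; the XML is a constructed sample shaped like `applicationHost.config`, and the path `Default Web Site/ExampleCES` and the function name `audit_ntlm` are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of IIS applicationHost.config <location> entries.
# "Default Web Site/ExampleCES" is a made-up path used for contrast.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ExampleCES">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="Negotiate:Kerberos" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

# "NTLM" is NTLM outright; plain "Negotiate" may fall back to NTLM.
NTLM_CAPABLE = {"ntlm", "negotiate"}

def audit_ntlm(config_xml):
    """Map each location path to the NTLM-capable providers it enables."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        for auth in loc.iter("windowsAuthentication"):
            if auth.get("enabled", "false").lower() != "true":
                continue
            providers = auth.find("providers")
            if providers is None:
                # No explicit list here: the server-level list applies, so flag for review.
                findings[loc.get("path", "")] = ["(inherited)"]
                continue
            risky = sorted(p.get("value", "") for p in providers.findall("add")
                           if p.get("value", "").lower() in NTLM_CAPABLE)
            if risky:
                findings[loc.get("path", "")] = risky
    return findings

if __name__ == "__main__":
    for path, providers in audit_ntlm(SAMPLE_CONFIG).items():
        print(f"{path}: NTLM-capable providers {providers}")
```

A location that lists only `Negotiate:Kerberos` produces no finding, while one with no explicit provider list is reported as `(inherited)` so the server-level list can be checked by hand.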
