Kaseya REvil Ransomware

Summary: On July 2nd, Kaseya suffered a ransomware attack by REvil – the same organization behind the JBS attack – that exploited a vulnerability in VSA to drop a script that would shut off administrative access and start encrypting data. Kaseya VSA is a remote monitoring and management platform and is used by Managed Service Providers (MSPs) to support their clients. This attack coincided with the Fourth of July holiday, when IT staffing is typically lower, and had an initial ransom of $70 million USD.

As of July 6th, Kaseya had not yet released a patch, which allowed other threat actors to distribute Trojans in the form of fake Kaseya updates. On July 11th, a full 9 days after the attack, Kaseya finally released a patch for the vulnerability.

Interestingly enough, REvil’s websites went dark on July 13th, possibly due to pressure from the US government to crack down on Russian ransomware groups. This led to the fear that a decryption key would no longer be available to victims, but Kaseya reported on July 22nd that it had obtained a key and would be reaching out to support customers in restoring data.

Why it matters: Kaseya VSA acts as middleware for many other companies. Although the attack affected fewer than 60 of Kaseya’s customers, any effect on an MSP then has an impact on whoever it supports – 1,500 businesses in over 17 different countries in this case. Many of these organizations had backups, which helped continue business operations, but it’s important to be mindful of where backups are stored and how long they take to restore. Additionally, attacks like these create opportunities for other threat actors, so verify the source and integrity of any patches that are released. Zyston released a threat bulletin on July 2nd notifying clients and took proactive steps to block and monitor Kaseya-related processes using EDR (Endpoint Detection and Response).

 

SolarWinds’ Serv-U Flaw

Summary: SolarWinds disclosed a critical remote code execution vulnerability on July 10th, 2021. Using a zero-day vulnerability (CVE-2021-35211), the China-based threat actor “DEV-0322” exploited SolarWinds’ Serv-U software. This threat actor group has previously targeted the US software and defense industrial base sector.

Serv-U is a managed file transfer system that allows for secure FTP transfers. SolarWinds stated that it first learned of the attacks through data reported by Microsoft 365 Defender. Serv-U version 15.2.3 hotfix 1, released May 5th, 2021, and all prior versions contain this vulnerability. SolarWinds released Serv-U version 15.2.3 hotfix 2 on July 13th, 2021 to patch the vulnerability.

Why it matters: An attacker who successfully exploited this vulnerability could run arbitrary code with high-level privileges: install and run programs, or view, change, or delete data on the exploited systems. Microsoft 365 Defender telemetry showed the Serv-U process spawning anomalous malicious child processes. Endpoint detection software can help identify when normally benign programs begin acting abnormally, and through such endpoint surveillance these types of flaws can be caught at an early phase of an attack.

 

Microsoft’s Print Nightmare

Summary: On July 1st, 2021, CVE-2021-34527 was issued for the “Print Nightmare” flaw that affects the Windows Print Spooler service. Print Spooler is a service enabled by default on Windows machines that manages print jobs, including receiving, queuing, and scheduling them. Microsoft reported that this flaw is similar to CVE-2021-1675, which was patched on June 8th, 2021. This vulnerability allows an attacker to gain remote access to a system with system-level control by calling the function RpcAddPrinterDriverEx() and specifying a driver on a remote service that could then be used to execute code from DLL (dynamic link library) files via spoolsv.exe. Microsoft’s two published workarounds for this vulnerability are to “disable print spooler” or to “disable inbound remote printing through group policy.”

Why it matters: The spoolsv.exe exploit allows attackers to take over servers via remote code execution. With escalated system-level privileges an attacker could install programs, create accounts, or manage data. Microsoft has also confirmed that attackers are actively exploiting the Print Nightmare vulnerability. In response to news of the vulnerability, Zyston created custom watchlists to identify and protect against known IOCs (indicators of compromise) involved with this attack, protecting client environments until a patch was released.
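The Serv-U and Print Spooler items above both rest on the same endpoint-detection idea: a service that normally spawns nothing (Serv-U.exe) or only a known set of helpers (spoolsv.exe) is suspicious the moment it launches anything else. The Python below is an added illustration, not code from the bulletin, Microsoft or Zyston; the binary names, the benign-child baseline and the telemetry records are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Services covered by the two items above. The benign-child baseline is an
# assumption for illustration; a real deployment derives it from the environment.
EXPECTED_CHILDREN = {
    "serv-u.exe": set(),                                       # file-transfer service: no children expected
    "spoolsv.exe": {"printisolationhost.exe", "splwow64.exe"},  # spooler helpers seen in normal operation
}


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str   # full path of the parent image
    child: str    # full path of the spawned image
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["ts"], fields["host"], fields["parent"], fields["child"], fields["cmd"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_anomalous(ev: ProcEvent) -> bool:
    """True when a monitored service spawns a child outside its baseline."""
    parent = _basename(ev.parent)
    if parent not in EXPECTED_CHILDREN:
        return False  # not a service we baseline; other rules would cover it
    return _basename(ev.child) not in EXPECTED_CHILDREN[parent]


def detect(lines) -> list:
    """Return one alert string per anomalous parent/child pair, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_anomalous(ev):
            alerts.append(f"{ev.ts} {ev.host}: {_basename(ev.parent)} spawned {_basename(ev.child)} [{ev.cmdline}]")
    return alerts


# Constructed telemetry for the example, not real Defender data.
SAMPLE_EVENTS = [
    r"ts=2021-07-10T02:14:05Z|host=FTP01|parent=C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe|child=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c <constructed>",
    r"ts=2021-07-10T02:14:06Z|host=PRINT01|parent=C:\Windows\System32\spoolsv.exe|child=C:\Windows\System32\PrintIsolationHost.exe|cmd=PrintIsolationHost.exe",
    r"ts=2021-07-10T02:15:11Z|host=PRINT01|parent=C:\Windows\System32\spoolsv.exe|child=C:\Windows\System32\rundll32.exe|cmd=rundll32.exe <constructed>",
    r"ts=2021-07-10T02:16:00Z|host=WS07|parent=C:\Windows\explorer.exe|child=C:\Windows\System32\notepad.exe|cmd=notepad.exe",
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (the Serv-U.exe to cmd.exe and spoolsv.exe to rundll32.exe pairs) and ignores the baseline spooler helper and the unmonitored explorer.exe parent.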

 

PetitPotam

Summary: Security researcher Gilles Lionel released a proof-of-concept for an NTLM relay attack that allows for the remote takeover of a Windows server or domain controller. NTLM (New Technology LAN Manager) is an authentication protocol widely used with legacy systems despite its susceptibility to brute-force attacks. PetitPotam uses Microsoft’s Encrypting File System Remote Protocol to force a target device to authenticate to a threat-actor-controlled remote NTLM relay. This attack affects organizations that have NTLM enabled and use Active Directory Certificate Services with Certificate Authority Web Enrollment or Certificate Enrollment Web Services.

Why it matters: Once authenticated, the threat actor will possess password hashes that can then be easily cracked. NTLM hashes are weak due to the lack of salting (random strings of characters added to make a password’s one-way hash unique even for the same input value). Kerberos has largely replaced NTLM due to stronger security capabilities, but for compatibility reasons NTLM is still in use. Microsoft recommends disabling NTLM authentication on the domain controller if possible; if not, restrict incoming NTLM traffic and disable NTLM for Internet Information Services running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

 

Security Tip Of The Month

Summary: The recent uptick in ransomware attacks has led KrebsOnSecurity to make the following recommendation – Don’t Wanna Pay Ransom Gangs? Test Your Backups. Brian Krebs comments that the issue most organizations have is not that they don’t have backups, but that the backups they have are insufficient for restoring business operations due to unexpectedly long data restoration times or decryption keys/backups that end up encrypted as well.

Why it matters: Backups are only useful when implemented successfully. Test your backups to gauge how long a potential data restoration would take. Make sure that decryption keys and backups are stored safely away from any systems that may become encrypted by ransomware. Have a plan in place for prioritizing restoration of critical systems, and simulate ransomware incident response through tabletop exercises to refine business recovery processes.