
Robin’s Newsletter #159

Kaseya VSA used to launch 'over 1,000' ransomware attacks. Security researchers cause PrintNightmare. EU grants UK data protection adequacy decision.

Vol. 4, Iss. 27 | 04/07/2021 | Robin Oldham | ~8 minutes


This week

Kaseya remote management software used to launch ransomware attacks against over 1,000 organisations

Kaseya VSA, a popular remote monitoring and management (RMM) product, has been used by cyber-criminals to push ransomware out to the endpoints it manages. The timing was deliberate: the attack was launched going into the Independence Day public holiday in the United States, when many IT and security teams run at reduced capacity.

While fewer than 40 of Kaseya’s customers are reported to have been directly affected, at least eight of those are IT managed service providers (MSPs) that use the product to manage their customers’ IT environments more efficiently.

That’s a force multiplier for the cyber-criminals, who have apparently compromised over 1,000 organisations in one go, and it has led some reports to label this a ‘supply-chain’ attack. In Sweden, the Coop supermarket has had to close 800 of its stores due to the incident. Huntress Labs has linked the attack to the REvil group, believed to operate out of Russia.

US President Joe Biden has tasked his government’s intelligence agencies with investigating the attack and said the US would respond if it determined Russia was to blame. While the cover of a public holiday may have seemed like a good move to the ransomware group, picking Independence Day, with patriotism running high, may have been less canny than they thought.

Kaseya VSA users with on-premises deployments are being urged to shut the software down immediately and keep it off until a patch is available. The vendor has taken its cloud (SaaS) deployments offline as a precaution.

I’ve written a risk advisory for senior executives, covering both types of deployment, on the Cydea blog.

If you’re looking for more technical details of the attack, Bleeping Computer has published a write-up including indicators of compromise (IOCs).

IT management tools are an attractive target for ransomware operators because they provide, by design, the mechanism to deploy and update software across an entire estate. Attackers reuse the administrative permissions these tools hold to disable security protections and then push their malicious software down the same channel that legitimate updates use, which is why activity originating from the management agent deserves the same scrutiny as activity from any other privileged account.

bbc.co.uk, theguardian.com, ft.com, bleepingcomputer.com, cydea.com

Interesting stats

$600M costs expected from the ransomware attack against Ireland’s Health Services Executive, including $120M in response costs and professional services, and $480M in equipment and systems upgrades scmagazine.com

161% increase in attackers using legitimate cyber tools, such as Cobalt Strike, in their attacks, according to Proofpoint cyberscoop.com

40% increase in reinsurance rates, according to Willis Re, signalling expected price increases in cyber insurance cover reuters.com

Other newsy bits

PrintNightmare after security researcher snafu

A vulnerability in the Windows ‘print spooler’ service (which handles interactions between the operating system and USB or network printers) has been identified that allows an authenticated user to run code with the spooler’s SYSTEM-level privileges, locally or against remote machines such as domain controllers. In practice, that turns any ordinary user account into an IT administrator.

IT administrator accounts are highly prized by cyber-criminals, and this vulnerability lets them turn any user account into one: a valuable asset for carrying out further malicious activity, or for selling on to other criminals for nefarious purposes.

The ‘zero-day’ vulnerability is commonly being referred to as “PrintNightmare” (tracked as CVE-2021-34527) and appears to affect almost every current version of Microsoft Windows. The vulnerable service runs by default, including on domain controllers, and does not require a printer to be attached.

Microsoft released a security patch on 8th June for a print spooler vulnerability tracked as CVE-2021-1675. Security researchers, believing it to be the same bug they had identified, published their work, including proof-of-concept code that can be used to exploit it. It wasn’t the same bug, and the code still works against systems that have the June patch applied. “Oops.”

Microsoft has detailed some workarounds to help mitigate the issue while a patch is being prepared. They include stopping and disabling the Print Spooler service wherever it isn’t needed (domain controllers and servers that never print are the obvious candidates), blocking inbound remote printing through Group Policy where it is, and reducing group memberships to limit exposure.

Long-term I’d expect this to become a staple for attackers who have compromised low-privileged accounts and want to trivially elevate them to Domain Administrator level. Hopefully, some sensible alerting on those attempts will be developed so that it is just as easy to detect.
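Both of this week’s big stories leave a footprint in ordinary endpoint telemetry: an RMM agent that suddenly spawns commands to switch off protections (the Kaseya pattern above), and a print spooler that loads a driver DLL it has no business loading (the public PrintNightmare exploit works by having the spooler load an attacker-supplied printer driver DLL). The following is an added example, not code from the newsletter, Kaseya or Microsoft: a toy detection in Python run over constructed, Sysmon-style process-creation (event 1) and image-load (event 7) records. The agent name rmmagent.exe, the hostnames and the file paths are placeholders, and the command-line patterns and signer allow-list are starting points to tune for your own estate.

```python
"""Added example: two toy detections for the patterns in this issue.

Events are constructed, Sysmon-style dicts (EventID 1 = process create,
EventID 7 = image load). Field names follow Sysmon; everything else here
(agent name, sample paths, hostnames) is made up for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: the RMM agent executables you actually deploy. "rmmagent.exe" is a
# hypothetical placeholder, not Kaseya's real agent name.
RMM_AGENTS = {"rmmagent.exe"}

# Command lines that blind or disable endpoint protection, or stage payloads.
# A starting list, not a complete one.
TAMPER_PATTERNS = [
    re.compile(r"set-mppreference\s.*-disable\w+", re.I),   # Defender features switched off
    re.compile(r"add-mppreference\s.*-exclusion", re.I),    # Defender exclusions added
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(sense|windefend|mpssvc)", re.I),  # security services stopped
    re.compile(r"certutil(\.exe)?\s.*-decode", re.I),       # encoded payload decoded to disk
]

# Signers a DLL loaded into spoolsv.exe may carry without raising an alert.
# Add your printer vendors here after confirming what they actually ship.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event matching either rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            # Rule 1: the RMM agent spawned a command that tampers with protections.
            cmd = ev.get("CommandLine", "")
            if _basename(ev.get("ParentImage", "")) in RMM_AGENTS and any(
                p.search(cmd) for p in TAMPER_PATTERNS
            ):
                alerts.append(Alert("rmm_tamper", ev["Computer"], cmd))
        elif ev["EventID"] == 7 and _basename(ev.get("Image", "")) == "spoolsv.exe":
            # Rule 2: the spooler loaded a DLL not validly signed by a trusted signer.
            trusted = (
                ev.get("SignatureStatus") == "Valid"
                and ev.get("Signature") in TRUSTED_SIGNERS
            )
            if not trusted:
                alerts.append(Alert("spooler_untrusted_dll", ev["Computer"], ev.get("ImageLoaded", "")))
    return alerts


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # RMM agent disabling Defender real-time protection: alert.
    {"EventID": 1, "Computer": "ws01", "ParentImage": r"C:\Program Files\RMM\rmmagent.exe",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Same command from an interactive shell: outside this rule's scope.
    {"EventID": 1, "Computer": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Routine software push via the RMM agent: benign.
    {"EventID": 1, "Computer": "ws03", "ParentImage": r"C:\Program Files\RMM\rmmagent.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\agent_update.msi /quiet"},
    # spoolsv.exe loading an unsigned DLL dropped into the driver directory: alert.
    {"EventID": 7, "Computer": "dc01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Built-in spooler component, Microsoft-signed: benign.
    {"EventID": 7, "Computer": "dc01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Validly signed third-party driver from a vendor not yet allow-listed: alert (tune TRUSTED_SIGNERS).
    {"EventID": 7, "Computer": "ps01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\cntsdrv.dll",
     "Signed": "true", "Signature": "Contoso Printers Ltd", "SignatureStatus": "Valid"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:24} {a.host:6} {a.detail}")
```

Run against the sample, it raises three alerts: the agent-driven Defender change, the unsigned DLL in the spooler, and the legitimately signed vendor driver, the last being the false positive you should expect on print servers until vendors are allow-listed. On machines that never need to print, stopping and disabling the spooler is still the stronger control; the detection is for the ones where you can’t.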

theregister.com, microsoft.com, cydea.com

EU confers adequacy on UK data protection regime

The European Union has ruled that UK data protection standards are “adequate”, allowing personal data to continue flowing freely from the EU to the UK. The decision is valid for four years, though it can be revoked sooner if the UK data protection regime diverges from EU expectations.

That might happen if UK Prime Minister Boris Johnson’s Taskforce on Innovation, Growth and Regulatory Reform gets its way. MPs Sir Iain Duncan Smith, Theresa Villiers and George Freeman quite quickly came to the conclusion that ‘consumer data’ (note: that’s definitely not personal data) is “highly profitable” and that protecting individuals’ rights is just a bit ‘too burdensome’ for business.

The, ahem, “TIGRR” team, who going by the name would excel at every task on The Apprentice, urged the PM to adopt wider regulatory reform and argued that being able to challenge decisions made by algorithms and AI is unnecessary. (Remember the exam results fiasco? See vol. 3, iss. 33.)

There’s also the possibility of a legal challenge to the adequacy decision, much like the one brought by activist Max Schrems over the EU-US Safe Harbor agreement.

theguardian.com, mishcon.com, TIGRR report: gov.uk (PDF)

Long reads

The curse of binary thinking

Phil Venables on the curse of binary thinking. I’ve seen more and more of this too. Don’t let perfection be the enemy of success! philvenables.com

Cyber insurance’s role in the cyber security challenge

Jamie MacColl, Jason Nurse and James Sullivan have authored a paper for the Royal United Services Institute (RUSI) looking at cyber insurance, the role it can play in helping solve the cyber security challenges we face and, topically, ransomware as a primary concern. There are thirteen recommendations, including some eminently sensible ones like agreeing on minimum baselines for small businesses (<250 employees) required for coverage and teaming up with managed security service providers (MSSPs) to get better telemetry on insureds, in exchange for discounted premiums. Interesting economic point: often paying the ransom is cheaper than security countermeasures. rusi.org

In brief

Attacks, incidents & breaches

  • Insurance broker Arthur J. Gallagher’s (AJG) network was compromised for over three months in summer 2020, according to an SEC filing, with personal, financial and health information all potentially accessed bleepingcomputer.com
  • Dependency hijacking used to compromise test server for Microsoft’s Halo game bleepingcomputer.com
  • UK arm of charity The Salvation Army hit by ransomware attack theregister.com
  • Mongolian certificate authority believed to have been compromised by Chinese actors eight times, including backdoor to official app therecord.media

Threat intel

  • Session cookies stolen by Vietnamese group to run fraudulent ads, Facebook claims in a lawsuit therecord.media
  • Babuk ransomware builder leaked online, as ‘version 2’ details appear online, suggesting the group is back in the ransomware game therecord.media, bleepingcomputer.com
  • New REvil / Sodinokibi malware for Linux has ESXi virtual machines in its sights bleepingcomputer.com
  • Decryptor available for Lorenz ransomware therecord.media
  • UK, US say Russia’s Fancy Bear using Kubernetes clusters to carry out password spraying, brute force attacks via Tor and commercial VPN providers cyberscoop.com, wired.com

Vulnerabilities

  • Cisco ASA vulnerability, patched in Oct 2020 and Apr 2021, being actively exploited after proof of concept posted on Twitter bleepingcomputer.com
  • Critical remote code execution vulnerability in PowerShell version 7 bleepingcomputer.com
  • Microsoft uncovers three bugs in Netgear routers that would have allowed attackers access to networks zdnet.com

Security engineering

  • US Cybersecurity & Infrastructure Security Agency (CISA) releases Ransomware Readiness Assessment tool to guide defenders through the steps needed to secure their networks cisa.gov
  • IBM contributes its Kestrel threat hunting language to the Open Cybersecurity Alliance to help SOC analysts “streamline threat discovery” zdnet.com
  • Subdomains, session cookies and security controls: it can all be a bit of a mess, say researchers in “Can I take your subdomain?” paper theregister.com, canitakeyoursubdomain.name
  • Microsoft and MITRE partner to map Azure security controls to ATT&CK framework theregister.com

Internet of Things

  • Zero-day vulnerability used in attacks wiping My Book Live NAS devices, but aided by authentication code being commented out by Western Digital developers arstechnica.com
  • IoT devices, like the Amazon Echo Dot, aren’t securely erasing data during factory reset, find researchers, who also discovered that 61% of the 86 second-hand devices they purchased online hadn’t even been wiped by the seller arstechnica.com

Privacy

  • Intuit QuickBooks has decided that an ‘exciting’ new ‘free’ feature is to share small business customers’ employee payroll data with a credit agency. Intuit customers can opt out before 31st July. krebsonsecurity.com

Law enforcement

  • Dutch police, in co-operation with FBI, U.K. National Crime Agency and Europol, seize DoubleVPN servers and domain, obtain activity logs, after claims the company shielded ransomware gangs cyberscoop.com

Mergers, acquisitions and investments

  • DevOps firm JFrog acquires IoT vulnerability outfit Vdoo for ~$300M techcrunch.com
  • API security-focused Noname Security closes $60M Series B round techcrunch.com

And finally

Google finally to ask developers for legit contact information

It might surprise you to know that, to date, Google didn’t bother asking developers publishing apps on the Google Play Store for an email address and phone number. While users trust Google, Mountain View didn’t feel the need to establish such trust with the developers seeking to publish apps on its platform.

Now, not only will they verify those details, but they’ll also ask for a contact name, a physical address and whether it’s a personal or business account. Google will also require multi-factor authentication to be turned on to help prevent credential stuffing and account takeovers.

Maybe that will help to keep malicious apps, like the ones downloaded 5.8 million times from the Google Play Store, from stealing users’ Facebook passwords. (Ars link.) zdnet.com, arstechnica.com