UNSECURITY Episode 138 Show Notes
Hope you had a wonderful Independence Day (July 4th)! We’ve gone through a lot together in this country, and I love this place we call home. Lots to do in making the USA better, but this will always be the case. This is the best country in the world, and I’m grateful!
In case you missed it, two big events last week; the Kaseya ransomware attack and Microsoft’s PrintNightmare.
So, you might have heard. On Friday (going into July 4th weekend), computers around the world (not all of them, but maybe ~1,000,000 of them) started to lock up. The announcement came around midday that Kaseya’s VSA servers were being used to distribute ransomware, primarily to MSP customers. My first thought was “Oh shit! We might have another SolarWinds.” Thank God, this wasn’t the case.
Facts started to come in, and it became evident that this was an attack directed at VSA servers hosted by MSPs. Some MSPs (about 2,200 of them) installed their VSA servers so that they were accessible from the Internet. I’m not a VSA expert, but this high number implies this as standard practice. A zero day vulnerability (and exploit) was discovered by the REvil ransomware gang (or an affiliate) and was used to infect clients.
Kaseya already knew about the vulnerability thanks to the good work by Wietse Boonstra and his compatriots at NIVD. The vulnerability was reported to Kaseya and the two groups were working on a patch at the time of the ransomware attack. The end result was somewhere between 60-70 MSPs affected and somewhere between 1,200-1,500 companies infected. Kaseya did a good job responding, and so did many MSPs. Lessons learned are TBD after the dust settles.
Links referenced in today’s show are below.
If it hadn’t been for Kaseya, this would have been top news. In terms of scope, this is much bigger, affecting many millions of servers (and companies). In terms of potential impact, this also exceeds the Kaseya attack. News broke on June 30th about an impressive and potentially very damaging vulnerability in the Microsoft Print Spooler service. On July 1st, Microsoft released additional information about the vulnerability and offered (un)helpful guidance.
There is an exploit in the wild for this vulnerability that allows complete control over a server (and Active Directory).
We’ll talk a little about this too. Links referenced in today’s show are also below.
OK. Show notes for episode 138…
SHOW NOTES – Episode 138 – Tuesday July 6th, 2021
[Evan] Welcome listeners! It’s good to have you join us. Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 138, and the date is July 6th, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!
[Evan] Hope you had a wonderful 4th of July. Many people had the day off yesterday, but some people were fighting the fire caused by ransomware deployed through Kaseya’s VSA servers. This is where we’ll start.
Kaseya Ransomware Attack
Here’s a list of links/articles we’re explore in this episode:
- Ransomware crime wave keeps us on edge (https://www.kare11.com/article/news/local/breaking-the-news/ransomware-crime-wave-keeps-nation-on-edge/89-fe259dc6-5021-4fd9-8463-0c06e029b212?) – My (Evan) television interview with KARE11’s John Cronan. John’s a GREAT journalist and easy guy to talk too!
- Kaseya was fixing zero-day just as REvil ransomware sprung their attack (https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/)
- Kaseya ransomware attack: 1,500 companies affected, company confirms (https://www.zdnet.com/article/kaseya-ransomware-attack-1500-companies-affected-company-confirms/)
- Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly (https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html)
CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa)
All in all, this attack could have been MUCH worse than it was. Incident responders did a great job and communicated well. More to come in time…
This one is a doozy. Here are the three links/articles we’ll reference in this episode:
- Microsoft warns of PrintNightmare vulnerability due to flaw in Windows Print Spooler (https://techxplore.com/news/2021-07-microsoft-printnightmare-vulnerability-due-flaw.html)
- Microsoft sounds an urgent warning about the Windows ‘PrintNightmare’ bug (https://www.yahoo.com/entertainment/microsoft-sounds-urgent-warning-windows-022541397.html?)
- Microsoft Security Update Guide “Windows Print Spooler Remote Code Execution Vulnerability” (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
Last week’s show was all about Microsoft security debacles, and now this. A patch is not available yet and many IT teams are scrambling right now. I’m become less and less of a Microsoft fan with each passing day.
That’s it for today’s show. Lots of work to do!
Wrapping Up – Shout Outs
Who’s getting shout outs this week?
Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at firstname.lastname@example.org. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.
Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.
That’s it. Talk to you all again next week!
…and we’re done.