As Microsoft rushed out an emergency patch for PrintNightmare, the cloud-based Kaseya suffered a nightmare of their own.
This occurred when hackers used Kaseya’s server management software to deliver ransomware.
These and similar ransomware attacks raised awareness of malware to the point that both the White House and the Deputy National Security Advisor issued warnings last week.
Of course, other types of vulnerabilities exist beyond ransomware, and obsolete technology continues to create problems for companies of all sizes.
As security professionals, we need to do more than just communicate vulnerabilities.
We also need to make the business case that the risks of old equipment represent a future cost that requires budgeting for replacement.
PrintNightmare affects servers that not only provide Active Directory services, but also manage print jobs.
The problem arose when the vulnerability was discovered, and then accidentally made public by researchers who thought it had already been resolved.
Due to the public awareness of the problem, a patch was needed immediately.
On Tuesday, July 6, Microsoft released a special emergency patch for some versions of Windows. The next day, they followed up with a patch update that covered the remaining supported versions of Windows.
If you haven’t already applied the update, you’ll want to make it a point to do so as soon as possible.
Kaseya Double Threat
Kaseya provides cloud-based server management software used by some Managed Software Providers. Researchers informed Kaseya about a zero-day flaw, and they went to work to correct it.
However, as Kaseya’s software team was in the process of testing patches, the REvil gang exploited the flaw, delivering ransomware before the systems were secured.
Of the approximately 1 million potential victims, fewer than 1,500 are estimated to be compromised. However, the ransomware gang claims a higher number, and initially demanded a staggering ransom – $70 million in bitcoin.
The attack itself occurred quickly, with most servers receiving their first authentication bypass attacks just two hours before the ransomware attacks began.
While few can respond to attacks within two hours, the quick attack also provided a hidden blessing – the attackers used payloads familiar to many anti-virus programs.
Even though Kaseya and anti-virus programs have the attack contained, the story is not over.
Other cybercriminals began spamming Kaseya customers with fake Microsoft patches for the Kaseya vulnerability that deliver a malicious payload.
Even if your security teams are top-notch, it’s still important to take the time to communicate your attack status, potential vulnerabilities, and new types of attacks.
Well-meaning team members can be tricked into clicking on phishing attacks if they are not fully informed.
White House Warnings
The White House Press Secretary addressed the Kaseya attack as an area of concern to discuss with the Russian government.
The U.S. issued a warning to Russia that if they do not crack down on attackers operating within Russia (such as REvil), then the U.S. will be forced to act directly.
While the nature of any potential action is unclear, the FBI and other law enforcement agencies have already seized servers and funds from several large malware gangs in the past year.
The Deputy National Security Advisor, Anne Neuberger, asked US mayors to meet with state agencies to formally evaluate their cybersecurity posture.
The government hopes that such discussions will lead to improvements to counter cyberattacks that disrupt our lives and waste public funds.
A previous article covered the attack on Western Digital’s legacy My Book NAS solution, and used it as a reminder to check for other obsolete hardware.
Now, a similar vulnerability has been found in the My Cloud NAS devices running the My Cloud 3 operating system.
While the issue was addressed in the current My Cloud 5 OS, the upgrade also broke functionality, meaning not all users have upgraded. The researchers who discovered the vulnerability have created their own patch, but it needs to be applied every time the device is rebooted. It’s not exactly a convenient solution.
It can be hard to replace old equipment that’s already paid off. It seems free, right?
However, the security risks they pose represent future expenses for your business in the form of damages from breaches, device failure, etc.
It seems as though every week brings new challenges to the world of cybersecurity.
It’s an ongoing process that requires you to stay on top of your game and follow best practices.
The Kaseya breach serves as a reminder that it’s not only your business that can suffer, but the lives and businesses of anyone you’re connected with.
Always apply patches when available, such as the one for PrintNightmare, and, wherever possible, don’t hang on to obsolete equipment.
Ideal Integrations can help your organization inventory legacy devices, scan for vulnerabilities, and perform penetration tests to provide a third-party report card of your organization’s exposure. Call us at 412-349-6680 or fill out the form below and let us know how we can help your team improve its IT and security.