Bear Security – Security News for the Week of July 12th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of July 12th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
Kaseya Releases Patches for VSA to Address Multiple Zero-Day
Kaseya has released a patch related to the REvil ransomware assault on their customer base that used their VSA Software, but it contained more than just a fix for the authentication bypass. The patch was published late Sunday, and it addresses a number of vulnerabilities including a credentials leak and business logic flaw, cross-site scripting, 2FA bypass, issues with the secure flag not being used on session cookies, addressing API responses that would contain a password hash, and a vulnerability that allows unauthorized uploads to the file server.
In addition to these fixes, users will be forced to change their passwords, and various features are being limited or disabled. If you use Kaseya’s VSA software as part of your managed services offering, you’ll definitely want to get up to speed on all the changes before deploying the patch. These changes will also impact users of Kaseya’s SaaS version of VSA.
Learn all about the patch and what you need to know by reviewing the Kaseya KB.
PrintNightmare Patch Released, Registry Keys Required
We reported on Friday that Microsoft’s PrintNightmare patch was released, though it comes with a few requirements. Installation of the patch is not sufficient on its own. Similar to other major vulnerabilities, there are three registry keys that need to be created and set, which impact the Point and Print functionality. These settings limit printer driver installation to Domain or System Administrators unless they are signed, and push for UAC to prompt on driver installations and changes. Also, verify that UAC is enabled to ensure the proper functionality of the controls.
You should of course test the patch if you can prior to deploying it, as some administrators and users have found that Zebra printers stop working after the patch has been installed. Other user issues seem to be resolved by reinstalling the printer as an Administrator.
Read the full update over on our blog.
Kaseya VSA Users Being Targeted in Fraudulent Email Campaign
If the ransomware incident wasn’t enough already for Kaseya VSA customers, a new malicious email campaign is the next thing looking to exploit them according to Windows Central. The campaign, detailed by Malwarebyte’s Threat Intelligence Team, attempts to take advantage of users by asking them to install a security update via email claiming to have been published by Microsoft. The emails seem to contain an attachment called SecurityUpdates.exe, but also direct’s users to download an additional payload from a website, both of which contain CobaltStrike malware.
With thousands of businesses still recovering from the ransomware incident with Kaseya, this is one more thing people need to worry about. Users are encouraged to only visit the official Kaseya site, www.kaseya.com for details surrounding any updates and for patches as mentioned earlier in the show.
Hackers Find a New Way to Disable Macro Security Warnings in Microsoft Office
The Hacker News is reporting that McAfee Labs has discovered a new method by which the ZLoader malware is being delivered. The method involves the delivery of a phishing email that contains a Microsoft Word document that, when opened, downloads a password-protected Excel file from a remote server. From there, Word reads cells from the XLS to assemble the macro’s code, followed by disabling the Excel Macro Warning in the registry. After which, the malicious macro function is run, it downloads the ZLoader payload, and then executes it under RunDLL32.exe.
Now, it is important to note that by default, macros are disabled in Word to attempt to avoid this common exploitation method, but depending on the configuration of your environment, this may not be the case. Additionally, the delivered Word document often contains language intended to lure users into enabling macro’s if the option is available to them, which then triggers the infection.
Insurance Firms Form Collective to Address Cyber Risks
Cyberscoop is reporting that in the past few weeks, insurers have joined together to address the growing issues and concerns around ransomware and cyber attacks. The first significant event came from the top seven insurance companies forming CyberAcuView back in Mid-June. CyberAcuView is a company intended to combine the insurance firm’s data collection and analysis efforts to assist in strengthening their risk mitigation. The second came last week from the American Property Casualty Insurance Association or APCIA, which released their guiding principles and their view on regulation related to cyber extortion and ransomware.
Both these actions come as credit agency AM Best warned of a “grim” cyber insurance market with the average growth of claims having been more than 39% and that ransomware now accounts for 75% of claims. Through both these actions, insurers are hoping to improve the data by which law enforcement, the government, and insurers have to understand losses and improve overall risk mitigation.
Stories Not Included in This Week’s Episode
- Dark Reading has an interesting story on how attacks on Kaseya VSA went from breach to infection in under two hours.
- AT&T Alien Labs has published research related to the evolution and TTPs of the Lazarus campaign.
- Sophos has acquired Capsule8.
- Buck Woody and David Seis have posted a workshop on GitHub of tools and processes to bolster business computer security.