Bear Security – Security News for the Week of July 5th, 2021

By Christopher
July 5, 2021

These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of July 5th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.

Editor's Note – Moving forward, we are now publishing Bear Security on Mondays at 8 am Eastern Time! Read more here.

Kaseya IT Management Product Involved in Supply Chain Attack Affecting Thousands of Companies

Last Friday, Kaseya, a provider of IT management software, found its product at the center of a supply chain attack. The product in question was Kaseya VSA. For those unfamiliar, Kaseya VSA is a Remote Monitoring and Management tool often used by Managed Service Providers, or MSPs, to efficiently manage and monitor the networks they are responsible for. As events were unfolding, customers were quickly urged to shut down their local instances of the Kaseya VSA Server, which appeared to be what attackers were using to launch their attacks.

The attack involved the ransomware gang REvil, and current details shared by Huntress Labs suggest they used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the initial payload, and then go to work performing SQL injections, altering administrative credentials, and finally pushing the ransomware to all of the MSP's customers, including the MSP itself. So far, ransom demands on impacted organizations have reached as high as $5 million, but late Sunday REvil offered a universal decryptor in exchange for $70 million in cryptocurrency. Companies impacted include MSPs like Avtex, LLC and Synnex Corp, and customers like the Swedish grocery chain Coop. It's believed that, in all, more than 30 MSPs and 1,000+ companies have been affected.

This isn't the first time Kaseya has found itself in this position, either. Dutch researchers report that they had actually alerted Kaseya to the vulnerability and that Kaseya was working on a patch and CVE, suggesting that, if the details add up, not only did Kaseya know about a potentially crippling vulnerability, they failed to notify customers. Historically, this has been an issue as well: back in 2018, Kaseya VSA was found distributing Monero cryptocurrency miners, and in 2019 there was another ransomware deployment incident that affected over 50 MSPs at the time.

It'll be some time before we know the full extent of this attack, and potentially have real numbers around how many were affected and the total impact. One thing is for sure, though: the spotlight is now on Kaseya, and if I were an MSP using any of their products, I'd rethink that strategy, just considering their history up until this point.

We’ll continue to monitor the situation and hopefully will have some updates next week. Until then, read the original post we made here on Syntax Bearror, or check out the Reddit Thread from Huntress Labs, or the write-up by Sophos.

Privilege Escalation and RCE in Windows Print Spooler Leading to Printer Service Stoppage

We reported Wednesday on a vulnerability in the Print Spooler that appears to remain unresolved after the initial patch for CVE-2021-1675 from June's Patch Tuesday. Researchers who intended to post a proof-of-concept for that vulnerability ended up discovering a Remote Code Execution vulnerability in the process, now tracked as CVE-2021-34527. While both vulnerabilities are similar in that they affect the same RPC call, RpcAddPrinterDriverEx(), what is affected differs, according to Microsoft.

The RCE vulnerability requires access to your environment as an authenticated user and leverages calling RpcAddPrinterDriverEx() via a remote procedure call. An attacker can then load a malicious DLL, even remotely from, say, a shared folder elsewhere on the network. Once loaded, it gives the attacker SYSTEM-level privileges to run code or, really, do whatever they want.

Currently, all domain controllers are at risk for this vulnerability, as are any servers or computers that have Point & Print enabled or accept client connections. Recommendations vary depending on the printing needs for the system, which we’ve detailed in a blog you can view on our website.

The Print Spooler has been one of those long-time components of Windows that carries around a considerable amount of legacy code intended to maintain compatibility, and there are likely more holes we don't know about, as suggested by Twitter user @edwardzpeng, who mentioned an upcoming talk at Black Hat this year on exploiting the Windows Print Spooler.

System administrators are encouraged to disable the Print Spooler on any system that doesn't need printing, with special attention given to Domain Controllers, since they are critical to a Windows environment.
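As an added example (not code from the original post), the following PowerShell audits the state that matters for this issue on a single host: whether the machine is a domain controller, whether the Spooler service is running, and the Point and Print and remote-RPC policy values, with an assumed `-Disable` switch that applies the "turn it off where printing isn't needed" recommendation. It assumes an elevated session and only touches the registry paths and cmdlets named in the code.

```powershell
# Added example, not from the original post. Run elevated. -Disable is an assumed switch.
param([switch]$Disable)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) { Write-Output 'Print Spooler service not present on this host.'; return }

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# Point and Print policy values under the Printers policy key
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pp       = Join-Path $printers 'PointAndPrint'
$noWarn   = (Get-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
$updPrompt = (Get-ItemProperty -Path $pp -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings
# "Allow Print Spooler to accept client connections" policy: 2 = disabled (no inbound remote printing)
$remoteRpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

[pscustomobject]@{
    Computer                     = $env:COMPUTERNAME
    DomainController             = $isDC
    SpoolerStatus                = $svc.Status
    SpoolerStartType             = $svc.StartType
    NoWarningNoElevationOnInstall = $noWarn      # 1 suppresses the Point and Print warning/elevation
    UpdatePromptSettings         = $updPrompt   # 1 or 2 suppresses prompts on driver update
    RemoteRpcEndPoint            = $remoteRpc   # 2 means client connections are refused
} | Format-List

if ($isDC -and $svc.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; this host is exposed to CVE-2021-34527.'
}
if ($noWarn -eq 1) {
    Write-Warning 'NoWarningNoElevationOnInstall = 1 weakens Point and Print restrictions.'
}

if ($Disable) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and set to Disabled.'
}
```

Absent values simply print as blank, meaning the policy is not configured on that host.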

To learn about the various mitigation options available, you can read full details here.

Dell BIOSConnect Vulnerability Leaves Millions of Systems Vulnerable

Dell recently updated their advisory regarding vulnerabilities found in Dell BIOSConnect and the HTTPS Boot feature, which affect more than 128 different Dell models. The first vulnerability, which affects both the BIOSConnect and HTTPS Boot features of Dell systems, is a defect in certificate validation that enables a remote, unauthenticated attacker to perform a man-in-the-middle attack, which can result in a denial of service or payload tampering.

The other vulnerability, which affects just the BIOSConnect feature, enables an authenticated malicious admin with local access to run arbitrary code and bypass UEFI restrictions. Since these are considered a chain of vulnerabilities, the cumulative score comes in at about 8.3.

It's important to note that both vulnerabilities require a user, or physical access to the device, to initiate the features before exploitation can be attempted, but you should still look to update the BIOS as soon as you can.

Read the full detail from Dell.

Cisco ASA Bug Being Actively Exploited in the Wild

A Cisco ASA vulnerability from October 2020 is now being actively exploited in the wild. Threatpost reported on June 25th that security researchers on Twitter had released a proof-of-concept (PoC) exploit for the cross-site scripting vulnerability; soon after, it began being exploited in the wild.

Positive Technologies, one of the research groups that published the PoC, was quoted as saying that a heap of researchers were chasing after an exploit for the bug, which they termed "low-hanging fruit." Other researchers believe the PoC and others recently published could indicate that a Cross-Site Request Forgery is also possible.

The last round of updates for this vulnerability was posted back in late April, so if you haven't had a chance to upgrade your ASAs and you utilize the VPN functionality, now's a great time to get that done. In the past year we've seen a myriad of vulnerabilities and exploits against VPN services from all different vendors leading to successful breaches, with no signs of slowing down.

Read the full story over on Threatpost or read the recently updated advisory from Cisco.

Zyxel Firewalls and VPNs Being Targeted by Threat Actors

The Daily Swig posted on Monday that Zyxel customers received an email warning them that a sophisticated threat actor is targeting a small subset of their security appliances that have remote management or SSL VPN enabled. The product lines mentioned included the USG/ZyWALL, USG Flex, ATP, and VPN series running on-premises ZLD firmware, while those using the Nebula cloud management mode are unaffected.

The vulnerability allows an attacker to bypass authentication and establish SSL VPN tunnels using random, unknown user accounts with a zyxel_ prefix in the name, and to manipulate the device's configuration.

Zyxel is encouraging customers to disable the HTTP/HTTPS services from outside, but if they can’t, to enable policy control to only allow access from trusted source IP addresses, and enable GeoIP filtering.

You can read more over at The Daily Swig.

Microsoft Discovers Auth Bypass Bug in Netgear Router

Threatpost is reporting that Microsoft researchers discovered three different bugs in the firmware of the Netgear DGN2200v1 series router. Collectively, the bugs allow an attacker to bypass authentication and access the router's management pages, letting them take ownership or control of the device, as well as employ a cryptographic side-channel attack to retrieve stored credentials.

Netgear has patched the vulnerabilities and recommends users update immediately. The vulnerabilities affect Netgear DGN2200v1 series devices running firmware versions prior to v1.0.0.60.

You can read more over on Threatpost or check out the security advisory posted by Netgear.

Microsoft Ends Up Signing Netfilter Driver with Rootkit Malware Inside

The Hacker News is reporting that Microsoft is investigating an incident of a malicious driver that was submitted via the Windows Hardware Compatibility Program. The malicious driver was discovered about two weeks ago after Karsten Hahn of GData Software mentioned on Twitter that they were investigating a suspicious driver. The driver appears to have first made an appearance on VirusTotal back on March 17, 2021. When the driver is installed, it establishes a connection to a C2 server to retrieve its configuration and can install a root certificate that could be used to intercept SSL traffic, perform IP redirection, or even self-update.

Microsoft stressed that the techniques employed occur post-exploitation and require that the attacker already had administrative privileges or tricked a user into installing the driver. The install is believed to have been sourced from a GPS spoofing application used to manipulate the reported location of your computer.
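Because the driver's notable side effect is a root certificate dropped into the trust store, a quick defender check is to list self-signed roots that appeared recently. The script below is an added example, not code from the original post or from GData's analysis; `$Days` is an assumed parameter, and any hit needs to be compared against the roots your organization knowingly deploys before treating it as malicious.

```powershell
# Added example, not from the original post. $Days is an assumed parameter.
# Lists self-signed certificates in the Trusted Root stores whose validity
# period began within the last $Days days, which is what an unexpected
# interception root usually looks like.
param([int]$Days = 90)

$cutoff = (Get-Date).AddDays(-$Days)

function Get-RecentSelfSignedRoots {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # Self-signed: issuer and subject are the same distinguished name
            $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $cutoff
        } |
        Select-Object @{ n = 'Store'; e = { $StorePath } },
            Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }
}

# Machine store is what an admin-level driver install can write; the per-user
# store is checked too because a tricked user can add roots there without admin.
$suspects = @(Get-RecentSelfSignedRoots -StorePath 'Cert:\LocalMachine\Root') +
            @(Get-RecentSelfSignedRoots -StorePath 'Cert:\CurrentUser\Root')

if ($suspects.Count -gt 0) {
    Write-Warning "$($suspects.Count) recently added self-signed root certificate(s) found."
    $suspects | Format-Table -AutoSize
} else {
    Write-Output "No self-signed root certificates issued in the last $Days days."
}
```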

You can read the full breakdown from Karsten Hahn or read the story over on The Hacker News.

WD MyBook Exploited by Attackers to Factory Reset Devices

DarkReading reported on Wednesday that legacy zero-day vulnerabilities from 2018 were recently used in attacks against Western Digital MyBook network-attached storage devices. This comes after Western Digital began investigating a series of incidents with customers who suddenly discovered that their NAS devices had been factory reset and their data was gone. Western Digital says that, based on their review of the log files of some of the affected customers, the same attacker leveraged two vulnerabilities on the device. The first was exploited to install a malicious binary on the device, and the second was later exploited to reset the device.

The company warned back in 2018 that NAS systems either directly connected to the internet or exposed via port forwarding were vulnerable to exploitation and should be made inaccessible from the internet. The devices affected by this attack included the My Book Live and My Book Live Duo, which have not been updated since 2015.

Read the full story over at DarkReading.

Stories Not Included in This Week’s Episode

  • Federal Judge Blocks Florida’s Social Media Law for violating the First Amendment.
  • Recent LinkedIn data scrape from an API being used in a targeted campaign.

That’s all for this week’s security news. Come back every Monday morning for the next rendition or check it out over on YouTube or on podcast. Stay safe out there friends.

Part of this week’s Photo by Mikhail Nilov from Pexels

Christopher

Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500's. Chris loves the Pacific Northwest, Sushi, Invader Zim, Rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.