Bear Security – Security News for the Week of July 5th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of July 5th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
Editor's Note – Moving forward, we are now publishing Bear Security on Mondays at 8 am Eastern Time! Read more here.
Kaseya IT Management Product Involved in Supply Chain Attack Affecting Thousands of Companies
Last Friday, Kaseya, a provider of IT management software, found its product at the center of a supply chain attack. The product in question was Kaseya VSA. For those unfamiliar, Kaseya VSA is a Remote Monitoring and Management tool often used by Managed Service Providers (MSPs) to efficiently manage and monitor the networks they are responsible for. As events were unfolding, customers were quickly urged to shut down their on-premises instances of the Kaseya VSA Server, which appeared to be what attackers were using to launch their attacks.
The attack involved the ransomware gang REvil, and current details shared by Huntress Labs suggest they used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then go to work performing SQL injections, altering administrative credentials, and finally launching the ransomware to all of each MSP's customers, including the MSPs themselves. So far, ransom demands on impacted organizations have reached as high as $5 million, but late Sunday, REvil offered a universal decryptor in exchange for $70 million in cryptocurrency. Companies impacted include MSPs like Avtex, LLC and Synnex Corp, and customers like the Swedish grocery chain Coop. In all, it's believed more than 30 MSPs and 1,000+ companies have been affected.
This isn't the first time Kaseya has found itself in this position, though. Dutch researchers report that they had alerted Kaseya to the vulnerability and that Kaseya was working on a patch and CVE, suggesting that, if the details add up, not only did Kaseya know about a potentially crippling vulnerability, they failed to notify customers. Historically, this has been an issue as well. Back in 2018, Kaseya VSA was found distributing Monero cryptocurrency miners, and in 2019 there was another ransomware deployment incident that affected over 50 MSPs at the time.
It'll be some time before we know the full extent of this attack, and have real numbers around how many were affected and the total impact. One thing is for sure, though: the spotlight is now on Kaseya, and if I were an MSP using any of their products, I'd rethink that strategy, just considering their history up until this point.
We’ll continue to monitor the situation and hopefully will have some updates next week. Until then, read the original post we made here on Syntax Bearror, or check out the Reddit Thread from Huntress Labs, or the write-up by Sophos.
Privilege Escalation and RCE in Windows Print Spooler Leading to Printer Service Stoppage
We reported Wednesday on a vulnerability in the Print Spooler that appears unresolved after the initial patch for CVE-2021-1675 from June's Patch Tuesday. Researchers who were intending to post a proof-of-concept for that vulnerability ended up discovering a Remote Code Execution vulnerability in the process, tracked under CVE-2021-34527. While both vulnerabilities are similar in that they involve the same function call, RpcAddPrinterDriverEx(), what is affected differs according to Microsoft.
The RCE vulnerability requires access to your environment along with an authenticated user account, and is triggered by calling RpcAddPrinterDriverEx() via a remote procedure call. An attacker can then load a malicious DLL, even remotely, say from a shared folder somewhere else on the network. Once loaded, it gives the attacker system-level privileges to run code or really, do whatever they want.
Currently, all domain controllers are at risk for this vulnerability, as are any servers or computers that have Point & Print enabled or accept client connections. Recommendations vary depending on the printing needs for the system, which we’ve detailed in a blog you can view on our website.
The Print Spooler has been one of those long-time components of Windows that carries around a considerable amount of legacy code intended to maintain compatibility, and there are likely more holes we don't know about, as suggested by Twitter user @edwardzpeng, who mentioned an upcoming talk at Black Hat this year on exploiting the Windows Print Spooler.
System administrators are encouraged to disable the Print Spooler on any system that doesn't need printing, with special attention given to Domain Controllers, since they are pretty critical to a Windows environment.
To learn about the various mitigation options available, you can read full details here.
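As an added example (our own, not from the post or from Microsoft), here is a PowerShell check an administrator could run on a host to apply the guidance above: it reports whether the host is a domain controller, inspects the Point and Print policy values that loosen driver installation, and stops and disables the Spooler service unless the host is meant to print. It assumes an elevated session, and the -NeedsPrinting switch is a name chosen for this example.

```powershell
# Added example, not from the post. Run in an elevated PowerShell session.
# Mitigation check for the Print Spooler RCE (CVE-2021-34527):
#  1. report whether this host is a domain controller,
#  2. inspect the Point and Print policy values that weaken driver installation,
#  3. stop and disable the Spooler service unless the host is meant to print.
param(
    [switch]$NeedsPrinting   # assumed switch name; pass it on print servers
)

# DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5
Write-Host "Domain controller: $isDC"

$spooler = Get-Service -Name Spooler
Write-Host "Spooler status: $($spooler.Status), start type: $($spooler.StartType)"

# Point and Print policy values; a non-zero value lets non-admins install
# printer drivers without elevation or warnings, which is what the RCE abuses.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Host "${name}: not set (default, OK)"
    } elseif ($value -ne 0) {
        Write-Warning "${name} = $value (weakens Point and Print; set it to 0)"
    } else {
        Write-Host "${name}: 0 (OK)"
    }
}

if ($isDC -and $NeedsPrinting) {
    Write-Warning "Domain controllers should not run the spooler; ignoring -NeedsPrinting"
    $NeedsPrinting = $false
}

if (-not $NeedsPrinting) {
    if ($spooler.Status -eq 'Running') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Spooler stopped and disabled."
} else {
    Write-Host "Host needs printing: Spooler left enabled; fix any Point and Print warnings above."
}
```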
Dell BIOSConnect Vulnerability Leaves Millions of Systems Vulnerable
Dell recently updated their advisory regarding vulnerabilities found in Dell BIOSConnect and the HTTPS Boot feature, which affect more than 128 different Dell models. The first vulnerability, which affects both the Dell BIOSConnect and HTTPS Boot features of Dell systems, is a defect in certificate validation that enables a remote unauthenticated attacker to perform a man-in-the-middle attack, which can result in a denial of service or payload tampering.
The other vulnerability, which affects just the Dell BIOSConnect feature, enables an authenticated malicious admin with local access to run arbitrary code and bypass UEFI restrictions. Since these are considered a chain of vulnerabilities, the cumulative score comes in at about 8.3.
It's important to note that both vulnerabilities require a user, or someone with physical access to the device, to initiate the features before an exploit can be attempted, but you should still look to update the BIOS as soon as you can.
Read the full details from Dell.
Cisco ASA Bug Being Actively Exploited in the Wild
A Cisco ASA vulnerability from October 2020 is now being actively exploited in the wild. Threatpost reported on June 25th that security researchers on Twitter had released a proof-of-concept (PoC) exploit for the cross-site scripting vulnerability. Soon after, it began being exploited in the wild.
Positive Technologies, one of the research groups that published a PoC, was quoted as saying that a heap of researchers were chasing after an exploit for the bug, which they termed "low-hanging fruit." Other researchers believe this PoC and others recently published could indicate that a Cross-Site Request Forgery is also possible.
The last round of updates for this vulnerability was posted back in late April, so if you haven't had a chance to upgrade your ASAs and you utilize the VPN functionality, now's a great time to get that done. In the past year we've seen a myriad of vulnerabilities and exploits against VPN services from all different vendors leading to successful breaches, with no signs of slowing down.
Zyxel Firewalls and VPNs Being Targeted by Threat Actors
The Daily Swig posted on Monday that Zyxel customers received an email warning them that a sophisticated threat actor is targeting a small subset of their security appliances that have remote management or SSL VPN enabled. The product lines mentioned include the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premises ZLD firmware, while those using the Nebula cloud management mode are unaffected.
The vulnerability allows an attacker to bypass authentication and establish SSL VPN tunnels using unknown user accounts whose names carry the prefix zyxel_, and to manipulate the device's configuration.
Zyxel is encouraging customers to disable HTTP/HTTPS services from the outside, but if they can't, to enable policy control so that access is allowed only from trusted source IP addresses, and to enable GeoIP filtering.
You can read more over at The Daily Swig.
Microsoft Discovers Auth Bypass Bug in Netgear Router
Threatpost is reporting that Microsoft researchers discovered three different bugs in the firmware of Netgear's DGN2200v1 series router. Collectively the bugs allow an attacker to bypass authentication and access the router's management pages, allowing them to take ownership or control of the device, as well as to employ a cryptographic side-channel attack to retrieve stored credentials.
Netgear has patched the vulnerabilities and recommends users update immediately. The vulnerabilities affect Netgear DGN2200v1 series devices running firmware versions prior to v22.214.171.124.
Microsoft Ends Up Signing Netfilter Driver with Rootkit Malware Inside
The Hacker News is reporting that Microsoft is investigating an incident in which a malicious driver was submitted via the Windows Hardware Compatibility Program. The malicious driver was discovered about two weeks ago after Karsten Hahn of G Data Software mentioned on Twitter that they were investigating a suspicious driver. The driver appears to have first made an appearance on VirusTotal back on March 17, 2021. When the driver gets installed, it establishes a connection to a C2 server to retrieve configuration, installs a root certificate that could be used to intercept SSL traffic, performs IP redirection, and can even self-update.
Microsoft stressed that the techniques employed occur post-exploitation, and require that the attacker already has administrative privileges or has tricked a user into installing it. The installation is believed to have originated from a GPS spoofing application used to manipulate the reported location of your computer.
WD MyBook Exploited by Attackers to Factory Reset Devices
DarkReading reported on Wednesday that legacy zero-day vulnerabilities from 2018 were recently used in attacks against Western Digital My Book network-attached storage devices. This comes after Western Digital began investigating a series of incidents with customers who suddenly discovered that their NAS devices had been factory reset and their data was gone. Western Digital says that, based on its review of log files from some of the affected customers, the same attacker leveraged two vulnerabilities on the device. The first was exploited to install a malicious binary on the device, and the second was later exploited to reset the device.
The company warned back in 2018 that NAS systems exposed to the internet, either directly or via port forwarding, were vulnerable to exploitation and should be made inaccessible from the internet. The devices affected by this attack include the My Book Live and My Book Live Duo, which have not been updated since 2015.
Read the full story over at DarkReading.
Stories Not Included in This Week’s Episode
- Federal Judge Blocks Florida’s Social Media Law for violating the First Amendment.
- Recent LinkedIn data scrape from an API being used in a targeted campaign.