Please see Security Advisories for the week ending July 2, 2021
- Critical: Kaseya VSA supply chain ransomware attack
- Windows PrintNightmare Vulnerability Exploited in the Wild
- Emergency Palo Alto Networks Content Update
- NSA-CISA-NCSC-FBI Joint Cybersecurity Advisory on Russian GRU Brute Force Campaign
- Cisco ASA Bug Now Actively Exploited as PoC Drops
- CISA’s CSET Tool Sets Sights on Ransomware Threat
_______________________________
Critical: Kaseya VSA supply chain ransomware attack
Situation
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an advisory on supply-chain ransomware attacks that leverage a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.
Problem
Kaseya’s VSA product has been the target of a sophisticated cyberattack in which the attackers exploited a zero-day vulnerability to deploy ransomware into victims’ environments. The attackers are believed to be an affiliate of the REvil ransomware group. The outbreak appears to have been delivered via a malicious update payload sent to VSA servers, and from there to the VSA agent applications running on managed Windows devices.
Implication
An attacker who is able to carry out this attack can deploy ransomware into the victim’s environment.
Need
CISA and the FBI recommend that affected MSPs:
- Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers’ systems.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
CISA and the FBI also recommend that affected MSP customers:
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
- Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
- Implement:
  - Multi-factor authentication
  - The principle of least privilege on admin accounts for key network resources.
Additional information can be found in the links below.
CISA-FBI Guidance:
Kaseya VSA security advisory:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
Sophos writeup:
________________________________
Windows PrintNightmare Vulnerability Exploited in the Wild
Situation
The critical Microsoft Windows “PrintNightmare” vulnerability (CVE-2021-34527) is currently being exploited in the wild.
Problem
The PrintNightmare vulnerability is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations.
Implication
An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and take control of the affected device.
Need
Microsoft recommends applying the most recent security updates to help protect your system from this vulnerability. Additional information can be found in the link below.
For a more technical overview:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
________________________________
Emergency Palo Alto Networks Content Update
Situation
Palo Alto Networks released an emergency content update to add coverage for an Apache Dubbo remote code execution vulnerability (CVE-2021-30180). They have also sent an Action Required notice to their customers regarding the end of life for Panorama appliances running PAN-OS 7.1 or 8.0. In addition, they announced changes to the OSIsoft Process Information (PI) App-ID in the Applications and Threats content release scheduled for August 17, 2021: besides modifying the existing App-ID, they will add two new App-IDs to provide visibility and control over the different protocol implementations associated with OSIsoft PI traffic. They will also expand the next-generation firewall (NGFW) content service infrastructure with a cloud-hosted service that provides content updates, including signatures and applications.
Problem
Because of the challenges Palo Alto customers faced during the COVID-19 pandemic, Palo Alto Networks extended the availability of WildFire, Antivirus, and Applications and Threats content updates for firewalls and Panorama appliances running PAN-OS 7.1 or PAN-OS 8.0 through June 30, 2021. Now that this extension has passed, appliances running PAN-OS 7.1 or PAN-OS 8.0 are no longer able to download new content updates. To resume downloading content updates for WildFire, Antivirus, or Applications and Threats, impacted firewalls and Panorama appliances must be upgraded to PAN-OS 8.1 or a later release.
Implication
Palo Alto customers who do not upgrade impacted firewalls and Panorama appliances to PAN-OS 8.1 or a later release will stop receiving new signatures, leaving them exposed to emerging and evolving attacker techniques and tooling.
Need
Palo Alto strongly encourages Palo Alto customers to upgrade impacted firewalls and Panorama appliances to PAN-OS 8.1 or a later release.
For a summary of Panorama & PAN-OS versions nearing end-of-life:
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary
For questions regarding the expansion of NGFWs for Mainland China:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM2x
For questions regarding changes to configurations of NGFWs for Static Update Customers:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU
________________________________
NSA-CISA-NCSC-FBI Joint Cybersecurity Advisory on Russian GRU Brute Force Campaign
Situation
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) have released a Joint Cybersecurity Advisory (CSA).
Problem
The CSA, “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments”, describes a worldwide campaign by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center to use a Kubernetes cluster to obtain credentials by brute force, and then to exploit a variety of known vulnerabilities to gain further network access through lateral movement and remote code execution.
Implication
Government and corporate entities that do not implement the recommended mitigations could fall victim to this campaign.
Need
CISA strongly encourages users and administrators to review the Joint CSA for the GTsSS tactics, techniques, and procedures, as well as the mitigation strategies.
For a brief overview:
For a more technical overview:
________________________________
Cisco ASA Bug Now Actively Exploited as PoC Drops
Situation
Researchers have published a proof-of-concept (PoC) for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA).
Problem
Researchers at Positive Technologies published the PoC for the bug (CVE-2020-3580). The release comes as reports surface of in-the-wild exploitation of the bug.
Implication
Failure to patch affected systems could result in loss of control over them and in the compromise of system and network integrity.
Need
Cisco advises applying the most recent security update.
For a brief overview:
https://threatpost.com/cisco-asa-bug-exploited-poc/167274/
________________________________
CISA’s CSET Tool Sets Sights on Ransomware Threat
Situation
CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop application that guides network defenders through a step-by-step evaluation of the cybersecurity practices on their networks, allowing them to assess their security posture against widely recognized government and industry standards and recommendations. The RRA is a self-assessment based on a tiered set of practices that helps organizations gauge how well they are equipped to defend against and recover from a ransomware incident.
Problem
Companies and organizations may not be verifying that the cybersecurity practices they implement in their network environments measure up to government and industry standards and recommendations.
Implication
Failing to ensure that in-house cybersecurity practices meet government and industry standards and recommendations may leave an organization vulnerable to ransomware incidents, unable to recover from them, or both.
Need
CISA strongly encourages all organizations to take the CSET Ransomware Readiness Assessment, available at https://github.com/cisagov/cset/releases/tag/v10.3.0.0.
For a brief overview: