Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday July 9th. From my studio in Toronto, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me today to discuss events is Dinah Davis, Canadian-based vice-president of research and development at Arctic Wolf. We’ll chat in a few minutes. But first a look back at some of the news from the past seven days:
The big news, of course, was the huge ransomware attack that spread to some 1,500 companies using or customer of managed service providers using the Kaseya VSA remote IT monitoring product. This attack raises a lot of questions about the readiness of organizations to face cyber attacks, and whether this attack could have been worse. Dinah and I will tackle these and other questions.
Microsoft has created patches for a security vulnerability in Windows print spooler called PrintNightmare, which allows an attacker to infiltrate networks through a print server. Administrators are urged to install the patch immediately, although there are reports it doesn’t completely close the hole. Dinah and I will talk about this.
Separately, Microsoft urged Windows administrators to update PowerShell to close a serious vulnerability.
Police in Morocco arrested a veteran cybercriminal who allegedly went by the name Dr. Hex and attacked or helped attack French telecom companies, banks and corporations. He is believed to have created and sold phishing and credit card theft kits. The investigation was the joint work of authorities in Morocco, the Interpol police co-operative and a Singapore-based threat intelligence company called Group-IB.
U.S.-based insurance brokerage Arthur J. Gallagher has now acknowledged suffering a ransomware attack nine months ago. It took until May to confirm how much personal data was accessed. It included persons’ names, dates of birth, social security or tax identification numbers, driver’s licence numbers, passport numbers, financial account or credit card information and more. The company has been notifying victims for several weeks. The press statement doesn’t say how many people were affected or what countries they live in.
Finally, government cyber agencies in the U.S. and United Kingdom warned that Russia’s military intelligence unit is using brute force password attacks against governments and companies. Target applications include cloud services like Microsoft’s Office 365. Russia issued a statement on Facebook denying the involvement of Russian government agencies in cyber attacks. This is another thing Dinah and I will be talking about.
(The following is an edited transcript. To hear the full discussion play the podcast)
Howard: First I want to look at the ransomware attack on users of the on-premise versions of Kaseya VSA’s remote IT monitoring application. This is one of the biggest attacks since perhaps ransomware attacks started a decade ago. Tell us about it.
Dinah: It’s unique, it’s a little bit different. So let’s just remind everybody what Kaseya VSA is. It’s a unified remote monitoring management system. It means that small businesses and MSPs, who are managed service providers, use it to update all the systems. So basically they have a nice little console and they can say, ‘Go update that computer or that computer, that server,’ and they can automate these actions. So VSA then has very high level permissions inside these client environments because it needs to do the job that it wants to do. The hackers have leveraged that through vulnerabilities.
On April 6th the Dutch Institute for Vulnerability Disclosure disclosed seven CVEs to Kaseya. A CVE is a numbered vulnerability. On April 10th, Kaseya issued a patch for one of those vulnerabilities, and it was fully available to all of their clients by the 15th .… On May 8th, they issue another patch that it covers three more CVEs and that’s updated to all clients by the 19th. On June 28th, they issue a patch for more CVEs with a schedule to have it fully available to all clients by July 10th.
Of those two CVEs, one is a two-factor [authentication] bypass vulnerability. And another is a cross-site scripting vulnerability. For those of you who may not know, a cross-site scripting vulnerability is a type of injection attack where a script is injected into a website.
These CVE had not been made public yet. They [Kaseya] just said, we’ve got some security patches coming. [But on] July 2nd REvil launches their attack. Very interesting timing there, right? And their attack uses both of these vulnerabilities. It indicates that there may have been some inside knowledge that these vulnerabilities were there … Kaseya has about 40,000 [customer] organizations. So they’ve been saying only 50 of our 40 of our [managed service provider or direct customer] clients have been hit. That means that they could have hundreds of [their] customers [hit] … But I just wanted to make clear that REvil did not get into Kaseya and release [malware] like attackers did with Solarwinds.
Howard: One thing I want to make clear is that the software-as-a-service version of VSA was not effected. This only affects the on-premise software that’s used either by managed service providers or by enterprises.
Dinah: Let’s talk about how REvil used these two vulnerabilities to get in. For each one of the 40 Kaseya victims the attacker used the authentication vulnerability to gain access to those VSA management consoles. Then the attacker used the cross-site scripting vulnerability to inject code into that console that told it to go download the ransomware onto multiple computers and servers and endpoints in client environment.
Howard: So what we’ve got here is 40 to 60 managed service providers initially compromised. And then from there, it cascades down to about 1,500 of their customers.
Dinah: And on July 2nd Kaseya shuts down all of their cloud VSA and servers just to be safe, even though it hasn’t necessarily attacked, and recommend shutting down the on-prem version …
Howard: And unfortunately, as we learned [Wednesday] night, a patch and plus returning service to the online version of VSA won’t happen until this Sunday, July 11th.
The interesting thing is the REvil gang must have put quite a bit of research and effort into this because they had to find the 40 to 60 managed service providers and, and prepare to attack them. So my suspicion is the work for this attack had been going on for weeks before it was launched on this last holiday weekend.
… And the other thing is that unlike other ransomware attacks by REvil, this attack didn’t involve data theft. What usually happens is they hack into a company, they find out where the sensitive data is, they steal copies of the data so that they can do a double extortion. They can not only launch the ransomware attack and demand money for the ransomware, but then also threaten the company saying if you don’t pay for the ransomware decrypter, we’re going to release your data. They didn’t do that. The attack, according to a webinar from Sophos that I tuned in, happened in minutes. It was like as soon as they broke into the company, they deployed the ransomware. There was no opportunity or very little opportunity, to have detection that this attack was on the way.
Dinah: One of the recommendations that we’ve put out to our clients at Arctic Wolf is that they have endpoint detection on their [computers and servers]. You can still detect these things by the behavior. Ransomware usually reaches out to a command and control sever. Usually if you’ve got behavioral analysis things like this, you can see that behavior, because it’s not usual.
Howard: So how else can IT departments protect their organizations from this kind of attack?
Dinah: There’s a lot out there for protecting yourself against cross-site scripting. OWASP (the Open Web Security Application Project) has great tools to help you find cross-site scripting issues in your software. If the SQL injection wasn’t possible this attack would have been a way harder.
Howard: I certainly want to stress that organizations have to use sophisticated endpoint detection and remediation, as opposed to just plain antivirus, you need both detection and prevention.
I want to emphasize as well the importance, having a layered defense. It’s not just rely on your antivirus and your firewall. You’ve got to evaluate the risks of your partners. And of course, you’ve got to have an incident response plan just in case everything fails.
(We also discussed a report that Russian military intelligence is continuing to hack governments and companies with brute force attacks. Dinah made the point that multifactor authentication and timeout limitations will help foil these kinds of attacks. We also talked about the Windows Print Spooler vulnerability. Dinah said Windows administrators should disable all print spooler services on any Windows machine that’s not ever used for printing. To hear those parts of the discussion play the podcast).