Cybersecurity is no longer a liberty or a privilege; it is a necessity. Over the course of 2021, there were more than 21,000 confirmed ransomware threats, and as technology continues to advance, so do the capabilities of those who exploit software vulnerabilities to attack companies.
The latest noteworthy exploit leveraged a vulnerability in Microsoft’s Print Spooler service to target the IT solutions company Kaseya. Publicly known as “PrintNightmare,” CVE-2021-34527 is a security flaw that allowed attackers to access local networks and, once inside, potentially escalate system privileges in more vulnerable environments.
There are countless teams of security researchers around the globe. These teams spend their days looking for new vulnerabilities in software and are an invaluable part of the cybersecurity ecosystem, identifying security holes for software vendors to patch and thus strengthening the security of the product and its end users. Their efforts do not go unrewarded – many companies, such as Google, Microsoft, and Apple, offer thousands of dollars in what’s referred to as a “bug bounty.” These bounties incentivize security researchers to notify software vendors of issues or bugs in their software. This is where the concept of “responsible disclosure,” also referred to as “coordinated vulnerability disclosure,” comes into play.
Security researchers are expected to disclose security flaws privately to the software vendor, giving the vendor time to develop a patch. The vendor then waits to announce the vulnerability publicly until a patch that fixes the issue is ready for release.
Security researchers often also enjoy the prestige that comes with presenting their novel exploits at security conferences such as Black Hat. This was the case for the Chinese security research team Sangfor. The team discovered a critical security flaw in Microsoft’s Print Spooler service that allowed local privilege escalation and remote code execution exploits. In other words, the vulnerability could allow a remote non-administrator user to run arbitrary code with administrative privileges.
Not only did they discover the vulnerability, but they also produced a proof-of-concept exploit script and posted a teaser GIF of the exploit in action on their Twitter feed. Although this did not explain exactly how to execute the exploit, it was enough for Sangfor to secure a presentation slot at Black Hat 2021.
Amidst their excitement, it appears they inadvertently published the full exploit to their public GitHub page before making the appropriate responsible disclosure to Microsoft. By the time they realized their mistake, the GitHub page had been cloned and made permanently available to everyone on the internet. Instead of receiving prestige and bug bounty payments, they had inadvertently unleashed a zero-day, dubbed PrintNightmare.
The exploit was made public on Wednesday, June 30th. Other security researchers quickly sprang into action trying to find a way to remediate the vulnerability prior to a patch being available, as well as ways to detect the exploit if a vulnerable system was compromised. Microsoft was notably silent during this initial period — many assumed Microsoft was waiting to have a developed patch ready before announcing the security flaw.
It was not until that Friday that Microsoft even acknowledged the issue by assigning a new CVE number to track the vulnerability. A patch was not released until the following Tuesday, after the 4th of July holiday weekend, and even then, it only addressed the issue on some of the Windows operating systems that were affected.
By the very next day, security researchers were able to prove that the patch did not actually fix the vulnerability. Minor modifications to the proof-of-concept exploit could produce the same remote code execution and privilege escalation attacks, even on a patched system. As bad as that all sounds, what happened the afternoon of Friday, July 2nd made the PrintNightmare exploit seem like just a bad dream.
REvil, the notorious ransomware-as-a-service organization, took advantage of the upcoming July 4th holiday weekend to unleash a devastating supply chain attack against the remote management software, Kaseya, the MSPs who use that software to manage their customers’ infrastructure, and the end customer organizations themselves.
When cybersecurity professionals classify the severity of security incidents, they ask themselves the following:
Although the PrintNightmare exploit satisfied the first two questions in terms of severity, it did not appear that the exploit was being widely used by threat actors. The Kaseya attack, on the other hand, satisfied all three questions of severity. Security teams who were already overtaxed by the mostly theoretical PrintNightmare scenario were suddenly faced with a real adversary with malicious intent.
Kaseya received reports from customers and others indicating that endpoints managed by Kaseya’s VSA on-premises software were behaving strangely. Shortly afterward, customer reports revealed that ransomware was being executed on those endpoints. As a result, Kaseya decided to take steps to prevent the malware from spreading.
They notified on-premises clients to shut down their VSA servers, on top of shutting down their own VSA SaaS infrastructure. The event was swiftly investigated by Mandiant. Together, Kaseya and Mandiant focused on determining the nature and scope of the attack. Both teams also worked closely with federal authorities to ensure they had the information needed to investigate the attack.
As we now know, REvil was able to circumvent authentication and execute arbitrary commands by exploiting zero-day vulnerabilities in the VSA software. As a result, these bad actors were able to use VSA’s normal product capabilities to distribute ransomware to endpoints.
According to the evidence, Kaseya’s VSA codebase has not been deliberately modified. To date, fewer than 60 Kaseya customers were directly harmed by this incident, all of whom were using the VSA on-premises software. While many of these customers provide IT services to several other organizations, Kaseya believes the total impact to date has been limited to fewer than 1,500 secondary companies. Fortunately, there is no evidence that any of Kaseya’s SaaS clients have been hacked.
REvil has since vanished from the internet, amid speculation of government retaliation. Others believe it’s simply the organization rebranding or laying low after the high-profile attack.
Avertium’s technology partner, AdvIntel, discovered evidence on dark web forums using their Andariel threat intelligence tool, which indicates threat actors are becoming fearful that Russia may not be the hacker haven that it once was. With operations against DarkSide to recover the bitcoin ransom paid for the Colonial Pipeline attack and President Biden’s executive order to strengthen US cybersecurity operations, retaliation against ransomware organizations has increased in recent months. Whatever the case, we can expect these hackers to resurface at some point in the future.
Following the SolarWinds attack earlier in the year, the Kaseya incident was the second major supply chain compromise of 2021. The increased frequency of this type of attack highlights the need for organizations to evaluate their third-party and Nth-party risk.
Avertium’s technology partner, Black Kite, used their third-party risk monitoring software to detect an increase in Kaseya’s Ransomware Susceptibility Index prior to the attack, which could have given MSPs and their customers an early warning of a potential incident.
The fact is, it is no longer sufficient for organizations to secure just their own internal environments. Given the risks introduced by third-party organizations such as MSPs, who have access to client networks, as well as by the software and tools they use, it’s important for organizations to stay vigilant and aware of who can be trusted.