Kaseya With a Helping of PrintNightmare

I have been deep in to researching (AKA: Twitter-ing) the Kaseya Attack and the PrintNightmare vulnerability. I’m going to keep it somewhat short. First, lets look at the technical perspective and how organizations are dealing with PrintNightmare and Kaseya attack. I will then focus on why it’s important to keep an eye out for these issues, particularly Kaseya attack.

PrintNightmare Vulnerability

PrintNightmare, has been… well… a nightmare. It affects every version of Windows, and Windows Server. There is no update to remediate the issue as the print spooler is working as originally intended. While looking at PrintNightmare, the first illustration for the vulnerability is Stan Hegt’s Twitter post. But as time progressed this got updated. When I began research into this issue, I was baffled by the quickly new information was published. Cybersecurity research in a lab setting is not easy and can be confusing.

In a statement from SANS Internet Storm Center, they state:

The main issue with “printnightmare” was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers.

Your system may, however, still be vulnerable if you have “Point&Print” enabled. The patch does not prevent users using “Point&Print” from installing their own, possibly malicious, printer drivers.

SANS Internet Storm Center

Warning: Applying the mitigation below as a blanket policy on all computer can cause many issues, so please be careful when applying. You will want to start with a small test group and then grow slowly from there. Please make sure you have an inventory of which servers and workstations need to keep print spooler enabled.

UPDATE: From new information it seems that the original flow chart by Stan Hegt may not be accurate. Please see Benjamin Deply’s post. So far the best advice is to follow Microsoft’s plan in the following link: CVE-2021-34527 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability

However if you are not able to push this patch, you can still follow the mitigation guide:

Looks like there have been two update: older update Benjamin Deply. Newer, most recent update.

UPDATE: Windows is releasing an OOB update to PrintNightmare KB5005010: CVE-2021-34527 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability

Here is the latest flowchart. This comes from Will Dormann on Twitter. This is by far the most accurate one I’ve seen so far. Much more detailed than some of the others. It also includes what to do after you install update.

UPDATE: can break printers. https://www.bleepingcomputer.com/news/microsoft/windows-security-update-kb5004945-breaks-printing-on-zebra-printers/

Kaseya Supply-Chain Attack

Now, for the Kaseya ransomware attack. I was able to get information from other cybersecurity professionals, like Brett Callow’s retweet of Florian Roth on Kevin Beaumont‘s information. (That was a mouthful)

They are focusing on finding the hashes and signatures associated with this attacks. Below are the links for the google doc, the github, and the blogpost for more information:

IOC: Kaseya IOCs – Google Sheets

YARA: signature-base/crime_revil_general.yar at master · Neo23x0/signature-base · GitHub

Blog Post: Kaseya supply chain attack delivers mass ransomware event to US companies | by Kevin Beaumont | Jul, 2021 | DoublePulsar

The idea is to share as much information as I can in hope that it will help other organizations. You can also see a demonstration from Sophos.

7/5/2021 9:30PM UPDATE: Kaseya has released new information regarding the attack.

7/6/2021 UPDATE: Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly (thehackernews.com), Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says | Reuters

Why Supply-Chain Attacks are Important

If you are currently working as an cybersecurity professional, you may understand already why this is a big deal. Kaseya is software that is used for maintaining technology policies for the organization, and will help you manage endpoints on the organizations network. It’s another monitoring tool to help with updates and usually helps with securing the IT infrastructure. Kaseya, like the SolarWinds, was compromised to allow unauthorized access to their customers organizations. While the SolarWinds attack was focused on stealing information and espionage, the Kaseya attack focused on using ransomware on hundreds of organizations computers.

What are supply-chain attacks? Supply-Chain attacks are different than most attacks that cybersecurity has dealt with. These attacks are not focused on access to one organization, but can gain access to many. There are attacks that focus on credential-stealing websites, or misconfigured websites to steal information but supply-chain attacks focus on gaining access to a venders, the its customers. The most recent supply-chain attacks are focused on IT department’s vendor tools that are used for securing information technology. How much do you know about your organizations vendors and their cybersecurity practices? If you don’t know much, well you are not alone. The supply-chain attacks can get more complicated than just immediate customers of a vendor. Security researcher at UC Berkley, Nick Weaver, said “You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor” (Wired Magazine). This is why these supply-chain attacks are very important. It is because, its becoming more difficult to trust overarching software that is suppose to protect us. This ends up affecting not just Kaseya’s customer, but also their customer’s customers. Now to explain how these attacks has been a long time coming. However recent updates suggest that the Kaseya attack was not a Supply-chain attack, however details are still quite fuzzy. It really seems that Kaseya is downplaying the attack. I’ll be updating as news comes in.

To understand better, I found an interview with John Hammond who explains why these type of attacks are important.

Our Worst Fears Catching Up

Since Stuxnet, the Cyber-War attacks have been steadily getting worse. Now, in the aftermath of another horrid second supply-chain attack, we are at a pinnacle point in which we need to take information security and assurance more serious. Many organization continue to make cybersecurity an afterthought, while those who have been breached try their best to get a handle on these security situations. We continue to see the zero trust architecture become the most effective protection to help organizations. But the lack of buy-in from many organizations, CEOs, and IT professionals circumnavigate the NIST framework and the Zero Trust Architecture. Looking at the Kaseya, one of the contributing factors was how much we had to whitelist the environments. It’s not the fault of the organizations but it is their responsibility to minimize anything that can potentially compromise their organizations environment.

I am hoping people take a serious look at their organization and help get a hold of their cybersecurity framework, and implementation, because I promise that the attacks will only get worse.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: