SANS NewsBites

Kaseya VSA Users Should Disconnect Until Patched; ACH Network Demands Account Numbers be Unreadable if Stored; Turn Off Windows Print Spooler

July 6, 2021  |  Volume XXIII - Issue #52

Top of the News


2021-07-06

Kaseya Supply Chain Attack Affects Hundreds of Organizations

On Friday, July 2, ransomware operators exploited a vulnerability in Kaseya’s update mechanism to push REvil ransomware out to the IT services company’s customers. Kaseya develops software for Managed Service Providers (MSPs), which means the attackers’ reach could extend to hundreds if not thousands of organizations. The Coop supermarket chain in Sweden closed hundreds of stores for two days because its point-of-sale systems were affected. The attackers appear to be demanding a ransom of $70 million. Kaseya says it may begin restoring SaaS on Tuesday afternoon, July 6.

Editor's Note

Ransomware actors have been hitting MSPs for a while now. The advantage of attacking MSPs is that they provide trusted access to multiple organizations and a bigger "bang for the buck." Now REvil did "take it up a notch" by simultaneously exploiting software used by MSPs. The entire scope of this attack will probably take a few more days to become clear, and this will be a bad return to work from a long holiday weekend for many. If you are not affected by this attack: Take half a day this week to brainstorm how similar scenarios could affect your network: Which trusted suppliers have access to your network, and what software are you using to manage your network? How are you ensuring the integrity of this software after updates? And please: Do not exempt this software from anti-malware scans. Sometimes it is better to let the software break vs. having the software break you.

Johannes Ullrich

Your MSP has potentially sensitive access to your IT and is using their preferred tools to support your business. When you set up that access, you probably verified the security of the tools used and the scope of permissions granted to their accounts. Are you monitoring for a change in scope? Could you detect their tool going bad? Have you walked down what would happen if you turned that off? Kaseya advises on-premises VSA users to turn systems off until a patch can be deployed. The patch is planned for release 24 hours after the SaaS service is restored. The flaws exploited appear to be zero-day vulnerabilities rather than a supply chain attack.

Lee Neely

This is a worrying change in tactics for those behind ransomware attacks as they move from phishing emails to ways to infiltrate the supply chain for many vendors. It is a reminder that, given the modern business reliance on third-party vendors and their downstream suppliers, we need to move beyond simply checklist exercises for managing third-party risk. Any vendors who deploy tools or systems into our environments need to be assessed with additional scrutiny and appropriate controls. This applies in particular to any software that requires excessive permissions, administrator access, or exclusion from anti-virus software, as is the case with Kaseya.

Brian Honan

Kaseya has a relatively small market share in the client management market, but (like system management and SolarWinds) attackers are targeting product areas where one compromise not only gives them deep access but that same access across many targets. Larger competitors to Kaseya VSA include BMC, CA, IBM BigFix and ManageEngine – if you are using them, use this as a spur to make sure you’d quickly notice if they went bad and to test resiliency plans if you had to shut them off in the event of compromise.

John Pescatore

With cyber criminals becoming so brazen, I wonder if / when they will begin to not only attack and ransom large corporations, but start ransoming entire countries, especially countries that don’t have the resources to retaliate.

Lance Spitzner

Caveat emptor! However, the buyer will rarely have sufficient visibility into the supply chain to adequately resist such attacks. The deeper down in the chain the supplier, the greater the potential damage. We must hold suppliers accountable for what they distribute or the services that they offer. Such accountability will include timely remedies but also consequential damages.

William Hugh Murray

2021-06-30

New ACH Network Data Security Rule

The National Automated Clearinghouse Association (NACHA) has introduced a new security rule for ACH transactions. Organizations that process digital financial transactions must ensure that deposit data are unreadable when they are being stored electronically. The new rule, which took effect on Wednesday, June 30, applies to entities that process more than 6 million ACH transactions a year. Entities that process more than 2 million transactions a year will be subject to the rule on June 30, 2022.

Editor's Note

This was pushed back from 2020, so it is good to see NACHA making this long-delayed move. Encryption is not required (truncation, tokenization, and deletion are compliant), but this should provide a boost for persistent data encryption solutions, a good thing to aim for.

John Pescatore

In 2020, there were about 27 billion ACH payments for about $62 trillion USD. In Q1 of 2021, $17.3 trillion was processed. One accepted approach is to render the data, notably account numbers and routing numbers, unreadable via the use of tokenization. If that rings a bell, this is used by Apple Pay, Google Pay, and Samsung Pay. The new regulations state passwords are not sufficient protection, and full-disk encryption requires accompanying prescribed physical security measures.

Lee Neely

Participation in a cross-enterprise application carries responsibility. Fortunately for us, the requirements are only for things that we ought to be doing anyway.

William Hugh Murray

2021-07-05

PrintNightmare Affects All Versions of Windows

A critical remote code execution vulnerability in the Windows Print Spooler service is being actively exploited. The flaw was accidentally disclosed last week when researchers published proof-of-concept code; they reportedly thought Microsoft had already issued a fix. Microsoft has acknowledged that “the code that contains the vulnerability is in all versions of Windows,” and it is working on a patch. Until the fix is available, Microsoft is recommending that users disable the Windows Print Spooler service or disable inbound remote printing.

Editor's Note

Save your network (and the environment): Turn off your print spooler. Sadly, the best way to protect yourself from exploitation is to disable printing. There are a number of other methods proposed (like limiting permissions on the directory used to store printer drivers), but it isn't clear if they fully protect systems. For high value assets like domain controllers, turning off printing should be a no-brainer. Exploitation does require valid user credentials, and this will likely be the lateral movement and privilege escalation technique of choice for years to come.

Johannes Ullrich

Disable the print service with a GPO, allowing it only on defined print servers, to minimize risk of re-enablement. Don’t use a domain controller as a print server. The Print Spooler service is enabled by default.

Lee Neely

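Lee Neely's advice above (spooler off everywhere except sanctioned print servers, never on a domain controller) together with Microsoft's alternative of blocking inbound remote printing, as an added PowerShell host check that is not from the newsletter or from Microsoft; a GPO remains the durable way to enforce it, this script audits and remediates a single host. The print-server allow-list and the `-KeepLocalPrinting` switch are assumptions.

```powershell
# Added example (not from the newsletter or from Microsoft): audit one Windows host
# against the PrintNightmare mitigations discussed above and apply the one that fits.
# Run elevated. The allow-list of sanctioned print servers is an assumption; edit it.
param(
    [string[]] $AllowedPrintServers = @('PRINT01', 'PRINT02'),  # hypothetical names
    [switch]   $KeepLocalPrinting   # keep spooler up but refuse inbound remote printing
)

# Registry value behind the GPO "Allow Print Spooler to accept client connections"
# (Computer Configuration > Administrative Templates > Printers). 2 = Disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

$spooler = Get-Service -Name Spooler
$cs      = Get-CimInstance -ClassName Win32_ComputerSystem
$isDC    = $cs.DomainRole -in 4, 5                    # 4 = backup DC, 5 = primary DC
$isPrintServer = $env:COMPUTERNAME -in $AllowedPrintServers

$policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
$inboundBlocked = [bool]$policy -and $policy.$PolicyName -eq 2

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    DomainController = $isDC
    SpoolerStatus    = $spooler.Status
    SpoolerStartup   = $spooler.StartType
    InboundBlocked   = $inboundBlocked
} | Format-List

if ($isDC -and $isPrintServer) {
    Write-Warning 'A domain controller is on the print-server allow-list; remove it.'
}

if ($isPrintServer -and -not $isDC) {
    # Sanctioned print server: it must accept client connections, so only report.
    Write-Output 'Sanctioned print server: spooler left running; patch as soon as available.'
}
elseif ($KeepLocalPrinting -and -not $isDC) {
    # Workstation that needs local printing: block the remote RPC endpoint via the
    # same policy value the GPO sets, then restart the spooler so it takes effect.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force
    Write-Output 'Inbound remote printing disabled; local printing still works.'
}
else {
    # Everything else, and every domain controller: stop the service and make sure
    # nothing (including a well-meaning admin) starts it again before the patch.
    if ($spooler.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled on this host.'
}
```
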
The Rest of the Week's News


2021-07-01

Netgear Releases Fixes for Vulnerabilities in its DGN2200v1 Router

Netgear has released firmware updates to address a trio of vulnerabilities affecting its DGN2200v1 network router. Flaws in the router's HTTPd authentication could be exploited to leak data and to take control of vulnerable devices. The vulnerabilities affect DGN2200v1 units running firmware versions older than v1.0.0.60.

Editor's Note

These were discovered by Microsoft’s 365 Defender Research Team, formerly ReFirm Labs. Expect more disclosures as they work to expand their capabilities. If you have a Netgear router, make sure that you’re keeping the firmware updated, either via the management app, such as their Orbi, Nighthawk, or Insight app (which are product specific), or by logging into the router and checking. If possible, set up automated updates in the middle of the night.

Lee Neely

The side channel vulnerability, while not the most serious issue, is something all developers should be looking out for. I am pretty sure that under the hood, many applications suffer from this same problem and yes, it is exploitable.

Johannes Ullrich

2021-07-02

US and UK Cybersecurity Officials Warn of APT28 Brute Force Attacks

A joint cybersecurity advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) warns of brute force cyberattacks allegedly conducted by Unit 26165 of Russia's GRU military intelligence agency, sometimes called Fancy Bear or APT28. The attacks have targeted hundreds of organizations around the world.

Editor's Note

Mitigations include not only using MFA for all your externally reachable services, including cloud, but also making sure that account time-out and lockout settings are active to shut down attempts to access accounts illicitly. Examine access to your externally facing services, and consider denying access from atypical locations, such as Tor or other anonymizing VPNs; make sure that anomalous user detection is enabled and configured.

Lee Neely

Another example of how / why 2FA is becoming such a critical control in today’s world.

Lance Spitzner

Such attacks are characterized by an unusually high rate of failed logon attempts and are resisted by strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and by raising the cost to attackers by slowing the subsequent prompts after failed attempts.

William Hugh Murray

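The lockout and anomalous-logon checks the notes above describe, as an added PowerShell example that is not from the advisory or the newsletter; it runs over constructed failed-logon records in the shape of Windows event ID 4625, and the thresholds and time window are assumptions.

```powershell
# Added example (not from the advisory or the newsletter): flag brute-force patterns
# in Windows failed-logon events (ID 4625). Uses constructed sample records; on a real
# host you would feed it Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}.
$Window        = [timespan]::FromMinutes(10)
$PerAccountMax = 5     # assumed threshold: one account, failures inside $Window
$PerSourceMax  = 20    # assumed threshold: one source address across many accounts

# Constructed sample events, not real telemetry. Real 4625 events carry these
# fields as TargetUserName and IpAddress in the event XML.
$t0 = Get-Date '2021-07-02T08:00:00Z'
$events = @(
    # one account, many attempts from one source: classic brute force
    1..8  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); User = 'jsmith';   Source = '198.51.100.7' } }
    # many accounts, one source: the same attacker walking an account list
    1..25 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); User = "user$_";   Source = '203.0.113.9'  } }
    # a user mistyping twice: benign, must not be reported
    1..2  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes(3 * $_);  User = 'ajones';   Source = '10.0.0.15'    } }
)

function Find-LogonAbuse {
    param([object[]] $Events, [timespan] $Window, [int] $PerAccountMax, [int] $PerSourceMax)
    $alerts = @()
    # Per account: more than $PerAccountMax failures inside any $Window should already
    # have tripped the lockout policy; if the account is still live, the policy is not active.
    foreach ($g in $Events | Group-Object User) {
        $times = @($g.Group.Time | Sort-Object)
        for ($i = 0; $i + $PerAccountMax -lt $times.Count; $i++) {
            if (($times[$i + $PerAccountMax] - $times[$i]) -le $Window) {
                $alerts += [pscustomobject]@{ Kind = 'BruteForce'; Key = $g.Name; Count = $g.Count }
                break
            }
        }
    }
    # Per source: many failures across distinct accounts from one address, which
    # per-account lockout never catches; this is what an anomalous-source rule must see.
    foreach ($g in $Events | Group-Object Source) {
        $accounts = @($g.Group.User | Sort-Object -Unique).Count
        if ($g.Count -ge $PerSourceMax -and $accounts -gt 1) {
            $alerts += [pscustomobject]@{ Kind = 'ManyAccounts'; Key = $g.Name; Count = $g.Count }
        }
    }
    return $alerts
}

Find-LogonAbuse -Events $events -Window $Window -PerAccountMax $PerAccountMax -PerSourceMax $PerSourceMax |
    Format-Table -AutoSize
```
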
2021-07-02

CISA Releases Ransomware Readiness Assessment Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool to help organizations evaluate their cybersecurity posture with regard to ransomware. The Ransomware Readiness Assessment (RRA) is a new module in CISA’s Cyber Security Evaluation Tool (CSET). RRA can be used on both IT networks and industrial control system (ICS) networks.

Editor's Note

The RRA provides a consistent basis to evaluate your IT and OT/ICS security practices, using a graduated approach from basic controls to advanced questions and tutorials, and includes a dashboard to track readiness/progress. Even if you think you have a solid posture and plan (which was hard enough to do without guidance like this), it’d be a good idea to cross-check with the RRA tool to see if you have gaps or missed some new data points. If you’ve been struggling to create your plan and assess your ransomware preparedness, this is the answer you’re looking for.

Lee Neely

I have looked at this tool and it is a very good start for organizations to determine how prepared they are against ransomware attacks. Another free and useful resource is the Europol-sponsored NoMoreRansom website www.nomoreransom.org which has lots of information in various languages on how to prevent and deal with ransomware.

Brian Honan

Ransomware requires a compromise of the target network. It is only one of many bad things that can happen to you after a breach. However, extortion has been so profitable and with so little risk that it has resulted in an increased rate of attacks and breaches. Resist breaches. Employ strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and end-to-end application-layer encryption or structured networks.

William Hugh Murray

2021-07-01

Europol: Coordinated Action Takes Down VPN Service Used by Criminals

On June 29, 2021, law enforcement and judicial authorities in Europe, the US, and Canada “seized the web domains and server infrastructure of DoubleVPN,” a VPN service frequently used by criminals.


2021-07-05

QNAP Fixes Vulnerability Affecting NAS Devices

QNAP has released updates to address an improper access control vulnerability in its Hybrid Backup Sync 3 (HBS 3), the company’s disaster recovery and backup application. The issue is fixed in QTS 4.3.6: HBS v3.0.210507 and later; QTS 4.3.4: HBS v3.0.210506 and later; and QTS 4.3.3: HBS v3.0.210506 and later.

Editor's Note

Don’t expose NAS devices to the Internet. Log in to your QNAP device, update the OS and all loaded applications, and remove/uninstall unused applications.

Lee Neely

2021-07-04

Windows Update Bug Preventing Azure Virtual Desktop Updates

A bug in Windows Update is preventing Azure Virtual Desktop devices from downloading and installing security updates released after May 2021. Microsoft is investigating the issue; the company is “working on a resolution and will provide an update in an upcoming release.” Microsoft has provided two workarounds.


2021-07-04

Microsoft Releases Updates for PowerShell 7.0 and 7.1

Microsoft has released updated versions of PowerShell 7.0 and 7.1 to address a .NET Core remote execution vulnerability. Azure users are urged to update to the most recent versions: 7.0.6 and 7.1.3. The issue does not affect PowerShell 5.1.

Editor's Note

If you’re using PowerShell to manage your Azure resources, including MS 365, you need to apply this update PDQ. There are no workarounds and the fix for CVE-2021-26701 was released in the February 2021 update. The weakness is a flaw in the "System.Text.Encodings.Web" package, which provides types for encoding and escaping strings for use in JavaScript, HTML, and URLs.

Lee Neely

2021-06-30

Google Renews Nest Security Commitments

Google has committed to providing “critical bug fixes and patches” for its Nest smart home products for a minimum of five years. The company’s privacy commitments include validating Google Nest devices using an independent security standard, using verified boot to protect devices, and making it easier for users to see which devices are connected to their accounts.

Editor's Note

Google is providing updates and fixes five years from product launch, not your purchase date. Keep an eye on their support page, particularly for things like your Nest Thermostat and safety/security devices (Hello, Cameras, Locks, Protect) which are easily overlooked and forgotten. https://support.google.com/googlenest/answer/9327662?p=connected-devices

Lee Neely

Google and Nest have been using Internet of Secure Things Alliance standards and certifications which started up in 2018 or so and now has six authorized testing labs, a strong list of alliance members and certificated products, and Amazon, Facebook, Google, Honeywell and Silicon Labs on their board of directors. This critical mass makes it a usable standard to spec in procurements and RFPs.

John Pescatore

Technical controls are key to securing smart home devices like these, but so is making them easy for people to use / secure. Having the best technical standards in the world does little if the interface is confusing and people have no idea how to change the default password or enable automatic updating.

Lance Spitzner

Internet Storm Center Tech Corner

CVE-2021-1675 Incomplete Patch - PrintNightmare

https://isc.sans.edu/forums/diary/CVE20211675+Incomplete+Patch+and+Leaked+RCE+Exploit/27588/


Print Spooler PrintNightmare Update

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

https://github.com/LaresLLC/CVE-2021-1675


Kaseya REvil Update

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b

https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/


Google "Sweepstakes" Phish Without Link

https://isc.sans.edu/forums/diary/Diving+into+a+Google+Sweepstakes+Phishing+Email/27578/


Expired RPM Key Problem

https://github.com/rpm-software-management/rpm/issues/1598


Node.JS Update

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/


Forensics Contest Solution / Winner

https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/


WD MyBook Details

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/


Internet Explorer PDF Update

https://support.microsoft.com/en-us/topic/june-29-2021-kb5004760-os-builds-19041-1082-19042-1082-and-19043-1082-out-of-band-9508f7a2-0713-432f-b06c-1ae6d802a2f7


NETGEAR Router Vulnerabilities (DGN-2200v1)

https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/