SANS NewsBites

Kaseya Critical Updates to be Released on Sunday 11 July; Flawed Microsoft Emergency Fix Doesn’t Stop PrintNightmare; Cyber-insurers Form Consortium to Address Cyberinsurance Policy Deficiencies and Losses

July 9, 2021  |  Volume XXIII - Issue #53

Top of the News


2021-07-07

Kaseya Plans to Have VSA SaaS and On-Premises Updates Ready by Sunday, July 11

Kaseya is still working on patching both the software-as-a-service (SaaS) and the on-premises versions of its VSA software. The attackers managed to infect about 60 Kaseya on-premises customers, and from there, infect about 1,500 of those customers’ clients with REvil ransomware. Kaseya plans to have patches available for SaaS and on-premises VSA software by 4PM EDT Sunday, July 11. Kaseya has released a start-up readiness guide for on-prem VSA customers to “ensure [their] VSA server(s) is prepared to receive the VSA release patch, which contains critical security fixes.”

Editor's Note

Be aware of fake updates circulating. These fake updates will attempt to install backdoors instead of fixing the flaw. Be careful with any detection tools, patches, or protection tools distributed and always verify the source as well as the integrity of the file.

Johannes Ullrich
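A concrete form of that check, as an added example that is not part of the newsletter or of Kaseya's tooling: the PowerShell function below refuses a downloaded update or detection tool unless its SHA-256 matches a value obtained out of band, its Authenticode signature chains to a trusted root, and the signer subject matches the publisher you expect. The expected hash and signer subject are placeholders you must fill in from the vendor's advisory or a known-good install; the download page itself is not a trustworthy source for them if it has been tampered with.

```powershell
# Added example (not from the newsletter, Kaseya or Microsoft): gate execution
# of a vendor-supplied file on three independent checks. A "Valid" Authenticode
# status only proves a chain to a root your machine trusts, so the out-of-band
# hash is the check that actually defeats a swapped-in installer.

function Test-VendorArtifact {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: copied from the vendor's advisory or e-mail, never from the download page.
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Assumption: substring of the publisher's certificate Subject, taken from a known-good install.
        [Parameter(Mandatory)][string]$ExpectedSigner
    )

    $result = [ordered]@{
        Path        = $Path
        HashOk      = $false
        SignatureOk = $false
        SignerOk    = $false
        Signer      = $null
        Trusted     = $false
    }

    # 1. Content check: SHA-256 of the file on disk versus the out-of-band value.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256)

    # 2. Signature check: the file must carry an Authenticode signature that verifies.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # 3. Identity check: a valid signature from the wrong publisher is still a fake.
    if ($sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.SignerOk = ($result.Signer -like "*$ExpectedSigner*")
    }

    $result.Trusted = $result.HashOk -and $result.SignatureOk -and $result.SignerOk
    [pscustomobject]$result
}

# Usage (placeholders in angle brackets are assumptions to be filled in):
$check = Test-VendorArtifact -Path 'C:\Temp\vsa-update.exe' `
                             -ExpectedSha256 '<hash from vendor advisory>' `
                             -ExpectedSigner 'CN=<publisher subject from a known-good install>'
if (-not $check.Trusted) {
    Write-Warning "Do not execute. Failed checks:`n$($check | Format-List | Out-String)"
}
```

The three checks are deliberately separate so the output tells you which one failed: an unsigned file, a file signed by someone else, and a correctly signed file whose hash does not match are three different incidents.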

The Kaseya article below lays out what you need to do for an on-premise server to prep for the upcoming patch, including isolation and checking for provided IOCs. Note that they have an agreement with FireEye to provide complimentary endpoint security agents for your VSA server which you should implement.

Lee Neely

2021-07-07

PrintNightmare Emergency Fix Can be Bypassed

Microsoft issued an emergency patch to address the critical Windows print spooler vulnerability known as PrintNightmare (CVE-2021-34527), but the patch falls short. Hours after Microsoft released the patch, researchers demonstrated that it could be bypassed.

Editor's Note

Windows suffers from an architectural problem in running printer drivers as SYSTEM. The only way to properly mitigate this risk is to allow only administrators to install printer drivers. The latest patch does offer this option and it should be enabled.

Johannes Ullrich

If you’ve already pushed out the patch, as many did, enable the “RestrictDriverInstallationToAdministrators” registry value to only allow administrators to install printer drivers. If end users are operating with administrative privileges on their endpoints, make sure that UAC is set to always prompt for credentials, which slows inadvertent installations. Other UAC settings have historically had bypass options which reduces their effectiveness. Test these settings before deploying widely.

Lee Neely
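The setting and the checks Lee Neely describes, as an added PowerShell example (not from the newsletter or from Microsoft): it reads the Point and Print policy key, reports the configurations Microsoft documents as still exploitable after the July 2021 out-of-band update (NoWarningNoElevationOnInstall or UpdatePromptSettings set to a non-zero value), and sets RestrictDriverInstallationToAdministrators to 1. The key path and value names are taken from Microsoft's guidance for CVE-2021-34527; the spooler check at the end is an assumption about what a practitioner would also want to see, not something the note asks for. Run it elevated and, as the note says, test before deploying widely.

```powershell
# Added example (not from the newsletter or Microsoft): audit and harden the
# Point and Print policy values that decide whether the CVE-2021-34527 patch
# actually protects a host. Key path and value names are from Microsoft's
# guidance for the July 2021 out-of-band update. Requires an elevated shell.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    # Returns the three relevant values; a missing key or value reads as $null.
    $props = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue
    @{
        NoWarningNoElevationOnInstall              = $props.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $props.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = $props.RestrictDriverInstallationToAdministrators
    }
}

function Test-PointAndPrintSecure {
    # Returns an array of findings; an empty array means the host is configured as recommended.
    param([hashtable]$State = (Get-PointAndPrintState))
    $findings = @()
    if ($State.NoWarningNoElevationOnInstall -and $State.NoWarningNoElevationOnInstall -ne 0) {
        $findings += 'NoWarningNoElevationOnInstall is non-zero: the elevation prompt is suppressed and the patch does not protect this configuration.'
    }
    if ($State.UpdatePromptSettings -and $State.UpdatePromptSettings -ne 0) {
        $findings += 'UpdatePromptSettings is non-zero: driver-update prompts are suppressed and the patch does not protect this configuration.'
    }
    if ($State.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-administrators can still install printer drivers.'
    }
    $findings
}

function Set-PointAndPrintHardened {
    # Creates the policy key if it is absent and writes the recommended values.
    if (-not (Test-Path $PointAndPrint)) {
        New-Item -Path $PointAndPrint -Force | Out-Null
    }
    New-ItemProperty -Path $PointAndPrint -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrint -Name NoWarningNoElevationOnInstall              -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrint -Name UpdatePromptSettings                       -PropertyType DWord -Value 0 -Force | Out-Null
}

# Audit first, then harden, then re-audit so the change is confirmed from the registry itself.
$before = Test-PointAndPrintSecure
if ($before.Count -gt 0) {
    $before | ForEach-Object { Write-Warning $_ }
    Set-PointAndPrintHardened
    $after = Test-PointAndPrintSecure
    if ($after.Count -eq 0) { Write-Output 'Point and Print policy now matches the recommended values.' }
    else { $after | ForEach-Object { Write-Warning "Still open: $_" } }
}

# Assumption, beyond what the note asks for: on hosts that do not print, the
# spooler service should not be running at all.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Output "Spooler is running (StartType $($spooler.StartType)); confirm this host actually needs it."
}
```

The audit-then-harden order matters on a fleet: the first pass tells you how many hosts had the prompts disabled by policy, which is the population that was exploitable even after the patch was installed.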

2021-07-06

Cyberinsurance Companies Respond to Ransomware Situation

The insurance industry is taking steps to address the issue of ransomware. In June, a consortium of seven major cyber insurers established CyberAcuView, which “will compile and analyze cyber-related data to enhance value and service to policyholders and help ensure a competitive market for cyber insurance.” And earlier this month, the American Property Casualty Insurance Association (APCIA) published its Cyber Extortion/Ransomware Guiding Principles.

Editor's Note

In the long run, an effort like CyberAcuView could have positive impact by standardizing insurer requirements for “essential security hygiene” based on meaningful standards such as the CIS Critical Security controls. But, two things to keep in mind: (1) Long term means no likely meaningful impact before 2023 at the earliest; and (2) in both the long term and the short term, the presence or absence of cyberinsurance does not reduce what needs to be done to protect business and customer data and services.

John Pescatore

The phrase “closing the barn door after the horse has bolted” came to mind when reading this. There is a very strong argument that cyber insurance companies encouraged the growth in ransomware attacks by their preference to pay ransom demands for their clients who fell victim to attacks. It also highlights that cybersecurity has many complex challenges and simple solutions that seem attractive to business sponsors, such as cyber insurance, may not work as expected and can have serious implications in the long term.

Brian Honan

Cyber insurance companies got really good at negotiating payments for ransomware, resulting in a position where payment was virtually assured. Subsequently, while the rise in premiums in the last year has been 20%, the rise in claims has been 39%, which results in a financially unsustainable position for the insurance companies. The good news is this has forced them to publish guiding principles and form alliances such as CyberAcuView to strengthen risk mitigation and stem this tide.

Lee Neely

Insurance, the assignment of risk to underwriters, should be used for things that have low rates of occurrence, high consequences, and which are difficult to mitigate.

William Hugh Murray

The Rest of the Week's News


2021-07-09

Kaseya Overview

Guidance from the FBI and CISA describes the Kaseya situation as a “supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.” The attack began on July 2; just hours after Kaseya VSA servers were compromised, between 800 and 1,500 organizations became infected with ransomware. The attack affected Kaseya VSA on-premises customers; the company urged those customers to shut down their VSA servers. Kaseya also made the decision to take its software-as-a-service (SaaS) servers offline as a precautionary measure.

Editor's Note

I hesitate to call this a supply chain attack as the malicious actors didn’t compromise the code base as much as they exploited a zero-day flaw. Even so, read and implement the guidance from CISA and Kaseya on improving your VSA instance security before returning it to operational status.

Lee Neely

2021-07-08

Kaseya Flaw Reported in April

One of the vulnerabilities recently exploited in Kaseya’s Virtual System Administrator (VSA) software was reported to the company earlier this year. In April, the Dutch Institute for Vulnerability Disclosure privately reported seven security issues to Kaseya. Four of the flaws were addressed in April and May updates. The remaining three vulnerabilities were scheduled to be fixed in a forthcoming update. (Please note that the WSJ story is behind a paywall.)

Editor's Note

It does look like Kaseya dropped the ball fixing these vulnerabilities, causing harm to its customers. A robust vulnerability remediation program is a must-have for a software company and interactions with researchers reporting vulnerabilities need to be managed well. A well-managed bug bounty program can help streamline the process and set expectations for researchers reporting vulnerabilities.

Johannes Ullrich

Prioritization of fixes is tricky. Kaseya is a great example of working with researchers who disclosed vulnerabilities, and assisted in verifying the patches resolved the issues. As with any vulnerability, there is a race condition of developing, verifying and deploying fixes versus malicious actors discovering and exploiting those weaknesses. In this case, one flaw – CVE-2021-30116, slated for a June patch release, lost the race. While it’s easy to second-guess here, note that the rapidly released PrintNightmare fixes fell short of resolving that issue, resulting in added fixes which can be just as disruptive as failing to release an update at all.

Lee Neely

This failure raises a number of questions. During this window, did Kaseya caution their customers or suggest workarounds? Did they have a duty to do so? Is our infrastructure too porous? Can we live with an infrastructure that is based upon late quality by patching? Raise your own questions, as well.

William Hugh Murray

2021-07-08

Kaseya Attack Takes Two Maryland Towns Offline

Among the victims of the Kaseya supply chain attack are two Maryland towns. The computer networks of Leonardtown and North Beach have been infected with REvil ransomware. Neither town has its own IT staff, and both were infected through Kaseya customers’ systems.

Editor's Note

The beauty of hiring an MSP is that they have expertise you don’t, common tools and processes, including 24x7 support for less than you can insource. That comes with a cost of having remote privileged access to your systems, and the risk of compromise, either through a flaw in their tools or staff. In a little to no IT staff model, make sure that you still have staff that knows how and where to shutdown impacted services as well as clear understanding of what service restoration entails. Lastly, irrespective of IT staff size, make sure that you have proven fallback procedures for IT failures.

Lee Neely

Small businesses and state, local, and tribal agencies that are totally dependent on service providers will unfortunately always have this kind of risk. However, one common “trick” that Leonardtown, MD was able to use to start restoring backups manually was to have at least one PC that is never used be part of the backup strategy. Leonardtown (and others in the past) have taken advantage of the PCs of employees who were on vacation when the malware attack hit – have one PC where the user is always “on vacation.”

John Pescatore

Managed Service Providers owe a high standard of care.

William Hugh Murray

2021-07-08

US Will Take Action Against Russian Cybercriminals if Russia Does Not

In a July 6 briefing, White House Press Secretary Jen Psaki said that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.” Psaki also noted that the Kaseya supply chain attack has not yet been attributed to a specific threat actor.

Editor's Note

Specific attribution is tricky as the REvil Ransomware Service is available to any affiliate to use, for a percentage of the ransom collected. Also Russia historically has had a “so long as you don’t hack us we’re good” posture for malicious actors operating there. The recent stories of takedown of international operations, similar to REvil, depend on cooperation of law enforcement in all countries involved, without which shuttering the service, or determining the actual actors behind any given attack become moot.

Lee Neely

2021-07-06

Mongolian Certificate Authority Website Compromised

Attackers compromised Mongolian certificate authority MonPass’s website and installed Cobalt Strike in its installer software. The backdoored installer was available for about a month earlier this year.


2021-07-08

Right to Repair Movement is Gaining Traction

In a press briefing on Tuesday, July 6, White House Press Secretary Jen Psaki said that President Biden plans to issue an executive order (EO) that addresses right to repair. The EO will reportedly direct the Federal Trade Commission to draft rules that prevent manufacturers from limiting customers’ ability to repair products they have purchased, and direct the Department of Agriculture to establish rules allowing farmers to repair their own equipment. In a related story, the UK has rules that require manufacturers to make spare parts available to people who purchase electrical appliances, and the European Commission plans to introduce right-to-repair rules for smartphones, laptops, and tablets. Apple co-founder Steve Wozniak has voiced his support of the right to repair movement.

Editor's Note

Be careful what you ask for, you might get it. Agriculture and Cyber are different environments. The Apple founders fell out over the issue of “closed versus open” systems. I, for one, am glad that Jobs won.

William Hugh Murray

2021-07-08

Sage X3 Vulnerabilities Fixed in Updates

Four vulnerabilities, one of which is critical, in the Sage X3 enterprise resource planning (ERP) platform could be exploited to execute arbitrary code and take control of vulnerable systems. Fixes for the flaws have been released.

Editor's Note

Attackers are going after applications (like SolarWinds, Kaseya, etc.) that get the highly privileged access inside networks, and ERP and financial management apps are certainly targets. SAP, Oracle, and Workday are the “big dogs” in this market but Sage, along with Acumatica, FinancialForce and Infor customers should review segmentation around these products and accelerate patching.

John Pescatore

2021-07-08

Joplin, Missouri’s Computer System Hit with Cyberattack

The city of Joplin, Missouri’s computer network suffered an apparent cyberattack; its phone lines and online presence were both unavailable as of Thursday, July 8. The city’s 911 service is operational. Various city departments, including planning and zoning, and code enforcement, have counter service available and are accepting only cash and checks for payment.


2021-07-08

Cisco Talos: SideCopy APT Group Increasing Attacks in India and Pakistan

Researchers from Cisco Talos have “observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India.” The SideCopy advanced persistent threat (APT) group has been active since at least 2019.

Internet Storm Center Tech Corner

Microsoft Releases Patches for CVE-2021-34527 UPDATED

https://isc.sans.edu/forums/diary/Microsoft+Releases+Patches+for+CVE202134527/27610/


Microsoft Releases PrintNightmare Patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


Using Sudo With Python For More Security Controls

https://isc.sans.edu/forums/diary/Using+Sudo+with+Python+For+More+Security+Controls/27614/


Kaseya Update

https://www.kaseya.com/potential-attack-on-kaseya-vsa/


Fake Kaseya Updates Include CobaltStrike Payload

https://www.theregister.com/2021/07/07/kaseya_malware_patches_/


Kaspersky Password Manager

https://donjon.ledger.com/kaspersky-password-manager/


Amazon Echo Dot After Reset Artifacts

https://dl.acm.org/doi/pdf/10.1145/3448300.3467820


GitLab Update

https://www.ehackingnews.com/2021/07/gitlab-fixes-several-vulnerabilities.html


Vulnerable NuGet Packages

https://blog.secure.software/third-party-code-comes-with-some-baggage


WildPressure macOS Trojan

https://www.kaspersky.com/about/press-releases/2021_wildpressures-multi-platform-malware-hits-macos-in-the-middle-east

https://www.patreon.com/posts/53462690


iCloud Password Reset Weakness

https://thezerohack.com/apple-vulnerability-bug-bounty