Weekly IT Security News Bulletin, 2021-W27
5 July – 11 July 2021


Headlines

Defense against software supply chain attacks

Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, suffered a supply-chain ransomware attack from a threat group known as REvil, and its software was being used to conduct attacks targeting multiple MSPs and their customers.

REvil ransomware (also known as Sodinokibi) is ransomware-as-a-service (RaaS), where an attacker distributes a licensed copy of the ransomware over the internet and the ransom is split with the developers. The group targeted Kaseya’s Virtual System/Server Administrator (VSA) product, which allows providers to perform patch management and client monitoring for their customers. Leveraging multiple zero-day vulnerabilities to gain access to the VSA infrastructure, the group published malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

Because Kaseya provides technology to MSPs, the attack against it reached a wider software supply chain. Kaseya estimated that 60 MSPs using the product were directly compromised by the attack, affecting around 1,500 downstream organisations. To assist clients in preparing for a return to service and patch deployment, Kaseya has published run books and practice guides for software hardening and implementing security best practices.

Advice
- Maintain an up-to-date inventory of software, and closely collaborate with the suppliers to swiftly respond to any discovered vulnerabilities in the software.
- Adopt a risk-based approach when selecting software, and regularly review and monitor vendors’ capability in vulnerability discovery and patch management.
- Formulate a resilience plan with failover processes and workarounds for key software, and identify alternative suppliers.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organisational network.

Sources
Kaseya
US-CERT
ZDNet

GovCERT.HK Weekly IT Security News Bulletin 2021-W27

Critical vulnerability in the Windows printing functionality

Microsoft released an emergency security update to address a publicly disclosed vulnerability in the Windows printing functionality that could allow attackers to take control of an affected system. This critical vulnerability, named PrintNightmare, is located in the Windows Print Spooler service.

In June 2021, Microsoft’s monthly update addressed another vulnerability (CVE-2021-1675) also located in the Windows Print Spooler service. Afterwards, two security researchers from Sangfor discovered a similar but different vulnerability from the one addressed in Microsoft’s June update. They named it PrintNightmare and publicly disclosed their proof-of-concept exploit together with their analysis.

Based on this original exploit, other security researchers implemented several new proof-of-concept exploits with additional attack vectors, increasing the urgency of addressing the PrintNightmare vulnerability. An emergency patch was released by Microsoft on 6 July 2021 to address the issue. Windows users should apply this official fix as soon as possible.

Advice
- Disable the Windows Print Spooler service, or disable inbound remote printing through Group Policy, on all critical systems to reduce the attack surface.
- Apply the latest patches on the operating systems in a timely manner to remediate any known

Sources
SECURELIST by Kaspersky
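The two Print Spooler mitigations in the advice above, as an added PowerShell example that is not from the bulletin or from Microsoft: it audits the spooler state on a host and, when asked, applies either mitigation. It assumes an elevated session on Windows and that the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the Printers policy key backs the Group Policy setting "Allow Print Spooler to accept client connections".

```powershell
# Added example, not part of the GovCERT.HK bulletin. Assumes an elevated session and
# that this policy value backs "Allow Print Spooler to accept client connections".
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-PrintSpoolerExposure {
    # Read-only audit: service state plus the remote-connection policy value.
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = $null
    if (Test-Path $PolicyKey) {
        $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                   -ErrorAction SilentlyContinue).$PolicyValue
    }
    $status    = 'NotInstalled'
    $startType = 'NotInstalled'
    if ($svc) { $status = $svc.Status.ToString(); $startType = $svc.StartType.ToString() }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = $status
        SpoolerStartType  = $startType
        RemotePrintingOff = ($remote -eq 2)
        # Exposed when the service is running and still accepts remote client connections.
        Exposed           = [bool]($svc -and $svc.Status -eq 'Running' -and $remote -ne 2)
    }
}

function Set-PrintSpoolerMitigation {
    param(
        # 'Disable'     : stop and disable the service (hosts that never print).
        # 'BlockRemote' : keep local printing, refuse inbound remote printing.
        [ValidateSet('Disable', 'BlockRemote')] [string] $Mode = 'BlockRemote'
    )
    if ($Mode -eq 'Disable') {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 2 `
                         -PropertyType DWord -Force | Out-Null
        # The spooler reads the policy at start-up, so restart it to apply the change.
        Restart-Service -Name Spooler -Force
    }
    Get-PrintSpoolerExposure   # return the post-change state for the change record
}

# Usage: audit first; remediate only critical systems that should not accept remote print jobs.
Get-PrintSpoolerExposure | Format-List
```

Run the audit across a fleet with Invoke-Command before remediating, so that print servers, which legitimately need the service, are handled by patching rather than by disabling the spooler.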

Product Vulnerability Notes & Security

w.debian.org/security/2021/dsa-4936
3. F5
uard.com/psirt/FG-IR-21-069
5. Gentoo /security.gentoo.org/glsa/202107-15
org/glsa/202107-19
6. Huawei dvisories/huawei-sa-20180106-01-cpu-en
7. IBM InfoSphere Information m.com/support/pages/node/6468581
8. Johnson Controls Facility n-com-media-imagelist.html
10. MDT sa-21-189-02
11. Moxa NPort IAW5000A-I/O Series Serial Device -21-187-01
12. FFAREA4V/
13. Oracle -2021-9346.html
14. Philips Vue 21-187-01
15. Red .com/errata/RHSA-2021:2666
16. Rockwell Automation MicroLogix 1-189-01
17. Sensormatic Electronics C-CURE 1-182-02
18. SonicWall 2126470/
19. -su-202114761-1/
20. Trend 889
21. untu.com/security/notices/USN-5008-2

Sources of product vulnerability information:
CentOS
Debian
F5 Product
Fortinet
Gentoo Linux
Huawei
IBM
Joomla!
openSUSE
Oracle Linux
Red Hat
SonicWall
SUSE
Trend
