A weekly recap of pertinent security events you need to be aware of and can read in 7 seconds (or so...)

Affected by the Kaseya Attack?

Do this: The FBI and CISA recommend shutting down your VSA servers immediately, reporting the compromise to the FBI at ic3.gov, and performing the following mitigation steps as soon as possible:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
Why: The REvil ransomware group attacked the Kaseya Virtual System/Server Administrator (VSA) platform, which is used to remotely monitor and administer software and network infrastructure, in order to spread ransomware to around 60 Kaseya customers.

Additional Info: https://threatpost.com/kaseya-attack-fallout/167541/
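The allow-listing step above, worked through on a single Windows host with Windows Defender Firewall. This is an added example, not code from the newsletter or from Kaseya; the admin port (TCP 8443) and the peer addresses (taken from the RFC 5737 documentation range) are placeholders to replace with your own values.

```powershell
# Added example, not from the newsletter or from Kaseya: scope inbound access to an RMM
# administrative interface to known peer addresses, then audit for rules that undo it.
# Assumptions (placeholders): the interface listens on TCP 8443 and the only legitimate
# peers are 203.0.113.10 and 203.0.113.32/28.
$RmmPort      = 8443
$AllowedPeers = @('203.0.113.10', '203.0.113.32/28')
$RuleName     = 'RMM-Admin-AllowList'

function Set-RmmAllowListRule {
    # Remove any earlier copy so the script can be re-run safely.
    Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $RmmPort `
        -RemoteAddress $AllowedPeers -Action Allow -Profile Domain,Private | Out-Null
}

function Get-ProfilesNotBlockingByDefault {
    # The scoped allow rule only restricts access if the profile's default inbound
    # action is Block. Returns any profile where that is not the case.
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        Select-Object Name, DefaultInboundAction
}

function Find-UnscopedRmmRules {
    # Any other enabled inbound Allow rule on the same port whose remote address is
    # 'Any' re-opens the interface to the whole network and must be removed or scoped.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Name -ne $RuleName } |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$RmmPort") -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        } |
        Select-Object Name, DisplayName
}

Set-RmmAllowListRule

$openProfiles = Get-ProfilesNotBlockingByDefault
if ($openProfiles) {
    Write-Warning "Default inbound action is not Block for: $($openProfiles.Name -join ', ')"
}

$unscoped = Find-UnscopedRmmRules
if ($unscoped) {
    Write-Warning "Unscoped allow rules still open port ${RmmPort}: $($unscoped.DisplayName -join ', ')"
} else {
    Write-Output "Port $RmmPort is reachable only from: $($AllowedPeers -join ', ')"
}
```

Run it from an elevated PowerShell session. The script deliberately does not add a catch-all Block rule for the port: Windows Firewall evaluates explicit Block rules ahead of Allow rules, so such a rule would also cut off the allowed peers. The restriction instead relies on the profile's default inbound Block, which is why the script checks that setting and then hunts for any other Allow rule on the port that is still scoped to Any.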

Affected by the Microsoft 'PrintNightmare' Vulnerability?

Do this: Microsoft has released guidance and updates for CVE-2021-34527; however, these updates do not protect against the PrintNightmare vulnerability universally. Microsoft also recommends the following:

  • Stop and disable the Print Spooler service via PowerShell:
    • Stop-Service -Name Spooler -Force
    • Set-Service -Name Spooler -StartupType Disabled
  • Disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy to block remote attacks, and then restart the system. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Why: "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government."

Additional Info: https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/
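The two workarounds above, combined into one script that first audits a host and then applies whichever option you choose. This is an added example, not code from the newsletter or from Microsoft. It assumes the "Allow Print Spooler to accept client connections" Group Policy is backed by the registry value named below, with 2 meaning the policy is Disabled.

```powershell
# Added example, not from the newsletter or from Microsoft: audit a Windows host against
# the two PrintNightmare workarounds and optionally apply one. Run elevated.
# Assumption: the Group Policy "Allow Print Spooler to accept client connections" is
# stored at the registry location below; a value of 2 corresponds to Disabled.
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemoteClients')]
    [string]$Mode = 'Audit'
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-PrintSpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $spoolerOff = $svc -and $svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled'
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerState         = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }
        RemoteClientsBlocked = ($policy -eq 2)
        # Either workaround removes the remote attack surface; only stopping the
        # service also removes the local one (and local printing with it).
        RemotelyExposed      = -not ($spoolerOff -or $policy -eq 2 -or -not $svc)
    }
}

function Disable-PrintSpooler {
    # Option 1 from the list above: no printing at all on this host afterwards.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-RemotePrintClients {
    # Option 2: keep local printing, refuse remote client connections.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    Write-Output 'Restart the system for the Group Policy change to take effect.'
}

$before = Get-PrintSpoolerExposure
$before | Format-List

switch ($Mode) {
    'DisableSpooler'     { Disable-PrintSpooler;       Get-PrintSpoolerExposure | Format-List }
    'BlockRemoteClients' { Disable-RemotePrintClients; Get-PrintSpoolerExposure | Format-List }
    default              { if ($before.RemotelyExposed) { Write-Warning 'Host is still remotely exposed.' } }
}
```

Save it as a script and run it with -Mode Audit to report without changing anything; RemotelyExposed is true only when the spooler is running and remote client connections are still allowed. Use -Mode DisableSpooler on hosts that never print and -Mode BlockRemoteClients where local printing must keep working, keeping in mind that the latter only takes effect after the restart the guidance calls for.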

About the Author

Ryan Bradbury, CISSP, OSCP
Principal Consultant & Cofounder

As a founding partner and principal consultant at SEVN-X, Ryan employs his training, experience, and expertise in helping organizations assess and protect their information security assets as well as respond to cybersecurity events. Ryan’s skillset has been forged from an extensive amount of field work—across various verticals—serving in both strategic and tactical security roles. SEVN-X requires all of its team members to be experts in information security and that starts from the top down.