Kaseya VSA Incident Update
After news of the attack by the REvil ransomware group using Kaseya VSA on July 2nd, Kaseya released on Sunday July 11th the patch for its VSA software (VSA 9.5.7a), which is available for VSA On-Premises and VSA SaaS customers. The update fixes the vulnerabilities listed as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120, which allowed credential leakage, Cross Site Scripting (XSS) and two-factor authentication bypass, respectively. This new version also fixes a bug that allowed unauthorised file uploads to a VSA server, and sets the Secure flag on user portal session cookies, which had not been in use; security enhancements to API responses have also been implemented. Regarding the incident, it is also worth noting the publication this Saturday of an article in Bloomberg, which includes statements from several former employees of the company who claimed that for years they had warned about serious problems in the software that had not been taken into account or fixed.
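The session cookie fix above is a useful reminder that missing cookie attributes are easy to check for from the outside. The following script is an added example, not Kaseya's code nor anything taken from VSA: it parses raw Set-Cookie header values and reports cookies sent without the Secure or HttpOnly attributes, singling out session-style cookies (matched by the assumed name hints in SESSION_HINTS) that lack Secure. The header lines in SAMPLE_HEADERS are constructed for illustration, not captured from any real server.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example (not Kaseya's code). The sample headers below are
constructed; point `audit` at the Set-Cookie values of a real response
to check your own application the same way.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> attribute value ("" for bare flags)
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Splitting on ';' is enough for RFC 6265 cookies: attribute values such
    as Expires may contain commas but never an unescaped semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


# Assumed name fragments that usually indicate a session/authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def is_session_cookie(cookie: Cookie) -> bool:
    """Heuristic: does the cookie name look like a session/auth cookie?"""
    lowered = cookie.name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for every cookie that
    lacks Secure and/or HttpOnly. Cookies with both attributes are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if "secure" not in cookie.attrs:
            missing.append("Secure")
        if "httponly" not in cookie.attrs:
            missing.append("HttpOnly")
        if missing:
            findings[cookie.name] = missing
    return findings


def session_cookies_without_secure(headers: List[str]) -> List[str]:
    """Highest-priority findings: session-style cookies that can be sent
    over plain HTTP because the Secure flag is absent."""
    return [
        parse_set_cookie(h).name
        for h in headers
        if is_session_cookie(parse_set_cookie(h))
        and "secure" not in parse_set_cookie(h).attrs
    ]


# Constructed sample Set-Cookie values (not from any real VSA server).
SAMPLE_HEADERS = [
    "sessionId=abc123; Path=/; HttpOnly",                          # missing Secure
    "csrf_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",   # fine
    "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",   # missing both
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("session cookies without Secure:", session_cookies_without_secure(SAMPLE_HEADERS))
```

The name heuristic is deliberately loose; in practice you would extend SESSION_HINTS with the cookie names your own application actually uses for sessions.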
SolarWinds fixes a new actively exploited 0-day
Software company SolarWinds, which last year experienced one of the most sophisticated cyber-espionage campaigns of recent times, has released an update for a 0-day vulnerability listed as CVE-2021-35211, which is reportedly affecting its Serv-U product. According to SolarWinds’ own advisory, Microsoft researchers informed the technology company of a remote code execution (RCE) vulnerability that was being actively exploited. When exploited, a malicious actor could gain privileged access to the host running the Serv-U product. The actual scope of the flaw is unknown, and no further details have been provided by the company. The affected products are Serv-U Managed File Transfer and Serv-U Secure FTP, version 15.2.3 HF1 and earlier. SolarWinds has made available an update to version 15.2.3 HF2, and upgrading to this version is recommended.
After the SolarWinds update, Microsoft published the details of its investigation, specifying that it had detected an exploit used in targeted attacks against SolarWinds’ Serv-U product. During the investigation, Microsoft noted that the targets of the campaign were US entities in the software and defence sectors. It claims that the activity of the group, which it refers to as DEV-0322, was located in China and used commercial VPN solutions as well as compromised routers as attack infrastructure.
Critical RCE vulnerability in ForgeRock Access Manager actively exploited
Cyber security agencies in Australia and the United States are warning of a critical remote code execution (RCE) vulnerability in ForgeRock Access Management, an open-source application used to manage permissions in internal applications. The vulnerability is listed as CVE-2021-35464 and was discovered and disclosed on June 29th by Michael Stepankin, security researcher at PortSwigger. ForgeRock indicates that this flaw affects Access Management (AM) versions prior to 7.0 that run Java 8. The company recommends applying the patches published on June 29th immediately, since the vulnerability has been actively exploited.
Microsoft’s monthly bulletin
Microsoft has published its July security bulletin which includes fixes for 117 vulnerabilities, thirteen of them critical. Among the flaws are nine 0-days, four of which are believed to be actively exploited:
- CVE-2021-34527 (PrintNightmare): remote code execution vulnerability in the Windows Print Spooler
- CVE-2021-33771: privilege escalation vulnerability in the Windows kernel
- CVE-2021-34448: scripting engine memory corruption vulnerability
- CVE-2021-31979: privilege escalation vulnerability in the Windows kernel
In addition, it is important to mention three Remote Code Execution (RCE) vulnerabilities affecting Microsoft Exchange Server (CVE-2021-31206), the Windows DNS server (CVE-2021-34494) and the Windows kernel (CVE-2021-34458). Microsoft recommends updating the affected assets.
Ransomware distribution exploiting SonicWall firmware
SonicWall has issued an urgent security advisory following the detection of a ransomware campaign based on the exploitation of a vulnerability in the firmware of some of its products. The vulnerable devices are Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running firmware versions 8.x. The firm is urgently recommending that the products be upgraded to version 9.x. If it is not possible to upgrade, it proposes the following mitigation measures: immediate disconnection of vulnerable SMA and SRA devices, resetting of passwords and activation of multi-factor authentication (MFA). Although SonicWall’s advisory does not provide details of the specific vulnerability being exploited, security researchers at CrowdStrike, who discovered and warned of a flaw in this firmware last June, confirm that it is the same vulnerability they detailed in their article a few weeks ago, which they identified as CVE-2019-7481. For its part, SonicWall’s incident response team has also published an alert to warn of this flaw, without associating it with the identifier that CrowdStrike linked in their article, but giving it a severity of CVSSv3 9.8.