Kaseya VSA incident
On Friday July 2nd, the REvil ransomware group compromised third-party companies by exploiting a zero-day vulnerability in Kaseya VSA. Kaseya VSA is a remote system monitoring and management solution widely used by Managed Service Providers (MSPs) in the US and UK. Compromising this solution allowed the attackers to reach the workstations and corporate networks of hundreds of MSP customers, deploy their payload and encrypt files. According to Huntress’ tracing of the incident, the attack vector was an authentication bypass flaw in the Kaseya VSA web interface, which allowed unauthorised code execution via SQL injection. The REvil group has demanded 70 million US dollars to decrypt the affected systems. As for impact, it was confirmed that the attack was focused on VSA servers on customer premises (on-premises), so the number of affected customers was reduced to around 40, according to the company. The cloud-hosted VSA solutions and associated SaaS services would therefore not be affected, even though, when the incident first became known, the disconnection of all SaaS servers was requested. Despite the more limited number of potentially affected customers, the risk stems from the fact that some of them are managed service providers (MSPs), which could in turn affect their own customers. According to telemetry from ESET, which deployed detection rules for the Win32/Filecoder.Sodinokibi.N ransomware variant on July 2, the bulk of the compromises appear to be taking place in the UK, South Africa, Canada, Germany, the US and Colombia. As a preventive measure, it remains recommended that customers running Kaseya VSA on-premises keep VSA servers disconnected and use the tool provided by Kaseya to locate IoCs on VSA servers and VSA-managed machines in order to rule out possible compromise.
Cobalt Strike distribution using the Kaseya VSA incident as a lure
Malwarebytes researchers have detected a malspam campaign that uses the fallout from the Kaseya incident as a pretext to distribute Cobalt Strike to potential victims, masquerading as Microsoft security updates. In this campaign, the attackers attach a malicious file named “SecurityUpdates.exe” and include a link that redirects to a URL (hxxp://45.153.241[.]113/download/pload.exe), from which a supposed Microsoft update is downloaded that claims to help protect against ransomware threats. It is worth noting that the same methodology was used by threat actors to distribute Cobalt Strike after the Colonial Pipeline incident.
All the details: https://twitter.com/MBThreatIntel/status/1412518446013812737
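The two indicators quoted above (the attachment name and the download URL) are the kind of thing a mail gateway or SIEM rule should key on. The following is an added example, not code from Malwarebytes or from the original post: it scans constructed gateway log lines for those indicators, keeps the URL defanged in the indicator list and refangs it only in memory, and matches on the URL's host rather than the exact path so that a changed filename on the same server still fires. The log format and the `scan_mail_log` / `refang` helper names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators from the Malwarebytes report. The URL is stored defanged so the
# indicator list itself never contains a clickable link.
ATTACHMENT_NAMES = {"securityupdates.exe"}
DEFANGED_URLS = {"hxxp://45.153.241[.]113/download/pload.exe"}

# Full URL with host captured separately; used to extract hosts from log lines.
URL_RE = re.compile(r"https?://([^/\s\"']+)(\S*)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its literal form."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def indicator_hosts() -> set:
    """Hosts (IP or domain) of all URL indicators, lower-cased."""
    hosts = set()
    for u in DEFANGED_URLS:
        m = URL_RE.match(refang(u))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "attachment" or "url"
    indicator: str # what matched


def scan_mail_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per indicator match, in log order.

    Attachment names are matched case-insensitively as substrings; URLs are
    matched by host so any path on the indicator host is reported.
    """
    hosts = indicator_hosts()
    hits: List[Hit] = []
    for no, line in enumerate(lines, 1):
        low = line.lower()
        for name in ATTACHMENT_NAMES:
            if name in low:
                hits.append(Hit(no, "attachment", name))
        # Refang the line too, in case the log source already defanged it.
        for m in URL_RE.finditer(refang(line)):
            if m.group(1).lower() in hosts:
                hits.append(Hit(no, "url", m.group(0)))
    return hits


# Constructed sample gateway log (not real traffic); only lines 1 and 2 match.
SAMPLE_LOG = [
    '2021-07-06T09:14:02Z gw id=a1 from=alerts@example.net subject="Microsoft Security Update" attach=SecurityUpdates.exe',
    '2021-07-06T09:14:02Z gw id=a1 url=http://45.153.241.113/download/pload.exe',
    '2021-07-06T09:15:10Z gw id=a2 from=billing@example.net subject="Invoice" attach=invoice.pdf',
    '2021-07-06T09:16:33Z gw id=a3 url=https://www.microsoft.com/security',
]

if __name__ == "__main__":
    for h in scan_mail_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} indicator matched -> {h.indicator}")
```

Matching by host deliberately over-approximates: if the same server later serves a differently named payload, the rule still alerts, at the cost of flagging any other URL on that host.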
Microsoft update does not always fix PrintNightmare
Microsoft has released an urgent security update to patch the critical vulnerability known as PrintNightmare (CVE-2021-34527), for which only mitigating actions had been provided until now. This vulnerability allows remote code execution with SYSTEM privileges through the Windows Print Spooler service, giving an attacker the ability to install programs, view, modify or delete data, and even create new accounts with full user rights. Once the patch was released, several prominent security researchers reported that, under certain conditions, they had managed to bypass the Windows security update issued for PrintNightmare, again reproducing the vulnerability in the printing protocol both locally and remotely. The root cause lies in a flawed implementation of the updated code, which would still allow an attacker to execute arbitrary code remotely when PointAndPrint policies are active and the warning on installing new drivers is disabled (PointAndPrint NoWarningNoElevationOnInstall = 1). Microsoft has not yet made any statement on the subject. It therefore remains recommended to disable the print function on any system where it is not strictly necessary, whenever possible.
All the details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
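Because the reported bypass depends on the Point and Print policy described above, the practical check for a defender is whether a host has NoWarningNoElevationOnInstall set to 1 and whether the Print Spooler is still running. The following is an added example, not Microsoft's guidance or code from the original post: it reads the Point and Print policy values from HKLM on Windows (returning nothing on other platforms), queries the spooler state with `sc query spooler`, and classifies the host. The `assess_point_and_print` and `read_point_and_print_values` helper names are assumptions; the registry path is the standard Point and Print policy key, and UpdatePromptSettings is read only for context, not used in the verdict.

```python
import subprocess
import sys
from typing import Dict, Optional

# Standard Point and Print policy key under HKEY_LOCAL_MACHINE.
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
RISKY_VALUE = "NoWarningNoElevationOnInstall"
CONTEXT_VALUES = ("UpdatePromptSettings",)


def assess_point_and_print(values: Dict[str, Optional[int]],
                           spooler_running: bool = True) -> dict:
    """Classify a host from its PointAndPrint policy values.

    `values` maps value names to DWORDs (None when absent). The exposed
    condition named in the report is NoWarningNoElevationOnInstall = 1 while
    the spooler is running; a stopped spooler removes the attack surface.
    """
    nowarn = values.get(RISKY_VALUE)
    if not spooler_running:
        return {"exposed": False, "reason": "Print Spooler is not running"}
    if nowarn == 1:
        return {"exposed": True,
                "reason": f"{RISKY_VALUE}=1: driver installs skip the warning/elevation prompt"}
    return {"exposed": False,
            "reason": f"{RISKY_VALUE} is {nowarn!r}: warning/elevation prompt still enforced"}


def read_point_and_print_values() -> Dict[str, Optional[int]]:
    """Read policy values from HKLM on Windows; empty mapping elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY)
    except FileNotFoundError:
        return {}  # policy key absent: no Point and Print policy configured
    out: Dict[str, Optional[int]] = {}
    with key:
        for name in (RISKY_VALUE,) + CONTEXT_VALUES:
            try:
                out[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                out[name] = None
    return out


def spooler_is_running() -> bool:
    """Ask the Service Control Manager whether the Print Spooler is running."""
    if sys.platform != "win32":
        return False
    result = subprocess.run(["sc", "query", "spooler"], capture_output=True, text=True)
    return "RUNNING" in result.stdout


if __name__ == "__main__":
    verdict = assess_point_and_print(read_point_and_print_values(), spooler_is_running())
    print("EXPOSED" if verdict["exposed"] else "ok", "-", verdict["reason"])
```

Run it with administrative rights on the hosts in question; a non-Windows run only exercises the classification logic, which is why the verdict is computed from plain values rather than inside the registry reader.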
Analysis of the GrimAgent malware, linked to Ryuk’s operations
Group-IB researchers have carried out a technical analysis of the GrimAgent malware, a new backdoor linked to Ryuk’s operations following the dismantling of previously used infection vectors such as Emotet and Trickbot. The link between this malware and Ryuk was established through analysis of GrimAgent’s C2 servers: when a request was made to the malware’s C2 domain, it returned content designed for Ryuk’s victims. Based on this relationship, the researchers suggest that GrimAgent is being used as part of Ryuk’s operations. They also note that no sales of this malware on underground forums have been identified, nor any use of it in the infection chains of other ransomware families. GrimAgent’s main functions include collecting system information (IP, location, OS, usernames, privileges, etc.) and downloading and executing shellcode and DLLs. The researchers also highlight its ability to evade different security measures, which indicates that we are dealing with a meticulous and highly capable actor.
More info: https://blog.group-ib.com/grimagent
Vulnerability in access to QNAP NAS devices
QNAP has fixed an unauthorised access vulnerability in its network-attached storage (NAS) devices. The vulnerability (CVE-2021-28809), discovered by researchers at the TXOne IoT/ICS Security Research Lab, stems from a bug in the software that does not properly restrict access privileges, allowing an attacker to escalate privileges, execute remote commands and compromise the device, gaining unauthorised access to sensitive information. QNAP recommends upgrading HBS 3 to the latest version available for the QTS release in use: HBS 3 v3.0.210507 or later on QTS 4.3.6, HBS 3 v3.0.210506 or later on QTS 4.3.4, and HBS 3 v3.0.210506 or later on QTS 4.3.3. QNAP NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected. This is not the first time recently that QNAP has had to fix vulnerabilities of this type: in April this year it patched a poor access management issue that gave backdoor access to its devices and which ended up being exploited by several ransomware operators, including Qlocker, AgeLocker and eCh0raix.
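For a fleet of NAS devices, the advisory above reduces to a per-device comparison of the installed HBS 3 version against the fixed version for that QTS branch, with the QTS 4.5.x / HBS 3 v16.x combination treated as unaffected. The following is an added example, not QNAP's code or code from the original post: it parses version strings into comparable tuples and returns a status per device. The `hbs3_status` and `parse_version` helper names and the inventory format are assumptions; the version thresholds are those stated in the advisory.

```python
import re
from typing import Tuple

# Fixed HBS 3 version per QTS branch, as listed in the QNAP advisory.
FIXED_HBS3 = {
    "4.3.6": "3.0.210507",
    "4.3.4": "3.0.210506",
    "4.3.3": "3.0.210506",
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'v3.0.210507', 'QTS 4.3.6' or '4.5.4.1715' -> tuple of ints.

    Tuples compare element by element, so '3.0.210507' > '3.0.210430' even
    though a plain string comparison would also happen to work here.
    """
    nums = re.findall(r"\d+", s)
    if not nums:
        raise ValueError(f"no version numbers in {s!r}")
    return tuple(int(n) for n in nums)


def hbs3_status(qts: str, hbs3: str) -> str:
    """Return 'not_affected', 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means the QTS branch is not covered by the advisory, which a
    fleet owner should treat as needing manual review rather than as safe.
    """
    q = parse_version(qts)
    h = parse_version(hbs3)
    # QTS 4.5.x with HBS 3 v16.x is explicitly listed as not affected.
    if q[:2] == (4, 5) and h[0] == 16:
        return "not_affected"
    for branch, fixed in FIXED_HBS3.items():
        if q[:3] == parse_version(branch):
            return "fixed" if h >= parse_version(fixed) else "vulnerable"
    return "unknown"


# Constructed inventory (hostname, QTS version, HBS 3 version); not real devices.
INVENTORY = [
    ("nas-01", "QTS 4.3.6", "v3.0.210507"),
    ("nas-02", "4.3.6", "v3.0.210430"),
    ("nas-03", "4.3.4", "v3.0.210506"),
    ("nas-04", "4.5.4.1715", "v16.0.0415"),
    ("nas-05", "4.2.6", "v3.0.210101"),
]


def audit(inventory=INVENTORY) -> dict:
    """Map hostname -> status for every device in the inventory."""
    return {host: hbs3_status(qts, hbs) for host, qts, hbs in inventory}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```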