by Richard Beck

Kaseya releases patches for vulnerabilities exploited in ransomware attack

IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services. Kaseya shut down its VSA remote monitoring and management product on 2 July, shortly after learning of a ransomware attack targeting the company and its customers. The attackers exploited zero-day vulnerabilities in VSA to deliver REvil ransomware to the MSPs that use the product, as well as to their customers – it’s currently estimated that between 800 and 1,500 organisations were hit. While only on-premises VSA installations were targeted, Kaseya also shut down SaaS services as a precaution. After its initial attempt to restore services failed, the company over the weekend released patches for the on-premises product and started restoration of SaaS services.

The latest update, provided by the company early on Monday morning, said SaaS services had been restored for 95% of customers. As for the patch for on-premises installations, VSA 9.5.7a fixes a total of six security holes: a credentials leak and business logic flaw (CVE-2021-30116); an XSS vulnerability (CVE-2021-30119); a 2FA bypass issue (CVE-2021-30120); an issue related to secure flags not being used for user portal session cookies; a password hash exposure issue that could be useful for brute-force attacks; and an unauthorised file upload vulnerability. The flaws that have been assigned a CVE identifier are three of the seven issues reported to Kaseya in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had patched some of the vulnerabilities before the REvil ransomware attack was launched, but some remained unfixed, enabling the attackers to exploit them to achieve their goals.

US government responds to ransomware attacks

As part of the ongoing response, agencies across the US government announced new resources and initiatives to protect American businesses and communities from ransomware attacks. The US Department of Justice (DOJ) and the US Department of Homeland Security (DHS), together with federal partners, have launched a new website to combat the threat of ransomware. StopRansomware.gov establishes a one-stop hub for ransomware resources for individuals, businesses and other organisations. The new StopRansomware.gov is a collaborative effort across the federal government and is the first joint website created to help private and public organisations mitigate their ransomware risk.

“The Department of Justice is committed to protecting Americans from the rise in ransomware attacks that we have seen in recent years,” said Attorney General Merrick B. Garland of the Justice Department.

“Along with our partners in and outside of government, and through our Ransomware and Digital Extortion Task Force, the Department is working to bring all our tools to bear against these threats. But we cannot do it alone. It is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”

StopRansomware.gov is the first central hub consolidating ransomware resources from all federal government agencies. Before today, individuals and organisations had to visit a variety of websites to find guidance, the latest alerts, updates and resources, increasing the likelihood of missing important information. 

IoT-specific malware infections jumped 700% amid pandemic

A new report based on fresh telemetry from internet of things (IoT) devices shows a dramatic increase in attacks on those devices during the work-from-home phase of the Covid-19 pandemic: there were some 300,000 attack attempts using IoT malware during a two-week period in December 2020.

The IoT malware, blocked by Zscaler, represented a 700% increase in activity against these devices compared with data gathered by the security firm before the pandemic. Nearly all of the IoT malware belonged to the infamous Gafgyt and Mirai families, and more than 500 different types of IoT devices, including printers, digital signs and smart TVs, were communicating with corporate IT networks while waves of employees were working from home amid the pandemic.

Nearly 60% of the attacks came out of China, followed by the US and India. Ireland (48%), the US (32%), and China (14%) suffered the most IoT attack attempts, and most attacks hit technology, manufacturing, retail and healthcare organisations. The most targeted IoT devices were set-top boxes (29%), smart TVs (20%), and smartwatches (15%). Meanwhile, most of the risky IoT traffic came from manufacturing and retail devices, including 3D printers, barcode readers, and payment terminal devices.

Microsoft announces 117 new flaws, including 9 zero-days

Microsoft rolled out Patch Tuesday updates for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems. Of the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release. The updates span across several of Microsoft's products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code.

July marks a dramatic jump in the volume of vulnerabilities, surpassing the number Microsoft collectively addressed as part of its updates in May (55) and June (50).

The flaws under active exploitation are:

  • CVE-2021-34527 (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed as "PrintNightmare")
  • CVE-2021-31979 (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-33771 (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-34448 (CVSS score: 6.8) - Scripting Engine Memory Corruption Vulnerability

Microsoft also stressed the high attack complexity of CVE-2021-34448, specifically stating that the attacks hinge on luring an unsuspecting user into clicking on a link that leads to a malicious website that is hosted by the adversary and contains a specially crafted file engineered to trigger the vulnerability.

The other five publicly disclosed, but not exploited, zero-day vulnerabilities are listed below:

  • CVE-2021-34473 (CVSS score: 9.1) - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 (CVSS score: 9.0) - Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-33781 (CVSS score: 8.1) - Active Directory Security Feature Bypass Vulnerability
  • CVE-2021-33779 (CVSS score: 8.1) - Windows ADFS Security Feature Bypass Vulnerability
  • CVE-2021-34492 (CVSS score: 8.1) - Windows Certificate Spoofing Vulnerability

Ransomware targeting VMware ESXi platforms

The HelloKitty ransomware gang is using a Linux variant of its malware to target the VMware ESXi virtual machine platform. The move aims at expanding the gang's operations against enterprises that are increasingly adopting virtualisation platforms: by targeting VMware ESXi systems, threat actors could encrypt as many virtual machines as possible, with a significant impact on the victims.

Researchers from MalwareHunterTeam spotted multiple Linux ELF64 versions of the HelloKitty ransomware designed to target VMware ESXi servers and encrypt the virtual machines hosted on them. HelloKitty isn’t the only ransomware that targets ESXi servers: Babuk, RansomExx, Mespinoza and DarkSide also implement this capability. In June, MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets the ESXi platform.

D-LINK wireless router vulnerabilities

Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code. TALOS-2021-1281 (CVE-2021-21816) and TALOS-2021-1282 (CVE-2021-21817) are information disclosure vulnerabilities in the router that could be triggered by a specially crafted network request. An attacker could exploit these vulnerabilities to view the device’s system log. 

TALOS-2021-1283 (CVE-2021-21818) and TALOS-2021-1285 (CVE-2021-21820) are both hardcoded password vulnerabilities. However, TALOS-2021-1283 could cause a denial of service, while TALOS-2021-1285 could allow an attacker to execute code on the router. Users are encouraged to update the affected product as soon as possible: D-LINK DIR-3040 router, version 1.13B03. Talos tested and confirmed that the listed version of the DIR-3040 could be exploited by these vulnerabilities.

Previous editions of Cyber Pulse
