This episode of The Cybersecurity Insider dives into an unfiltered, insightful conversation with host Yigal Behar and cybersecurity expert Seth Melendez of WareGeeks Solutions.
Their wide-ranging discussion covers the alarming rise of supply chain attacks, the insidious nature of botnets, the urgent need for businesses to reassess their cybersecurity practices, and more!
Kaseya Suffers Major Ransomware Attack
Yigal updates Seth on the recent ransomware attack exploiting a vulnerability in Kaseya’s update mechanism.
The attack pushed REvil ransomware to Kaseya’s VSA customers. Notably, the Coop, a Swedish supermarket chain, had to shut down its stores due to the attack. The attackers demand a ransom of 70 million dollars in Bitcoin and claim to have infected over a million devices. They promise to provide a universal decryptor to decrypt the data if Kaseya pays the ransom.
Seth points out that while the details are still emerging, the responsibility ultimately lies with Kaseya as the update originated from them. He emphasizes that the customers did nothing wrong except receive updates from their vendor, which parallels a hypothetical scenario involving a hacked patch from Microsoft. Further, Kaseya’s VSA server has a setting to automatically push updates to agents, which seems to be how the ransomware spreads rapidly.
Zero-Day Exploit & Attack Strategy
Yigal clarifies that the attack only directly impacts customers with on-premise VSA servers. However, Kaseya also shut down its software-as-a-service (SaaS) mechanism as a precaution, affecting customers who manage their VSA agents on the cloud.
Research suggests that the vulnerability exploited in the Kaseya server was a zero-day vulnerability, meaning there was no patch available at the time of the attack. The attackers used this vulnerability to deploy the REvil ransomware through the agent.
They also gained access to Kaseya’s cloud-managed VSA instance server to strategize on maximizing the impact of their attack. Targeting MSPs (managed service providers) would be the most effective approach due to their magnitude of infecting a larger number of systems.
The Double-Edged Sword Of Functionality & Security
Yigal shifts the conversation to discussing remote management tools (RMMs) and their security risks. While RMMs are beneficial for MSPs, they can introduce vulnerabilities from a customer’s perspective. An additional agent with extensive control over devices raises concerns, as demonstrated by the potential for compromised updates from vendors like Microsoft.
The attackers in the Kaseya incident employed a sophisticated approach using an outdated Microsoft endpoint protection certificate to hide their presence and disabling Microsoft Defender for the initial stages of the attack.
They exploited Kaseya’s recommendation not to scan the installation folder for the product to function properly. The irony lies in the fact that the attackers used Kaseya’s tools against them. Yigal says, “So it’s better to break the solution in this case than having a ransomware.”
The Mystery Of The Attack Vector
Seth expresses his curiosity about how the attackers managed to infiltrate the system. He wonders if they breached the deployment server for patches, similar to the SolarWinds attack, or if they found a different vulnerability to exploit. He seeks to understand how the attackers accessed the client sites and planted their backdoor.
He then recalls his experience working with an application company that used Visual Studio suites for software updates. The updates were stored in a repository, and any changes would be automatically applied to the software.
Seth ponders how the attackers bypassed the usual logging and approval process for patches, stressing the need to verify the origin and integrity of updates before they are applied to systems.
Exploiting Weaknesses In The Update Verification Process
According to Seth, it’s important to have a strong system to check updates carefully before sending them to users. He questions how a file with a fake certificate appeared at the distribution point and how it bypassed the standard verification process.
While the exact details remain unclear, Yigal speculates that the attackers might have modified the certificate and renamed the files on the targeted machine. There is uncertainty about what transpired on Kaseya’s systems, but it’s possible the attackers gained control and manipulated existing file names to replace them with their malicious files.
This shows why it’s important to verify file signatures. Failing to do so could lead to attackers exploiting weaknesses in the verification process.
Seth adds that many organizations use MD5 hashes or other types of hashes to ensure the integrity of files throughout the update process. These signatures are checked at multiple stages, and any file without the correct signature should not be deployed. The fact that the malicious file in the Kaseya incident bypassed these checks suggests a breakdown in the verification process, leaving systems exposed to the ransomware attack.
Timing Is Key
Yigal theorizes that the attackers strategically launched the attack around the 4th of July holiday, using the reduced capacity for response due to vacations. Evidence suggests that the files were recompiled and prepared on July 1st, with the attack commencing on July 2nd. This timing likely aimed to hinder a swift and effective response from security teams.
While the exact number of affected devices remains uncertain, Kaseya estimates that 800 to 1500 of their MSP customers were impacted. If each MSP manages hundreds of devices, this could translate to a considerable number of compromised systems. Yigal notes the discrepancy between Kaseya’s estimate and the attackers’ claim of infecting a million devices.
Both Yigal and Seth agree that further investigation is needed to understand the attack’s specifics, particularly how the malicious files bypassed the usual signature verification processes.
Yigal reiterates the importance of checking signatures at every stage, as even a minor update should trigger a change in the file’s signature. He adds, “I think the timing was crucial for this attack to be successful. That’s what I believe.”
PrintNightmare Exploits All Versions of Windows
Yigal moves the discussion to another zero-day vulnerability affecting all Windows versions, known as PrintNightmare. A research group discovered the vulnerability and published the proof-of-concept code, which hackers quickly exploited.
Although Microsoft reportedly had a patch, its effectiveness is questioned, as the only workaround so far involves disabling the spooler service, effectively preventing printing from affected computers.
Seth remarks that the printer spooler has been an issue since Windows NT 4.0, so the discovery of this exploit doesn’t surprise him. He likens it to SMB (Server Message Block), another vulnerability frequently targeted if the network is open or accessible.
The practicality of disabling the printer spooler, as printing is still necessary in some cases. Seth suggests that printing isn’t as common as it once was, but believes its occasional use. Yigal adds that exploiting PrintNightmare requires valid credentials, implying that unauthorized access to the system is a prerequisite for the attack.
Seth clarifies that exploiting PrintNightmare requires an authenticated user to call the RPC (Remote Procedure Call) associated with the printer driver. This means that attackers need valid credentials to execute arbitrary code with system privileges, and the vulnerability is not easily exploitable by unauthorized users.
Cyber Insurance’s Limited Impact On Cybersecurity
Yigal and Seth transition to discussing cyber insurance in cybersecurity. Recent findings suggest that cyber insurance doesn’t appear to be improving cybersecurity practices. Seth expects insurance companies to enforce standardized security requirements, similar to other types of insurance like car insurance.
However, the reality is different. Each company is allowed to set its standards, and there is a lack of consistent guidelines from the insurance industry. Consequently, the minimum standard for cyber insurance has shifted, and companies with smaller policies may not undergo thorough vetting despite submitting paperwork. This lack of validation raises concerns about the actual implementation and effectiveness of cybersecurity controls.
Yigal agrees, assuming that insurers would mandate certain standards to improve cybersecurity posture. However, he notes that the current practice primarily focuses on paperwork and policies, without necessarily verifying the presence and effectiveness of the claimed security controls. This disconnect between documentation and implementation stunts the possibility of cyber insurance to drive meaningful improvements in cybersecurity.
Yigal shares findings from a study conducted by the Royal United Services Institute in Britain, which explores the role of cyber insurance in incentivizing better cybersecurity practices. The study reveals that cyber insurance, in its current state, has a limited impact on improving cybersecurity practices among policyholders, contrary to the expectations of policymakers and businesses.
Seth says the problem is that there are no set rules for cyber insurance. Some companies have good rules, but others don’t, and that’s why cyber insurance doesn’t always help. He advises individuals seeking cyber insurance to prioritize standards over price, ensuring that the chosen policy meets or exceeds established frameworks like ISO or NIST.
Yigal concurs that the issue lies not with the insurance companies but with the policyholders themselves. Policyholders often opt for insurance with minimal requirements and the least amount of effort needed to obtain coverage. However, when a cyber attack occurs, these policyholders face the consequences due to their lack of due diligence in protecting their data. Ultimately, they bear the brunt of the attack’s impact.
Choosing A Reputable Cyber Insurance Provider
Seth draws a parallel with car insurance, pointing out that some companies offer lower prices by excluding certain coverage or minimizing payouts for specific incidents, like accidents and personal injury.
Seth says it’s really important to pick a good cyber insurance company. Reputable providers are more likely to enforce standards and provide better coverage in protecting you in the event of a cyber attack. He also relates stories of people who had problems with less reputable insurance companies, contrasting this with the smoother claims process with well-established providers like Geico.
Yigal says that having cyber insurance, even if it’s just for covering forensic investigations and other incident-related costs, is better than having no coverage at all.
Microsoft Investigates Malicious Driver Certified Through Its Program
Yigal and Seth turn their attention to another Microsoft incident. Microsoft is investigating how its Windows Hardware Compatibility Program certified a malicious driver known as Netfilter. This driver, used in gaming environments, can decrypt internet traffic and send it to another machine. Microsoft has taken action by suspending the account responsible for submitting the driver.
Seth says that the gaming community is a big market, and the potential impact of this malicious driver extends beyond just gaming machines. Yigal maintains that the driver possibly exists on other Windows machines, exploiting the fact that drivers load before the operating system, granting them higher privileges. He explains that antivirus solutions often run at the driver level to intercept data before it reaches the disk. Both Yigal and Seth express concerns because these attacks are getting more difficult and complex.
New Activity From SolarWinds Threat Actor
Yigal brings up another news item regarding Microsoft. The Microsoft Security Response Team is tracking new activity from the notorious SolarWinds threat actor. This activity involves password spray and brute-force attacks, with the actor compromising a computer used by a Microsoft customer support employee to launch targeted attacks.
Seth lacks surprise about the ongoing nature of such threats. He admits that he hasn’t heard much about this specific incident but understands that there have been several other security issues involving Microsoft recently, including PrintNightmare and vulnerabilities in Netgear routers. He also mentions seeing another issue related to PowerShell, indicating a broader range of security concerns for Microsoft.
Yigal mentions receiving frequent emails from Microsoft about vulnerabilities and patches and how quickly hackers try to exploit these newly discovered weaknesses.
Seth explains the technique of reverse password guessing, where attackers try different usernames with the same password instead of the usual method of trying different passwords with the same username. This approach avoids triggering account lockout policies, which is a stealthier method for gaining unauthorized access.
Both Yigal and Seth strongly recommend using MFA as the best security control available to protect against these types of attacks.
Attack On Zyxel Firewalls & VPNs
Yigal brings up another news item regarding Zyxel, a network security appliance vendor. Zyxel recently published an advisory warning about a sophisticated attack targeting six of their security appliances, specifically those with remote management or SSL VPN enabled in the USG (Unified Security Gateway), USG FLEX, ATP, and VPN series.
The attacker attempts to gain access to these devices through the WAN zone using brute-force attacks, a method where they systematically try different combinations of usernames and passwords until they find the correct one.
The Limitations Of All-in-One Security Appliances
Seth mentions owning a mini Wi-Fi box from Zyxel and wonders if it needs updating. He doubts the device’s ability to handle commercial use, as it is designed for home and small applications.
Yigal agrees that enterprise-level security requires separate devices for different functions, unlike the all-in-one solutions typically used in homes. He recognizes that unified devices, where a single appliance serves as a firewall, VPN, web proxy, and more, have become common due to market demand for simplified management.
Seth contrasts this with companies that offer a unified management console for multiple separate devices, providing a “single pane of glass” view while maintaining the benefits of specialized hardware. He mentions Ubiquiti and pfSense as examples of such solutions. He asserts that all-in-one devices inevitably sacrifice some level of security to achieve their versatility.
Choosing The Right Equipment For The Job
Seth shares his personal experience with a Ubiquiti router, realizing that it wasn’t a business-grade device until experiencing speed loss during packet inspection. The device couldn’t handle packet inspection beyond 70 Mbps, forcing him to upgrade to a higher-tier model.
Yigal says that consumer-level devices, especially those designed for home use, are not equipped to handle the bandwidth demands of larger connections or activities like gaming. These devices can easily become overloaded with gigabit speeds and multiple connections.
Proper sizing is important when selecting network equipment. It’s best to ensure that the chosen device can adequately process the bandwidth requirements of the ISP and the expected usage. Seth explains that lower-tier devices often sacrifice certain features or performance aspects to reduce costs, resulting in a “watered-down” version compared to their higher-end counterparts.
Yigal and Seth recognize that consumer-grade routers like Netgear and Linksys are not recommended for business use, although some people may use them in small business settings. Seth adds, “One of the other issues is that’s been the problem with the home users, because now you’re going into [an] environment with consumer-grade stuff working from home, and you have to protect a business now, or your business data. That’s been one of the biggest issues [sic] young companies will send you equipment.”
Cisco ASA Vulnerability Actively Exploited After Exploit Released
Seth brings up a Cisco ASA vulnerability actively exploited by hackers after a proof of concept was published on Twitter. Cisco initially disclosed this vulnerability and released a patch in October 2020, followed by another fix in April.
Seth strongly criticizes those who haven’t applied these patches as it’s their responsibility to keep their systems updated. He questions the blame on Cisco when they proactively addressed the issue multiple times, shifting the responsibility to the users who haven’t taken action.
Yigal maintains that MSPs (Managed Service Providers) should inform their clients about relevant security vulnerabilities and threats and take responsibility for keeping their clients’ environments secure. If an MSP fails to provide adequate information or take action, Yigal encourages business owners to directly call them and demand a better response.
Yigal points out that MSPs should be transparent and proactive about security issues, just as his team does. He believes open communication and taking action are key to maintaining trust and ensuring effective cybersecurity.
Importance Of Patch Verification & Reporting
Seth urges the need to make sure that patches are installed correctly, as they don’t always install successfully. He suggests using vendor-provided tools, like those offered by Microsoft and Cisco, to scan and ensure all patches are in place. He insists that “a lot of the vendors give you the tools to validate that you are up-to-date and if something didn’t patch properly, then you can repatch that.”
He explains that after conducting vulnerability and patch testing, they generate reports for their clients, detailing the status of their systems and confirming that everything is up to date. This transparency keeps clients informed and reassured about their security posture.
Seth also points out that not all patches are relevant to every piece of equipment. For instance, the Cisco ASA patch might not apply to specific models.
The Need For Self-Assessment In The MSP Industry
Yigal shares an anecdote about a conversation with a New York-based MSP who expressed interest in penetration testing for their clients. However, he observes that even among MSPs and IT professionals, there’s often a lack of understanding about the specifics of their requests.
He accepts that the MSP’s interest in assessing their clients’ security is a positive sign, but also highlights the need for them to evaluate their own environment as well. Yigal stresses that MSPs should also conduct penetration testing on their own systems to ensure comprehensive security.
Protecting MSPs & Their Clients
Seth adds that a recent discussion in one of their professional groups focused on steps individuals and businesses should take to secure their environments. He and Yigal have discussed this topic before and consider compiling a list of recommendations.
Seth points to the growing trend of attackers targeting vendors and their software, particularly in the MSP space.
He cites examples like the recent Kaseya breach and the earlier SolarWinds incident, where attackers compromised software providers to gain access to their clients.
Seth asserts that the threat extends beyond MSPs, as attackers can target any software provider, including major players like Microsoft, VMware, and SentinelOne. Yigal chimes in, “I’m sure all those companies are now a valid target for any kind of a threat actor these days.”
“If you think you’re not a target then you’re mistaken,” Seth warns.
The Illusion Of Not Being A Target
Seth recounts a conversation from a previous meeting where someone claimed that their company wasn’t a target for cyberattacks. Yigal doesn’t recall the specific incident, prompting Seth to elaborate.
Seth explains that the individual, in response to concerns about increased email spam and ransomware attacks, dismissed the threat by claiming they weren’t a notable target. Yigal promises to review the recording of the meeting, but Seth assures him that the individual explicitly stated their perceived immunity.
Seth expresses his disbelief at this sentiment, questioning the reality in which people believe they are not targets for cyberattacks, especially when their company falls into the category of businesses frequently targeted by threat actors.
Seth says that the size or nature of a business doesn’t matter when it comes to being targeted for cyberattacks. Even a small corner store selling candy can become a target if it has a computer, as attackers often don’t care about the specific data or assets a business holds.
He explains that the attackers’ primary goal is to exploit compromised computers as resources in attacks against others. By infecting multiple machines, they create a network of bots that can be used to launch attacks on a larger scale. Even if a small business doesn’t possess valuable data, its computer can still be used to attack other companies, amplifying the attacker’s reach.
Seth describes how these attacks can occur unnoticed, with the computer’s CPU spiking during off-hours as it participates in attacks on other targets.
Silent Threat Of Botnets
Yigal compares being an unknowingly compromised computer to being a passive smoker, unwittingly contributing to a larger harmful activity.
Seth explains that these compromised machines become part of a botnet, a network of computers used by attackers to carry out malicious actions like DDoS attacks or vulnerability scanning.
A botnet of a thousand computers can collect a vast amount of information through vulnerability scans within a week. Attackers exploit this collective computing power to target other systems, even major vendors.
The insidious nature of these attacks lies in the fact that the infected computer’s owner might never realize their machine is part of a botnet army. There might be no visible signs of compromise unless the user notices unusual CPU spikes or finds suspicious logs. The computer remains functional, making it difficult for the owner to detect the malicious activity “until it’s very late,” Yigal chimes in.
In fact, the owner might attribute any performance issues to other causes, such as the need for more memory or maintenance. They might even unknowingly grant remote access to their MSP for troubleshooting, likely giving the attackers further access and control.
Seth shares his experience with people complaining about slow computers, where they rarely consider the possibility of being part of a botnet. He recommends regularly cleaning and checking computers, suggesting the use of performance monitoring tools to track unusual activity.
Seth adds that even those with powerful gaming servers can be unknowingly infected. He suggests a simple method for detecting a compromise: monitoring computer performance. If resources spike unexpectedly during idle times, it’s a strong indicator of being part of a botnet.
Botnets Are The Hidden Power Of Compromised Computers
Seth recalls a program called Folding@home, which allows users to donate their computer’s processing power to scientific research, like mapping genomes. This program operates by sending threads of work to users’ computers during idle times. He uses this as an analogy to explain how botnets work, where hackers use compromised computers for their own purposes without the owners’ knowledge.
Seth shares his personal experience of seeing a botnet control console. He describes it as a tool similar to Outlook, where hackers can view a list of infected machines and access their cameras, desktops, and hard drives. Yigal suggests that MSPs could potentially use similar tools for management purposes.
Seth describes the irony that the tools used by hackers are often more sophisticated than those used by legitimate IT professionals. He warns that attackers can easily distribute malicious tasks across their network of compromised machines, using the collective computing power for various purposes. This exploitation of resources often goes unnoticed by users, who might simply experience a slower computer.
Don’t miss out on our other insightful episodes covering a wide range of cybersecurity topics. You can find The Cybersecurity Insider podcast on YouTube, Apple Podcasts, and Spotify!
