<?xml version="1.0"?>
<rss version="2.0"><channel><title>My Articles: My Articles</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/?d=3</link><description>My Articles: My Articles</description><language>en</language><item><title>Critical Ransomware Incident - Massive cyberattack through tech provider Kaseya</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/criticial-ransomware-incident-massive-cyberattact-through-tech-provider-kaseya-r225/</link><description><![CDATA[
<p><img src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_07/Criticial-Ransomware-Incident---Massive-cyberattact-through-tech-provider-Kaseya.jpg.2fc3893a67f00feccd047f6c39a086c4.jpg" /></p>
<p>
	<strong>IT management software vendor <a href="https://beta.jimiwikman.se/companies/north-america/united-states-of-america/kaseya-r53/" rel="">Kaseya</a>, whose VSA software platform is used by other tech companies to monitor and manage customers’ IT networks, has been the victim of an audacious cyberattack. On July 2, the business issued a security advisory urging its customers to immediately shut down versions of VSA running on their own servers. It also suspended its own cloud-based VSA service.</strong>
</p>

<p>
	Kaseya VSA is a remote management platform for managed service providers (MSPs) that provides solutions such as automated patch management. According to Kaseya, the platform has been used by more than 36,000 MSP customers worldwide.
</p>

<p>
	"Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya's Incident Response team learned of a potential security incident involving our VSA software," the company's CEO Fred Voccola <a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021" rel="external nofollow" target="_blank">said</a> in a statement shared late Friday.
</p>

<p>
	Kaseya's official recommendation is: "IMMEDIATELY shutdown your VSA server until you receive further notice from us."
</p>

<blockquote class="ipsQuote" data-gramm="false" data-ipsquote="">
	<div class="ipsQuote_citation">
		Quote
	</div>

	<div class="ipsQuote_contents ipsClearfix" data-gramm="false">
		<p>
			We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.
		</p>
	</div>
</blockquote>

<p>
	This attack has already compromised eight of Kaseya's MSP customers, with 200 businesses linked to three of the victims reporting instances of file encryption. <a href="https://reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/h3u5j2e/" rel="external nofollow" target="_blank">This Reddit post from huntresslabs</a> shows the progress of sorting out how to handle this ransomware attack.
</p>

<p>
	On Friday, <a href="https://twitter.com/markloman/status/1411035534554808331" rel="external nofollow" target="_blank">Mark Loman</a>, a malware analyst at security firm Sophos, tweeted that the hackers demanded $5 million as ransom in exchange for the file decryptor. The image below comes from <a href="https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html" rel="external nofollow" target="_blank">thehackernews.com</a>.
</p>

<p>
	<a href="https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html" rel="external nofollow" target="_blank"><img alt="Screenshot of the Kaseya REvil ransomware note." class="ipsImage ipsImage_thumbnailed" data-fileid="405" data-ratio="81.59" data-unique="sq2sq5sxm" style="width: 728px; height: auto;" width="728" src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_07/REvil-ransomware.jpg.120f43c44ded294a11d6b33ffb3a4625.jpg"></a>
</p>

<p>
	This seems to be quite nasty, and here in Sweden it has affected one of our grocery store chains, which is unable to take payments because the attack has hit their checkout systems. In the US hundreds of companies have been affected, and it is safe to assume that many companies in the EU and elsewhere might be affected as well.
</p>

]]></description><guid isPermaLink="false">225</guid><pubDate>Sat, 03 Jul 2021 11:09:00 +0000</pubDate></item><item><title>Serious vulnerability in Windows Print Spooler "Print Nightmare"</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/serious-vulnerability-in-windows-print-spooler-print-nightmare-r224/</link><description><![CDATA[
<p><img src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_07/Serious-vulnerability-in-Windows-Print-Spooler-Print-Nightmare.jpg.f40f2fc42844c9af87e70efd253f2327.jpg" /></p>
<p>
	<strong>If you have the "Print Spooler" service enabled (which is the default), it means that anyone with access can execute code as SYSTEM against the Windows domain controller. At present, there is no patch from Microsoft. So take a break from your vacation and turn off the service immediately. </strong>
</p>

<p>
	From <a href="https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability" rel="external nofollow">Tenable's blog</a>:
</p>

<blockquote class="ipsQuote" data-gramm="false" data-ipsquote="">
	<div class="ipsQuote_citation">
		Quote
	</div>

	<div class="ipsQuote_contents ipsClearfix" data-gramm="false" spellcheck="false">
		<p>
			Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.
		</p>
	</div>
</blockquote>

<p>
	<video class="ipsEmbeddedVideo" controls="" data-fileid="404" data-unique="oq5uf3lbp" data-video-embed="" id="ips_uid_9809_7" src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_07/E5GOlYUXwAUyqzU.mp4.aad5bacd5d5fbc24215ac88d04c2dd0e.mp4">
		<source type="video/mp4" data-video-src="//ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_07/E5GOlYUXwAUyqzU.mp4.aad5bacd5d5fbc24215ac88d04c2dd0e.mp4"><a class="ipsAttachLink" data-fileext="mp4" data-fileid="404" href="https://beta.jimiwikman.se/applications/core/interface/file/attachment.php?id=404" rel="">E5GOlYUXwAUyqzU.mp4</a>
	</source></video>
</p>

<p>
	More information from Microsoft: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675" ipsnoembed="true" rel="external nofollow">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675</a>
</p>

]]></description><guid isPermaLink="false">224</guid><pubDate>Sat, 03 Jul 2021 10:44:00 +0000</pubDate></item><item><title>Security flaw in Sudo - Heap-Based Buffer Overflow allows root access</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/security-flaw-in-sudo-heap-based-buffer-overflow-allow-root-access-r208/</link><description><![CDATA[
<p><img src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_01/654289193_SecurityflawinSudo-Heap-BasedBufferOverflowallowrootaccess.jpg.da794cad58eb3c213afd03f8aeae16a0.jpg" /></p>
<p>
	<strong>A new security flaw has been identified in the sudo software. Sudo, which is installed by default in many operating systems, is by default setuid root. This means that any flaw in it can allow local users to obtain root permissions.</strong>
</p>

<p>
	Over the years, sudo has also grown larger and more features have been added. This has, among other things, led to OpenBSD now offering an alternative called doas.
</p>

<p>
	Yesterday, the <a href="https://beta.jimiwikman.se/companies/north-america/united-states-of-america/qualys-r30/" rel="">American security company Qualys</a> <a href="https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit" rel="external nofollow">reported that they had identified a vulnerability in sudo</a> (CVE-2021-3156). The vulnerability allows a local user to exploit a heap-based buffer overflow and thus gain root. The bug has been present since 2011 and is exploitable in the default configuration. It is important to point out that it affects the default configuration, as many vulnerabilities previously discovered in sudo require non-standard configurations.
</p>

<p>
	The vulnerability is found in the set_cmnd() function and can be most easily triggered by using sudoedit with the following command:
</p>

<pre class="ipsCode" id="ips_uid_3141_10">
sudoedit -s '\' `perl -e 'print "A" x 65536'` </pre>

<p>
	If you are vulnerable, the command produces a segfault. Note that you need a local account, but it does not need to be a member of sudoers or similar. Also note that not all installations have sudoedit; macOS, for example, does not.
</p>

<p>
	Video from Qualys demonstrating the vulnerability:
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="480" src="https://player.vimeo.com/video/504872555?app_id=122963" title="CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)" width="640"></iframe>
	</div>
</div>

]]></description><guid isPermaLink="false">208</guid><pubDate>Sat, 30 Jan 2021 10:04:00 +0000</pubDate></item><item><title>LogoKit Phishing Kit allows near-instant websites using JavaScript</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/logokit-phishing-kit-allow-near-instant-websites-using-javascript-r207/</link><description><![CDATA[
<p><img src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_01/1905037407_LogokitPhishingKitallownearinstantwebsitesusingJavaScript.jpg.635f822651ed8ebb4b49fb4fc2e85ed2.jpg" /></p>
<p>
	<strong>A new report from the <a href="https://beta.jimiwikman.se/companies/north-america/united-states-of-america/riskiq-r29/" rel="">security company RiskIQ</a> describes a new phishing kit that uses JavaScript to manipulate the DOM, which allows the script to dynamically alter the visible content and HTML form data within a page without user interaction. This phishing kit, called LogoKit, has seen a significant upswing in usage over the last month.</strong>
</p>

<p>
	Phishing has been on the rise lately, following the increased usage of data communication in the wake of COVID-19. This new phishing kit seems to have attracted attention due to its flexibility and how quickly it can be deployed compared to building phishing websites manually, which is the common practice.
</p>

<blockquote class="ipsQuote" data-gramm="false" data-ipsquote="">
	<div class="ipsQuote_citation">
		Quote
	</div>
	<div class="ipsQuote_contents ipsClearfix" data-gramm="false" spellcheck="false">
		<p>
			<em>In the case of LogoKit, a victim is sent a specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database. The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their corporate web site.</em>
		</p>
	</div>
</blockquote>

<p>
	This is both interesting and scary, as it lets attackers set up convincing pages very quickly, and since the page looks quite real and already has your email filled in, chances are that a lot of people will fall for it. Fortunately, you can often see in the URL that something is not right. With LogoKit you can often see your email in the URL, which looks something like this:
</p>

<pre class="ipsCode" id="ips_uid_7611_10">
phishingpage[.]site/login.html#victim@company.com</pre>

<p>
	Sadly, this is not a sure way to detect a phishing attack, as there are other ways to pass the data along, but if you see this, you at least know to look at the page you have landed on a bit more carefully.
</p>

<p>
	LogoKit has seen a big increase in usage in the last month, with over 700 unique domains running it. Targeted services range from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365 and, interestingly enough, cryptocurrency exchanges. So be alert (as always) when accessing your external cloud services and portals.
</p>


<p>
	RiskIQ has concluded that this is a threat on the rise due to its simplicity and ease of use.
</p>

<blockquote class="ipsQuote" data-gramm="false" data-ipsquote="">
	<div class="ipsQuote_citation">
		Quote
	</div>
	<div class="ipsQuote_contents ipsClearfix" data-gramm="false" spellcheck="false">
		<p>
			The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source. With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.
		</p>
	</div>
</blockquote>

]]></description><guid isPermaLink="false">207</guid><pubDate>Sat, 30 Jan 2021 09:09:52 +0000</pubDate></item><item><title>Ubiquiti hacked - the extent of the breach is still unclear</title><link>https://beta.jimiwikman.se/resources/my-articles/professional/698_ways-of-working/operations/ubiquiti-hacked-the-extent-of-the-breach-is-still-unclear-r201/</link><description><![CDATA[
<p><img src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_01/261751812_Ubiquitihacked-theextentofthebreachisstillunclear.jpg.2a7f52395f0eb9a93a1108ef057dc87f.jpg" /></p>
<p>
	<strong>Yesterday I received an email that the American company <a href="https://beta.jimiwikman.se/companies/north-america/united-states-of-america/ubiquiti-r11/" rel="">Ubiquiti</a> has been hacked. Ubiquiti is, among other things, one of the world's largest manufacturers of base stations for WiFi communication. The email contains relatively little information because the company states that they do not know the extent yet.</strong>
</p>

<p>
	Although it has been a long time since I myself used Ubiquiti's cloud service, I assume that it is entirely possible to gain access to the local network via Ubiquiti's central service, hence this is extra serious. I can also imagine that DNS can be reconfigured, firmware can be changed, etc.
</p>

<p>
	According to the email, usernames, hashed passwords, addresses and telephone numbers may have been leaked. It also appears that the leak took place at a third-party supplier.
</p>

<p>
	The mailing has also been confirmed by Ubiquiti themselves, <a href="https://community.ui.com/questions/possibly-breach/55bc757a-9caf-4889-a2c4-9ad5d8af75ce?fbclid=IwAR1h6Zye3V97HwTvhApR29Sv_69dF3dYyWEllKAZqb_JymqNdmWURL-rW4o" rel="external nofollow">see the forum thread here</a> (via the Security Bubble). The mailing went via <a href="https://beta.jimiwikman.se/companies/north-america/united-states-of-america/mailchimp-r12/" rel="">Mailchimp</a> and used, among other things, tracking links, which initially made it difficult to determine the authenticity of the email.
</p>


<p>
	<img alt="IMG_0171-859x1536.png" class="ipsImage ipsImage_thumbnailed" data-fileid="347" data-ratio="178.81" data-unique="xny49awnb" style="height: auto;" width="859" src="https://ipsjwse.s3.eu-north-1.amazonaws.com/monthly_2021_01/IMG_0171-859x1536.png.71d32723f048b632275db683ba2a814a.png"></p>]]></description><guid isPermaLink="false">201</guid><pubDate>Tue, 12 Jan 2021 14:11:00 +0000</pubDate></item></channel></rss>
