
Update on PrintNightmare & Kaseya Ransomware

Over the 4th of July weekend, two breaches were brought to Castra's attention pertaining to PrintNightmare and Kaseya.

Details on PrintNightmare

While you likely do not have print servers exposed to the internet (we hope not), we also want to note that we are aware of this vulnerability and have reviewed our detection methodology for it. Proof-of-concept (POC) exploit code is publicly available, so our recommendation is to disable all Microsoft Print Spooler services and ensure you have this patch applied.

PrintNightmare is a remote code execution vulnerability in the Windows Print Spooler service, tracked as CVE-2021-34527. An attacker who exploits it can run arbitrary code with SYSTEM privileges, giving full control of the affected host and a path to administrative privileges and lateral movement in the environment.

While, in principle, the Print Spooler should only run where it is needed, it is enabled by default on Windows. Microsoft released security updates on June 8, 2021, that should be applied to mitigate this vulnerability.

If you cannot apply this patch immediately, we strongly advise that you turn off all print spoolers following the process documented here.
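The following script is an added example, not code from the Castra post or from Microsoft: it audits a Windows host for the mitigation described above (spooler stopped and disabled, security updates installed since the June 8, 2021 release) and, only when run with the assumed `-Enforce` switch, stops and disables the Print Spooler. It flags hosts that share printers, since disabling the spooler there breaks printing for everyone.

```powershell
# Added example, not code from the Castra post: audit a Windows host for the
# PrintNightmare (CVE-2021-34527) mitigation the post recommends and, when asked,
# disable the Print Spooler. Run from an elevated Windows PowerShell 5.1 session.
param([switch]$Enforce)   # without -Enforce the script only reports

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # A host that shares printers is a real print server; disabling the spooler
    # there stops printing for everyone, so flag it rather than act blindly.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    # Updates installed on or after the June 8, 2021 release mentioned in the post;
    # confirm the exact KB for your OS build against Microsoft's advisory.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2021-06-08' })
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SpoolerStatus    = $svc.Status
        SpoolerStartType = $svc.StartType
        SharedPrinters   = $shared.Count
        UpdatesSinceJun8 = ($recent.HotFixID -join ',')
        Mitigated        = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Disable-Spooler {
    # Stop the running service and prevent it from starting at boot; both steps
    # are needed, because a stopped-but-Automatic spooler returns after a reboot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Status, StartType
}

$posture = Get-SpoolerPosture
$posture | Format-List

if ($posture.Mitigated) {
    Write-Host "Spooler is already stopped and disabled."
}
elseif ($posture.SharedPrinters -gt 0 -and -not $Enforce) {
    Write-Warning "Host shares $($posture.SharedPrinters) printer(s); patch instead of disabling, or re-run with -Enforce to override."
}
elseif ($Enforce) {
    Disable-Spooler
}
else {
    Write-Warning "Spooler is enabled. Re-run with -Enforce to stop and disable it."
}
```

Run it without arguments first to see each host's posture; the same script can be pushed through your management tooling to fleet hosts once the print-server exceptions are known.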

Other Resources for PrintNightmare:

https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability

Important Notice from Kaseya:

“We (Kaseya) are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.

We (Kaseya) are in the process of investigating the root cause of the incident with an abundance of caution, but we (Kaseya) recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us (Kaseya).

It is critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.”

If your organization has experienced any difficulties with either of these breaches, don't hesitate to get in touch with us. Castra is here to help.