Ransomware News: Early July had several cybersecurity events with big impacts on small and mid-sized businesses. Here are three you that should know about.

REvil’s Kaseya Attack Hits Thousands of Businesses Worldwide, US Will Respond

The biggest news story this week was a ransomware attack targeting Kaseya VSA, software used by large businesses and Managed Service Providers to manage software patches and provide user support. The attack used ransomware to target computers under the management of some of the world’s largest MSPs, resulting in the shutdown of thousands of Kaseya VSA servers worldwide. Fortunately, there are no indications of WingSwept or its clients being compromised in this attack.

Russian-based REvil is believed to be responsible for this attack as well as several others aimed at large multinational corporations within the past two years.  This attack was large enough to spur President Biden to call Russian President Putin and press for “action” against the group.

On July 13th, all sites associated with REvil disappeared from the dark web.  It’s not yet clear what action led to their disappearance – but when asked by a Reuters reporter days earlier whether it made sense to attack the Russian servers in intrusions like this one, Biden smiled and said “Yes.”
[Read More at the New York Times]

Director of US Cybersecurity Confirmed by Congress

The United States has lacked a full-time director of the Cybersecurity and Infrastructure Security Agency (CISA) since November 17, 2020; nobody was even nominated for the role until April.  During that time, four of the largest cyberattacks in history have targeted a global meatpacker, a critical interstate gas pipeline and two network infrastructure software companies.

The CISA finally has a leader this week as the Senate as Director confirmed Jen Easterly.

Easterly is an Army veteran and a Rhodes scholar who was stationed in both Baghdad and Kabul to direct cryptography efforts for the NSA.  After serving on the National Security Counsel in the Obama Administration, she joined Morgan Stanley as global head of cybersecurity.  She now joins an already-overextended CISA that is nonetheless receiving more and more responsibilities. Under her leadership, CISA will be enforcing many of the new cybersecurity mandates aimed at government contractors and companies (directly or indirectly) supporting critical US infrastructure.
[Read More at Politico]

PrintNightmare: Cybersecurity Firm Accidentally Exposes Windows Vulnerability

When a security company discovers a software vulnerability, they typically alert the developers and allow them time to patch the problem before disclosing it publicly.  It’s important for security companies to publicly disclose vulnerabilities so other developers can learn how to avoid the same types of mistakes in the future. But it’s just as important for a patch to come before that disclosure so criminals can’t exploit a vulnerability that has no patch available.

Unfortunately, information security group Sangfor Technologies confused one Microsoft patch for another.  Thinking (incorrectly) that Microsoft had released a patch for a vulnerability they discovered, Sangfor released a proof-of-concept exploit called PrintNightmare which used the Windows Print Spooler to run code elsewhere on the network.  This would allow cybercriminals who stole one user’s credentials to use PrintNightmare to run code (such as ransomware) on any other computer on the network, including the domain controller.

This accidental disclosure set off a mad dash to address the problem.  Some system administrators disabled Print Spooler services until Microsoft released a patch, which prevented some users from printing.  A few days later, Microsoft quickly released an out-of-band emergency patch to address one of the two PrintNightmare vulnerabilities, but this patch also prevented some printers from printing.

Microsoft’s work on a patch to completely block the exploit continues. [Read More at Threatpost]