About Us

Microsoft, CISA recommend Mitigations for Zero-Day RCE vulnerability in Windows

Microsoft and government cybersecurity authorities are recommending businesses to implement mitigations to prevent a zero-day remote control execution (RCE) vulnerability in Windows operating systems cybercriminals to create malicious Microsoft Office documents.

Microsoft released a statement on their website –

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

CompTIA Members offer assistance to victims of Ransomware Attacks

CompTIA, the non-profit association for the information technology (IT) industry and workforce, announced a number of initiatives to assist IT companies affected by the global ransomware outbreak.

CompTIA member organisations are assisting and supporting other IT companies and via them the customers who have been affected by the ransomware attack.

MJ Shoer, senior vice president and executive director of the CompTIA ISAO said “Within hours of the attack being discovered more than three dozen members of the CompTIA Information Sharing and Analysis Organization (ISAO) offered assistance, including driving or flying to impacted companies to provide additional ‘boots on the ground,’ as well as sharing communications, incident response strategies, technical support and other resources.”

CompTIA is creating a Rapid Response Team, comprising of internal and member resources, to assist any IT firm that is the victim of a cyberattack, whether or not they are a CompTIA member.

In addition, the CompTIA ISAO’s Cyber-Forum is giving near-real-time updates on the attack, with the information open to the entire industry, not just ISAO members.

“This was a global attack impacting companies around the world, reminding us that we face unprecedented threats from cyberattacks, unlike any threat we have collectively faced in the past. That is why it is critical that we engage in an active discourse that discourages ‘cyber-shaming’ and encourages public and private organizations to come forward immediately and share as much threat intelligence as possible to limit the damage of these attacks and to ward off future incursions.” Shoer said.

“Kaseya just holds the unfortunate distinction of being the company attacked, even as they were working on closing down the very vulnerability that the attackers used,” he said. “Kaseya is to be commended for their transparency throughout this attack.”

Revil Ransomware Cyberattack, The Year’s Biggest Cyberattack on Kaseya Ltd: FBI, CISA Offer Guidance

The REvil cybergang claimed responsibility for the large ransomware attack on managed service provider Kaseya Limited. The ransomware attack is huge and it is considered the single largest worldwide ransomware attack ever this year. Financial services, tourism, retail and government computer systems in several nations are all affected. The attackers claim to have infected 1 million Kaseya-connected computers and are seeking $70 million in bitcoin in exchange for a decryption key. The number of enterprises affected is estimated to be in the thousands, according to federal authorities.

The attack is massive and considered the single biggest global ransomware attack on record. Affected are financial services, travel and leisure and public sector computer systems located across many countries.

The infamous cybergang REvil claimed responsibility for the attack in a posting posted to a hacker site on Sunday. The message was as follows:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” – REvil.

The gang (also known as Sodinokibi ransomware group) has been operating since April 2019 when the GrandCrab cybergang split, according to a detailed investigation of the REvil attack by Kaspersky. “REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations,” researchers wrote.

Later, Deputy National Security Advisor Anne Neuberger issued a statement stating that US President Joe Biden had “directed the full resources of the government to investigate this incident” and urging anyone who believes they have been hacked to contact the FBI.

In related news, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) of the United States offered support to those affected by the massive cyberattack.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” according to a security alert.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA”) to shut down your VSA servers immediately and report your compromise to the FBI.

Kaseya helpdesk stated –

“On Friday, July 2nd, Kaseya received reports from customers and others suggesting unusual behavior occurring on endpoints managed by the Kaseya VSA on-premises product.  Shortly thereafter, customer reports indicated that ransomware was being executed on endpoints.  In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware:  we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure.

The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution.  This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.  There is no evidence that Kaseya’s VSA codebase has been maliciously modified.   

Mandiant was quickly engaged to investigate the incident.  We have been actively engaged with Mandiant to assess the manner and impact of the attack.  We are also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack.  Below, we provide some of the technical details that we have been able to confirm in the course of the investigation.

To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who was directly compromised by this attack.  While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.  We have not found any evidence that any of our SaaS customers were compromised.

We have begun our restoration process and are developing and readying for deployment to our VSA customers a fix for this issue.  On July 3rd, Kaseya released a Compromise Detection Tool to customers.  This tool analyzes the user’s system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOC) are present.  To date, over 2,000 customers have downloaded the tool.  Updates on this are being posted at the following link: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.  We are working to bring our SaaS environment up safely and provide an update for on-premises customers.

We know there is a lot of information circulating about this incident.  Some of it is accurate, much of it is not.  We will continue our efforts to keep you updated as we have solid, actionable information to share.”

Newly Discovered Dell BIOS Bugs Impact 129 Models around 30 Million PCs

After uncovering various vulnerabilities that might allow attackers to execute arbitrary code in Dell PC’s BIOS, security researchers have warned that 129 models and at least 30 million Dell PCs could be at risk.

Eclypsium Discovered the security flaw in the BIOS system and they stated “Eclypsium researchers have identified multiple vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS. This chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device. Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.”

“The Eclypsium team has coordinated with Dell PSIRT throughout the disclosure process. Dell has issued a Dell Security Advisory and is scheduling BIOS/UEFI updates for affected systems and updates to affected executables from Dell.com” mentioned Eclypsium.

“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls. As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices,” said Eclypsium.