Newsletter
07.06.2021 | 4 min read
Microsoft Print Spooler, Kaseya ransomware mega-hack
- The most clicked link from last week’s issue was my SecurityWeek story on Microsoft’s misdiagnosis of the severity of a dangerous Print Spooler vulnerability and the fallout from the ‘PrintNightmare’ demo exploit.
- Last and final call: Request an invite for the book-signing cabana-con I’m co-hosting with Crossbeam CISO Chris Castaldo on Wednesday, August 4 alongside Black Hat in Las Vegas.
- Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
Monday blues.
After a week of stumbling and bumbling, Microsoft has shipped an emergency patch for the ‘PrintNightmare’ zero-day I wrote about last week.
While Windows fleet admins scramble to apply this patch (please do!), the evidence is clear that Microsoft has a severe patch-quality problem that’s now being compounded by poor communications, lack of transparency, and festering feuds with prominent white-hat hackers.
When the demo exploit for ‘PrintNightmare’ appeared online, Microsoft was so slow to react that defenders relied on Twitter threads to determine if the flaw was zero-day or introduced code execution risks. Outsiders outpaced Microsoft at diagnosing its own security problems, often correcting Microsoft’s own mitigation guidance.
While this issue brings the embarrassment to the front burner, anyone paying attention could see it coming. When folks like Google’s James Forshaw and CrowdStrike’s Alex Ionescu go public with their vuln-disclosure frustrations while dealing with Microsoft, it’s clear the problems run deep.
It’s tempting to point and laugh, but there’s a sobering reality at play here: Microsoft’s code quality affects all of us. We should all be demanding better.
Sponsor message: MongoDB supports the Diana Initiative. MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build. The company is proud to support and sponsor The Diana Initiative, an event focused on women, diversity and inclusion in information security. Register here for the virtual conference, scheduled for July 16-17, 2021.
The big Kaseya hack.
- The big Kaseya zero-day hack is dominating the headlines. Ed Kovacs is reporting the victim toll nears 1,500 companies, including a Swedish grocery chain.
- According to everyone in the know, Kaseya’s security response team has been transparent, forthcoming and admirable throughout this crisis. Pay attention to this page with all the official documentation directly from Kaseya.
- Shout-out to the folks at Huntress for the early warnings and ongoing updates on this major ransomware incident. This live blog from John Hammond has been golden for defenders.
- In an op-ed for Lawfare, Corellium’s Matt Tait (aka pwnallthethings) calls the Kaseya hack “the cybersecurity event of the year, bigger than Solarwinds, Colonial Pipeline or the Microsoft Exchange 0days.”
- Of course, there’s a geo-political Biden/Putin cyber-warfare angle to be covered.
New podcast conversation.
On the show this week, I sat down with Algirde Pipikaite from the World Economic Forum to discuss security as a business enabler, the surge in ransomware attacks, the U.S. government response, and crucial conversations happening between the public and private sector. It’s an important conversation; have a listen!
Readables.
- Since at least mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide. The NSA has issued an advisory (PDF) with mitigation guidance.
- The Center for Security and Emerging Technology (CSET) has published a paper on machine learning and cybersecurity that’s well worth your time.
- An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability.
- It’s refreshing to see the word “firmware” appear twice in the NSA’s top-ten cybersecurity mitigation strategies. Also see the Essential Eight from the Australians.
- This paper explores whether cyber insurance can incentivize better cyber security practices among policyholders. It finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.
- Taking over Uber accounts through voicemail <– research by Shubs Shah.
- Fail2exploit: a security audit of Fail2ban.
- A very useful list of Chrome extensions for OSINT 101.
* My thanks to all the podcast and newsletter sponsors: MongoDB, Uptycs, Eclypsium and SecurityWeek. Our partnership with these companies helps to keep our reporting independent and vendor-agnostic.
* Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Directly subscribe from these links: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.