We are coming out of a week with a lot of news in the cyber security space. Windows has a vulnerability that allows attackers to take control of a workplace network, and a big software vendor was hacked resulting in companies encrypted with ransomware. Here is what you need to know about these 2 events and what you should be doing to protect yourself.

PrintNightmare

The first big incident in the past week is a vulnerability with the print spooler in Windows. This is what handles printing on your computer. This issue is so big, Microsoft recommends turning this off until they can fix it, and who needs to print anyways right? This vulnerability is referred to as PrintNightmare and what it does is allow an attacker to get access to your workplace domain server using a bug in the print spooler service. After exploit they will have full administrator access to anything on the network. This is an extremely severe vulnerability, and thankfully while waiting on a patch, a workaround was discovered to prevent the use of this exploit and we applied this to all servers we manage. Microsoft released another patch today (7/7/21), however within 12 hours it was proven to fail to fully fix the issue.

Update: 7/15/21

To ensure the patch works, you must also apply a change to the registry to prevent the exploit. After applying the update and the registry tweak the systems are fully protected.

What should you do?

If Circuit Saviors is actively managing your infrastructure, then there is nothing you need to do, we have applied the recent patch and applied the registry change to ensure your devices are protected.

If you do not have someone actively managing your IT, you will want to make sure you install the latest updates for your server and workstations as soon as possible. Also ensure you add the registry change advised by Microsoft as well to ensure you are fully protected. We would advise that you reach out to us, or your regular IT vendor to lock down the print spooler until Microsoft releases a patch that works.

Kaseya VSA Hack

The news that overshadowed PrintNightmare was a hack of Kaseya VSA. Most people outside of the IT space will have never heard of this company. They are in the same line of business as SolarWinds, which may sound familiar from the large hack on government systems found out late last year. Kaseya makes software that allows companies like us to control, update, secure, etc lots of computers at one time. We do not and have never used Kaseya, nor Solarwinds remote monitoring and management products.

On Friday 7/2, reports started spreading that Kaseya was under attack and that clients running their software were getting hit with ransomware. Currently there is no way to get an exact number of computers and businesses effected, but best guesses from reputable sources is around 1500 companies were effected, which is massive. The hacker group behind this attack, REvil, was also behind the recent attack on JBS, the meat packing plant. They utilized an exploit they found in Kaseya’s code to get around the authentication requirements, and deliver the malware to tens of thousands of computers at one time. The story is still developing, and the issue is still not patched as of 7/7/21.

Update: Kaseya has released a patch that has been independently confirmed to protect against all exploits used in this attack.

What should you do?

If we are monitoring your devices, we have been scanning for the presence of this software, and have disabled any Kaseya software we found. If we do not monitor your devices: In windows, go to the C drive on your computer, and look for the folder titled kworking. If you do not see this folder, then you have nothing to worry about as there is no Kaseya software on your computer. If you do have this folder, contact us immediately so we can help you disable this service for you.

I hope you find this information useful. If you have any questions or would like assistance with either of these issues, or any other issues, please click here to get in touch and we will be happy to help.