Weekly threat roundup: Kaseya, PrintNightmare, Sage

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, with a summary of each exploit mechanism and whether the vulnerability is being exploited in the wild, to give teams a sense of which bugs and flaws pose the most dangerous immediate risk.

REvil exploits Kaseya flaw to target customers

The REvil ransomware operators are demanding $70 million after compromising Kaseya’s VSA IT management and remote monitoring product and infecting its customers and partners. Huntress Labs estimates that more than 1,000 businesses have been hit.

REvil exploited a zero-day flaw to gain remote access to internet-facing VSA servers. Because VSA is used by many managed service providers (MSPs) to administer their customers’ endpoints, a compromised server also gave the attackers a pathway into those customers. The product was an attractive target precisely because its core function is to push software and automated IT tasks to managed machines on demand, without further checks on the endpoints, which is exactly the capability needed to deploy ransomware at scale.

The vulnerability, tracked as CVE-2021-30116, was discovered by researchers at DIVD CSIRT as part of a wider research project. DIVD was coordinating a fix with Kaseya, but REvil exploited the vulnerability before the patch could be issued.

Cyber agencies warn against global ‘brute force’ campaign

US and UK cyber security agencies have warned businesses that Russia’s military intelligence agency, the GRU, is orchestrating password-spraying attacks on a massive scale against enterprise and cloud environments, using a Kubernetes cluster to run the attacks.

The GRU unit responsible, better known as APT28 or Fancy Bear, is accused of a widespread and distributed brute force campaign against hundreds of government entities and private sector companies, including military organisations, political consultants and critical infrastructure operators.

The attacks have been ongoing since mid-2019. Once credentials are obtained, the campaign also exploits a range of known vulnerabilities, including CVE-2020-0688, a remote code execution flaw in Microsoft Exchange Server.
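The advisory describes the campaign as both "brute force" and "password spraying", and the difference matters for detection: a spray tries a few common passwords against many accounts, staying under per-account lockout thresholds, whereas classic brute force hammers one account. The following is an added example, not code from the agencies or from IT Pro, that labels each source address in a constructed sample log using that distinction. The log format, the sample addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample log in a minimal "timestamp source user outcome" format.
# These are not real records; on Windows the same four fields would come from
# Security events 4625 (failed logon) and 4624 (successful logon).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG: List[str] = (
    # one source, six accounts, one failure each: the spray pattern
    [f"2021-07-01T10:00:{i:02d} 203.0.113.5 {u} FAIL" for i, u in enumerate(USERS)]
    # one source hammering a single account: classic brute force
    + [f"2021-07-01T10:05:{i:02d} 198.51.100.9 carol FAIL" for i in range(12)]
    # a user mistyping twice and then logging in: benign
    + [
        "2021-07-01T10:09:00 192.0.2.7 alice FAIL",
        "2021-07-01T10:09:05 192.0.2.7 alice FAIL",
        "2021-07-01T10:09:10 192.0.2.7 alice SUCCESS",
    ]
)


def failures_by_source(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Map source address -> {user: number of failed logons}."""
    table: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        _ts, src, user, outcome = line.split()
        if outcome == "FAIL":
            table[src][user] += 1
    return {src: dict(users) for src, users in table.items()}


def classify_source(user_failures: Dict[str, int],
                    min_users: int = 5, max_per_user: int = 3,
                    brute_threshold: int = 10) -> str:
    """Label one source; the thresholds are assumptions for this example."""
    if not user_failures:
        return "normal"
    per_user_max = max(user_failures.values())
    if len(user_failures) >= min_users and per_user_max <= max_per_user:
        return "password-spray"      # many accounts, a few guesses each
    if per_user_max >= brute_threshold:
        return "brute-force"         # one account, many guesses
    return "normal"


def detect(lines: List[str]) -> Dict[str, str]:
    """Label every source address seen in the log."""
    table = failures_by_source(lines)
    sources = {line.split()[1] for line in lines}
    return {src: classify_source(table.get(src, {})) for src in sorted(sources)}


if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(f"{src:14} {label}")
```

Grouping by source address is the weak point of this check: a spray routed through rotating Tor exits or VPN providers shows up as one failure per source, which looks benign. In production, also aggregate failures per target account across all sources within a time window, and alert on the number of distinct accounts seeing a single failure each.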

Kaspersky Password Manager passwords can be cracked ‘in seconds’

Kaspersky Password Manager (KPM) contained a flaw in its password generator that let attackers predict its output and recover generated passwords by brute force without much difficulty.

The generator deliberately favours rare letters such as q, z and x over common ones such as the vowels, and each letter chosen skews the probabilities of the letters that follow it in the same string. Worse, the generator’s only source of entropy is the current time: two KPM users generating a password in the same second would receive the same string.

According to Ledger Donjon researcher Jean-Baptiste Bédrune, the letter bias was meant to defeat standard cracking tools, which try common letters first and would therefore take a long time to reach a KPM-generated password. An attacker who knows a password came from KPM, however, can adapt a tool to the same rules and, because the generator is seeded from the clock, determine the likely password within seconds.
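To make the time-seeding flaw concrete, here is an added example written for this roundup, not Kaspersky’s code or Bédrune’s tooling. It is a simplified model: Python’s random.Random stands in for the product’s generator, the alphabet is lower-case letters only, the "rarity" weights are invented, and the per-position bigram skew the text mentions is left out, because once the seed is a timestamp in seconds (which is what Bédrune reported) the letter bias no longer protects anything. The attacker side simply replays the generator for every second in a suspected creation window.

```python
import random
import secrets
import string
from typing import Optional

# Constructed, simplified model of the generator described above.
LETTERS = string.ascii_lowercase
COMMON = set("etaoinshr")
RARE = set("qzxjkv")
# Toy weights: rare letters three times likelier than average, common ones rarer.
WEIGHTS = [0.3 if c in COMMON else 3.0 if c in RARE else 1.0 for c in LETTERS]

SAMPLE_CREATION_TIME = 1625000000   # an arbitrary mid-2021 Unix timestamp for the demo


def weak_generate(seed_seconds: int, length: int = 12) -> str:
    """Password whose only entropy is the seed: a clock reading in whole seconds.

    random.Random (a Mersenne Twister) stands in for the product's generator.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choices(LETTERS, weights=WEIGHTS, k=length))


def recover_seed(target: str, t_start: int, t_end: int,
                 length: int = 12) -> Optional[int]:
    """Attacker's side: replay the generator for every second in the suspected window."""
    for t in range(t_start, t_end + 1):
        if weak_generate(t, length) == target:
            return t
    return None


def window_size(t_start: int, t_end: int) -> int:
    """Candidates the attacker must try: a day is 86,400, a decade about 315 million."""
    return t_end - t_start + 1


def strong_generate(length: int = 12) -> str:
    """The fix: an OS CSPRNG, uniform over the alphabet, no clock involved."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


if __name__ == "__main__":
    pw = weak_generate(SAMPLE_CREATION_TIME)
    # Attacker only knows the password was created "that evening": a two-hour window.
    lo, hi = SAMPLE_CREATION_TIME - 3600, SAMPLE_CREATION_TIME + 3600
    print(pw, "recovered seed:", recover_seed(pw, lo, hi),
          "after at most", window_size(lo, hi), "tries")
    print("CSPRNG alternative:", strong_generate())
```

Even with no idea of the creation time, every second from the product’s release to today is only a few hundred million seeds, which is a trivial offline search. Nothing about the character selection rules can compensate for that; the fix is to draw from the operating system’s CSPRNG, as strong_generate does.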

Kaspersky acknowledged the issue, first reported to it in 2019, as a vulnerability and assigned it CVE-2020-27020. It has now been patched on Windows, iOS and Android.

PrintNightmare emergency patch can be bypassed

Microsoft’s emergency, out-of-band fix for the Print Spooler remote code execution (RCE) flaw, for which exploit code was published last week, is incomplete and leaves some Windows systems open to attack.

Microsoft patched CVE-2021-34527 with an emergency update on Tuesday, days after researchers published exploit code for the then-undisclosed bug, having mistaken it for a different, already-patched Print Spooler flaw. Researcher Benjamin Delpy, however, demonstrated successful exploitation of a Windows Server 2019 system with the patch installed and the Point and Print feature enabled.

Point and Print is a feature that lets users on a network install printer drivers and connect to print queues without administrator involvement. Microsoft acknowledged in its advisory that the feature isn’t directly related to the flaw, but that it weakens the local security posture enough for exploitation to remain possible. Systems with Point and Print enabled can therefore still be attacked despite the patch.
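Microsoft’s guidance for the patch is that it only holds when two Point and Print policy values, NoWarningNoElevationOnInstall and UpdatePromptSettings, are either absent or set to 0; a system with NoWarningNoElevationOnInstall set to 1 is vulnerable by design. The advisory’s other mitigations are to disable the Print Spooler service outright where a machine does not need to print, or to block inbound remote printing via Group Policy. The check below is an added example for this roundup, not Microsoft’s tooling: it reads those two values from HKLM on a Windows host and reports whether the configuration undermines the patch. The report wording and the function names are this example’s own.

```python
import subprocess
import sys
from typing import Dict, Optional

# Policy key and values named in Microsoft's July 2021 guidance for CVE-2021-34527.
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
WATCHED_VALUES = ("NoWarningNoElevationOnInstall", "UpdatePromptSettings")


def point_and_print_weakened(values: Dict[str, Optional[int]]) -> bool:
    """True when either watched value is set to something other than 0.

    An absent value (None) counts as 0, which is the secure default.
    """
    return any((values.get(name) or 0) != 0 for name in WATCHED_VALUES)


def read_point_and_print_values() -> Dict[str, Optional[int]]:
    """Read the live policy values from HKLM on a Windows host."""
    if sys.platform != "win32":
        raise OSError("registry inspection only works on Windows")
    import winreg  # only importable on Windows

    values: Dict[str, Optional[int]] = {name: None for name in WATCHED_VALUES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in WATCHED_VALUES:
                try:
                    values[name] = int(winreg.QueryValueEx(key, name)[0])
                except FileNotFoundError:
                    pass  # value not set: secure default
    except FileNotFoundError:
        pass  # policy key not present at all: secure default
    return values


def spooler_running() -> bool:
    """Microsoft's first-line mitigation is to stop and disable the Spooler service."""
    out = subprocess.run(["sc", "query", "Spooler"], capture_output=True, text=True).stdout
    return "RUNNING" in out


def report(values: Dict[str, Optional[int]]) -> str:
    """Human-readable verdict for the given policy values."""
    if point_and_print_weakened(values):
        return f"{values} -> WEAKENED: the CVE-2021-34527 patch can be bypassed"
    return f"{values} -> ok"


if __name__ == "__main__":
    print(report(read_point_and_print_values()))
    print("Print Spooler running:", spooler_running())
```

Run it as a local administrator on each patched server; a "WEAKENED" verdict on a machine that does not need to print is a strong argument for disabling the Spooler service there rather than relying on the patch alone.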

Multiple flaws found in Sage X3

Sage has fixed four vulnerabilities in its enterprise resource planning (ERP) platform Sage X3: two protocol-level issues in the remote administration service and two web application flaws.

The flaws are tracked as CVE-2020-7387 through CVE-2020-7390. The most severe carries a CVSS score of 10.0, the maximum, meaning it can be exploited remotely, without authentication and with low complexity, and gives the attacker full control of confidentiality, integrity and availability. This critical bug is described as an “unauthenticated command execution bypass by spoofing in AdxAdmin” and has been patched alongside the other three in Sage X3 Version 9, Sage X3 HR & Payroll Version 9, Sage X3 Version 11 and Sage X3 Version 12. There was never a Version 10.

Rapid7 researchers, who discovered the flaws, advise that Sage X3 installations should never be exposed directly to the internet, and should instead be reached only over a secure VPN connection. Doing so effectively mitigates all four vulnerabilities.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.