//Week in review - 9 Jul 2021

AusCERT Week in Review for 9th July 2021


What a big week! A lot to get on top of this week between Kaseya and PrintNightmare.

Of note, Microsoft released updated patches to address PrintNightmare. This is related to the Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 and CVE-2021-1675. Be sure to catch up on this alert via our highlighted AusCERT Security Bulletin details below.

For those of you based in the Greater Brisbane area we are excited to announce a new date for our NAIDOC Week 2021 gathering. Hear more about the work done by colleagues at Baidam Solutions, come and join us on Monday 26 July, 2 – 4pm. For further details and to RSVP, visit the AusCERT website here.

Until next week everyone, have a great weekend.

Kaseya supply-chain ransomware attack hits MSP customers
Date: 2021-07-03
Author: iTnews

A supply-chain attack on Kaseya, which provides management, monitoring and automation software for managed service providers (MSPs), has led to ransomware infections among the company’s customers around the world.

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
Date: 2021-07-04
Author: The Hacker News

Microsoft is urging Azure users to update the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core.
The issue, tracked as CVE-2021-26701 (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and have been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn’t impacted by the flaw.

QNAP fixes critical bug in NAS backup, disaster recovery app
Date: 2021-07-05
Author: Bleeping Computer

Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security.
The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution.
The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources allowing them escalate privileges, execute commands remotely, or read sensitive info without authorization.

Treasury revisits cyber terrorism insurance cover
Date: 2021-07-05
Author: IT News

Treasury will consider whether cyber terrorism that causes physical property damage should be added to the national terrorism insurance scheme for a second time in three years.
Treasury said that like the 2018 review, the 2021 review will look at “whether a sufficient rationale has emerged to include cyber terrorism causing physical property damage within the scheme”.

Email fatigue among users opens doors for cybercriminals
Date: 2021-07-07
Author: Bleeping Computer

Given the mass migration to remote work, more critical business data is being shared by email than ever before. Users can now receive hundreds of emails a day, and sifting through them is time-consuming and exhausting.
Faced with that skyrocketing volume, it’s no wonder that there’s a growing email fatigue. Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it – which explains why 94% of malware is now delivered via email.

Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Date: 2021-07-07
Author: Bleeping Computer

[See related ALERT bulletin ASB-2021.0123.4 which AusCERT updated on the 8th July]
Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

ASB-2021.0123.4 – UPDATE ALERT Microsoft Print Spooler: Multiple vulnerabilities

Our update was made to draw attention to Microsoft’s revised advisory announcing patches are now available for additional Windows versions

ESB-2021.2341 – apache2: Multiple vulnerabilities

Several vulnerabilities have been found in the Apache HTTP server, which could result in remote code execution and denial of service.

ESB-2021.2332 – Cisco Web Security Appliance: Multiple vulnerabilities

This Cisco product was affected by vulnerabilities which prior to fix had provided attackers opportunity to execute remote code and compromise root.

ESB-2021.2344 – MDT AutoSave: Multiple vulnerabilities

A perfect 10.0 (CVSS 3.0), albeit appliance based. Successful exploitation of associated vulnerabilities could lead to full remote execution on the Remote MDT Server without an existing user or password.

Stay safe, stay patched and have a good weekend!

The AusCERT team