Kaseya VSA Ransomware Attack Recap

It appears that this Kaseya VSA ransomware attack is connected to the Russian hacker gang known as REvil—but it has not been determined if it's them or an affiliate.

Kaseya VSA, a remote management software, experienced a breach over the holiday weekend that is already impacting a number of clients. It appears that this Kaseya VSA ransomware attack is connected to the Russian hacker gang known as REvil—but it has not been determined whether or not it is the work of REvil itself or an affiliate in their Ransomware as a Service (RaaS) program (and yes, that’s a thing). Evan and Brad break down the attack on this week’s UNSECURITY episode. Additionally, and flying under the radar because of Kaseya, news broke on June 30th about an impressive and potentially very damaging vulnerability in the Microsoft Print Spooler service. This has actually impacted a larger number of customers than Kaseya (millions of servers) and likely would have been bigger news had it not been for Kaseya.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. It’s good to have you join us. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 138 and the date is July six 2021. Joining me is my good friend. Mr Brad Nigh. Good morning Brad.

[00:00:38] Brad Nigh: Good morning Evan.

[00:00:40] Evan Francen: You have did we have yesterday off? We did, yeah. Yeah. So Independence Day, Happy Birthday America 245 years old. Yeah, lot of years old. Yeah. Mhm Good. Yeah, it’s good. I think it was nice to see people out this year. You know celebrating after last year. Yeah.

[00:01:01] Brad Nigh: Yeah. It was the only unfortunate part. It was so freaking hot here.

[00:01:06] Evan Francen: Oh God, yeah. Yeah, there was a ton of, lot of fireworks in our neighborhood and then around here and it was probably until was later. I mean more fireworks than usual and later than usual I think.

[00:01:21] Brad Nigh: Yeah. What school is? We can see our house faces the back of the house faces almost due south And we’re kind of on top of the hill. So we can see, we could watch the fireworks go from east to west, across the horizon over the like the tree line. So we got to watch fireworks from about 945 till 1030 just across the back of the house was kind of cool.

[00:01:44] Evan Francen: It is cool. That’s very cool. Also, another thing happened this weekend. It was friday I think second and news broke about casa. So I I don’t think there’s, you know, we can talk about a lot of things, but I mean it’s hard to not talk about cassia with, you know, kind of everything that’s been going on the last few days. Yeah. So you were mentioning before we got on line uh ri our team at fr secure is gotten hit as well, right? With incident response calls? Yeah,

[00:02:16] Brad Nigh: looks like there’s a, there’s been a couple there that have come in there looks like donkey, they’ll be busy here for a little bit.

[00:02:25] Evan Francen: Yeah. What’s good to keep them busy. It’s bad that here we are again talking about something really impactful I think across the globe. But then, you know, as your reports start to come in more and you start to dissect what actually took place, you know, it is a big deal, but I’m not sure it’s as big a deal as maybe we’re making it out to be. Yeah, I mean, I hate to minimize stuff that affects people personally, but when you look at the numbers, it’s

[00:02:56] Brad Nigh: like it could have been way worse, right

[00:03:01] Evan Francen: one. And when you first heard about it, did you think, Oh my God, here we are, another solo rents.

[00:03:06] Brad Nigh: Yeah, I was like, well I was like my, my initial thought was, oh this is going to be worse.

[00:03:13] Evan Francen: Yeah. Yeah, because that’s what I thought, you know, at first when I heard about it on friday was probably mid day and uh, you know, my first thought was I hope it’s not another solar winds attack. And thankfully it’s not right. This isn’t your traditional supply chain type, not like that, right? Because he has code based wasn’t affected.

[00:03:36] Brad Nigh: No, this was more that traditional attack, the zero day that out of law. And it just so happens that the software they found the flying is used by MSP s and is in installed in, you know, hundreds of thousands of businesses. So it wasn’t like, yeah, they they got the source code and compromise that it was what I would consider a more traditional attack.

[00:04:09] Evan Francen: Yeah, exactly. So the attack, you know, for listeners this was, you know, the essay servers and these were on premise, the essay servers, right, allegedly cassius still holding to the story that, you know, their cloud based servers were not affected by this. And there’s really no indication to questionnaire right now. But the B. S. A. Servers, these are things, you know, traditionally used well in mostly used by M. S. P. S. Managed service providers. And yesterday I was on the Here 11 News and I didn’t realize that uh, even in the news guy was talking to didn’t know what MSP stood for.

[00:04:51] Brad Nigh: I think that’s crazy because we just take so much of this for granted, we’ve talked about that how many times, you know? So wow.

[00:05:01] Evan Francen: Yeah, she was like well what’s an MSP? And I’m like, okay, if you’re, you know, usually a smaller company or you know, maybe a larger company that needs help with managing it, you know, you might engage with a managed service provider so they just provide these services that maybe you can’t afford or they don’t make sense for you to buy. Okay, so in this case the servers are used to remotely manage other systems to do patching to do monitoring, you know, do all that kind of stuff. And these Vanessa servers were on premise at MSP. S and they were also accessible from the internet. That’s not like you don’t want to rush to judgment and say, well how dare you make these servers accessible from the internet? It was

[00:05:51] Brad Nigh: common really. And I’ll be honest, is I don’t know enough about the software, Is was that necessary? Right? Like I don’t know when I don’t think we shouldn’t have it, but

[00:06:07] Evan Francen: yeah, I don’t think it was. I don’t think it was. I mean, I think you could have put this probably behind a VPN, you know, with multifactor. Maybe that’s where MSP s are going to go next with this. But I have done a lot of work with M. S. P. S. And you know, from an I. T perspective, keeping systems running, maintaining systems, you know from an I. T. Perspective they’re pretty good at that but honestly most MSP. S. Oh are not going to security at all.

[00:06:36] Brad Nigh: Uh Yeah are from experiencing some of the stuff we’ve seen. Uh No

[00:06:45] Evan Francen: but you know I know I think they want to and I think they want to get better. I was down at connectwise conference and Orlando I think a week before last on a panel and and and it’s all in this piece right connectwise is all MSP. S. Two. And we were talking about security stuff and the impression I got was there’s an admission that they don’t no lot about security but they want to they’re committed to it.

[00:07:15] Brad Nigh: I’ll say this there we worked with several bits. Oh yeah the one I think that’s the big thing is is if you don’t know don’t pretend right it’s okay to say I don’t know I’m not the expert in that right? And we worked with several that have said okay let’s do this. How can we do this? Right. And and honestly I’ve been really impressed with those and we get asked all the time for you know hey do you have any recommendations? Well I’m going to recommend the ones that we know are working to do things correctly and care right like there’s plenty that are not that way we’ll just believe it at that.

[00:07:58] Evan Francen: Well yeah and I sort of get it to write it. You see the same thing play out when you got your own internal IT department and you have security reporting up to I. T. All right yep this isn’t an I. T. Issue and sometimes I. T. And security are at odds with each other. So then it’s just another case for breaking that thing out. Breaking it out another group.

[00:08:20] Brad Nigh: Yeah and then and that’s a good point. No you know trying to put anybody down right? You know it’s not their thing but don’t pretend that it is because we do see that that’s those are the ones that bother me

[00:08:35] Evan Francen: when they’re dangerous. Right? I mean those MSP. S who think they’re more capable of more capable than they are or they’re trying to do kind of everything.

[00:08:45] Brad Nigh: Uh

[00:08:46] Evan Francen: You know you see a lot of these issues right now uh that are happening I think in our industry with companies who want to do everything right? I mean Cosio wants to do everything right? So you put all this trust into this Bs a. Server or this you know or something else right? And then when there’s a compromise on that thing that controls so many other things it becomes a really really big issue.

[00:09:13] Brad Nigh: Yeah. Yeah. Uh huh. Yeah it’s like I know how many how often do we have to if he feels like we just keep talking about the same things.

[00:09:27] Evan Francen: Oh yeah man for 25 30 years.

[00:09:30] Brad Nigh: Nice like uh

[00:09:32] Evan Francen: Well it’s funny like you know you’re you’re wise grandfather, grandmother or whatever on the farm. You know and they said don’t put all your eggs in one basket. I mean there was wisdom there and I think we’re just like whatever I can do that. The software and well maybe I mean you do you do run this risk right? You do gain some efficiencies by only having to pay one bill and everything in one place. And it’s really nice convenient. But it also comes with this other side of risk. And I don’t think we often think all the way through. Right. Right. Tell something like this happens. Yeah. So the thing that this happened. So this wasn’t a Solomon cyberattack. Nobody broke into the CIA in this attack. I’m not going to say nobody’s broken into cassia. But um This was a zero day uh C. B. E. 2021-30116. Is the vulnerability is given by an SD three. And in this case uh the the company that was actually found it was I think a company

[00:10:38] Brad Nigh: from

[00:10:43] Evan Francen: touch right? D. I. D. D. I believe is the researcher victor givers. I’m not mistaking uh

[00:10:53] Brad Nigh: her vulnerability disclosure.

[00:10:56] Evan Francen: Yeah. So D. I. V. D. Researcher uh week I must say it wrong wheat. See Boonstra. So W. I. E. T. S. E Boonstra. Um They are the ones who discovered the vulnerability. And then they reported it as you know as good citizens to cassia it seems like our sounds like cassia according to, you know, dived very amenable to patching with very responsive work. Yeah.

[00:11:27] Brad Nigh: Yeah. It’s just bad luck.

[00:11:31] Evan Francen: Well, you know, and it will be used to see what else comes out about that because it was really, they already had the patch. They were testing it. I think I’m ready getting really close to the appointment and then you know, our level are evil or an affiliate. We don’t even know if it’s our evil directly. It might be an affiliate. They run a whole ransomware as a service operation. Right?

[00:11:53] Brad Nigh: Yeah, nuts.

[00:11:55] Evan Francen: Yeah. You know, Prior to that, you know July two right? That that nation and you wonder part of me that’s not clear yet. Is did they have inside knowledge that this patch was coming or was it truly coincidence or luck Because I don’t think it was. I actually think they have some inside information that this was coming?

[00:12:22] Brad Nigh: Yeah. It’ll be interesting to see. I wonder they yeah, that’ll be an interesting thing, you know, where were they testing it? Did they push it out to like a beta group and they whatever the packers ended up being. I saw that when I’m to execute right like there’s there, it’s interesting this will be interesting to see the details

[00:12:41] Evan Francen: right? Or was there or is there an actual actual leak or an attacker within cassia Yeah. You know, sharing information or you know, they’re monitoring communications. But anyway, that’s that’s all speculation. So the attack vector and it wasn’t until I would say maybe 24 hours later when you know, I became aware that this wasn’t a solar winds attack. That this was an attack directly at the esa servers that are accessible from the internet and D I P D D. I think that a great job, you know, they scanned for the servers And prior to the announcement there were about 2200 the servers that were accessible from the internet. Yeah. And within, I don’t know, a day or two, it was down to 140. I don’t know what, I don’t know what the current number is. So it was good to see such a quick reaction, especially over a holiday weekend.

[00:13:42] Brad Nigh: Oh my gosh. Yeah. Yeah. Well, and you know that me that act is part of why I’m like, maybe it was just timing because you do have a holiday here in the US Now, Brandon this was a worldwide, you know, there’s companies all over the the world that got hit by this. But was that part of it? Hey, it’s the whole it’s the holiday weekend. People aren’t paying attention with, they’ve been cooped up for a year.

[00:14:15] Evan Francen: All right. Well, and so that makes me think of another thing too. We are, we’ve kind of, I don’t know if in our industry we’ve we’ve blown things out of proportion. I think sometimes where, you know we use here to sell more stuff. So so far, you know what we know in terms of numbers of organizations that were affected and this is worldwide 60 MSP s And 1500 downstream businesses. So we put that into context, I mean, how put that in the context of the number of cassia customers and you know, obviously that’s pretty significant, but but in the context of like the world, You’re more, you know, 1500 downstream businesses, how many businesses are there just in the United States alone? Mhm. So kind of know, it’s a big deal. Yes, it’s something that needs to be accounted for and address, but I don’t think it’s, you know, because I’ve heard some people say, well this is the biggest attack ever. Mm I don’t know,

[00:15:21] Brad Nigh: it could have been, but I think we got lucky.

[00:15:26] Evan Francen: Well there’s that too, we may have gotten lucky. So it was a direct attack against the V. S. A. Servers and then once you exploited the zero day and there’s a bunch of good IOC data out there.

[00:15:38] Brad Nigh: Oh, and and I’ll say this say, did you see they put out a tool that you can run like all things considered, it looks like they’re handling this correctly, you know, being very open, Their communication has been fantastic. Um yeah, putting out tools, but yes, so forth, I think you had it in the length has a really good write up of technical write up of what exactly it does, which, you know, from an incident response standpoint. It makes life a lot easier.

[00:16:13] Evan Francen: No, for sure. Yeah, that was good to see to it. You know how our community, you really got at it. And I think we had good IOC s like almost immediate. Seems like yeah,

[00:16:28] Brad Nigh: you know, and so just kind of going off topic a little bit. What’s funny is this has been so dominating that the whole thing, I was thinking we were gonna talk Windows principle or for remote code

[00:16:39] Evan Francen: execution too.

[00:16:41] Brad Nigh: That is like not even on anybody’s radar at this point. And I saw that last week on when that came out, Wednesday said that over the team and we were like, uh huh. So you can not friend or uh that this could be ugly. And then to see it happen, it’s just like good wars.

[00:17:02] Evan Francen: Well maybe we’ll talk about that too briefly, you know, in today’s show because that is really important and we can kind of, you know, we always go off topic anyway, so that’s easy enough for us to address that it’s

[00:17:15] Brad Nigh: still in the same vein. Right?

[00:17:17] Evan Francen: Right, for sure. For sure. So it’s funny that so they this hits and really, you know, one of the first thing that happened, it drops, you know, through a power Shell script, you know, drops the script and defense. Uh sorry disables Excellent defender for endpoint protection, which is so common, uh, uses certain util to decode malicious. You know, it’s malicious execute herbal uh, agent dot E x E. That’s a legitimate binary. Uh, M S M P E N G dot T X C, which is an older version of Microsoft defender and a malicious library and sort of sort of goes, you know, from there. The the attack vector is similar. We’ve seen this before. It’s not.

[00:18:13] Brad Nigh: Oh yeah,

[00:18:14] Evan Francen: that was another thing that I heard, you know, at the very beginning, I think we rush to judgment. Too many people rush to judgment because we heard from the very beginning. Oh, this was ultra super sophisticated. Mm No,

[00:18:25] Brad Nigh: no. This is almost like when you look at the attacks, we think we see they’re running encoded power shell that Exactly. Well, I mean not exactly this, but basically this is what you see. This is a fairly standard attack, which, you know, I don’t want to set downplayed or this time defensive, but it’s what you see.

[00:18:53] Evan Francen: Right? Well, that’s what makes me think too because we haven’t, you know, we haven’t determined whether it was art evil themselves or where there was, you know, a an affiliate because like I said, are evil runs a ransomware as a service. Yeah. You know, I can go rent right now. Yeah. Go ransom somebody because it doesn’t look, but I’m not, you know, I’m not in the weeds with authority incident response team or the incident response team, you know, fire I or anybody else. But it doesn’t seem all that ultra sophisticated I think especially if you had insider information on this vulnerability, ah, you know, if you knew this vulnerability was there or you know,

[00:19:37] Brad Nigh: well and the researchers that found it said it wasn’t hard to find, it was pretty easy to, to just attacked and yeah, okay. Not surprising that

[00:19:50] Evan Francen: Right. Well, yeah, because that was one of the questions I think posted on twitter was the question is how are evil got their hands on it or perhaps more accurately how the affiliate did That was from July three and then victor givers, You know, the researchers have found it and if I show you the PLC, you would know how and why instantly. I mean, I guess it’s like

[00:20:18] Brad Nigh: sounds pretty, it’s pretty obvious. So I’m gonna throw this in the chat. I don’t know if you’ve seen it, but this is why we preach turn on power Shell logging. We’ve been, I’ve been saying that everybody for a long time and Uh, actually if you just turn off, if you just Google power shell logging, there’s a fire I blog from 2016.

[00:20:40] Evan Francen: Also that’s not new. No,

[00:20:42] Brad Nigh: it’s been out for five years, 5.5 years. Turn it on because that’s what they’re using for a cat. And if you want to know what happened, you need to have that logging turned on. If you don’t have it turned on, it’s you’re going to be blind, you’re just not going to see what happens.

[00:21:02] Evan Francen: Well it’s it’s you know, and it’s easy to play Monday morning quarterback. It’s speculated all kinds of things, you know, like because as I’m sitting here, I’m thinking, you know, if these Visa servers, I don’t know, like I said, I don’t want to say a Visa either. But if these things are accessible from the internet, you know, how hardened are they? You know, would you have things like, you know, as part of the standard deployment to turn on power, shell script, you know, logging uh do these things have to be accessible from the internet or is it possible to put them behind a Bpm with multifactor authentication? So I’m guessing if the nature of the V. S. A. Server is for remote administration and all those other things. The only reason why I have it accessible from the internet and was so my technicians could potentially log into it and conduct, you know, some of their tasks which

[00:21:51] Brad Nigh: Okay, VPN.

[00:21:53] Evan Francen: Exactly. So yeah, and I don’t want to, like I said, it’s easy to play uh you know, monday morning quarterback, but I wonder and because I saw the guide institute that came from, you know, C. S. A. I’m sorry Sisa. And in the FBI. And as I was reading and I was like, okay, here’s what they recommend for MSP s enable and enforce multifactor authentication on every single account that is under the control of the organization. Okay it seems I mean enabling enforcing MFA for every single account that’s going to be hard that kind of exceed it’s a best practice and I’m for it but it sort of exceeds what we would normally suggest as a best practice because it is very destructive to do that.

[00:22:41] Brad Nigh: Yeah. Yeah so I just while you were talking about google to see and he says uh process server requires access to the internet for the following functions. Patch management reaches out to Microsoft, it’s patch information and then reaches out to cassia to get ancillary tiles and then hot fixes for the casino server. So downloading those so from a yeah sounds like from like a day to day perspective no it just needs to be able to reach out to Microsoft and cassia for the most part

[00:23:14] Evan Francen: and thats egress right? So yeah I need anything ingress.

[00:23:18] Brad Nigh: No that doesn’t sound like it because the question was I’m setting it up in an environment that doesn’t have internet connectivity. Well here’s what you need so worry that it no it doesn’t.

[00:23:30] Evan Francen: Huh interesting that was one of my big beats about solar mens says you know it was so super uh sophisticated and it was sophisticated that there was no way to mitigate it that’s like okay there’s always a way to mitigate things, right?

[00:23:47] Brad Nigh: So we saw it the I. R. S. Didn’t have their solar winds and they didn’t get hit, you know, they didn’t have it accessible from the internet. I mean, it kind of proves the concept, like it’s our that’s seriously Yes.

[00:24:03] Evan Francen: Yeah, it’s interesting the this is kind of for somebody reminded me of a talk I’m giving in Israel at cyber week on, I don’t know With its six today, uh 21st I think, but this is what it’s about, right? This is what the talk is and this is a worldwide audience really. The talk is it’s titled they’re winning, right? And the reason why they’re winning, if you look at like sports, you and I both played sports right? If there’s one thing I noticed about the best players, it was how hard they practiced and mastered the fundamentals

[00:24:47] Brad Nigh: 100%

[00:24:49] Evan Francen: right, whether it be footwork, whether it be uh you know, positioning uh head, whatever it was, you, it got drilled into every practice after, you know, it’s like I’ve done this same drill 250 billion times and here I am doing it again, and the reason why it’s business, the fundamentals, that’s what makes you, I mean there’s gifts and all those other things, but if you don’t have the fundamentals of your crap, if you’re in a position, if your footwork sucks, if your body position ain’t right? Yeah, forget about it. And so when you talk about their winning and the reason why they’re winning because we’re not doing the fundamental stuff. We’re going too damn fast. We’re um adopting technology much faster than we can secure it. And uh

[00:25:38] Brad Nigh: mm hmm. Yeah. So yeah, I agree. I mean, and we’ve been, This is what episode 138 I think we said fundamentals probably every single episode like it’s not going away. And you know, I, I would say the companies that make me feel good. Like I just had a call last week with somebody who’s going from exchange on prim oh 3 65 and they were migrating and they said, but the whole thing was, can you guys help us secure that as we move so that it’s done properly. We want to make sure because we don’t know. And a little yes, thank you. Yeah. That’s awesome to hear.

[00:26:23] Evan Francen: Well it is, man. I mean, I think, yeah, and you can see where we’re suffering in so many different places because we’re not doing the fundamental. So when you look at like President biden’s executive order, the reason why that’s so much stuff in there so fast so soon is because it’s almost like you got to start over a lot of places right? Because you didn’t do it right from the beginning and sometimes you do need to do a rip and replace we do that an incident response sometimes.

[00:26:49] Brad Nigh: Yeah. Well you mean, yeah, you see it. People, how many times have you seen or heard from the software company like you go in why is this this service account running is administrator. Well that’s how we could get it to work or the company the software company the vendor says well it just needs to be no explaining why because we couldn’t get it to work the other way or it was too much work. It was slowing things down. Well okay I guess that’s your risk tolerance and you’re willing to take that as long as you know. But this is stupid

[00:27:32] Evan Francen: this shit. Well that’s the thing with you know like you know when you plot one it’s I. T. Right? So I. T. Folks they are motivated to get things working once you know book I may not put in the extra effort to secure it. I just need to get to work

[00:27:49] Brad Nigh: well and I mean I’ve been in I. T. Like I totally get it. Your ideas is almost usually a thankless job right? You’re typically thought of as a cost center if you don’t if the company doesn’t see you doing anything you know that things are working. They’re like well what are they what are those guys doing? And then if something goes wrong it’s we’ll get it fixed right. It’s a very not like no win situation a lot of times. So yeah

[00:28:17] Evan Francen: there that’s for I. T. It’s even worse for security people

[00:28:20] Brad Nigh: for sure. Yeah I went from I. T. Security. So that says a lot about

[00:28:26] Evan Francen: you like paying

[00:28:28] Brad Nigh: right? Uh I like the challenge but yeah I mean I totally understand it because that’s the bit their job is to keep things up and running for the business. And that sometimes means you know not doing things securely but that’s again that’s not that shouldn’t be its job necessarily. It’s a mess. We’re at least we got we don’t have to worry about not having work.

[00:28:59] Evan Francen: Right one. And so like to see a, right I mean when you set up the CIA you allow listed right or white listed as the traditional you know so that it can talk to everything or you know you at least certain directories because it’s going to act like malware. Right. Yeah and that’s what happens when you install this system and that’s when you look at the technical details and so forth. That’s exactly what you know how you install it. And so that’s naturally where the attacker is going to go. Right going after systems like the esa. Perfect. Right Because under the esa promise or you know replace binaries whatever I’m doing uh I have free reign.

[00:29:42] Brad Nigh: Oh yeah I mean well it’s yeah and again this is what we see right the Attackers will take a valid process and inject the power shell into it and then it’s running under a valid process. Well in this case it was even worse because it’s not just like caliper note pad or whatever it is, which you wouldn’t traditionally like exclude from scans. Right. Right. Right. This is a software that you would tip me to exclude or because of its actual behavior and yeah, it’s not, yeah, it’s a mess.

[00:30:25] Evan Francen: Yeah, one in this case. So it hit on Tuesday. I’m sorry friday. Ah This the expanse of the attack 60, 60 casa well, they are aware of You were than 60 cassia customers have been affected. They were all Visa on premise servers. So there’s probably, I’m guessing well today some people get back to work today. Right. Some people had the fifth off because you know it was a holiday because the fourth, so sunday uh so that number might go up a little bit, you know, some people believe it or not won’t know until they come into the office like, hey My stuff is not working. Um but fewer than 60 casino customers known so far, all of whom, all of them were using psA on premise products. Um they were directly compromised by the attack. Right? So all those things had to be true. The customers downstream that were affected. You were then 1500 and this is all according to Cassia in one of their last updates. Right? When they have done a good job, I think in communicating uh when you put that into perspective, we’ve had much bigger attacks before. Yeah,

[00:31:45] Brad Nigh: I think the issue is the the number of companies. Right. Yeah, I think uh, are evil put out a million individual in points have been affected, which is a lot overall, but we’ve seen bigger impact. But it’s the number of companies that got it.

[00:32:09] Evan Francen: Well, they’re motivated, they’re motivated to inflate that number because they’re seeking a $70 million, You know, ransom. And I think they dropped that out of 50 million and basically stated they’re willing to uh, negotiate. Which is like, it’s always awesome when you have people that these guys are good coders and all that other stuff, but they’re not very good at negotiation because dropped from 70 to 50 you named to higher price probably at the beginning and now you’ve dropped it to 50 and then said you were willing to negotiate. Well that shows you’re desperate because you’re probably not going to get anywhere near that because we have our hands around it and you know that.

[00:32:49] Brad Nigh: Yeah. Yeah. It’ll be interesting. I don’t, yeah, it’ll be interesting to see what happens. I saw one article that was saying that they put out that one price for the universal unlock her because they were banking on insurance companies to say, well, it will be cheaper to just pay once and well, let’s all just split the cost. Right? Right. You know, we’re seeing more and more where insurance isn’t willing to pay that and they’re getting a little bit, I think they’re finally realizing. Oh,

[00:33:24] Evan Francen: right. When I wonder if, you know, yeah, Insurance eventually may not cover these at all anymore. And if you haven’t done certain things,

[00:33:32] Brad Nigh: we’re definitely seeing that we’re, I’m actually working on putting together a list of requirements. And you know, we’re seeing if you don’t have an M. F. A. On everything external. A lot of times they’re just not, I’m not going to cover you

[00:33:45] Evan Francen: period. Thank God. I mean we’ve been yelling and screaming that. Seriously. It is, it is absolutely. It’s negligence you to have something sitting on the internet without multifactor authentication.

[00:34:00] Brad Nigh: Yeah. Yeah. And you know, the other thing we’re seeing is uh, mm hmm. Critical systems internally, uh, will lower premiums. And then we had one customer that was going through the process and they said, okay. So they filled out the questionnaire and it’s one of them was, you know, around the incident response and playbooks and they came back and said, okay. You have, you say you have them show this one right now like immediate. Like you’ve got to produce this

[00:34:31] Evan Francen: nice yeah. People and lives because I don’t want that. There’s nothing that irritates the crap out of me, man. When people don’t tell the truth. Uh, there’s two different kinds of lies next. So there’s so many times. This is our number one core value at first you’re right. Tell the truth. Two different types. There’s omission and commission the old mission ones are things I didn’t tell you that I should have told you. And then the Commissioner when I the commission ones are the ones where I straight out tell you something. That’s not true. Yeah. And they’re both eyes and torch me, man. Because you know, we’re talking about doing business together, becoming partners, right? Use these big, you know, we’re going to be a partner and you tell me the truth, right?

[00:35:15] Brad Nigh: I can’t. Yeah. And that’s, you know, when we do the risk assessment, it’s, hey look, don’t try to make yourself look better. Just let’s, let’s be honest, I know what’s going on. So if we can help you, like if you’re going to tell us, you know, Oh yeah, we’ve got that. You don’t, you’re not helping yourself.

[00:35:38] Evan Francen: I don’t think anybody.

[00:35:39] Brad Nigh: Right? So yeah.

[00:35:43] Evan Francen: Yeah. People people have lots of reasons they do that, I suppose. Um Alright. So no other casino products were compromised. Yeah. Which is good. Which also is another indicator that this was a direct attack at the affected B. S. A. Servers themselves and not the code. So that just reinforces that Uh cassia has developed the patch for customers running VSE on their own servers. A patch should be available within 24 hours. I thought

[00:36:13] Brad Nigh: that their afternoon, the online version will be available today and the on their side bringing the on prim tomorrow.

[00:36:25] Evan Francen: Yeah, Customers should have the patches between two and 5 eastern today maybe.

[00:36:32] Brad Nigh: Yeah. Well, you know, we’ll see how that goes. But I think the fact that You’re looking at less than what four or 5 days. And they had the patch, they were they were on top of it. In terms of like already working through this, you can tell that they had been doing something. You don’t just turns out around that fast. Right?

[00:36:54] Evan Francen: Exactly. Yeah. They well, they like they said, you know, it reinforces what they were saying to that they already had a patch.

[00:37:02] Brad Nigh: Yeah.

[00:37:02] Evan Francen: Yeah. They were still testing it before they released it when this thing went down. Yeah, interesting, interesting story. I think we will survive. We will move forward. You know, I’m looking forward to the lessons learned. I’m guessing uh the lessons learned aren’t going to be all that different than the best practices we’ve been preaching from the get go. I don’t I don’t want to rush to judgment and start condemning people on this because I don’t have enough details. But believe me, when we do have enough details, if there’s something to condemn all condemn it.

[00:37:38] Brad Nigh: Mhm. Yeah. He said at this point, we know, I mean, what is the a lot of the number of bugs per, you know how many lines of code you have per bug or whatever it is. It’s going to happen, right? But it will be interesting to see what it was and truly have been something that was caught in the test QA process. How did it get this, But how they responded. I mean, I’m like the sandy, it’s textbook correct way to respond, right, controlling the communication being open and you know, not trying to hide behind, you know, like you said was omission type. You know, hey, this is what happened here, is what you need to do. Thank you sir, robert. Hey, turn them off or get them off line, right, get them off the internet.

[00:38:35] Evan Francen: And my bigger concern is, you know, the MSP s and the MSP deployments, you know, I’m not right. How do you, like if I was working at an MSP, you know, being a security guy and you told me you were going to bring this server thing online and it was going to do these things, would I have secured it different? I don’t know, you know what I put it behind a VPN, could it operate behind a VPN with multifactor authentication versus just let it kind of dangle. Could I harden this server or does it have to be a default sort of installation the way it is. You know, those are the questions that I’m looking at. Two because there are so many MSP s and there are so many customers who trust these MSP s and the third Timpson things we can do to improve their service ultimately, you know, protecting their customers because that’s the part that pisses me off, I think the most right now is you have small to mid sized businesses, you know, dentist’s office and you know, small retailers who Won’t recover, they will be put out of business out of that 1500 customers downstream that were affected, some percentage of those will be out of business. You destroyed their business. Either the MSP or Kazan, it doesn’t really matter who you want to blame. The fact of the matter is they’re out of business. So, you know, it, if the MSP can do things better to make sure that that happens less often, that’s kind of the stuff I’m looking for, you know?

[00:40:05] Brad Nigh: Yeah. Yeah, it’ll be yeah,

[00:40:09] Evan Francen: that’ll be interesting because I think because he is not going to suffer from this to say I will hardly suffer and and neither will probably the MSP and if I’m that small business and I’m like sitting there going, oh, great amount of business or recourse do you have, you know what I mean?

[00:40:26] Brad Nigh: Yeah, Yeah. And that’s what, and a lot of times that’s who gets hit, right? That’s who’s using these NSPS are those small mid sized companies that don’t have their own IT staff and yeah, that’s what sucks. Right?

[00:40:44] Evan Francen: So we’ll see what comes of it, you know, once things kind of settle down a little bit and we get started getting more details about, maybe I’ll do some research and find out more details about the NSA server product and how MSP s might be able to deploy that better.

[00:40:57] Brad Nigh: Yeah. Just reading more and more, it’s really interesting to see uh it was really looking at Hunter’s has a right up and it looks like there was a screenshot dot jpeg that was part of the attack chain that’s actually execute. Herbal does a bunch of cleanup, but looks like it may maybe a simple injection as a final vector for code execution, not strictly, but another form. So and they’ve got the actual code that is run, so yeah, it could have been just getting in and that’s how they they got in. Yeah, it’ll be interesting to read.

[00:41:39] Evan Francen: It will be, yeah. And I think my conclusion at this point is it’s not it’s a big deal. I’m not going to minimize it that much, but it’s not a big as big a deal as we made it out to be at the beginning. I think we jumped to a lot of conclusions just in the,

[00:41:55] Brad Nigh: well, I mean, like I said, it could have been a really big deal if I M S P s hadn’t responded and taken all those servers offline that quickly. Right. You know, this could have been exponentially worse. Yeah,

[00:42:13] Evan Francen: acquisition If the IDD 2200 servers And only and we only know about 60 that got hit. Yeah, it could have been much worse, yep.

[00:42:27] Brad Nigh: Yeah,

[00:42:27] Evan Francen: but I’m also not sure about the timing of their scans, these scans, that

[00:42:32] Brad Nigh: will be, I’m not I don’t have enough detail on that to know either. But

[00:42:37] Evan Francen: I wonder if they did these scans, you know when they were working on the patch and before any kind of detonation or anything or if this was after that. Yeah, we’ll figure that out too. Yeah, there’s a lot. There’s

[00:42:53] Brad Nigh: a lot that I mean this is still so new. Right? We still I mean you said it it typically takes, you know, a couple weeks to fully understand what do you do all the forensics and understand what exactly what happened. So

[00:43:13] Evan Francen: And and according to the governor’s quote in his tweet, the last, he said during the last 48 hours Number of the ece instances that are reachable from the Internet has dropped from 200 to less than 140. So that would have been Till June July two. Would have been the 48 hours. So yeah, would have been really close to the time that the ransomware hit. So it went from 2200 or less than 140. That’s quick. Yeah, that’s good.

[00:43:44] Brad Nigh: Yeah. I think the yeah. Yeah. I feel bad. The biggest one that I’ve seen is that the Swedish grocery grocery chain That most 800 stores will be closed for a second day because the cash register software supplier was crippled.

[00:44:02] Evan Francen: So the Swedes are resilient there. Was that where the Vikings come from.

[00:44:05] Brad Nigh: I think so up in that area. But I mean the dad shows right that here’s a grocery store. It has 800 locations closed because their supplier got hit by this. So it’s not just like that, that down stream impact is going to be, you know, that’s going to take a while to understand as well. Yeah.

[00:44:29] Evan Francen: Mhm. Yeah. That’s the part that ticks me off more than anything is the the people who suffer, you know, I mean, that’s what motivates me every day is trying to help people not suffer right to say it’s big enough that they’re not going to suffer too much. Actually. They’ll probably come out well in the end because of their good response. They did do a good job responding. And that’s that shows the importance of having a good incident response plan, strategy and getting ahead of the communications so that you can control and craft the message. They did, they did a wonderful job on that.

[00:45:06] Brad Nigh: Yeah. And again, it’s not just, it doesn’t seem to be just lip service either. Right. They’ve they’ve actually given tools and and you know, similar what we were seeing with with solar winds in terms of the communication and being open and you know, it’s what we need. Yeah, true.

[00:45:30] Evan Francen: All right. Well, good. I think we’re going to live through that most of us, um, and we’ll provide an update next maybe next week if there’s something to update. Otherwise we probably won’t talk much about CAssie anymore.

[00:45:43] Brad Nigh: Yeah. Just whenever we hear more like it’ll be probably a couple months from now when we finally get that report and see what happened.

[00:45:54] Evan Francen: Yeah, yeah, certainly there’s a Senate Intelligence Committee meeting. I’ll definitely tune into that. I love watching those. I’m weird like that. Yeah. All right. So the other one, yeah, that you mentioned and then this was this, you mentioned it it was Wednesday ish of last week. Uh, Microsoft had an pretty neat announcement about zero. Really is your day? It was, but it’s a vulnerability in the Prince cooler remote, what’s called? Windows permit, Windows Print Schooler, remote code execution vulnerability. Cbe 2021 345-7 released July one. That would have been Thursday. We might have heard about it on Wednesday.

[00:46:41] Brad Nigh: What’s what’s interesting on this one is they actually uh, put a release out in june and it apparently didn’t fix the issue.

[00:46:54] Evan Francen: Right groups.

[00:46:55] Brad Nigh: And then this was uh, what I’ve seen, it was accidentally disclosed to because the researchers that disclosed that we’re planning on doing a presentation at Black Hat and it got out or I’m not sure exactly what they did, but it was not intended to be released. But yeah, the biggest thing is, you know, there’s a whole list of uh, Bruce that basically would allow anyone in the domain if to exploit the domain controller. Right? And I mean, it’s a big list of recruits, uh, you know, admin, domain controller read only. Domain controller enterprises read only Domain controllers. Third admin schema. Admins group policy, admin power user system operator, print operator, Eco operator. Ah yeah, it’s that’s and uh yeah, I’m surprised we haven’t heard of this actually because there’s proof of concept that we’re out on Wednesday,

[00:48:04] Evan Francen: right? Oh, somebody’s been hit multiple people, I’m sure have been hit because it’s explainable from the network, right? I don’t so that’s fairly easy. The complexity is very low. Mhm. I don’t really need, I just need basic user privileges in order to run this. So how hard is it to get a user account? You just need to authenticate? You don’t need to have privileged authentication or to exploit. So

[00:48:32] Brad Nigh: I will say that the name of this was that on print, Nightmare. Yeah, I read that and I was like, oh, this is gonna be a nightmare. Oh, it’s pretty nightmare. Cool.

[00:48:42] Evan Francen: Alright. Yeah, totally.

[00:48:45] Brad Nigh: Yeah. All Windows versions.

[00:48:48] Evan Francen: Yeah. And when I had friends last week, I was talking to somebody and yeah, I was like, oh man, how you doing, what’s going on? He’s like, I got my whole team right now disabled principle or you know, throughout the entire environment. I’m like, oh because I hadn’t heard about it yet. I’m like, oh well it’s good to disable principle or if you’re not printing. So that’s that’s a good thing. He’s like, no, there’s a bad vulnerability. And like, again,

[00:49:13] Brad Nigh: Exactly.

[00:49:15] Evan Francen: But then you said, yeah, this is the one from, you know before, I’m like, oh, okay.

[00:49:20] Brad Nigh: Yeah. Yeah. Again, you know it sucks. We know in software there’s gonna be bugs. It just happens. It just seems like we’ve had some pretty high profile on our abilities lately.

[00:49:39] Evan Francen: Yeah. Yeah, for sure. We’ll put the post, I’ll put the post in the in the show notes for the, you know, Microsoft security update guide which labels this vulnerability and kind of tells you more about, you know how it operates. But if you google print nightmare, you’ll you’ll find plenty of good stuff about it. The sad thing is right now there is no patch and it’s not clear when Microsoft will have a patch. So for now it’s just disabled principle or that’s your isolate isolate the systems that actually need to have printing but Well who prints anymore?

[00:50:15] Brad Nigh: The nice thing is that they did put out a work around where you can disable the inbound remote printing through group policy. Right? So yeah, the server is no longer a print server but you can see that would allow people to still print locally if needed. Yeah, there are some don’t work around but yeah, I’m glad I’m not 90 right now.

[00:50:42] Evan Francen: Right. Especially in a company that is heavy print like like law offices, legal firms uh others but thanks health care. Oh my God. Yeah.

[00:50:56] Brad Nigh: Mhm.

[00:50:56] Evan Francen: Alright. Well there you go. So as soon as the patch was released and I haven’t heard when Microsoft we’ll be issuing a patch.

[00:51:06] Brad Nigh: Uh as far as I know, see I’m looking at their actual I don’t know. I don’t think I haven’t seen a date. Yeah, no dates at this point. It says they just say apply the security updates released uni and review the work around sections for how to protect.

[00:51:29] Evan Francen: That’s how you get.

[00:51:32] Brad Nigh: Yeah. Yeah. They don’t have an export yet.

[00:51:36] Evan Francen: There are exploits in the wild. Yeah. Yeah. Okay. Right. Well there’s that uh this was always going to farming go, you know, it seems well that’s that’s wrong. Probably more rewarding and probably more healthy.

[00:51:58] Brad Nigh: Yeah, that’s probably the last one. For sure.

[00:52:02] Evan Francen: Yeah.

[00:52:02] Brad Nigh: A lot more moving. I wouldn’t be sitting at my desk for and realizing that I haven’t moved for six hours.

[00:52:10] Evan Francen: Yeah. Exactly. All right, so just summarize today’s show uh you say uh that attack at not gonna die?

[00:52:23] Brad Nigh: Probably. No, it could have been much worse

[00:52:26] Evan Francen: have been much worse. Yeah. And I think lots of good things came of it and I’m excited, you know that you can do a little bit more and find out what else we can learn from it. It’s not like most most attacks, you know, you look at them and you’re like I’m really angry because you missed this. That and the other thing at this point I think I’m not angry with me. Say I think I’m probably going to have some anger about M. S. P. S. When we started digging in on that a little bit. Mhm. Uh But even then so far, I mean the way they responded quickly if they did indeed shut down that many servers that quickly. That’s pretty damn cool.

[00:53:02] Brad Nigh: Yeah, maybe this is the wake up call for MSP s who haven’t been taking it seriously because you know this again, this could have been really bad. And those ones that got hit, what do you what happens when you have that have you know, affect you. Every one of your competitors is going to be calling your customers and saying didn’t happen to us.

[00:53:23] Evan Francen: Yeah. We were running the same software. Funny.

[00:53:26] Brad Nigh: Yeah, our customers weren’t ransom.

[00:53:29] Evan Francen: Yeah, exactly. So there’s that. And then the other summary is just uh Yeah, they have the next soft principal. Er We’ll put the link in a if you google it, print nightmare, you’ll find it. But we’ll put the link in the show notes. Not much you can do about it other than uh mitigate the risk. You can’t catch it yet. Both the one make soft issues something. Yeah. Alright, that’s that’s all I got the shout out for you.

[00:53:58] Brad Nigh: Ah you know it’s funny. I know we’re gonna do this every week and I never think about it but I don’t right now um shout out to my family for putting up with me hobbling around all weekend on a broken toe and complaining.

[00:54:15] Evan Francen: There you go. I’m gonna give a shout out to a sales guy, believe or not. But it’s a safe. Yeah, I’m going to give a shout out to juve. Okay. Uh I got the sit in for uh john harmon Last week on some sales calls for three days and was fun to hang out with them. And I love the fact that our, our sales people do it right. They don’t compromise our mission or value. They believe it, it was amazing. So shout out to him and the whole sales, you know.

[00:54:49] Brad Nigh: I will say I’ve said that before too. But uh yeah, brought me in on calls where they’re, they’re like, hey, the customer just wants to clarify or understand this better. Can you, can you jump on a call with them? I love it there. They do that vs just tell the customer what they want to hear, right? Like, and it’s not always in the best interests of the sale necessarily, but it’s the right thing to do.

[00:55:17] Evan Francen: That’s it. I mean they take it to heart man and it’s so rare to find that with salesman because they do get held to of accountable to a number, just like anybody else in sales. You have to sell a quota and all that other stuff. But they do it right.

[00:55:34] Brad Nigh: Well, and honestly that the fact that they do it right is why they’re doing so well. I mean, you get a reputation and that’s good thing. People talk, Yeah, totally. These guys did the right thing.

[00:55:49] Evan Francen: So totally yeah, gives me a lot of trust in the management team, you know, all the way down to you and to Drew and Oscar it’s just it’s really cool. They have so many people with real integrity, you know, working beside you.

[00:56:07] Brad Nigh: It’s the no a horrible and it it is from top to bottom.

[00:56:13] Evan Francen: Yeah, that’s cool. I love it. All right, thank you to our listeners. Thank you brad. It’s good to see you man. And we’ll catch up some more. Uh if you have something like to tell us if you email us at the show on security of proton mail dot com. I think this might be the last time I announced that because nobody really emails us because wants to talk to us.

[00:56:33] Brad Nigh: I mean they just reach out directly. Yeah. You don’t go to the

[00:56:37] Evan Francen: podcast. If you have a social type socialize with us on twitter, I’m working on some cool projects so you’ll see some stuff coming eventually from that. But I’m @EvanFrancen Brad you’re @BradNigh twitter handles handles that. Don’t really matter. But they do matter, but you don’t have to follow them insecurity is @UnsecurityP security studios @StudioSecurity and that FRSecure @FRSecure. There’s a lot of good stuff there. But that’s also like I just gave you five twitter handles. I’m like two minutes. So that’s a lot of all right. That’s it, man. We’ll talk to you next week.

No items found.
Sign up for our newsletter

Receive monthly news and insights in your inbox. Don't miss out!

Industry insights