Cyber Security Update July 2021

SoftwareONE believes there is a need for additional information when it comes to cybersecurity, as organizations have made it clear that investment in a proper security strategy is paramount. SoftwareONE’s monthly Cyber Security Update provides information on the most recent threats and breaches and how to react to them in order to stay on top of malware and ransomware threats.

Massive supply-chain attack against Kaseya: Up to 1,500 businesses affected. It was the worst ransomware attack to date because it spread through software that managed service providers use to administer multiple customer networks and deliver software updates and security patches.

Elekta data breach is impacting over 64K McLaren patients’ protected health information (PHI). Five McLaren Health Care hospitals and three medical clinics are among 169 other health systems affected.

Hackers Access Personal and Call Information and Port Numbers in Mint Mobile Data Breach. The hackers potentially accessed subscribers’ personal information, including call history, names, addresses, emails, and Mint mobile passwords.

Hundreds of touchscreen ticket machines of the Northern rail company (UK) were offline after a ransomware attack. Customers were urged to use the mobile app, website or ticket offices while the ticket machines remained disrupted.

A new massive LinkedIn breach exposed the data of 700M users, more than 92% of the total 756M users. The exposed records include email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username and profile URLs, personal and professional experiences/ backgrounds, genders, and other social media accounts and usernames. Passwords are not included in the archive.

Windows Print Nightmare Vulnerability: If the vulnerability remains unpatched, it's a ripe target for malicious actors to escalate privileges and the perfect ingredient for an exploit kit.

New cloud data breach report: Almost all organizations suffered at least one data breach in the past 18 months.

Atlassian asks customers to patch a critical Jira vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products.

Data breaches from insiders can cost as much as 20% of annual revenue. As companies emerge from the pandemic, and 40% of employees are planning to switch jobs, corporate data is at risk.

Tokyo Olympics could be threatened by a cyberattack. The FBI cited the potential for Distributed Denial of Service (DDoS) attacks – where computers are rendered unavailable to an organization – possibly targeting TV broadcasters, hotels, mass transit, ticketing services and event security infrastructure.

CISA and FBI guidance for MSPs and their customers affected by the Kaseya VSA supply-chain Ransomware attack.

Apple Mac users are warned to check for new Xloader malware. The very malicious malware was found stealing credentials, logging keystrokes and recording screenshots.

Microsoft warns over this unusual LemonDuck crypto mining malware that targets Windows and Linux. The coin-mining malware also targets older vulnerabilities that defenders may have forgotten.

Lately, security technologists far and wide rushed to perform an out-of-band patch for a Microsoft zero day vulnerability dubbed PrintNightmare (CVE-2021-34527) affecting all versions of Windows. Windows has a vast footprint, accounting for 73% of operating systems on desktop PCs, according to Statista data.

PrintNightmare affects all users on supported versions of Windows, which has the print spooler service enabled by default to allow users to print, either locally or over a network. According to Microsoft, an attacker could exploit PrintNightmare to run arbitrary code with system privileges. This could allow them to install programs, view, change, or delete data and create new accounts with full user rights.

Windows client and server computers that aren't domain controllers can be affected if Point and Print is enabled or the Authenticated Users group is nested within another group in the mitigation section.

What you can do if your organization is affected

We recommend applying the following manual solutions suggested by Microsoft:

Solution 1. Disable the Print Spooler service

If your company can properly disable the printer spooler service, use the following PowerShell command:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Disabling the print spooler service disables local and remote printing features.

Solution 2. Disable Inbound Remote Printing via Group Policy

You can configure the setting to disable inbound remote printing through group policy as follows:

• Computer Configuration/ Administrative Templates/ Printers
• Disable the ‘Allow Print Spooler to accept client connections:’ policy to block remote attacks
• Restart the print spooler service for group policy to take effect

This policy blocks inbound remote printing operations, blocking remote attack vectors. The system no longer functions as a print server. However, local printing to directly connect the device is still available.