Widespread MSP Ransomware Incident & PrintNightmare

July 7, 2021, by Lighthouse IT Solutions, Matthew Almendinger

The Lighthouse IT Podcast: BONUS EPISODE - July 7th, 2021

A few events happened last week that we felt it necessary to talk about here. Take a listen as we go through PrintNightmare and the huge ransomware attack on Kaseya's VSA remote management service. (We want to reiterate that Lighthouse IT does not use VSA, but this is a huge hit to almost 60 managed service providers just like ourselves.)

Listen here!


Kaseya VSA Attack

On July 2, while many businesses had staff either already off or preparing for a long holiday weekend, an affiliate of the REvil ransomware group launched a widespread crypto-extortion campaign. Huntress found and tracked about 30 MSPs across the world whose Kaseya VSA servers were used to push the ransomware to around 1,500 businesses (unconfirmed; the number may be higher), and is working in collaboration with many of them. All of the affected VSA servers are on-premises. Huntress has confirmed that the attackers exploited an arbitrary file upload and code injection vulnerability in VSA, and has high confidence that an authentication bypass was used to gain access to these servers in the first place. Once inside, the attackers simply used the RMM the way it is designed to be used: the VSA agents ran the payload with elevated privileges on every managed endpoint, which is why a handful of compromised servers fanned out to so many downstream businesses.

Check out a good overview of the attack here: READ MORE

You can also see Huntress' updates here for the more up-to-date technical news: READ MORE

Critical 'PrintNightmare' vulnerability

"We recommend that you install these updates immediately," says Microsoft. "The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as 'PrintNightmare', documented in CVE-2021-34527."

After security researchers accidentally published proof-of-concept (PoC) exploit code, Microsoft issued out-of-band security updates to address the flaw and rated it critical, since an attacker can remotely execute code with SYSTEM-level privileges on affected machines, including domain controllers.

Microsoft is even patching Windows 7...
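Patching is the first step, but Microsoft's July 6 guidance also tells you to either disable the Print Spooler where it is not needed (domain controllers first) or block inbound remote printing, and it warns that the fix is only effective if Point and Print is not configured to skip the driver-install elevation prompt. The PowerShell below is an added example (not from the podcast, and not Microsoft's own tooling) that audits a host for those conditions and applies one of the two workarounds. The function names are this example's own; the registry paths and values are the ones Microsoft's CVE-2021-34527 guidance references. Remote audits assume WinRM is enabled on the targets, and the "update installed since July 6" check is a hint, not proof that the right KB is present.

```powershell
#Requires -RunAsAdministrator

function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine. Remote hosts need WinRM (assumption).
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $audit = {
        $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $pp       = "$printers\PointAndPrint"

        # Spooler state and start mode (Win32_Service works on older hosts too).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
        $spoolerState = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' }

        # The July 6 fix is only effective when these Point and Print values are 0 or absent;
        # a value of 1 lets non-admin users install printer drivers with no elevation prompt.
        $noWarn = (Get-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
        $update = (Get-ItemProperty -Path $pp -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings

        # Policy "Allow Print Spooler to accept client connections": 2 = disabled (no remote printing).
        $rpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

        # Hint only: was any hotfix installed on or after the out-of-band release date?
        $recentUpdate = @(Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2021-07-06' }).Count -gt 0

        # DomainRole 4/5 = backup/primary domain controller, the worst place to leave the spooler on.
        $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in @(4, 5)

        # Exploitation attempts surface as driver add/update events (316) and plug-in load
        # failures (808) in the PrintService operational log. That log is OFF by default,
        # so zero events only means something when the log was actually enabled.
        $log    = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational' -ErrorAction SilentlyContinue
        $events = @()
        if ($log -and $log.IsEnabled) {
            $events = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-PrintService/Operational'
                Id        = 316, 808
                StartTime = (Get-Date).AddDays(-7)
            } -ErrorAction SilentlyContinue)
        }

        [pscustomobject]@{
            Computer               = $env:COMPUTERNAME
            IsDomainController     = $isDC
            Spooler                = $spoolerState
            UpdateSinceJul6        = $recentUpdate
            RemotePrintingBlocked  = ($rpc -eq 2)
            PointAndPrintUnsafe    = ($noWarn -eq 1 -or $update -eq 1)
            PrintServiceLogEnabled = [bool]($log -and $log.IsEnabled)
            DriverEventsLast7Days  = $events.Count
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -ieq $env:COMPUTERNAME) { & $audit }
        else { Invoke-Command -ComputerName $computer -ScriptBlock $audit }
    }
}

function Set-PrintNightmareMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Disable: stop and disable the Spooler (hosts that never print, e.g. domain controllers).
        # BlockRemote: keep local printing but refuse remote client connections to the spooler.
        [ValidateSet('Disable', 'BlockRemote')]
        [string]$Mode = 'BlockRemote'
    )
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pp       = "$printers\PointAndPrint"
    foreach ($path in @($printers, $pp)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }

    # In either mode: never let Point and Print skip the elevation prompt for driver installs.
    Set-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $pp -Name UpdatePromptSettings -Value 0 -Type DWord

    if ($Mode -eq 'Disable') {
        if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and disable')) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess('Spooler service', 'Block remote client connections')) {
            # Same effect as the GPO "Allow Print Spooler to accept client connections" = Disabled.
            Set-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
            Restart-Service -Name Spooler -Force   # the policy is read when the spooler starts
        }
    }
}

# Usage (elevated): audit first, then mitigate where the spooler is not needed.
# Get-PrintNightmareExposure -ComputerName dc01, dc02, fs01 | Format-Table -AutoSize
# Set-PrintNightmareMitigation -Mode Disable -WhatIf
```

Two caveats. The mitigation writes to the Policies hive, so if those keys are managed by Group Policy the next refresh will overwrite them; in a domain, set the same values in a GPO instead and use this only for standalone hosts or as an emergency stopgap. And `BlockRemote` on a print server is a trade-off: it stops the remote driver-install path the exploit uses, but it also stops the server serving print jobs, so it belongs on hosts where the spooler is only needed locally.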


Check out Matt's official statement regarding the Kaseya VSA breach here.