What to do about the Kaseya and PrintNightmare vulnerabilities

Christopher Budd 9 Jul 2021

Here are three clear steps to help keep yourself and your businesses as safe as possible

“It never rains but it pours.” The saying describes situations in which several bad things happen at once, and security incident teams know such situations well. Security teams across the globe have recently been experiencing exactly that with the active, formidable PrintNightmare and Kaseya threats.

For those who don’t have dedicated security teams, such as home users and small and medium businesses (SMBs), it can be both confusing and overwhelming to understand what you need to do about either of these security events.

In this post, I’ll briefly but clearly walk you through what you need to do to help keep yourself and your businesses as safe as possible. It comes down to three simple steps:

  1. If you use Kaseya VSA, disconnect your Kaseya VSA servers as instructed by Kaseya.

  2. Immediately install the newly released security update from Microsoft for the Print Spooler vulnerability (also referred to as the PrintNightmare vulnerability).

  3. Continue to monitor for information from Kaseya and Microsoft for any new steps you may need to take.

Disconnect Kaseya VSA servers

Kaseya makes software to help manage computers and servers. On July 2, 2021, Kaseya learned that they experienced an attack trying to spread ransomware to the computers and servers managed with their software. An indirect attack like this is sometimes referred to as a supply chain attack and is similar to the SolarWinds attacks in December 2020.

This “chain” of attack becomes more complicated because many of the same end customers who use Kaseya VSA and could be at risk are also using this product as customers of managed service providers (MSPs). These customers may not think of themselves as “Kaseya customers” but instead customers of their specific MSP, even though in this situation, they’re at risk as users of Kaseya’s VSA product. 

Kaseya has been working to prevent the spread of ransomware through their product and they have given clear guidance for their customers for now: If you have a Kaseya VSA server, you should take it offline until further notice from Kaseya.

This step breaks the “chain” in this supply chain attack and is the best step that any Kaseya customer can take. This can prevent the ransomware payload that attackers placed in the Kaseya distribution chain from reaching and infecting your systems.

If you are the customer of an MSP who uses Kaseya, you might not have a Kaseya VSA server yourself: your MSP may have it. The best thing you can do here is to contact your MSP and ask them if they’re aware of Kaseya’s guidance, what they’re doing in response to it, and which steps you’ll need to take in order to stay protected.

Kaseya has indicated that this step is a temporary step to protect their customers while they work on this situation. They expect to instruct their customers to take their VSA servers back online once their investigation and remediation work is done.

Install the security update for the PrintNightmare vulnerability

On July 1, 2021, it was reported that there was a new unpatched vulnerability affecting the Print Spooler in all versions of Microsoft Windows. The Print Spooler is responsible for formatting, submitting and managing print jobs in Windows and runs by default on all systems with the same privileges as the operating system. A successful attack against this vulnerability could give an attacker complete control over the system. This is particularly dangerous for domain controllers because an attack against these systems could give someone complete control over the entire network, not just a single system.

As of July 6, 2021, Microsoft has released an emergency out-of-band security update to address this vulnerability.

It’s a mark of how serious this vulnerability is that not only has Microsoft released an emergency security update for it, but they’ve also released security updates for versions of Windows that are otherwise no longer supported.

What you should do in this situation is simple: Download and install this security update on every Windows system as soon as possible.

If you’re running a version of Windows that’s no longer supported, like Windows 7, you should also look to migrate to a version of Windows that is supported as soon as you can after installing this security update. Out-of-support versions of Windows are vulnerable to a number of other security vulnerabilities, and being on an out-of-support version is inherently unsafe and dangerous.
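To confirm that the update actually landed on a machine, the following PowerShell check can be run locally on each Windows system. It is an added example, not code from Microsoft or from the original post; the function name `Get-SpoolerPatchStatus` is hypothetical, and `KB0000000` is a placeholder for the KB number Microsoft lists for your Windows version.

```powershell
# Added example: local check for the Print Spooler security update.
# Assumption: $KbId is supplied by you from Microsoft's advisory for this
# Windows version; the post itself does not list KB numbers.
function Get-SpoolerPatchStatus {
    param(
        [Parameter(Mandatory)]
        [string] $KbId
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    # Get-HotFix writes a non-terminating error when the ID is absent.
    $hotfix  = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OS                 = $os.Caption
        Build              = $os.BuildNumber
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        IsDomainController = $cs.DomainRole -ge 4
        SpoolerStatus      = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        UpdateInstalled    = [bool]$hotfix
        InstalledOn        = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

$status = Get-SpoolerPatchStatus -KbId 'KB0000000'   # placeholder KB id
$status | Format-List

if (-not $status.UpdateInstalled) {
    # A later cumulative update that supersedes this KB will not match the
    # ID, so confirm against Windows Update history before re-installing.
    Write-Warning "$($status.Computer): $($status.OS) does not list the update."
    if ($status.IsDomainController) {
        Write-Warning 'This host is a domain controller: patch it first.'
    }
}
```

The `OS` field also makes it easy to spot machines still on an out-of-support Windows version that need to be migrated after patching.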

As of right now, there are no known widespread attacks against this vulnerability. 

Continue to monitor for new information

Both of these situations are still in progress and new information can (and will) develop. For instance, Kaseya has indicated that their customers should be prepared to bring their Kaseya VSA servers back online when instructed to do so.

Also, whenever there is an emergency patch like the one that Microsoft has released, there’s always a chance that there will be new developments after it has been released.

For these reasons, after taking the steps outlined in this post, you should continue to watch the Kaseya and Microsoft websites for any further steps.

If you take the aforementioned steps and continue to monitor for new information, you will have done all you can to most effectively protect yourself, your systems and your business from these two major concurrent security events.
