Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005.
Tracked as CVE-2021-3438 (CVSS score: 8.8), the issue concerns a buffer overflow in a print driver installer package named “SSPORT.SYS” that can enable remote privilege and arbitrary code execution. Hundreds of millions of printers have been released worldwide to date with the vulnerable driver in question.
However, there is no evidence that the flaw was abused in real-world attacks.
“A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege,” according to an advisory published in May.
The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, following which remedies have been published for the affected printers as of May 19, 2021.
Specifically, the issue hinges on the fact that the printer driver doesn’t sanitize the size of the user input, potentially allowing an unprivileged user to escalate privileges and run malicious code in kernel mode on systems that have the buggy driver installed.
“The vulnerable function inside the driver accepts data sent from User Mode via IOCTL (Input/Output Control) without validating the size parameter,” SentinelOne researcher Asaf Amir said in a report shared with The Hacker News. “This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user. Essentially, this allows attackers to overrun the buffer used by the driver.”
Interestingly, it appears that HP copied the driver’s functionality from a near-identical Windows driver sample published by Microsoft, although the sample project in itself doesn’t contain the vulnerability.
This is not the first time security flaws have been discovered in old software drivers. Earlier this May, SentinelOne revealed details about multiple critical privilege escalation vulnerabilities in Dell’s firmware update driver named “dbutil_2_3.sys” that went undisclosed for more than 12 years.
SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.
The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn’t clear exactly how the attack was carried out.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” SolarWinds said in an advisory published Friday, adding it’s “unaware of the identity of the potentially affected customers.”
Affecting Serv-U version 15.2.3 HF1 and before, a successful exploitation of the shortcoming (CVE-2021-35211) could enable an adversary to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.
As indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. Disabling SSH access on the Serv-U installation also prevents compromise.
The issue has been addressed in Serv-U version 15.2.3 hotfix (HF) 2.
SolarWinds also stressed in its advisory that the vulnerability is “completely unrelated to the SUNBURST supply chain attack” and that it does not affect other products, notably the Orion Platform, which was exploited to drop malware and dig deeper into the targeted networks by suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.
A string of software supply chain attacks since then has highlighted the fragility of modern networks and the sophistication of threat actors in identifying hard-to-find vulnerabilities in widely used software to conduct espionage and drop ransomware, in which hackers shut down the systems of businesses and demand payment to allow them to regain control.
This week, PrintNightmare, Microsoft’s Print Spooler vulnerability (CVE-2021-34527), was upgraded from ‘Low’ to ‘Critical’ criticality.
This is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.
As we reported earlier, Microsoft already released a patch in June 2021, but it wasn’t enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can).
Print Spooler in a nutshell: Print Spooler is Microsoft’s service for managing and monitoring file printing. This service is among Microsoft’s oldest and has received minimal maintenance updates since it was released.
Every Microsoft machine (servers and endpoints) has this feature enabled by default.
PrintNightmare vulnerability: As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.
Your best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators’ workstations, direct internet-facing workstations, and non-printing workstations).
This is what Dvir Goren, hardening expert and CTO at CalCom Software Solutions, suggests as your first move towards mitigation.
Follow these steps to disable the Print Spooler service on Windows 10:
Open Start.
Search for PowerShell, right-click it and select Run as administrator.
Type the following command and press Enter: Stop-Service -Name Spooler -Force
Run this command to prevent the service from starting again after a restart: Set-Service -Name Spooler -StartupType Disabled
According to Dvir’s experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.
In large and complex infrastructures, it can be challenging to locate where Print Spooler is used.
Here are a few examples where Print Spooler is required:
When using Citrix services,
Fax servers,
Any application that requires virtual or physical printing of PDFs, XPS files, etc.; billing services and payroll applications, for example.
Here are a few examples when Print Spooler is not needed but enabled by default:
Domain Controller and Active Directory – the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers.
Member servers such as SQL, File System, and Exchange servers.
Machines that do not require printing.
A few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:
Replace the vulnerable Print Spooler protocol with a non-Microsoft service.
By changing ‘Allow Print Spooler to accept client connections’, you can restrict users’ and drivers’ access to the Print Spooler to groups that must use it.
Disable Print Spooler callers in the Pre-Windows 2000 compatibility group.
Make sure that Point and Print is not configured to No Warning – check registry key SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoElevationOnInstall for DWORD value 1.
Turn off EnableLUA – check registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA for DWORD value 0.
Here’s what you need to do next to ensure your organization is secure:
Identify where Print Spooler is being used on your network.
Map your network to find the machines that must use Print Spooler.
Disable Print Spooler on machines that do not use it.
For machines that require Print Spooler – configure them in a way to minimize its attack surface.
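The identify, map, disable procedure above as a script, which is an added example and not code from the article or from CalCom: it inventories the Spooler over WinRM on a list of hosts, compares each one with an allow-list of machines that genuinely print, and only with -Enforce applies the two Stop-Service/Set-Service commands from the Windows 10 steps. It assumes WinRM is enabled, that the caller is an administrator on every target, that the article’s registry keys live under HKLM, and that the Point and Print value is named NoWarningNoElevationOnInstall as in Microsoft’s guidance; the host names are constructed placeholders.

```powershell
# Added example (not from the article or CalCom): inventory Print Spooler across hosts,
# decide per host from an allow-list, and disable the service where it is not needed.
param(
    [string[]]$Computers      = @('dc01.corp.example', 'sql01.corp.example', 'print01.corp.example'),
    [string[]]$PrintAllowList = @('print01.corp.example'),
    [switch]$Enforce          # report only unless this switch is given
)

# Keys from the article's checklist (HKLM hive assumed). On the Point and Print key,
# Microsoft's guidance names the value NoWarningNoElevationOnInstall; 1 means driver
# installs proceed without a warning or elevation prompt.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$audit = {
    param($PnpKey, $UacKey)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnp = Get-ItemProperty -Path $PnpKey -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $status = 'NotInstalled'; $start = 'n/a'
    if ($svc) { $status = $svc.Status.ToString(); $start = $svc.StartType.ToString() }
    # Win32_ComputerSystem.DomainRole 4 or 5 means this host is a domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        SpoolerStatus                 = $status
        SpoolerStartType              = $start
        IsDomainController            = ($role -ge 4)
        NoWarningNoElevationOnInstall = $pnp.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pnp.UpdatePromptSettings
        EnableLUA                     = $uac.EnableLUA
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $audit `
                          -ArgumentList $PnpKey, $UacKey -ErrorAction Continue

foreach ($r in $results) {
    $target        = $r.PSComputerName                 # added by Invoke-Command
    $needsPrinting = $PrintAllowList -contains $target  # case-insensitive match
    $findings      = @()

    if ($r.SpoolerStatus -eq 'Running' -and -not $needsPrinting) {
        $findings += 'Spooler running on a host that is not on the print allow-list'
    }
    if ($r.IsDomainController -and $r.SpoolerStatus -eq 'Running') {
        $findings += 'Spooler running on a domain controller'
    }
    if ($r.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'Point and Print driver installs run with no warning or elevation (value 1)'
    }
    if ($needsPrinting -and $r.SpoolerStatus -eq 'Running') {
        $findings += 'Printing host: keep Spooler but restrict client connections per the checklist'
    }

    # One report row per host; Findings is empty when nothing needs attention.
    [pscustomobject]@{
        Computer  = $target
        Spooler   = "$($r.SpoolerStatus)/$($r.SpoolerStartType)"
        DC        = $r.IsDomainController
        EnableLUA = $r.EnableLUA
        Findings  = ($findings -join '; ')
    }

    # Same two commands the article gives, applied remotely to hosts that do not print.
    $spoolerPresent = $r.SpoolerStatus -ne 'NotInstalled'
    $notYetOff      = ($r.SpoolerStatus -eq 'Running') -or ($r.SpoolerStartType -ne 'Disabled')
    if ($Enforce -and -not $needsPrinting -and $spoolerPresent -and $notYetOff) {
        Invoke-Command -ComputerName $target -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}
```

Run it without -Enforce first and review the Findings column against your own allow-list before letting it disable anything.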
Besides this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can’t load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler requires.
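A detection script for the log check just described, added here as an example and not taken from the article: it pulls plug-in load failures from the PrintService/Admin log for the last N hours, groups them by module path, and flags the patterns worth a second look while keeping the article’s caveat that a broken but legitimate driver produces the same event. It assumes the caller is a local administrator (or holds remote event log rights when -ComputerName is given), that the event is ID 808 (“The print spooler failed to load a plug-in module …”), and that the module path and error code can be parsed from that message text; the driver store path is the standard Windows location.

```powershell
# Added example (not from the article): summarise Print Spooler plug-in load failures.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    Id        = 808                       # "The print spooler failed to load a plug-in module"
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No spooler plug-in load failures on $ComputerName in the last $Hours h."
    return
}

# Legitimate print drivers live in the spooler driver store; a module anywhere else is
# unusual. Repeated failures for one module in a short window are also unusual, though a
# legitimate DLL that the spooler needs but cannot load raises the very same event.
$driverStore = 'C:\Windows\System32\spool\DRIVERS\'
$isLocal     = ($ComputerName -eq $env:COMPUTERNAME)

$rows = foreach ($e in $events) {
    $module = $null; $code = $null
    # Assumed message shape: "... plug-in module <path>, error code <n> ..."
    if ($e.Message -match 'plug-in module (.+?), error code (0x[0-9A-Fa-f]+|\d+)') {
        $module = $Matches[1]; $code = $Matches[2]
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Module = $module; ErrorCode = $code; Raw = $e.Message }
}

$rows | Group-Object -Property Module | ForEach-Object {
    $module = $_.Name
    $flags  = @()
    if (-not $module) {
        $flags += 'unparsed message; inspect Raw'
    } else {
        if (-not $module.StartsWith($driverStore, 'OrdinalIgnoreCase')) {
            $flags += 'module outside the driver store'
        }
        if ($_.Count -ge 3) {
            $flags += "$($_.Count) failures in ${Hours}h"
        }
        # Hash the file (local host only) so it can be compared with a known-good driver inventory.
        if ($isLocal -and (Test-Path -LiteralPath $module)) {
            $flags += 'sha256=' + (Get-FileHash -LiteralPath $module -Algorithm SHA256).Hash
        }
    }
    [pscustomobject]@{
        Module   = $module
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Flags    = ($flags -join '; ')
    }
}
```

A module that fails once from the driver store is usually an ordinary driver problem; a module outside the driver store, or a fresh hash you cannot match to a deployed driver, is what to escalate.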
The final recommendation from Dvir is to implement these recommendations through hardening automation tools. Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down.
After choosing your course of action, a hardening automation tool will discover where Print Spooler is enabled, where it is actually used, and disable or reconfigure it automatically.
and other Chinese app makers tumbled on Tuesday after regulators intensified a crackdown on the country’s New York-listed technology companies.
Didi Global (ticker: DIDI) stock fell more than 25% on Tuesday after Beijing’s Cyberspace Administration ordered app stores to remove the Chinese ride-hailing giant’s services from its platforms on Sunday.
The cybersecurity regulator widened its attack on Monday, launching a review of two U.S.-listed Chinese app makers: Full Truck Alliance (YMM), which operates truck-hailing apps, and online recruiting app Kanzhun (BZ).
The regulator ordered the companies to stop adding users while the investigations were conducted, The Wall Street Journal reported. Full Truck Alliance stock was 20% lower in New York premarket trading on Tuesday, while Kanzhun was down 9%.
And on Tuesday, China released guidelines through state-run Xinhua News Agency that would revise rules and strengthen supervision for companies listed in overseas markets, according to the Journal. The additional scrutiny could make it harder for Chinese companies to raise money in the U.S.,
A spokesperson for Full Truck Alliance told Barron’s the company would fully cooperate with the regulator during the cybersecurity process, saying, “FTA is conducting a comprehensive self-examination of any potential cybersecurity risks and will continue to improve its cybersecurity systems and technology capabilities.”
The spokesperson added: “Apart from the suspension of new user registration in China, FTA and its mobile applications maintain normal operation.”
The trio of Chinese app makers went public in the U.S. last month.
Ahead of Didi’s initial public offering, which raised $4.4 billion, reports emerged the company was facing an antitrust probe by China’s State Administration for Market Regulation (SAMR) over whether its pricing mechanism is transparent enough and whether it has been unfairly squeezing out smaller rivals.
Didi made its U.S. debut on Wednesday before attracting the attention of another regulator on Sunday. The cyberspace regulator removed Didi’s Chinese services from their platforms, citing illegal collection of personal data, the Journal reported.
“China is cracking down on big tech, but the decision to remove the app from domestic platforms appears to be timed for maximum impact and embarrassment,” said Markets.com analyst Neil Wilson. “China’s Communist Party is bristling at the number of Chinese companies listing in the U.S. this year, but there is genuine concern at the heart of this—regulators are not impressed with the way Didi and other Chinese tech companies handle data,” he added.
Wedbush analyst Brad Gastwirth struck a similar note, writing that “while Chinese regulators are pointing to Didi’s collection of user data as the impetus for their actions, with the move coming right after its US IPO, there is speculation that China targeting Didi because of its decision to list outside of China.”
In a statement, Didi said that users who had already downloaded and installed the app could continue using it, though it would no longer be available in China.
“The Company will strive to rectify any problems, improve its risk prevention awareness and technological capabilities, protect users’ privacy and data security, and continue to provide secure and convenient services to its users,” Didi said on Sunday. “The Company expects that the app takedown may have an adverse impact on its revenue in China.”
Kanzhun said on Monday it would fully cooperate during the review process. “The Company plans to conduct a comprehensive examination of cybersecurity risks and continue to enhance its cybersecurity awareness and technology capabilities.”
Perhaps not unrelated, Chinese social-media company Weibo (WB) on Tuesday jumped 15% on reports it’s planning to go private.
Write to Callum Keown at callum.keown@dowjones.com
Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.
The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.
More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in at least 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET.
Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.
REvil Demands $70 Million Ransom
Active since April 2019, REvil (aka Sodinokibi) is best known for extorting $11 million from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.
The group is now asking for a $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by file-encrypting ransomware.
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” the REvil group posted on their dark web data leak site.
Kaseya, which has enlisted the help of FireEye to help with its investigation into the incident, said it intends to “bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers.”
On-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding it’s in the process of readying the fix for release on July 5.
CISA Issues Advisory
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory, urging customers to download the Compromise Detection Tool that Kaseya has made available to identify any indicators of compromise (IoC), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
“Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software,” Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email.
“We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers.”
By compromising a software supplier to target MSPs, which in turn provide infrastructure or device-centric maintenance and support to other small and medium businesses, the incident once again underscores the importance of securing the software supply chain. It also highlights how hostile actors continue to advance their financial motives by combining the twin threats of supply chain attacks and ransomware to strike hundreds of victims at once.
“MSPs are high-value targets — they have large attack surfaces, making them juicy targets to cybercriminals,” said Kevin Reed, the chief information security officer at Acronis. “One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.”
Tech companies are turning their attention to statehouses across the country as a wave of local bills opens a new frontier in the push to limit Silicon Valley’s power.
Arizona, Maryland and Virginia are among states where lawmakers are seeking to limit the power of tech companies like Alphabet Inc.’s Google and Apple Inc. on a range of issues, from online privacy and digital advertisements to app-store fees. State policy proposals have bipartisan support from lawmakers who want to temper companies’ influence and financial clout, which have grown during the pandemic.
Google, Apple and others are hiring local lobbyists and immersing themselves in the minutiae of proposed legislation, according to state representatives. Tech companies face potential rules that would curb the reach of their platforms, crimp revenues with taxes or force them to facilitate additional privacy disclosures.
While federal lawmakers have held hearings and are in discussions about policies to regulate tech companies, debates and votes could occur in states first. If passed, state laws matter because they can become de facto national standards in the absence of federal action, as with California’s 2018 privacy law, which gave consumers both the right to access personal information that businesses collect from them and the right to request that data be deleted and not sold.
Facebook Inc. initially opposed the California measures, but supported them after they took effect. Companies such as Microsoft Corp. have opted to honor the new rules across the country.
“So much has happened since California passed the original [data] privacy act” in 2018, said Sam McGowan, a senior analyst at policy research firm Beacon Policy Advisors LLC. Lawmakers’ concerns now stretch well beyond privacy to such topics as anticompetitive behavior and how social-media companies police content, he said.
In Arizona, a closely watched bill regarding app-store payments has cleared the state House and is expected to be debated in the Senate in the next several weeks. The legislation would free some software developers from fees that Apple and Google place on apps, which can run up to 30% of sales from paid apps and in-app purchases. App developers would be able to charge people directly through the payment system of their choice. The bill would apply to Arizona-based app developers and consumers yet could set a wider precedent.
Republican state Rep. Regina Cobb, the legislation’s chief sponsor, said the bill is about “consumer protection and transparency,” and said a final vote could take place within the next month. Ms. Cobb said she believes there are sufficient votes to pass the bill in the narrowly divided Senate. Apple and Google have lobbied heavily against the bill, Ms. Cobb said.
Apple declined to comment on lobbying in Arizona. A company spokeswoman said Apple “created the App Store to be a safe and trusted place for users to download the apps they love and a great business opportunity for developers. This legislation threatens to break that very successful model and undermine the strong protections we’ve put in place for customers.”
Google declined to comment on the legislation or any lobbying efforts in the state.
In February, Maryland lawmakers passed legislation that would tax the revenue of companies such as Google, Facebook and Amazon.com Inc. from digital ads. This month Virginia Gov. Ralph Northam signed into law new privacy rules similar to those in California, with added limits on the consumer data that companies can collect online.
Washington state has introduced privacy legislation. Some states have targeted online content moderation, with Texas proposing a measure that would prohibit social-media companies from banning users based on their viewpoints. New York state recently looked into changing its antitrust laws to make it easier for it to sue tech companies.
States may have an easier path to pass laws than Congress does, Mr. McGowan said, because many state governments have fairly short legislative sessions lasting a few weeks or months, meaning bills can swiftly make their way through committees and to votes.
Tech companies’ soaring growth and influence during the pandemic has raised urgency at the state level, according to Robert Siegel, a lecturer in management and a business-strategy researcher at Stanford University.
The biggest five companies—Amazon, Google, Facebook, Apple and Microsoft—all saw staggering growth in 2020, as stuck-at-home Americans and businesses turned to online shopping, software and cloud-computing services, smart devices and video streaming. Those companies’ combined revenue grew by a fifth, to $1.1 trillion, and their collective market capitalization soared to $8 trillion during the pandemic.
Given the stakes and what some view as the inevitability of more regulation, tech companies must play a more active role in influencing legislation, Mr. Siegel said. Facebook and Google are among tech companies now calling for federal rules on issues such as data privacy and artificial intelligence.
“Large technology companies have no choice but to engage,” Mr. Siegel said. “So much money has been made by these companies, and that has everyone gunning for them. They have a size and scale and reach that nobody has.”
Facebook Vice President of State and Local Policy Will Castleberry said the company “will continue to support bills that are good for consumers, but a patchwork approach to privacy doesn’t give the consistency or clarity that consumers or businesses need. That’s why we hope Congress will pass a national privacy law.”
Technology companies have stepped up legislative spending at different levels of government recently. Facebook and Amazon outspent all other U.S. companies in federal lobbying last year, The Wall Street Journal reported in January.
Facebook spent nearly $20 million, up about 18% from the previous year, while Amazon spent about $18 million last year, up about 11%. Apple disclosed $6.7 million in lobbying spending, down from a record $7.4 million in 2019, and Google also reported a drop, spending $7.5 million. Google and Facebook are facing multiple antitrust lawsuits, and Amazon and Apple have been the subject of preliminary inquiries that could advance further under the Biden administration.
States are also using courts to seek change. A Colorado-led coalition of attorneys general filed an antitrust suit against Google in December over its dominance in online search. Meanwhile, California is looking into how Amazon treats sellers in its online marketplace, and authorities in Connecticut are investigating how Amazon sells and distributes digital books.
Amazon declined to comment.
Write to Sebastian Herrera at Sebastian.Herrera@wsj.com and Dan Frosch at dan.frosch@wsj.com
China-based government hackers have exploited a bug in Microsoft’s email server software to target U.S. organizations, the company said Tuesday.
Microsoft said that a “highly skilled and sophisticated” state-sponsored group operating from China has been trying to steal information from a number of American targets, including universities, defense contractors, law firms and infectious-disease researchers.
Microsoft said it has released security upgrades to fix the vulnerabilities in its Exchange Server software, which is used for work email and calendar services, mostly by larger organizations that run their own in-house email servers. It doesn’t affect personal email accounts or Microsoft’s cloud-based services.
The company said the hacking group it calls Hafnium was able to trick Exchange servers into allowing it to gain access. The hackers then masqueraded as someone who should have access and created a way to control the server remotely so that they could steal data from an organization’s network.
Microsoft said the group is based in China but operates from leased virtual private servers in the U.S., which helps it avoid detection.
The company declined to name any specific targets or say how many organizations were affected.
Reston, Virginia-based cybersecurity firm Volexity, which Microsoft credits for helping to detect the intrusions, said its network security monitoring service began picking up on a suspiciously large data transfer in late January.
“They’re just downloading email, literally going to town,” said Steven Adair, Volexity’s president, who said the targets have included “defense contractors, international aid and development organizations, the NGO think-tank community.”
Adair said he’s concerned that the hackers are going to accelerate their activity in the coming days before organizations are able to install Microsoft’s security upgrades.
“As bad as it is now, I think it’s about to get a lot worse,” he said. “This gives them a limited amount of opportunity to go and exploit something. The patch isn’t going to fix that if they left their backdoor behind.”
A hacker claims to have stolen files belonging to the global law firm Jones Day and posted many of them on the dark web.
Jones Day has many prominent clients, including former President Donald Trump and major corporations.
Jones Day, in a statement, disputed that its network has been breached. The statement said that a file-sharing company that it has used was recently compromised and had information taken. Jones Day said it continues to investigate the breach and will continue to be in discussion with affected clients and appropriate authorities.
The posting by a person who self-identified as the hacker, who goes by the name Clop, includes a few individual documents that are easily reviewed by the public, including by The Wall Street Journal. One memo is to a judge and is marked “confidential mediation brief,” another is a cover letter for enclosed “confidential documents.” The Journal couldn’t immediately confirm their authenticity.
The Journal was able to see the existence of many more files—mammoth in size—also purported to belong to Jones Day, posted by the hacker on the so-called dark web. Hackers typically post such stolen information after the hacked entity fails to pay a ransom. The Journal was able to contact the hacker using an email on its blog.