Attackers prey on remote access infrastructure and web application flaws as entry points into the network. A vulnerability is an exposure that can be exploited; it may take the form of a software defect, a configuration error, or basic human error. Ransomware strains increasingly use software vulnerabilities as the initial attack vector, with ransomware groups targeting the Oracle WebLogic (CVE-2019-2729) and Pulse Secure (CVE-2019-11510) vulnerabilities. These flaws tend to be older and well known, so it is essential to continuously assess the entire attack surface as the environment changes and new vulnerabilities appear, especially web applications, remote access infrastructure, and Operational Technology (OT).
As information about new vulnerabilities is discovered and released into the public domain, Tenable Research writes plugins to detect them. Each plugin contains vulnerability information, a simplified set of remediation actions, and the algorithm used to test for the presence of the security issue. Tenable Research has published over 165,000 plugins, which can be found on the Tenable Plugins Page.
Zero-day vulnerabilities are a unique class of vulnerabilities because no patch is available for them. Organizations, both benign and malicious, strive to keep knowledge of zero-day vulnerabilities private: the former to buy time until a patch is developed and tested, and the latter so the flaws can be more easily exploited. The tricky part is when a zero-day vulnerability becomes public before a patch is available, triggering a mad scramble in which malicious attackers exploit the vulnerability while security professionals research, test, and deploy patches and on-the-fly mitigations, such as an IPS signature. Vulnerabilities in widely used libraries, such as log4j and Apache Struts, present a larger nightmare, since these libraries are used by many applications that all must be patched and tested before deployment. Commonly, zero-day patches are updated as more information about the vulnerability is discovered. Once patches or mitigations are in place, Nessus can be run with the appropriate plugins to verify that the vulnerability is no longer remotely exploitable.
While the release of a zero-day vulnerability certainly causes headlines, other attacks generate a news frenzy because of their impact. Such headline attacks can cause headaches for harried security professionals who must repeatedly report to management and third parties where the organization stands in relation to the attack. The good news is that organizations that keep up to date with patching and mitigation can produce dashboards that demonstrate readiness for such an attack.
On July 2, 2021, MSPs using Kaseya Virtual System Administrator (VSA) were targeted by a coordinated ransomware attack attributed to REvil, one of the world's most active Ransomware-as-a-Service (RaaS) groups. Tenable's Security Response Team (SRT) published a blog post regarding this attack, which can be viewed here: CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware. Tenable has released plugins that will detect the presence of Kaseya VSA and the Kaseya Agent for Windows, as well as Indicators of Compromise (IoCs) that relate to the Kaseya ransomware attack.
| Plugin ID | Plugin Name | Type | Severity |
|---|---|---|---|
| 151371 | Kaseya Agent Installed (Windows) | Local | Informational |
| 151372 | Kaseya Virtual System Administrator (VSA) Detection | Remote | Informational |
| 151424* | Potential exposure to Kaseya VSA ransomware attack | Local | Critical |
*Plugin 151424: Potential exposure to Kaseya VSA ransomware attack detects the potential presence of agent.exe or agent.crt IoCs on remote host machines. This can indicate that the host might have been targeted in the Kaseya VSA ransomware attack. Tenable strongly recommends manually verifying the results and taking appropriate remediation actions, if the compromise is confirmed.
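To illustrate what a host-side IoC sweep of the kind plugin 151424 performs looks like, here is an added example written for this page (not Tenable's plugin code): it walks a directory tree for the two filenames named above and records hash, size and timestamp for the manual verification the plugin description calls for. The root directory, record layout and sample tree are assumptions, and the sample files are constructed, not real artifacts.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Filenames the page cites as potential Kaseya VSA attack IoCs (plugin 151424).
IOC_FILENAMES = {"agent.exe", "agent.crt"}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked so large binaries need not fit in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_for_iocs(root):
    """Return one record per file under `root` whose name matches an IoC filename.
    A name match is only a *potential* hit; hash, size and mtime are recorded so an
    analyst can verify it manually, as the plugin description advises."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in IOC_FILENAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                st, digest = os.stat(path), sha256_of(path)
            except OSError:  # unreadable, or removed between listing and stat
                continue
            hits.append({"name": name.lower(), "path": path, "size": st.st_size,
                         "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                         "sha256": digest})
    return hits


def run_demo():
    """Build a constructed sample tree (assumed layout, not real malware) and sweep it."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "work", "sub"))
        for rel, data in [("work/agent.crt", b"constructed sample, not a certificate\n"),
                          ("work/Agent.EXE", b"MZ constructed sample\n"),
                          ("work/sub/readme.txt", b"benign file\n")]:
            with open(os.path.join(base, *rel.split("/")), "wb") as f:
                f.write(data)
        return sweep_for_iocs(base)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"POTENTIAL IoC: {hit['path']} sha256={hit['sha256']} -> verify manually")
```

The match is case-insensitive because NTFS is case-insensitive, and a hit is reported as potential only; a legitimate file with the same name produces the same record.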
For more information about displaying and tracking common exploits in the environment, see the Defending Against Ransomware (ACT) Dashboard Widget explanations.