Kovrr will be attending RSA 2023!

Meet our team


A Summer of Exploits

March 21, 2022

Over the past few weeks several dramatic vulnerabilities were exposed in different ubiquitous products and platforms, including the Microsoft Windows OS, the Solarwinds Serv-U Managed File Transfer and Serv-U Secure FTP products, and Kaseya’s services.

1. Print Night Mare
2. Print Nightmare Update
3. Kaseya's Clients Important Notice
4. CISA's public alert
5. Reuters Article about Data ransom
6. Microsoft's emergency patch fails
7. SolarWinds Zero-day vulnerability
8. SolarWinds alerted by Microsoft
9. Kaseya restores services

Summary of the Events


What happened? On July 2nd, a cyber attack was launched against the IT solutions company Kaseya. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform to over 40,000organizations worldwide.The cyberattack has been attributed to the REvil/Sodinikibi ransomware group whose ransomware was first detected in April 2019. The group’s usual propagation method is phishing emails containing malicious links. Some of the group’s most prominent victim industries in the last two years were healthcare facilities and local governments. REvil has offered a decryption key, allegedly universal - able to unlock all encrypted systems, for the ‘bargain’ price of $70 million via bitcoin (BTC) cryptocurrency. On July 13th, all of REvil’s online activity stopped and the groups data-dump websites were shut down without further information, leaving the victims of their latest attacks hostage with encrypted files and no valid payment address or decryption keys.

Who was impacted? On July 2nd Kaseya claimed that the attack affected only a small number of on-premise clients, In a press release published on July 5th the company estimated that the number of clients impacted by the attack is between 800 and 1500 businesses.


What happened? On June 8th, Microsoft published a CVE advisory for a vulnerability in the Windows PrintSpooler service which is enabled by default in all Windows clients and servers across almost all modern Windows versions. This vulnerability was initially categorized as a low severity local privilege escalation (LPE) vulnerability by Microsoft and a patch for it was released on June 21st. A week later, researchers published a successful PoC of the exploitation and claimed that the vulnerability is in fact a high severity RCE and PE vulnerability. On July 1st, a separate vulnerability in the same Windows Print Spooler service was discovered, similar to the first vulnerability, this new “PrintNightmare’’ was also a RCE andLPE vulnerability that would allow attackers system privileges with which they could install programs; view, change, or delete data; or create new accounts with full user rights.After the high severity of the vulnerability was acknowledged, Microsoft published an out-of band patch on July 6th and claimed to have fully addressed the public vulnerability. However, on July 7th researchers presented additional successful PoCs and claimed that the patch can be bypassed.

Who was impacted? This vulnerability affects all modern unpatched client and server versions of Windows.According to Kaspersky, the vulnerability was already exploited but no further information regarding victims is currently available.


What happened? On July 9th, Solarwinds published an announcement claiming that they were informed by Microsoft of an exploited zero-day vulnerability in their Serv-U Managed File Transfer and Serv-U Secure FTP products.On July 10th, Solarwinds released a patch to fix the vulnerability and claimed that this event is unrelated to the Solarwinds supply chain attack that occurred in December of 2020.The vulnerability allows an attacker to run arbitrary code with privileges, and then install programs; view, change, or delete data; or run programs on the affected system.

Who was impacted? According to the latest published information the alleged victims of the attack are nine U.S. agencies and 100 private companies, although it is claimed that SolarWinds is unaware of the identity of the potentially affected customers. The identity of the attackers also remains unknown at the moment.

Case Study - Kaseya

RansomwareAs the scope and identity of this event’s victims remains mainly unknown it is hard to assess the exact financial damage the affected companies would suffer. In order to demonstrate the potential damage of this event, Kovrr has produced a demo portfolio of 1500 companies containing elements of a typical company buying affirmative cyber insurance coverage in the market. The companies’ sizes, industries, and locations in the portfolio were based on information and ratios from multiple news reports regarding the attack. The financial damage calculation of the portfolio shows that large companies suffer the biggest losses in this situation and account for 69% of the overall damage while being only 7% of all companies in the portfolio.

Geniya Brass Gershovich

Cyber Intelligence Analyst

Ask for a demo
By providing my contact information and ticking the box below, I agree to Kovrr's Privacy Policy and consent to communications from kovrr at the contact information provided.
Thank you!
Your submission has been received!
Oops! Something went wrong while submitting the form.

More Reports

See all Reports