
About: Cloudstar

Recent Posts by Cloudstar

Cyber Security Incident Updates

As a reminder, cyber security incident updates can be found HERE


Cybersecurity Incident Update August 6th

We have continued to advance our restoration efforts and we now anticipate that we will be able to recover the majority of our customer data. Nevertheless, this process is very complex, and due to the extensive impact that this event had on our systems we are unable to provide a definitive ETA. We expect that this overall process will take several weeks of continued diligent effort. That said, we are continuing to work directly with individual customers to answer their questions and facilitate the return of their data when it is safe to do so.

The singular focus of everyone at our company remains the safe and efficient restoration of our customers' data and helping them continue their operations as best as we possibly can. We once again thank you for your patience and understanding during this incredibly challenging time.


Cybersecurity Incident Update July 28

Since our previous update, we have continued to work around the clock to assess the recoverability of customer data. While this process remains ongoing, we are beginning to reach out to certain customers individually in specific instances in which we have identified a path to data recovery. We are committed to providing our customers with updates as soon as we have more information.

The singular focus of everyone at our company is restoring our customers' data and helping them continue their operations as best as we possibly can. We once again thank you for your patience and understanding during this incredibly challenging time for all impacted by this attack.


Cybersecurity Incident Update July 23

We are continuing to work around the clock in partnership with third-party cybersecurity experts to prepare to reconnect as many of our customers as possible with their data as quickly as we are able to. Due to the extensive nature of this attack, we are still unable to provide a definitive restoration timeline. We are still in contact with law enforcement and are working diligently with our customers to keep them informed and help them continue their business operations as best as possible.

Thank you again for your continued patience and understanding as we work through this incredibly challenging situation.


Cybersecurity Incident Update July 20

Tuesday July 20

We are continuing to work around the clock with our third-party experts to investigate the nature and scope of this attack. We are meticulously scanning our systems to determine exactly which ones were impacted by malware, and which ones may still be viable and/or clean to bring back online. We have also been staying in close contact with law enforcement and working with our customers to relay as much information as possible to help them meet their business needs and make go-forward decisions that are in their best interests and those of the industry.

As soon as we have a definitive timeline to share in terms of when we will be back up and running, we will do so. We are still very much in the containment and remediation phase and appreciate our valued partners' patience at this time.


Cybersecurity Incident Update July 19

Monday, July 19

Cloudstar is working around the clock to progress our restoration efforts and is committed to keeping our stakeholders informed of our latest updates. Please see below for the current status of our investigation:

 

What happened: On Friday, July 16, Cloudstar discovered it was the victim of a highly sophisticated ransomware attack. Due to the nature of this attack, our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline. Our Office 365 mail services, email encryption offering and some support services are still fully operational.

 

Are all Cloudstar services down?: No. Currently, our Office 365 mail services, email encryption offering, and technical support services are still fully operational and secure. Customers utilizing those services can continue to do so confidently as we work to restore additional systems.

 

When will you know more?: We are working diligently to address this matter as quickly as possible and will keep our stakeholders informed of our progress. Due to the nature of this attack, we do not have a definitive restoration timeline.

 

Was any of my information stolen?: At this time, it is too early to speculate about what data may have been impacted. We are working diligently to address this matter as quickly as possible while investigating the scope of this incident and will keep our stakeholders informed of our progress.

 

How can I keep up to date on the latest updates?: Please refer to our security incident updates posted on https://www.mycloudstar.com/system-status/ for the latest updates on our investigation and restoration process.


Cybersecurity Incident Update

Sunday, July 18

What happened: On Friday, July 16, Cloudstar discovered it was the victim of a highly sophisticated ransomware attack. Due to the nature of this attack, our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline. Our Office 365 mail services, email encryption offering and some support services are still fully operational.

 

What we are doing: Cloudstar has retained third-party forensics experts Tetra Defense to assist us in our recovery efforts and also informed law enforcement. Negotiations with the threat actor are ongoing. Additionally, we have informed all of our customers and are committed to helping them through this and working in the best interest of the industry. We will continue to investigate this incident and provide updates to our customers as we have additional information to share.

 

What is next: We are working diligently to address this matter as quickly as possible and will keep our stakeholders informed. As we continue to investigate and respond to this incident, we will provide updates as appropriate. 

 

This is an incredibly difficult time for Cloudstar but more importantly, for our customers, whose trust we value so highly. Please check back for updates.


Possible Service Interruption

Cloudstar is currently experiencing a service interruption which is affecting a portion of our customers. The support team will provide additional information as it becomes available.

We apologize for the inconvenience.


Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

Click HERE to get the patch from 0patch. The post below is reproduced from the 0patch blog.

by Mitja Kolsek, the 0patch Team


[Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.]

 

Update 7/5/2021: Security researcher cube0x0 discovered another attack vector for this vulnerability, which significantly expands the set of affected machines. While the original attack vector was the Print System Remote Protocol [MS-RPRN], the same attack delivered via the Print System Asynchronous Remote Protocol [MS-PAR] does not require a Windows server to be a domain controller, or a Windows 10 machine to have UAC (User Account Control) disabled or PointAndPrint NoWarningNoElevationOnInstall enabled. Note that our patches for Servers 2019, 2016, 2012 R2 and 2008 R2 issued on 7/2/2021 are effective against this new attack vector and do not need to be updated.

 

Introduction

The June 2021 Windows Updates brought a fix for CVE-2021-1675, originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsoft's advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later the advisory was updated to change "Local Code Execution" to "Remote Code Execution".

This CVE ID would probably have remained one of the boring ones without the surprise publication of a proof-of-concept for a remote code execution vulnerability called PrintNightmare, presented as being CVE-2021-1675. Security researchers Zhiniang Peng and Xuefeng Li, who published this POC, believed that their vulnerability had already been fixed by Microsoft, and saw other researchers slowly leaking details, so they decided to publish their work as well.

It turned out that PrintNightmare was not, in fact, CVE-2021-1675 – and the published details and POC were for a yet unpatched vulnerability that turned out to allow remote code execution on all Windows Servers from version 2019 back to at least version 2008, especially if they were configured as domain controllers.

The security community went scrambling to clear up the confusion, identify the conditions for exploitability, and find workarounds in the absence of an official fix from Microsoft. Meanwhile, PrintNightmare started getting actively exploited. Microsoft confirmed it to be a separate vulnerability from CVE-2021-1675, assigned it CVE-2021-34527, and recommended that affected users either disable the Print Spooler service or disable inbound remote printing.

In addition to Microsoft’s recommendations, workarounds gathered from the community included removing Authenticated Users from the “Pre-Windows 2000 Compatible Access” group, and setting permissions on print spooler folders to prevent the attack.

All of these mitigations can have unwanted and unexpected side effects that break functionality in production (1, 2, 3), including some unrelated to printing.

Patching the Nightmare

 

Long story short, our team at 0patch has analyzed the vulnerability and created micropatches for different affected Windows versions, starting with those most critical and most widely used:

  1. Windows Server 2019 (updated with June 2021 Updates)
  2. Windows Server 2016 (updated with June 2021 Updates)
  3. Windows Server 2012 R2 (updated with June 2021 Updates)
  4. Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates) 
  5. Windows 10 v20H2 (updated with June 2021 Updates)
  6. Windows 10 v2004 (updated with June 2021 Updates) 
  7. Windows 10 v1909 (updated with June 2021 Updates) 
  8. Windows 10 v1903 (updated with June 2021 Updates)
  9. Windows 10 v1809 (updated with May 2021 Updates – latest before end of support)
  10. Windows 10 v1803 (updated with May 2021 Updates – latest before end of support)
  11. Windows 10 v1709 (updated with October 2020 Updates – latest before end of support)

 

[Note: Additional patches will be released as needed based on exploitability on different Windows platforms.]

Our micropatches prevent the APD_INSTALL_WARNED_DRIVER flag in the dwFileCopyFlags argument of AddPrinterDriverEx from bypassing the object access check; that bypass is what allowed the attack to succeed. We believe that the "install warned drivers" functionality is rarely used, and breaking it in exchange for securing Windows machines from trivial remote exploitation is a good trade-off.

Micropatches for PrintNightmare will be free until Microsoft has issued an official fix. If you want to use them, create a free account at 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboots will be needed.

Compatibility note: Some Windows 10 and Server systems exhibit occasional timeouts in the Software Protection Platform Service (sppsvc.exe) when running 0patch Agent. This looks like a bug in the Windows Code Integrity mitigation, which prevents a 0patch component from being injected into the service (which is okay) but sometimes also does a lot of seemingly meaningless processing that causes process startup to time out. As a result, various licensing-related errors can occur. The issue, should it occur, can be resolved by excluding sppsvc.exe from 0patch injection as described in this article.

Frequently Asked Questions

Q: Which Windows versions are affected by PrintNightmare?

Answer updated 7/5/2021: Due to the discovery of a new attack vector, which also affects non-DC servers and Windows 10 machines in their default configuration, the set of affected Windows platforms has significantly expanded. The current status, according to our tests, is this:

  • Windows Server 2019, whether DC or not – affected
  • Windows Server 2016, whether DC or not – affected
  • Windows Server 2012 R2, whether DC or not – affected
  • Windows Server 2012 non-R2, whether DC or not – not affected
  • Windows Server 2008 R2, whether DC or not – affected
  • Windows Server 2008 non-R2, whether DC or not – not affected
  • Windows Server 2003, whether DC or not – not affected
  • Windows 10 (all versions), domain-joined – not affected
  • Windows 10 (all versions), non domain-joined – affected
  • Windows 7 – not affected

 

Our remote attacks on Windows 10 were so far not successful against domain-joined Windows 10 machines, where the attack would be most worrisome. We were so far only able to launch the exploit using credentials of a local user on a non-domain Windows 10 machine, and such credentials are likely not known to an attacker. So these tests so far only confirm a possible local privilege escalation (a local user exploiting PrintNightmare to gain local System privileges).

 

Original answer (before the 7/5/2021 update): Our current understanding is that without any custom configuration and with June 2021 Windows Updates applied, only Windows Servers that act as a domain controller are affected (confirmed for versions 2012, 2016 and 2019). The reason seems to be that when a server is a domain controller, a Pre-Windows 2000 Compatible Access group is created for legacy compatibility, and the Authenticated Users group is a member of this group. This makes all domain users members of the Pre-Windows 2000 Compatible Access group, which is an important piece of the puzzle for exploiting this vulnerability.

However, non-DC servers and Windows 10 systems with June 2021 updates can also be vulnerable in at least these cases:

  • UAC (User Account Control) is completely disabled [source], or
  • PointAndPrint NoWarningNoElevationOnInstall is enabled [source].
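The conditions listed above (UAC disabled, PointAndPrint NoWarningNoElevationOnInstall enabled, Authenticated Users in Pre-Windows 2000 Compatible Access on a domain controller) and Microsoft's two recommended mitigations from the introduction (disable the Print Spooler, or disable inbound remote printing) can be checked and applied from an elevated PowerShell session. The following is an added example and is not code from the 0patch post or from Cloudstar. The function names and the output object are this example's own; the registry value names are, to the best of the editor's knowledge, the documented backing values for the "Point and Print Restrictions" and "Allow Print Spooler to accept client connections" policies, and should be verified against your own policy templates before relying on them. The localspl.dll version and hash are reported so you can match a host against the specific monthly update levels the micropatch list targets.

```powershell
# Added example (not from the 0patch post or Cloudstar): inventory a host's
# PrintNightmare exposure and apply one of the two Microsoft-recommended
# mitigations. Run elevated. Function names and the -Mode switch are this
# example's own; registry paths are the assumed policy backing values.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # "Allow Print Spooler to accept client connections": 2 = Disabled
    # (no inbound remote printing); 1 or absent = remote clients accepted.
    $rpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # Point and Print: NoWarningNoElevationOnInstall = 1 lets non-admins
    # install drivers silently, one of the two non-DC conditions in the FAQ.
    $pnp = Join-Path $PrintersPolicy 'PointAndPrint'
    $noWarn = (Get-ItemProperty -Path $pnp -Name NoWarningNoElevationOnInstall `
                -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall

    # UAC: EnableLUA = 0 means UAC is completely disabled, the other condition.
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $sysPol -Name EnableLUA `
                   -ErrorAction SilentlyContinue).EnableLUA

    # DomainRole 4 (backup DC) or 5 (primary DC) marks a domain controller.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # On a DC, Authenticated Users (S-1-5-11) appears in the group as a
    # foreign security principal, so match on SID rather than display name.
    $authUsersInLegacyGroup = $false
    if ($isDc -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ActiveDirectory
        $members = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access'
        $authUsersInLegacyGroup = [bool]($members | Where-Object { $_.SID.Value -eq 'S-1-5-11' })
    }

    # Identify the spooler binary the micropatches are applied to; a vendor
    # update replaces it and changes this hash.
    $spl = Get-Item "$env:SystemRoot\System32\localspl.dll"

    [pscustomobject]@{
        SpoolerRunning          = [bool]($spooler -and $spooler.Status -eq 'Running')
        InboundRemotePrinting   = ($rpc -ne 2)
        UacDisabled             = ($enableLua -eq 0)
        PnPNoWarningNoElevation = ($noWarn -eq 1)
        IsDomainController      = $isDc
        LegacyGroupHasAuthUsers = $authUsersInLegacyGroup
        LocalsplVersion         = $spl.VersionInfo.FileVersion
        LocalsplSha256          = (Get-FileHash -Path $spl.FullName -Algorithm SHA256).Hash
    }
}

function Invoke-PrintNightmareMitigation {
    param(
        [ValidateSet('DisableSpooler', 'DisableInboundRemotePrinting')]
        [string]$Mode = 'DisableInboundRemotePrinting'
    )
    switch ($Mode) {
        'DisableSpooler' {
            # Microsoft option 1: stops all printing on this host, local included.
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
        'DisableInboundRemotePrinting' {
            # Microsoft option 2: keep local printing, refuse remote clients.
            # Equivalent to the GPO set to Disabled; the spooler must restart.
            New-Item -Path $PrintersPolicy -Force | Out-Null
            Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -Value 2 -Type DWord
            Restart-Service -Name Spooler
        }
    }
}

# Usage: review first, then pick the mitigation your print workload tolerates.
Get-PrintNightmareExposure | Format-List
# Invoke-PrintNightmareMitigation -Mode DisableInboundRemotePrinting
```

Run the exposure check across your fleet before touching anything: a print server or a DC that also serves print queues will break if you choose DisableSpooler, and the post above warns that even the milder workarounds have had side effects outside printing. The group-membership check only reports; removing Authenticated Users from Pre-Windows 2000 Compatible Access is the community workaround the post mentions and is deliberately left as a manual, reviewed change.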

 

 

Q: How about Windows systems without June 2021 Windows Updates?

We believe that without June 2021 Windows Updates, all supported Windows systems, i.e., all servers from 2012 up and all Windows 10 systems, are affected [source].

 

Q: What will happen with these micropatches when Microsoft issues their own fix for PrintNightmare?

First off, we absolutely recommend that you install all available security updates from original vendors. When Microsoft fixes PrintNightmare, their update will almost certainly replace localspl.dll, where the vulnerability resides and where our micropatches are applied. Applying the update will therefore change the cryptographic hash of this file, and 0patch will stop applying our micropatches to it. You won't have to do anything in 0patch (such as disabling a micropatch); this happens automatically by 0patch design.

When the official fix is available, our micropatches will stop being free, and will fall under the 0patch PRO license. This means that if you wish to continue using them (and many other micropatches that the PRO license includes), you will have to purchase the appropriate amount of licenses.

Q: We have a lot of affected computers. How can we prepare for the next Windows 0day?

Obviously deploying 0patch in an enterprise production environment on a Friday afternoon is not something most organizations would find optimal. As with any enterprise software, we recommend testing 0patch with your existing software on a group of testing computers before deploying across your network. Please contact [email protected] for setting up a trial, and when the next 0day like this comes out, you’ll be ready to just flip a switch in 0patch Central and go home for the weekend.

Credits

We’d like to thank Will Dormann of CERT/CC for behind-the-scenes technical discussion that helped us understand the issue and decide on the best way to patch it.

Please revisit this blog post for updates or follow 0patch on Twitter.

 


Cloudstar to Sponsor & Exhibit at 2021 National Settlement Services Summit

Cloudstar is pleased to sponsor the 2021 National Settlement Services Summit (NS3). This year's conference will be held August 31st – September 2nd, 2021 in beautiful Naples, Florida.

NS3 is the premier annual destination for all professionals involved in the real estate transaction to come together for unrivaled networking and education including:

  • Executives
  • Title agents
  • Underwriters
  • Attorneys
  • Settlement services providers
  • Real estate agents
  • Mortgage lenders
  • Compliance officers
  • Technology solution providers
  • Regulators
  • Sales and marketing managers
  • Operations officers

What is NS3?

NS3 brings together more than 700 professionals from across the country for an educational experience unlike any other. For three days a roster of expert speakers and noted industry veterans share their experience with their partners across the real estate transaction.

Attendees return year after year to earn CE/CLE credits, learn about the latest strategies to advance their businesses and to stay current on regulatory developments. NS3 2021 will continue to offer numerous networking events all included in the price of registration!

Cloudstar looks forward to meeting with many of our customers, colleagues, and industry friends; we wish everyone safe travels!
