Kaseya supply chain attack delivers mass ransomware event to US companies | by Kevin Beaumont | Jul, 2021 | DoublePulsar

Kaseya VSA is a solution commonly used by MSPs (Managed Service Providers) in the United States and United Kingdom to manage their clients' systems. Kaseya's website claims they have over 40,000 customers.
Four hours ago, an apparent auto-update in the product delivered REvil ransomware.
By design, VSA has administrator rights down to client systems, which means that Managed Service Providers who are infected then infect their clients' systems.
Infected systems look like this:

How this first unfolded
Initial entry was via a zero-day vulnerability in Kaseya VSA, CVE-2021-30116 (the CVE has been allocated for this issue, but details have not yet been entered into the CVE database). More CVEs may be issued.
So even on the latest version at the time of the attack, attackers could remotely execute commands on the VSA appliance. Technical details of how to exploit the vulnerability are not being provided until the patch is available.
It is not a great sign that a ransomware gang has a zero-day in a product used widely by Managed Service Providers, and it shows the continued escalation of ransomware gangs, which I've written about before.
Kaseya are preparing a software update to fix the vulnerability, which will be available in the coming days; until then, they advise all customers to leave their VSA switched off.
Delivery of the ransomware is via an automated, fake software update using Kaseya VSA. The attacker immediately cuts off administrator access to the VSA and then adds a task called "Kaseya VSA Agent Hot-fix". This fake update is then deployed across the estate, including to MSP clients' systems, as if it were a management agent update. The "management agent update" is actually REvil ransomware. To be clear, this means organisations that are not Kaseya's customers were still encrypted.
These files are dropped on client systems:

Propagation
Kaseya VSA is designed to allow administration of systems with high-level privileges, so the ransomware can push itself to systems. The attackers pushed a management agent update, which is automatically installed on all managed systems, which means very wide impact.
Additionally, Kaseya recommends antivirus exclusions on some folders, and those folders are used during deployment of this malware:

Tampering with Microsoft Defender for Endpoint
The following command is run, which:
Disables Real Time Monitoring
Disables IPS
Disables Cloud Lookup
Disables script scanning
Disables Controlled Folder Access (ransomware prevention feature)
Disables Network Protection
Stops cloud sample submission
powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
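As an added detection example (not code from the original post), the function below takes process-creation events (host plus command line) and reports which of the Defender-weakening Set-MpPreference switches from the command above each host has run. The sample events are constructed; a genuine change such as re-enabling real-time monitoring is left unflagged.

```python
from typing import Dict, List, Tuple

# Switches and values the Kaseya deployment used to weaken Defender,
# taken from the Set-MpPreference command shown above (lower-cased).
TAMPER_FLAGS = {
    "-disablerealtimemonitoring": "$true",
    "-disableintrusionpreventionsystem": "$true",
    "-disableioavprotection": "$true",
    "-disablescriptscanning": "$true",
    "-enablecontrolledfolderaccess": "disabled",
    "-enablenetworkprotection": "auditmode",
    "-mapsreporting": "disabled",
    "-submitsamplesconsent": "neversend",
}

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("WS-0142", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
                "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
                "-SubmitSamplesConsent NeverSend"),
    # Legitimate admin use: turning real-time monitoring back on, adding an exclusion.
    ("WS-0007", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false "
                "-ExclusionPath C:\\Build"),
    ("WS-0031", "cmd.exe /c whoami"),
]


def defender_tamper_flags(cmdline: str) -> List[str]:
    """Return the tampering switches in a command line whose value matches
    the weakening value above; an empty list means nothing suspicious."""
    if "set-mppreference" not in cmdline.lower():
        return []
    tokens = cmdline.split()
    hits = []
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower()
        if key in TAMPER_FLAGS and tokens[i + 1].lower() == TAMPER_FLAGS[key]:
            hits.append(tok)
    return hits


def scan_process_events(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the Defender-tampering switches seen in its command lines."""
    findings: Dict[str, List[str]] = {}
    for host, cmdline in events:
        hits = defender_tamper_flags(cmdline)
        if hits:
            findings.setdefault(host, []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, flags in scan_process_events(SAMPLE_EVENTS).items():
        print(f"{host}: {len(flags)} Defender settings weakened: {', '.join(flags)}")
```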
Tampering with other security products
The deployment also attempted to tamper with products for other vendors, such as Sophos.
Ransomware
The ransomware portion is REvil. It deliberately targets backup systems, to hinder restoration.
Statement from Kaseya
We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
IoCs
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
REvil ransomware configuration dump
Kaseya REvil configuration dump (github.com)
Digital signature used for signing
Name: PB03 TRANSPORT LTD.
Issuer: Sectigo RSA Code Signing CA
Thumbprint: 11FF68DA43F0931E22002F1461136C662E623366
Serial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0
Hunting
Crappy AHQ for Microsoft 365
ThreatHunting/KaseyaRansomwarePayload.ahq at master · GossiTheDog/ThreatHunting (github.com)
Finding running versions of Kaseya VSA in Microsoft Defender for Endpoint:
GossiTheDog/ThreatHunting (github.com): DeviceProcessEvents | where FolderPath contains "kaseya" | where FileName == "AgentMon.exe" | project DeviceName…