Kaseya - REvil Ransomware Distributed via Compromise at IT Solutions Provider

By Jonathan Leach, Cyber Security Analyst, CyberGuard Technologies:

Summary



Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update to Kaseya's IT management software, hitting around 40 customers worldwide in a widespread supply-chain ransomware attack.

The following statement was shared on Friday by the company’s CEO, Fred Voccola:

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”

Available information indicates that PINCHY SPIDER, or an affiliate, compromised Kaseya via unknown means and used that access to deliver REvil to victims via Kaseya’s VSA product.

Kaseya has acknowledged “a potential attack against the VSA that has been limited to a small number of on-premise customers.” Other sources reported multiple managed service providers (MSPs) using the VSA product were victimized in this incident.

Details / IOCs

CrowdStrike Falcon OverWatch observed Kaseya’s monitor process write a single, encoded file to disk and execute a series of commands to disable security controls, decode a payload, and execute REvil. The encoded payload (agent.crt) is written to a staging directory (often C:\kworking) and is decoded and executed with the following series of cmd.exe commands:


  1. ping 127.0.0[.]1 -n 4786 is executed to provide an initial delay
  2. PowerShell is used to disable Microsoft Windows Defender-related security controls
  3. The Windows Certificate Utility (certutil.exe) is copied to C:\Windows\cert.exe
  4. cert.exe is executed to decode agent.crt to agent.exe in the staging directory
  5. The encoded payload (agent.crt) is deleted
  6. The payload (agent.exe) is executed


The agent.exe payload is a dropper that contains REvil ransomware and a legitimate Microsoft Windows Defender executable. The dropper writes the ransomware payload to C:\Windows\mpsvc.dll and the Windows Defender executable to C:\Windows\MsMpEng.exe, then executes the latter using CreateProcessW. This legitimate Microsoft Windows Defender executable was signed on 2014-03-24 01:34:00 (UTC) and is vulnerable to DLL search-order hijacking. Once executed, this signed, legitimate Microsoft binary loads and executes the REvil ransomware binary (mpsvc.dll) from the same directory. Technical analysis of the REvil payload is still ongoing.
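To turn the six-step command chain and the MsMpEng.exe search-order hijack described above into detection logic, the following added example (not part of the original report or of any vendor tooling) runs a handful of simple rules over constructed process-creation events. The event format, the Defender install directories and the ping threshold are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not from the original report), one per line as
# "parent image | image path | command line"; the last event is a benign Defender start for contrast.
SAMPLE_EVENTS = r"""
AgentMon.exe | C:\Windows\System32\cmd.exe | cmd /c ping 127.0.0.1 -n 4786 > nul
cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmd.exe | C:\Windows\System32\cmd.exe | cmd /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
cmd.exe | C:\Windows\cert.exe | C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
cmd.exe | c:\kworking\agent.exe | c:\kworking\agent.exe
agent.exe | C:\Windows\MsMpEng.exe | C:\Windows\MsMpEng.exe
services.exe | C:\Program Files\Windows Defender\MsMpEng.exe | MsMpEng.exe
"""

# Assumptions: Defender normally runs from these directories; a loopback ping with more echoes is a sleep.
DEFENDER_DIRS = (r"c:\program files\windows defender", r"c:\programdata\microsoft\windows defender")
PING_DELAY_THRESHOLD = 300

def rule_ping_delay(image, cmdline):
    m = re.search(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", cmdline, re.I)
    return bool(m) and int(m.group(1)) >= PING_DELAY_THRESHOLD

def rule_defender_tamper(image, cmdline):
    return image.lower().endswith("powershell.exe") and bool(re.search(r"mppreference.*-disable", cmdline, re.I))

def rule_certutil_copied(image, cmdline):
    return bool(re.search(r"\bcopy\b.*certutil\.exe", cmdline, re.I))

def rule_renamed_certutil_decode(image, cmdline):
    # certutil's -decode switch invoked by a binary that is not named certutil.exe
    return "-decode" in cmdline.lower() and not image.lower().endswith("certutil.exe")

def rule_msmpeng_outside_defender_dir(image, cmdline):
    low = image.lower()
    return low.endswith("msmpeng.exe") and not low.startswith(DEFENDER_DIRS)

RULES = {
    "loopback ping used as execution delay": rule_ping_delay,
    "PowerShell disabling Defender preferences": rule_defender_tamper,
    "certutil.exe copied under another name": rule_certutil_copied,
    "renamed certutil decoding a payload": rule_renamed_certutil_decode,
    "MsMpEng.exe started outside the Defender install directory": rule_msmpeng_outside_defender_dir,
}

def detect(events_text):
    """Return (rule name, image path) for every event that matches a rule."""
    hits = []
    for line in events_text.strip().splitlines():
        _parent, image, cmdline = (part.strip() for part in line.split("|", 2))
        hits.extend((name, image) for name, rule in RULES.items() if rule(image, cmdline))
    return hits

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

Each of the five malicious events trips exactly one rule while the Defender process started from its normal directory does not; the MsMpEng.exe location rule is the one that catches the hijack regardless of which payload DLL is planted beside it.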

Indicators of compromise (IOCs) observed in connection with this activity are listed in Table 1:

Table 1: IOCs related to July 2021 Kaseya Incident

DESCRIPTION                             FILE NAME    SHA256 HASH
REvil Dropper, Encoded                  agent.crt    bca0cf628473f78c3d906641d682984677ffd56587a62fe9a5643386a80d14b0
REvil Dropper, Decoded                  agent.exe    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
REvil Ransomware                        mpsvc.dll    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
Legitimate Windows Defender executable  MsMpEng.exe  33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a


Mitigation recommendations

The following mitigation guidance applies to this specific activity:

  • Kaseya has issued a statement advising Kaseya customers to immediately shut down their VSA servers until further notice.
  • A new Compromise Detection Tool will be available to Kaseya VSA customers. Request it by sending an email to [email protected] with the subject “Compromise Detection Tool Request”.
  • All On-Premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations.


For further details and the latest updates from Kaseya:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021



Sources:

- https://falcon.crowdstrike.com/intelligence

- https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html

- https://www.theverge.com/2021/7/2/22561252/revil-ransomware-attacks-systems-using-kaseyas-remote-it-management-software

- https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html

- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain