Kaseya VSA Supply-Chain Attack: Everything We Know...so far

-

On July 2nd, 2021, the IT management software company, Kaseya, disclosed to the public that they had a security incident on their hands impacting their on-premises version of Kaseya's Virtual System Administration (VSA) platform. Kaseya VSA is a cloud-based MSP platform used by customers to perform patch management and monitoring for clients. 

The company issued a security advisory warning customers to immediately shut down their VSA server to keep from propagating the malware.

"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA."

Security researchers, like John Hammond of Huntress, have attributed the ransomware deployments on what appears to be a supply-chain attack leveraged through Kaseya's VSA. The Kaseya VSA software drops an agent.crt file to the path < OS_Installed_Partition >:\kworking, distributed as an update titled 'Kaseya VSA Agent Hot-Fix'. Once this is done, a PowerShell command is executed that disabled multiple Microsoft Defender features like real-time monitoring, script planning, network protection and Controlled Folder Access. It then decodes the dropped agent.crt file using built-in Windows certutil.exe to extract agent.exe. This is then launched to begin encryption of the drive.

Signed by "PB03 TRANSPORT LTD", agent.exe includes an embedded "MsMpEng.exe" and "mpsvc.dll"; the latter of which being the REvil encryptor. Once these are extracted, both entities are placed in the < OS_Installed_Partition>:\Windows. TheMsMpEng.exe is a legacy version of a legitimate Microsoft Defender executable used as a LOLBin to execute the encryptor DLL and encrypt the drive(s) through a trusted executable.

This particular variant of REvil ransomware leverages multiple techniques to evade security controls. The malware is using a customized packer with the REvil payload being distributed as a portable executable with a modified header. This is most likely done to circumvent security products that are not capable of properly handling portable executable files that have been altered. The variant's binary has an embedded encrypted configuration, using RC4 at runtime. This configuration houses settings for the malware and is stored in a JSON format with the following parameters:
REvil will encrypt files not contained in the whitelisted filenames fields (stored in configurations). The malware reads each file before encrypting the contents and writing the results back to the original file to prevent recovery. Once encryption is finished, a footer is written to the end of each file and the encrypted file is renamed using a new extension. REvil combines use of Curve25519 (asymmetric) and Salsa20 (symmetric) encryption algorithms. Salsa20's encryption key is derived from the target's public key and secret key of the pair created for each file. In order to decrypt the files, the victim's secret key and file public key have to be known. REvil writes a footer that is 232 bytes (0xE8) at the end of every file and contains the following metadata:
After encryption, it's time for a ransom note. The REvil ransom note follows the following format:
{random alphanumeric characters} - readme.txt

The ransomware drops the content into a file from the img config value in the victim's Windows %temp% directory and adds a new wallpaper to using this file.

Currently, the REvil ransomware operator(s) are demanding $70 million in Bitcoin for a master decryption tool and have already leaked some details to their REvil ransomware leak site.

Indicators of Compromise
https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/tree/main/IOCs
agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Relevant Articles
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/
https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload
https://unit42.paloaltonetworks.com/revil-threat-actors/





Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more