This security advisory was published in July 2021 following reports that a number of managed service providers (MSPs) became victims of a ransomware attack perpetrated by the REvil group through Kaseya VSA. The following is a summary of the attack, the Cyber Fusion Center’s (CFC) response, and initial recommendations for mitigation.

Summary of the Kaseya VSA Supply Chain Attack

On July 2, 2021, a large-scale supply chain attack operation by the REvil ransomware group affected multiple Managed Service Providers (MSPs) and leveraged the MSPs’ Kaseya VSA instances to infect the MSPs’ clients. As of this writing, the attack campaign has affected 60 MSPs and over 1,500 end clients.

The attack was executed by compromising self-hosted Kaseya VSA servers. The threat actors appear to have gained access by abusing authentication bypass and command injection bugs present in the management web UI. Once the threat actors gained access to the VSA servers, they quickly locked legitimate users out of the systems and delivered a malicious payload to end user systems through the compromised IT management tool.

The Kudelski Security Cyber Fusion Center and Kudelski Group were not affected as this solution is not leveraged internally nor externally.

Systems Affected by the Kaseya VSA Attack

All self-hosted VSA servers are affected. Unfortunately, there is currently no patch available. Therefore, it is strongly recommended to keep the servers shut down.

Overview of the Kaseya VSA Attack

Once the threat actors gained their initial access to VSA servers, they locked out administrators and leveraged VSA’s update mechanism to deploy their malware as a base64-encoded “.crt” file.

The threat actors then used a PowerShell command to disable Windows Defender Antivirus, decode the file, and save it in the c:\kworking directory of the Kaseya VSA software (which was typically excluded from AV scanning, as recommended by Kaseya).

Finally, the agent.exe malware dropper was started by the Kaseya agentmon.exe binary, giving it SYSTEM-level privileges.

The malware dropper extracted from the encoded agent.crt file was digitally signed with a valid digital signature using the following information:

Name: PB03 TRANSPORT LTD.

Email: Brouilettebusiness@outlook[.]com

SUBJECT: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB

Serial #: 119acead668bad57a48b4f42f294f8f0

Issuer: https://sectigo[.]com/

Once executed, the dropper writes the following files to the c:\Windows path:

MsMpEng.exe – a legitimate but very outdated Windows Defender executable

Mpsvc.dll – the encryptor payload compiled as a dynamic link library that is sideloaded by the vulnerable Defender executable

Known associated IOCs (SHA256) include:

agent.exe (d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e)

mpsvc.dll (e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2)

mpsvc.dll (8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd)

The threat actors appear to have performed initial exploitation activity from the following IP addresses:

18.223.199[.]234 (Amazon Web Services)

161.35.239[.]148 (Digital Ocean)

35.226.94[.]113 (Google Cloud)

162.253.124[.]162 (Sapioterra)

CFC Monitoring & Response

Kudelski Security’s Cyber Fusion Center has been actively monitoring this attack campaign and continues to track the situation to keep our clients updated. The CFC will perform threat hunting on the IOCs listed in this advisory and any updated IOCs released in the future.

Additionally, the techniques leveraged by the threat actors in this attack campaign are not unique or novel. Several threat actors have leveraged PowerShell cmdlets to disable security solutions in the past and often use the Certutil binary to decode or download malicious files. The CFC is able to actively monitor and respond to these techniques leveraging Endpoint Detection and Response (EDR) tooling.
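The attack chain described in the overview above and the EDR-style monitoring described in this section can be expressed as a small set of detection rules. The following is an added example, not Kudelski Security’s or Kaseya’s code: the pipe-delimited process-creation record format, the rule names and the sample events are constructed for illustration, while the SHA256 values are the IOCs listed in this advisory.

```python
# Detection sketch for the Kaseya VSA / REvil chain in this advisory (added example).
# Events are a constructed pipe-delimited record: ts|parent_image|image|cmdline|sha256
import re

# SHA256 IOCs listed in the advisory (agent.exe dropper and two mpsvc.dll variants)
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll",
}

# One behavioural rule per stage; each takes an event whose fields are lower-cased.
RULES = {
    # PowerShell switching Defender features off
    "defender_tampering": lambda e: e["image"].endswith("powershell.exe")
        and re.search(r"set-mppreference\s+-disable", e["cmdline"]) is not None,
    # certutil decoding the staged base64 .crt payload
    "certutil_decode": lambda e: e["image"].endswith("certutil.exe")
        and " -decode " in e["cmdline"] and ".crt" in e["cmdline"],
    # Kaseya agent launching anything from the AV-excluded working directory
    "kworking_exec": lambda e: e["parent"].endswith("agentmon.exe")
        and e["image"].startswith("c:\\kworking\\"),
    # MsMpEng.exe running from c:\windows instead of a Defender install directory
    "msmpeng_misplaced": lambda e: e["image"].endswith("\\msmpeng.exe")
        and "windows defender" not in e["image"],
    # exact match against the published hashes
    "ioc_hash": lambda e: e["sha256"] in IOC_SHA256,
}

def parse_event(line):
    """Split one record; lower-case fields so path and cmdline matching is case-insensitive."""
    ts, parent, image, cmdline, sha256 = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(),
            "cmdline": cmdline.lower(), "sha256": sha256.lower()}

def scan(lines):
    """Return (timestamp, rule_name) for every rule each event trips, in log order."""
    hits = []
    for e in map(parse_event, filter(str.strip, lines)):
        hits.extend((e["ts"], name) for name, pred in RULES.items() if pred(e))
    return hits

# Constructed sample log: four events of the chain plus one benign PowerShell launch ("-" = no hash).
SAMPLE_LOG = """\
T1|C:\\Program Files\\Kaseya\\agentmon.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true|-
T2|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\certutil.exe|certutil -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe|-
T3|C:\\Program Files\\Kaseya\\agentmon.exe|C:\\kworking\\agent.exe|c:\\kworking\\agent.exe|d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
T4|C:\\kworking\\agent.exe|C:\\Windows\\MsMpEng.exe|C:\\Windows\\MsMpEng.exe|-
T5|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Date|-
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags T1 through T4 (T3 on both the kworking and hash rules) and leaves the benign T5 untouched; in practice the behavioural rules matter more than the hash rule, since the hashes change with every payload rebuild.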


Patching Kaseya VSA

Kaseya’s R&D team was able to replicate the attack vector and is working on remediating the malicious code and applying necessary patches.

Temporary Mitigations for the Attack

Kaseya put all Kaseya-hosted VSA servers that are part of Kaseya’s SaaS solution in maintenance mode to prevent further exploitation.

Self-hosted VSA servers should remain shut down until Kaseya provides a patch for the issue.
