This security advisory was published in July 2021 following reports that a number of managed service providers (MSPs) became victims of a ransomware attack perpetrated by the REvil group through Kaseya VSA. The following is a summary of the attack, the CFC’s response, and initial recommendations for mitigation.
Summary of the Kaseya VSA Supply Chain Attack
On July 2, 2021, a large-scale supply chain attack by the REvil ransomware group affected multiple Managed Service Providers (MSPs) and leveraged the MSPs' Kaseya VSA instances to infect the MSPs' clients. As of this writing, the attack campaign has affected around 60 MSPs and over 1,500 end clients.
The attack was executed by compromising self-hosted Kaseya VSA servers. The threat actors appear to have gained access by abusing authentication bypass and command injection bugs in the management web UI. Once the threat actors had access to the VSA servers, they quickly locked legitimate users out of the systems and delivered a malicious payload to end-user systems through the compromised IT management tool.
The Kudelski Security Cyber Fusion Center (CFC) and Kudelski Group were not affected, as Kaseya VSA is not used internally or externally.
Systems Affected by the Kaseya VSA Attack
All self-hosted VSA servers are affected. Unfortunately, there is currently no patch available. Therefore it is strongly recommended to keep the servers shut down.
Overview of the Kaseya VSA Attack
Once the threat actors gained initial access to VSA servers, they locked out administrators and leveraged VSA's update mechanism to deploy their malware as a base64-encoded ".crt" file.
The threat actors then ran a command that used PowerShell cmdlets to disable Windows Defender Antivirus protections and certutil to decode the file, saving the result in the Kaseya agent's c:\kworking working directory on the endpoint (a directory that was typically excluded from AV scanning, as recommended by Kaseya).
Finally, the decoded agent.exe malware dropper was launched by the Kaseya agent process, agentmon.exe, and so inherited its SYSTEM-level privileges.
The malware dropper extracted from the encoded agent.crt file carried a valid code-signing signature with the following details:
Signer name: PB03 TRANSPORT LTD.
Signer email: Brouilettebusiness@outlook[.]com
Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB (https://sectigo[.]com/)
Serial #: 119acead668bad57a48b4f42f294f8f0
Because the signature is valid, a policy that trusts any signed binary does not stop this dropper; the signer name and certificate serial number above are the values to block or hunt for.
Once executed, the dropper writes the following files to the c:\Windows path:
- MsMpEng.exe: a legitimate but very outdated Windows Defender executable
- Mpsvc.dll: the encryptor payload, compiled as a dynamic link library that is sideloaded by the outdated Defender executable when it starts
Known associated IOCs (SHA256) include:
- agent.exe: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
- mpsvc.dll: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
- mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
The threat actors appear to have performed initial exploitation activity from the following IP addresses:
- 18.223.199[.]234 (Amazon Web Services)
- 161.35.239[.]148 (Digital Ocean)
- 35.226.94[.]113 (Google Cloud)
- 162.253.124[.]162 (Sapioterra)
CFC Monitoring & Response
Kudelski Security’s Cyber Fusion Center has been actively monitoring this attack campaign and continues to track the situation to keep our clients updated. The CFC will perform threat hunting on the IOCs listed in this advisory and any updated IOCs released in the future.
Additionally, the techniques leveraged by the threat actors in this attack campaign are not unique or novel. Several threat actors have leveraged PowerShell cmdlets to disable security solutions in the past and often use the Certutil binary to decode or download malicious files. The CFC is able to actively monitor and respond to these techniques leveraging Endpoint Detection and Response (EDR) tooling.
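The following is an added threat-hunting example, not code from Kudelski Security, Kaseya, or the original advisory. It turns the tradecraft described above (PowerShell tampering with Defender, certutil decoding a payload into c:\kworking under the Kaseya agent, and the MsMpEng.exe/mpsvc.dll sideload pair dropped into c:\Windows) into checks that run over process-creation events and a file inventory, and it matches the SHA256 IOCs listed in this advisory. The event fields, the constructed command line, the Kaseya install path and the placeholder hashes are assumptions modelled on the behaviour described here, not captured data.

```python
"""Hunting checks for the Kaseya VSA / REvil tradecraft described in this advisory.

Added example; the sample events and file records are CONSTRUCTED to resemble
Sysmon-style process-creation records and an endpoint file listing.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# SHA256 IOCs listed in the advisory (lower-case for comparison).
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (dropper)",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll (encryptor)",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll (encryptor)",
}

# Set-MpPreference switches that turn Defender protections off; match within one command segment.
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\b[^&|]*?-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|"
    r"IntrusionPreventionSystem|BehaviorMonitoring)\b", re.IGNORECASE)
# certutil used as a decoder or downloader. Any ".exe -decode" is accepted as well, because
# attackers commonly run a renamed copy of certutil (general evasion, not specific to this advisory).
CERTUTIL_ABUSE = re.compile(
    r"(?:\bcertutil(?:\.exe)?|\.exe)\s+[-/](?:decode|decodehex|urlcache)\b", re.IGNORECASE)
# Write into the Kaseya agent working directory, which the advisory notes is often AV-excluded.
KWORKING = re.compile(r"[a-z]:\\kworking\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class FileRecord:
    path: str
    sha256: str


def hunt_process(ev: ProcessEvent) -> list[str]:
    """Return the names of the detections that fire on one process-creation event."""
    hits = []
    cl = ev.command_line
    if DEFENDER_DISABLE.search(cl):
        hits.append("defender_disabled_via_set_mppreference")
    if CERTUTIL_ABUSE.search(cl):
        hits.append("certutil_decode_or_download")
        if KWORKING.search(cl):
            hits.append("decode_into_kaseya_kworking")
    parent = ev.parent_image.lower().rpartition("\\")[2]
    if parent == "agentmon.exe" and len(hits) >= 2:
        # The Kaseya agent runs as SYSTEM; a chain it launches that both tampers with
        # Defender and decodes a payload is the pattern described in this advisory.
        hits.append("kaseya_agent_launched_tampering_chain")
    return hits


def hunt_files(files: list[FileRecord]) -> list[str]:
    """Flag IOC hash matches and a Defender binary dropped beside its DLL outside its install dir."""
    hits = []
    by_dir: dict[str, set[str]] = {}
    for f in files:
        directory, _, name = f.path.lower().rpartition("\\")
        by_dir.setdefault(directory, set()).add(name)
        label = IOC_SHA256.get(f.sha256.lower())
        if label:
            hits.append(f"ioc_hash_match:{label}:{f.path}")
    for directory, names in by_dir.items():
        # Legitimate MsMpEng.exe lives under a "Windows Defender" directory; c:\Windows is not one.
        if {"msmpeng.exe", "mpsvc.dll"} <= names and "windows defender" not in directory:
            hits.append(f"defender_sideload_pair_outside_install_dir:{directory}")
    return hits


# Constructed sample data (assumed paths; the Kaseya folder name ACME123 is a placeholder).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files (x86)\Kaseya\ACME123\AgentMon.exe",
                 r"cmd.exe /c powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                 r"-DisableIOAVProtection $true -DisableScriptScanning $true & certutil -decode "
                 r"c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt & "
                 r"c:\kworking\agent.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 "powershell.exe Get-MpComputerStatus"),                        # benign admin check
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files (x86)\Kaseya\ACME123\AgentMon.exe",
                 r"cmd.exe /c echo done > c:\kworking\result.txt"),             # benign Kaseya script
]
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\MsMpEng.exe", "0" * 64),                            # placeholder hash
    FileRecord(r"C:\Windows\mpsvc.dll", "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"),
    FileRecord(r"C:\Program Files\Windows Defender\MsMpEng.exe", "1" * 64),     # legitimate location
    FileRecord(r"C:\Program Files\Windows Defender\MpSvc.dll", "2" * 64),
    FileRecord(r"c:\kworking\agent.exe", "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"),
]


def run_hunt() -> dict:
    """Run every check over the constructed samples and return the alerts."""
    return {"process_alerts": [hunt_process(e) for e in SAMPLE_EVENTS],
            "file_alerts": hunt_files(SAMPLE_FILES)}


if __name__ == "__main__":
    for section, alerts in run_hunt().items():
        print(section, alerts)
```

The process checks only escalate to the Kaseya-specific alert when two independent behaviours coincide under agentmon.exe, so ordinary Kaseya scripts that write into c:\kworking stay quiet; the file check keys on the dropped pair's location rather than the hash of the outdated MsMpEng.exe, since that legitimate binary is not in the IOC list.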
Patching Kaseya VSA
Kaseya’s R&D team has been able to replicate the attack vector and is working on remediating the exploited vulnerabilities and preparing the necessary patches.
Temporary Mitigations for the Attack
Kaseya put all Kaseya-hosted VSA servers that are part of Kaseya’s SaaS solution in maintenance mode to prevent further exploitation.
Self-hosted VSA servers should remain shut down until Kaseya provides a patch for the issue.