News has been surfacing throughout the day on July 3, 2021, of a seemingly large ransomware attack affecting hundreds of organizations following a software supply chain compromise at the supplier of software to managed service providers (MSPs).
This incident is thought to have commenced with the compromise of 'Kaseya', a US-based software developer that supplies MSPs, and it is understood that their network management software, VSA, was used to deploy a ransomware threat to other organizations in a situation somewhat reminiscent of the SolarWinds supply chain attack.
According to reports, these 'downstream' victims have been identified as organizations in some seventeen countries across the world including those operating in Africa, Europe, South America and North America.
Whilst no threat actor has yet claimed responsibility for the attack, the big game hunter group 'REvil' were named as the perpetrators based on an analysis of the dropped ransomware payload.
Notably, REvil make no mention of this incident on their 'Happy Blog', a Tor onion site used to name and shame their extortion victims, and it is unclear if the group have stolen data during this incident for use in their typical double extortion schemes.
Based on a notice published by Kaseya on July 3, 2021 at 10:00hrs EDT, this incident was first identified at around 12:00hrs EST on Friday July 2, 2021 as the exploitation of a vulnerability within their 'Kaseya VSA' product.
Kaseya VSA is an endpoint management and network monitoring tool (Figure 1) used by managed service providers (MSPs). It is therefore an ideal target for compromise as, by design, it will likely have full administrative privileges on any client system in order to perform common tasks such as patch management.
Figure 1 - Kaseya VSA (https://www.kaseya.com/products/vsa/)
Having identified the incident, Kaseya shut down their software-as-a-service (SaaS) servers as a precautionary measure and advised their customers to shut down any on-premise VSA server.
Post-compromise, it is understood that the group responsible for the attack shifted their attention to users of the VSA system and, reportedly taking advantage of the product's patch management functionality, delivered a REvil ransomware threat as well as resetting administrative access to ensure that the threat actor would retain control of any compromised host.
Believed to have been configured as a rogue task named 'Kaseya VSA Agent Hot-fix', the threat was then deployed to all client machines which, in the case of an MSP victim, would include the delivery of the ransomware payload to their customers.
As such, the impact of the incident is far more wide-reaching than the relatively small number of 'Kaseya customers' and will have impacted customers of their customers.
Having been delivered to a victim machine, the rogue update process uses PowerShell to disable multiple features within Windows Defender:
- Disable real-time monitoring:
  - DisableRealtimeMonitoring $true
- Disable the Intrusion Prevention System (IPS), used to protect against the exploitation of known vulnerabilities:
  - DisableIntrusionPreventionSystem $true
- Prevent downloaded files and attachments from being scanned:
  - DisableIOAVProtection $true
- Disable the scanning of scripts:
  - DisableScriptScanning $true
- Disable ransomware protection:
  - EnableControlledFolderAccess Disabled
- Curiously, set the network protection feature, used to protect users from dangerous domains, to AuditMode, which results in sites that 'would have been blocked' being logged in the Microsoft-Windows-Windows Defender/Operational event log with Event ID 1125:
  - EnableNetworkProtection AuditMode
- Prevent malicious samples from being shared with Microsoft:
  - MAPSReporting Disabled
  - SubmitSamplesConsent NeverSend
With Windows Defender disabled, the Windows certificate utility, certutil.exe, is used to decode a dropped certificate file in c:\kworking\agent.crt leading to the extraction of a signed executable in the same directory named agent.exe.
The script then deletes the initial agent.crt file, and executes agent.exe which drops an older version of the legitimate Windows Defender executable, MsMpEng.exe, as well as the REvil ransomware payload, mpsvc.dll, into the Windows (%WINDIR%) directory.
Utilizing this old Defender executable, the ransomware dynamic-link library (DLL) is loaded and, as is to be expected, follows the behaviours of a typical ransomware threat by first attempting to terminate processes and services related to common applications, backup programs, endpoint security solutions and server software.
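The chain described above (Defender weakened through the Set-MpPreference settings listed earlier, certutil.exe decoding agent.crt into agent.exe, and the REvil DLL loaded by a copy of MsMpEng.exe running from %WINDIR%) leaves a distinctive trail in PowerShell script-block and process-creation telemetry. The following Python is an added detection example written for this page; it is not code from the report or from Kaseya. It assumes events have already been collected as dicts with a host, an image path and either a command line or a script-block body, that %WINDIR% expands to C:\Windows, and that the genuine Defender engine only runs from the two default install directories named in the code. The sample events are constructed, not real logs, and the rule names are our own.

```python
import re
from dataclasses import dataclass

# Set-MpPreference settings the rogue update used to weaken Defender (from the
# report); matched case-insensitively, value after a space or a colon.
TAMPER_SETTINGS = [
    ("DisableRealtimeMonitoring", r"\$true"),
    ("DisableIntrusionPreventionSystem", r"\$true"),
    ("DisableIOAVProtection", r"\$true"),
    ("DisableScriptScanning", r"\$true"),
    ("EnableControlledFolderAccess", "Disabled"),
    ("EnableNetworkProtection", "AuditMode"),
    ("MAPSReporting", "Disabled"),
    ("SubmitSamplesConsent", "NeverSend"),
]
# Where the genuine Defender engine runs from on a default install (assumed
# for this example; adjust to your estate).
DEFENDER_ENGINE_DIRS = (r"c:\program files\windows defender",
                        r"c:\programdata\microsoft\windows defender\platform")
# File paths the report lists as indicators; %WINDIR% assumed to be C:\Windows.
KNOWN_IOC_PATHS = {r"c:\kworking\agent.crt", r"c:\kworking\agent.exe",
                   r"c:\windows\msmpeng.exe", r"c:\windows\mpsvc.dll"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def norm(path):
    """Lower-case a path and strip surrounding quotes for comparison."""
    return path.strip('"').lower()

def tokens(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def defender_tampering(text):
    """Names of the weakened Defender settings present in a script or command line."""
    return [name for name, value in TAMPER_SETTINGS
            if re.search(rf"-{name}[\s:]+{value}\b", text, re.I)]

def certutil_decode_target(image, command_line):
    """Output path when certutil decodes a file into an .exe/.dll, else None."""
    toks = tokens(command_line)
    if not norm(image).endswith("\\certutil.exe") or "-decode" not in [t.lower() for t in toks]:
        return None
    return toks[-1] if toks[-1].lower().endswith((".exe", ".dll")) else None

def engine_outside_install_dir(image):
    """True when an MsMpEng.exe image runs from outside the expected Defender folders."""
    p = norm(image)
    return p.endswith("\\msmpeng.exe") and not any(
        p.startswith(d + "\\") for d in DEFENDER_ENGINE_DIRS)

def analyse(events):
    """Run every rule over event dicts (host, image, command_line/script_block)."""
    findings = []
    for ev in events:
        host, image = ev["host"], ev.get("image", "")
        text = ev.get("script_block") or ev.get("command_line") or ""
        hits = defender_tampering(text)
        if hits:
            findings.append(Finding(host, "defender_tampering", ", ".join(hits)))
        target = certutil_decode_target(image, text) if image else None
        if target:
            findings.append(Finding(host, "certutil_decode_to_binary", target))
        if engine_outside_install_dir(image):
            findings.append(Finding(host, "msmpeng_unexpected_path", image))
        # Any path on the command line or the image itself that is a listed indicator
        paths = {norm(t) for t in tokens(text)} | ({norm(image)} if image else set())
        for path in sorted(paths & KNOWN_IOC_PATHS):
            findings.append(Finding(host, "known_ioc_path", path))
    return findings


# Constructed sample telemetry (not real logs): ws01 mirrors the reported chain,
# ws02 is benign activity that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "script_block":
        "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
        "-DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
        "-EnableNetworkProtection AuditMode -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"host": "ws01", "image": r"C:\Windows\MsMpEng.exe", "command_line": r"C:\Windows\MsMpEng.exe"},
    {"host": "ws02", "script_block": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"host": "ws02",  # 4.18.0.0 is a made-up platform version folder
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe",
     "command_line": '"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0\\MsMpEng.exe"'},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\Temp\installer.msi SHA256"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} -> {f.detail}")
```

The first three rules are behavioural and outlive this incident: a Defender configuration being flipped to the weakened values, certutil decoding anything into a PE file, and the Defender engine binary executing from a non-standard directory (the side-loading precondition) are each worth an alert on their own, while the path-based rule only matches the indicators reported for this campaign and will not survive a renamed payload. Running the block prints one line per finding for the ws01 events and nothing for ws02.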
For reference, a list of the processes and services terminated by this threat are provided in Appendix A.
Once the encryption process is complete, a message is displayed on the victim's desktop informing them that 'All of your files are encrypted!' and that they need to refer to the ransom note (Figure 2), named <EXT>-readme.txt (where <EXT> matches the encrypted file extension).
---=== Welcome. Again. ===---
[+] What guarantees? [+]
Warning: secondary website can be blocked, thats why first variant much better and more available.
Figure 2 - Example REvil ransom note
◼ Organizations using Kaseya VSA on-premise are advised to keep their servers offline until further notice and to monitor Kaseya's website for further information.
◼ It is understood that those using VSA will need to download and install a patch prior to restarting their servers although, for safety, steps should be taken to verify the source of any update prior to installation.
Additionally, organizations should consider the following recommendations to limit the impact of similar ransomware attacks:
◼ Consider monitoring for, and alerting on, the anomalous modification of security settings or configurations, such as those observed with Windows Defender.
◼ Continuously monitor endpoint security events as an early warning of suspicious behavior, for example, host-to-host communications indicating lateral movement or high-volume disk operations indicating mass file encryption or exfiltration.
◼ Limit user permissions according to the principle of least privilege (POLP).
◼ Secure sensitive data, adhering to any legal or regulatory requirements, to prevent unauthorized access, be that internal or external in origin.
◼ Utilize application permit and deny lists to prevent the execution of unauthorized or unknown executables, such as those delivered as part of a broader attack.
◼ Ensure that disaster recovery plans and backup policies take into account regular backups, verification of data integrity and offline storage to facilitate restoration in the event of a catastrophic incident.
◼ Make use of network segregation to limit communications between nodes, especially end-points, to provide damage limitation and limit the propagation of threats.
◼ Disable administrative tools and script interpreters to prevent misuse by malicious payloads or threat actors.
INDICATORS OF COMPROMISE
Whilst ransomware payloads typically differ between victims, this supply chain compromise would likely see the same threat being delivered to multiple victims. As such, the following indicators of compromise (IOC) have been observed thus far and are believed to be associated with this incident.
- Initial executable payload, c:\kworking\agent.exe
- Legitimate Windows Defender executable, %WINDIR%\MsMpEng.exe
- REvil Ransomware DLL, %WINDIR%\mpsvc.dll
The following registry key has also been observed as being created during the execution of the ransomware payload:
APPENDIX A - PROCESS/SERVICE TERMINATION
Processes and services matching the following application, data backup and endpoint security identifiers are terminated by the REvil ransomware threat upon its execution: