TL;DR
A supply chain exploit of Kaseya’s VSA Remote Management service puts customers of managed service providers (MSPs) using this tool at risk of REvil ransomware. Assura recommends anyone using Kaseya VSA to follow Kaseya guidance on server hardening when available, and also download and run the indicator of compromise (IOC) scanning tool linked below as soon as possible.
Overview
REvil is a ransomware-as-a-service (RAAS) focused on attacking MSPs as a shortcut to large-scale ransomware infections. Prior to this current outbreak, they’ve been associated with a 2019 attack that affected over 20 small local governments in Texas. The scope of the current attack is still unknown, particularly in the U.S., as the July 4th holiday delayed detection and reporting, but worldwide impacts include a supermarket chain in Sweden and in New Zealand, where schools and kindergartens were knocked offline.
On July 5, 2021 at 9:30 p.m. EDT, Kaseya released an advisory stating:
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”
The Kaseya team reports that fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, were directly compromised by the attack. That adds up to fewer than 1,500 downstream customers according to their advisory. REvil’s blog post claims over 1 million individual infected systems.
What we know
The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices. It appears this is achieved using a zero-day exploit of the server platform.
After deploying the payload, the Kaseya agent then runs the following Windows shell commands, concatenated into a single string:
This string starts a timer, randomized per VSA server, then disables core malware and anti-ransomware protections offered by Microsoft Defender. The next few commands create Living-Off-the-Land Binaries (LOLBins) that allow the ransomware components to escape detection while downloading and decoding web-encoded content. Further commands decode the payload into an executable, which ultimately encrypts local and remote disks. Finally, the payload files are deleted and the executable is run.
The REvil designers used an older, vulnerable application from Windows Defender (MSMPENG.EXE, ver 4.5.218.0, signed by Microsoft on March 23, 2014) dropped on the system by agent.exe, to run their malicious .dll and evade detection.
Thanks to the team at Sophos Labs for the clear breakdown of the attack and a video explanation of the malware located on their blog.
Assura Recommendations
Kaseya has taken their SaaS servers offline, with a planned return to operation on July 6, between 2:00 p.m. and 5:00 p.m. EDT. They also continue to recommend that on-premises servers remain offline pending a set of system and network hardening requirements they’ll release in coordination with the FBI/CISA.
Kaseya has also released a Compromise Detection Tool (VSA Detection Tools.zip, hosted on Box). This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoC) are present. Assura recommends that any customer with concerns regarding a potential REvil infection run this tool on their systems.
Further advisories from Kaseya:
- All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.
- We have been advised by our outside experts that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.
Indicators of Compromise
The following list of IOCs was provided by Kaseya:
The following IP addresses were seen accessing VSA Servers remotely to perform the attack sequence:
35.226.94[.]113
161.35.239[.]148
162.253.124[.]162
Endpoint IOCs
The following files were used as part of the deployment of the encryptor:
| Filename | MD5 hash | Description |
|---|---|---|
| cert.exe | N/A – Legitimate file with random string appended | Legitimate certutil.exe utility |
| agent.crt | 939aae3cc456de8964cb182c75a5f8cc | Encoded malicious content |
| agent.exe | 561cffbaba71a6e8cc1cdceda990ead4 | Decoded contents of agent.crt |
| mpsvc.dll | a47cf00aedf769d60d58bfe00c0b5421 | Ransomware payload |
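As a worked example of checking endpoints against the file IOCs above, the script below walks a directory tree, hashes every file in chunks (so large files do not need to be read into memory), and reports any file whose MD5 matches one of the listed hashes. It also reports files that merely share an IOC filename, which is a weaker signal since those names are not unique. This is example code written for this advisory, not Kaseya’s detection tool; the hash values are copied from the table above, and `build_demo_tree` creates constructed sample files purely so the scanner can be exercised offline.

```python
"""Scan a directory tree for the endpoint file IOCs from the Kaseya advisory.

Example code written for this advisory (not Kaseya's or Assura's tooling).
IOC hashes below are the MD5 values from the advisory table.
"""
import hashlib
import os
import sys
import tempfile

# MD5 -> description, copied from the advisory's endpoint IOC table.
IOC_MD5 = {
    "939aae3cc456de8964cb182c75a5f8cc": "agent.crt (encoded malicious content)",
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe (decoded contents of agent.crt)",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll (ransomware payload)",
}
# Filenames from the same table. A name match alone is a weak signal:
# these names are not unique, so the hash is the authoritative check.
IOC_NAMES = {"agent.crt", "agent.exe", "mpsvc.dll"}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading it in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=None):
    """Walk `root` and return hash matches and filename matches.

    hash_matches: list of (path, md5, description)
    name_matches: list of paths whose basename is an IOC filename
    """
    ioc_hashes = IOC_MD5 if ioc_hashes is None else ioc_hashes
    hash_matches, name_matches = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in IOC_NAMES:
                name_matches.append(path)
            try:
                digest = md5_of_file(path)
            except OSError:
                # Locked or unreadable file (common for running binaries);
                # skip rather than abort the whole scan.
                continue
            if digest in ioc_hashes:
                hash_matches.append((path, digest, ioc_hashes[digest]))
    return {"hash_matches": hash_matches, "name_matches": name_matches}


def build_demo_tree():
    """Create a constructed sample tree for offline testing.

    Returns (root, md5_of_the_sample_agent_exe). The contents are made up;
    they are NOT real malware and do not match the advisory hashes.
    """
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sub = os.path.join(root, "sub")
    os.makedirs(sub)
    sample = b"constructed sample, not the real agent.exe"
    with open(os.path.join(sub, "agent.exe"), "wb") as f:
        f.write(sample)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign file")
    return root, hashlib.md5(sample).hexdigest()


if __name__ == "__main__":
    # Usage: python scan.py <directory>   (defaults to a constructed demo tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()[0]
    report = scan_tree(target)
    for path, digest, desc in report["hash_matches"]:
        print(f"HASH MATCH  {path}  {digest}  {desc}")
    for path in report["name_matches"]:
        print(f"NAME MATCH  {path}")
    if not report["hash_matches"] and not report["name_matches"]:
        print("no IOC matches under", target)
```

Run it against the working directories of the VSA agent on a managed endpoint; a hash match is a strong indicator and should be escalated, while a name-only match warrants a closer look at the file’s origin and signature.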
Web Log Indicators
The following are excerpts from the IIS access logs of a compromised VSA server. They depict a sequential series of HTTP requests that the threat actor made to perform their attack. If this sequence of requests is present in the IIS logs of a VSA server, it suggests the threat actor attempted to, or succeeded in, using that server to perform their attack.
POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1
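To turn the two server-side indicators above (the three remote IP addresses and the six-request sequence) into a repeatable check, the script below parses IIS W3C-format logs using the `#Fields:` header, flags every request from a listed IP, and then, per client IP, tests whether the six requests with the `curl/7.69.1` user agent occur in that order (other requests may be interleaved, so it is an ordered-subsequence check rather than a contiguous match). This is example code written for this advisory, not Kaseya’s or Assura’s tooling; the IOC values come from the advisory, while the log lines in `SAMPLE_LOG`, the server IP and the client IPs `198.51.100.20` and `203.0.113.7` are constructed for the demonstration.

```python
"""Check IIS W3C logs from a Kaseya VSA server for the REvil request sequence
and the attacker IPs listed in Kaseya's IOCs.

Example code written for this advisory (not Kaseya's or Assura's tooling).
IP addresses and the request sequence are from the advisory; the sample log
lines are constructed.
"""
import sys
from collections import defaultdict

# Defanged as published in the advisory; refanged before comparison.
ATTACKER_IPS = {"35.226.94[.]113", "161.35.239[.]148", "162.253.124[.]162"}
ATTACK_USER_AGENT = "curl/7.69.1"
ATTACK_SEQUENCE = [
    ("POST", "/dl.asp"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/KUpload.dll"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/KUpload.dll"),
    ("POST", "/userFilterTableRpt.asp"),
]


def refang(ip):
    """Convert a defanged address such as 1.2.3[.]4 back to 1.2.3.4."""
    return ip.replace("[.]", ".")


ATTACKER_IPS_REFANGED = {refang(ip) for ip in ATTACKER_IPS}


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the #Fields: line.

    Lines before a #Fields: directive and malformed lines are skipped.
    IIS writes spaces inside a field as '+', so a plain split is safe.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(item == h for h in it) for item in needle)


def analyse(lines):
    """Return requests from listed attacker IPs and clients showing the sequence."""
    per_client = defaultdict(list)
    attacker_ip_requests = []
    for rec in parse_iis_log(lines):
        client = rec.get("c-ip", "")
        if client in ATTACKER_IPS_REFANGED:
            attacker_ip_requests.append(
                (rec.get("date"), rec.get("time"), client,
                 rec.get("cs-method"), rec.get("cs-uri-stem")))
        if rec.get("cs(User-Agent)") == ATTACK_USER_AGENT:
            per_client[client].append((rec.get("cs-method"), rec.get("cs-uri-stem")))
    sequence_clients = sorted(
        c for c, reqs in per_client.items() if is_subsequence(ATTACK_SEQUENCE, reqs))
    return {"attacker_ip_requests": attacker_ip_requests,
            "sequence_clients": sequence_clients}


# Constructed sample log: one benign request, the full sequence from a
# client not on the IP list, and one request from a listed IP.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-02 14:40:01 10.0.0.5 GET /vsapres/web20/core/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31
2021-07-02 14:45:10 10.0.0.5 POST /dl.asp - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 120
2021-07-02 14:45:11 10.0.0.5 GET /done.asp - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 15
2021-07-02 14:45:12 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 88
2021-07-02 14:45:13 10.0.0.5 GET /done.asp - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 14
2021-07-02 14:45:14 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 90
2021-07-02 14:45:15 10.0.0.5 POST /userFilterTableRpt.asp - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 210
2021-07-02 14:50:00 10.0.0.5 GET /done.asp - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 12
"""


if __name__ == "__main__":
    # Usage: python vsa_log_check.py <iis_log_file>  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            result = analyse(f)
    else:
        result = analyse(SAMPLE_LOG.splitlines())
    for hit in result["attacker_ip_requests"]:
        print("attacker IP request:", *hit)
    for client in result["sequence_clients"]:
        print("attack request sequence seen from client:", client)
```

Because the sequence check keys on the user agent and request order rather than the source address, it still fires when the same requests arrive from an address that is not on the published list, which is the case the advisory’s wording anticipates.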
Assura’s Response
If you are an Assura Managed SIEM client, our Security Operations Center has updated our Indicator of Compromise (IOC) database and monitoring for this attack. If you have any questions, please contact your Assura point-of-contact or feel free to contact us through the Assura website.