On July 2nd, Kaseya learned of a cyber attack affecting their VSA Remote Monitoring and Management (RMM) software. Reporting suggests that the attackers were able to deliver ransomware to managed service providers (MSPs) using the software, and potentially, to those MSPs’ clients. Threat actors apparently used an authentication bypass combined with an SQL injection vulnerability to execute commands on the victim hosts. The actor ultimately deployed the ransomware payload as a DLL that was sideloaded into Microsoft Defender.
F-Secure has observed this ransomware deployed across victims in 6 countries: Argentina, Ireland, Italy, Norway, Sweden, and the United States.
For more information and updates, see:
Kaseya’s note on the incident
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
CISA-FBI Guidance
https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
ARE F-SECURE CUSTOMERS PROTECTED?
Yes. F-Secure has monitored this situation as it developed since July 2nd. Companies using our various EPP and/or EDR services currently enjoy a number of security capabilities that protect them from the ransomware attacks associated with this incident.
Currently, our EPP solutions (including F-Secure Elements EPP, F-Secure Client Security and F-Secure SAFE) use cloud-based reputation blocking for files and domains, as well as the following local detections to prevent these attacks (asterisks signify inclusion of associated variants):
• Trojan:W32/REvil.B
• Trojan.TR/AD.SodinoRansom.*
• Trojan.TR/Crypt.Agent.*
• Trojan.TR/Redcap.*
Our EPP solutions also block traffic to command-and-control servers associated with the attackers (a full list is available here: https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354#file-revil-json-L142).
The Dataguard Access Control functionality in F-Secure Elements EPP is also able to prevent the files from being encrypted if the REvil ransomware manages to execute in the system.
Additionally, our EDR solutions detect a variety of activities taken by the Kaseya attackers, including:
EPP tampering
By tampering with the endpoint protection, an attacker can exclude malicious files or directories from being scanned.
EDR will detect:
1) Defender settings being altered from PowerShell.
2) Registry modified to turn off Windows Defender Antivirus.
LOLBAS Certutil
The adversaries use certutil.exe for base64 decoding of the malicious payload.
EDR will detect:
1) Suspicious Certutil execution with -decode switch detected.
For the REvil ransomware itself, EDR will alert on the following activities:
1) Process and system information enumeration.
2) A single process modifying several different document file types (the file-modification pattern characteristic of ransomware).
3) Deletion of shadow volume copy.
Our solutions have a variety of mechanisms intended to trigger alarms when anyone attempts to disable or otherwise tamper with our security software, preventing attackers’ efforts to circumvent F-Secure’s security controls as they’ve been observed doing with Microsoft Defender and other security products (https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b).
WHAT TO LOOK FOR?
Below is a list of common indicators of compromise (IoC) observed in Kaseya-related attacks. Please note this list is not comprehensive.
The agent.exe “dropper” writes the files below and then starts MsMpEng.exe, which runs the REvil ransomware by sideloading Mpsvc.dll:
• C:\Windows\MsMpEng.exe or C:\Users\<user>\AppData\Local\Temp\MsMpEng.exe
• C:\Windows\Mpsvc.dll or C:\Users\<user>\AppData\Local\Temp\Mpsvc.dll
Processes created:
• MsMpEng.exe (side loading of the REvil ransomware DLL file Mpsvc.dll)
Registries created:
• HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter
Services created:
• None
Ransomware note filename:
• <extension>-readme.txt
Wallpaper:
• "Your files are stolen and encrypted. Find <extension>-readme.txt and follow instructions."
This information can be used by threat hunters and similar security personnel to manually search for signs of a compromise.
More information on IoCs is available in this spreadsheet: https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661
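The EDR detections and the IoCs listed above can be turned into simple hunting logic over endpoint telemetry. The following is an added example written for this advisory; it is not F-Secure's EDR logic, and the event records, field names (type, pid, image, cmdline, key, value, module, path) and sample values are a constructed, hypothetical telemetry format chosen to mirror the indicators on the page. The Defender policy value DisableAntiSpyware, the vssadmin "delete shadows" command and the set of "document" extensions are assumptions not taken from the page.

```python
"""Hunt for the Kaseya/REvil indicators from the advisory over constructed telemetry."""
import re
from collections import defaultdict

# Drop locations named on the page: C:\Windows or C:\Users\<user>\AppData\Local\Temp.
DROP_DIR_RE = re.compile(r"^c:\\(windows|users\\[^\\]+\\appdata\\local\\temp)\\[^\\]+$", re.I)
# Registry keys named on the page (compared lower-cased).
REVIL_REG_KEYS = {
    r"hkey_current_user\software\blacklivesmatter",
    r"hkey_local_machine\software\wow6432node\blacklivesmatter",
}
# Ransom note pattern <extension>-readme.txt.
RANSOM_NOTE_RE = re.compile(r"^[0-9a-z]+-readme\.txt$", re.I)
# Assumption: which extensions count as "document file types" for the mass-modification rule.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg"}
# Assumption: the Defender policy path behind the "registry turns off Defender" detection.
DEFENDER_POLICY_RE = re.compile(r"\\policies\\microsoft\\windows defender$", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules over a process-creation event."""
    image, cmd = ev["image"], ev.get("cmdline", "").lower()
    name, hits = _base(image), []
    if name == "powershell.exe" and "set-mppreference" in cmd:
        hits.append("Defender settings altered from PowerShell")
    if name == "certutil.exe" and "-decode" in cmd:
        hits.append("Suspicious certutil execution with -decode switch")
    if name == "vssadmin.exe" and "delete shadows" in cmd:  # assumed shadow-copy deletion command
        hits.append("Deletion of shadow volume copy")
    if name == "msmpeng.exe" and DROP_DIR_RE.match(image):
        hits.append("MsMpEng.exe started from a drop location (possible Mpsvc.dll sideload)")
    return hits


def check_registry(ev):
    """Rules over a registry write event (key, optional value name)."""
    key, hits = ev["key"].lower().rstrip("\\"), []
    if key in REVIL_REG_KEYS:
        hits.append("REvil registry key created")
    if DEFENDER_POLICY_RE.search(key) and ev.get("value", "").lower() == "disableantispyware":
        hits.append("Registry modified to turn off Windows Defender Antivirus")
    return hits


def check_image_load(ev):
    """Mpsvc.dll loaded from one of the drop locations rather than Defender's own directory."""
    if _base(ev["module"]) == "mpsvc.dll" and DROP_DIR_RE.match(ev["module"]):
        return ["Mpsvc.dll sideloaded from a drop location"]
    return []


def check_file_create(ev):
    if RANSOM_NOTE_RE.match(_base(ev["path"])):
        return ["Ransom note <extension>-readme.txt written"]
    return []


HANDLERS = {"process": check_process, "registry": check_registry,
            "image_load": check_image_load, "file_create": check_file_create}


def hunt(events, min_doc_types=3):
    """Return (finding, pid) pairs; the mass-modification rule is stateful per pid."""
    findings, exts_by_pid, flagged = [], defaultdict(set), set()
    for ev in events:
        for hit in HANDLERS.get(ev["type"], lambda e: [])(ev):
            findings.append((hit, ev.get("pid")))
        if ev["type"] == "file_modify":
            name = _base(ev["path"])
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in DOC_EXTS:
                exts_by_pid[ev["pid"]].add(ext)
                if len(exts_by_pid[ev["pid"]]) >= min_doc_types and ev["pid"] not in flagged:
                    flagged.add(ev["pid"])
                    findings.append(("Single process modified several document file types", ev["pid"]))
    return findings


# Constructed sample telemetry (hypothetical host, user and paths), not a real capture.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Set-MpPreference -ExclusionPath C:\example"},
    {"type": "process", "pid": 1210, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\example\payload.txt C:\example\payload.exe"},
    {"type": "process", "pid": 1300, "image": r"C:\Windows\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"type": "image_load", "pid": 1300, "image": r"C:\Windows\MsMpEng.exe", "module": r"C:\Windows\Mpsvc.dll"},
    {"type": "registry", "pid": 1300, "key": r"HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter"},
    {"type": "registry", "pid": 1200, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware"},
    {"type": "process", "pid": 1310, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_modify", "pid": 1300, "path": r"C:\Users\alice\Documents\budget.xlsx"},
    {"type": "file_modify", "pid": 1300, "path": r"C:\Users\alice\Documents\memo.docx"},
    {"type": "file_modify", "pid": 1300, "path": r"C:\Users\alice\Documents\scan.pdf"},
    {"type": "file_create", "pid": 1300, "path": r"C:\Users\alice\Documents\a1b2c3-readme.txt"},
    # Benign control: the genuine Defender engine running from its platform directory.
    {"type": "process", "pid": 900, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe",
     "cmdline": "MsMpEng.exe"},
]

if __name__ == "__main__":
    for finding, pid in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

The path-based MsMpEng.exe rule is what separates the sideloaded copy from the legitimate engine: the binary name and even its signature are genuine, so only its location (and the origin of Mpsvc.dll) gives the technique away. The mass-modification rule is kept stateful per process and fires once, which is how it stays useful as an alert rather than a flood.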
ADDITIONAL INFORMATION
As the situation is still in progress, it is difficult to say with any degree of certainty what the scale of the damage is. REvil, the ransomware group currently thought to be behind the attack, claimed that the attack has affected over 1,000,000 endpoints (https://twitter.com/marcwrogers/status/1411871388529397767). However, this information should hardly be considered trustworthy.
CISA and FBI recommend that all affected MSP customers:
• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
• Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
• Implement a) multi-factor authentication and b) the principle of least privilege for admin accounts on key network resources.
If you believe you have been compromised, please contact our Incident Response team (https://www.f-secure.com/en/consulting/incident-response).