F-Secure statement on July 2nd Kaseya VSA incident - WithSecure Community
<main>
<article class="userContent">
<p>On July 2nd, Kaseya learned of a cyber attack affecting its VSA Remote Monitoring and Management (RMM) software. Reporting suggests that the attackers used VSA to deliver ransomware to managed service providers (MSPs) running the software and, through them, potentially to those MSPs’ clients. The threat actors reportedly chained an authentication bypass with an SQL injection vulnerability in VSA to execute commands on victim hosts. The ransomware payload itself was delivered as a DLL (Mpsvc.dll) placed next to a legitimately signed copy of the Microsoft Defender executable (MsMpEng.exe), which loaded the malicious library in place of the real one (DLL sideloading).</p>
<p>F-Secure has observed this ransomware deployed across victims in 6 countries: Argentina, Ireland, Italy, Norway, Sweden, and the United States.</p>
<p>For more information and updates, see:</p>
<p>Kaseya’s note on the incident</p>
<p><a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689" rel="nofollow noreferrer ugc">https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689</a></p>
<p>CISA-FBI Guidance</p>
<p><a href="https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa" rel="nofollow noreferrer ugc">https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa</a></p>
<p><br></p>
<p><strong>ARE F-SECURE CUSTOMERS PROTECTED?</strong></p>
<p>Yes. F-Secure has monitored this situation as it has developed since July 2nd. Companies using our EPP and/or EDR services have several security capabilities that protect them from the ransomware attacks associated with this incident.</p>
<p>Currently, our EPP solutions (including F-Secure Elements EPP, F-Secure Client Security and F-Secure SAFE) use cloud-based reputation blocking for files and domains, as well as the following local detections to prevent these attacks (an asterisk denotes that the associated variants are included):</p>
<p>• Trojan:W32/REvil.B</p>
<p>• Trojan.TR/AD.SodinoRansom.*</p>
<p>• Trojan.TR/Crypt.Agent.*</p>
<p>• Trojan.TR/Redcap.*</p>
<p>Our EPP solutions also block traffic to command-and-control servers associated with the attackers (a full list is available here: <a href="https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354#file-revil-json-L142" rel="nofollow noreferrer ugc">https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354#file-revil-json-L142</a>).</p>
<p>The Dataguard Access Control functionality in F-Secure Elements EPP can also prevent files from being encrypted should the REvil ransomware manage to execute on the system.</p>
<p>Additionally, our EDR solutions detect a variety of activities carried out by the Kaseya attackers, including:</p>
<p><strong>EPP tampering</strong></p>
<p>By altering endpoint protection settings, the attacker can exclude malicious files and directories from being scanned, or switch protection off altogether.</p>
<p><em>EDR will detect:</em></p>
<p>1) Defender settings being altered from PowerShell.</p>
<p>2) Modification of the registry values that turn off Windows Defender Antivirus.</p>
<p><br></p>
<p><strong>LOLBAS Certutil</strong></p>
<p>The adversaries use certutil.exe, a living-off-the-land binary present on every Windows host, to base64-decode the malicious payload.</p>
<p><em>EDR will detect:</em></p>
<p>1) Suspicious certutil execution with the -decode switch.</p>
<p><br></p>
<p><strong>For REvil ransomware activity, EDR will alert on the following:</strong></p>
<p>1) Process and system information enumeration.</p>
<p>2) A single process modifying several different document file types, the pattern a ransomware leaves while encrypting files.</p>
<p>3) Deletion of volume shadow copies.</p>
<p>Our solutions have a variety of mechanisms intended to trigger alarms when anyone attempts to disable or otherwise tamper with our security software, countering the attackers’ efforts to circumvent security controls, as they have been observed doing with Microsoft Defender and other security products (<a href="https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b" rel="nofollow noreferrer ugc">https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b</a>).</p>
<p><br></p>
<p><strong>WHAT TO LOOK FOR?</strong></p>
<p>Below is a list of common indicators of compromise (IoCs) observed in Kaseya-related attacks. Please note that this list is not comprehensive.</p>
<p>The agent.exe “dropper” writes the following files and then starts MsMpEng.exe, which loads the REvil ransomware DLL Mpsvc.dll from the same directory:</p>
<p>• C:\Windows\MsMpEng.exe or C:\Users\<user>\AppData\Local\Temp\MsMpEng.exe</p>
<p>• C:\Windows\Mpsvc.dll or C:\Users\<user>\AppData\Local\Temp\Mpsvc.dll</p>
<p>Processes created:</p>
<p>• MsMpEng.exe (sideloading of the REvil ransomware DLL file Mpsvc.dll)</p>
<p>Registry keys created:</p>
<p>• HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter</p>
<p>• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter</p>
<p>Services created:</p>
<p>• None</p>
<p>Ransom note filename:</p>
<p>• <extension>-readme.txt</p>
<p>Wallpaper:</p>
<p>• "Your files are stolen and encrypted. Find <extension>-readme.txt and follow instructions."</p>
<p><br></p>
<p>Threat hunters and similar security personnel can use this information to search manually for signs of compromise.</p>
<p>More information on IoCs is available in this spreadsheet: <a href="https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661" rel="nofollow noreferrer ugc">https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661</a></p>
<p><br></p>
<p><strong>ADDITIONAL INFORMATION</strong></p>
<p>As the situation is still developing, the scale of the damage cannot yet be stated with any certainty. REvil, the ransomware group currently thought to be behind the attack, claims that the attack has affected over 1,000,000 endpoints (<a href="https://twitter.com/marcwrogers/status/1411871388529397767" rel="nofollow noreferrer ugc">https://twitter.com/marcwrogers/status/1411871388529397767</a>). That figure comes from the attackers themselves and should not be treated as trustworthy.</p>
<p>CISA and FBI recommend that all affected MSP customers:</p>
<p>• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;</p>
<p>• Revert to a manual patch management process that follows vendor remediation guidance, including installing new patches as soon as they become available;</p>
<p>• Implement multi-factor authentication and the principle of least privilege on administrative accounts for key network resources.</p>
<p>If you believe you have been compromised, please contact our Incident Response team (<a href="https://www.f-secure.com/en/consulting/incident-response" rel="nofollow noreferrer ugc">https://www.f-secure.com/en/consulting/incident-response</a>).</p>
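<p>The indicators listed under WHAT TO LOOK FOR and the EDR behaviours described above (a relocated MsMpEng.exe sideloading Mpsvc.dll, certutil -decode, Defender tampering from PowerShell or the registry, shadow copy deletion, the BlackLivesMatter registry key and the ransom note named after the new file extension) can be turned into hunting logic over endpoint telemetry. The Python script below is an added example written for this page; it is not F-Secure tooling and not part of the original statement. It runs over a handful of constructed Sysmon-style events embedded in the script (no real telemetry). The event field names, the list of directories a legitimate MsMpEng.exe runs from, the Set-MpPreference command line, the DisableAntiSpyware policy value and the sample paths are assumptions chosen to illustrate the behaviours the statement describes; tune the regular expressions and the directory baseline to your own EDR export before relying on them.</p>

```python
"""Hunt the Kaseya/REvil indicators from the statement above over Sysmon-style
endpoint events. Added example: every event below is constructed, not real telemetry."""
import os
import re

# Directories a legitimate MsMpEng.exe runs from (assumption for this example;
# baseline against your own fleet, since the Platform sub-folder is versioned).
LEGIT_DEFENDER_DIRS = (r"c:\program files\windows defender",
                       r"c:\programdata\microsoft\windows defender\platform")

def _base(path):  # lower-cased file name of a Windows path, works on any host OS
    return os.path.basename(path.replace("\\", "/")).lower()

def _msmpeng_path(ev):  # the dropper copies MsMpEng.exe to C:\Windows or %TEMP%
    if (ev["type"] == "process" and _base(ev["image"]) == "msmpeng.exe"
            and not ev["image"].lower().startswith(LEGIT_DEFENDER_DIRS)):
        return f"MsMpEng.exe started from {ev['image']} by {ev.get('parent')}"

def _mpsvc_sideload(ev):  # REvil payload Mpsvc.dll outside the Defender dirs, or unsigned
    if (ev["type"] == "imageload" and _base(ev["loaded"]) == "mpsvc.dll"
            and (not ev["loaded"].lower().startswith(LEGIT_DEFENDER_DIRS) or not ev.get("signed"))):
        return f"{ev['image']} loaded {ev['loaded']} (signed={ev.get('signed')})"

def _certutil(ev):  # LOLBAS: certutil -decode (or /decode) turns the base64 blob into agent.exe
    if (ev["type"] == "process" and _base(ev["image"]) == "certutil.exe"
            and re.search(r"(?i)(?:^|\s)[-/]decode\b", ev["cmdline"])):
        return ev["cmdline"]

def _ps_tamper(ev):  # Defender settings altered from PowerShell
    if (ev["type"] == "process" and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"(?i)\b(?:Set|Add)-MpPreference\b", ev["cmdline"])):
        return ev["cmdline"]

def _reg_tamper(ev):  # registry values that switch Windows Defender Antivirus off
    if ev["type"] == "registry" and re.search(
            r"(?i)\\windows defender\\(?:.*\\)?(?:disableantispyware|disablerealtimemonitoring)$", ev["key"]):
        return f"{ev['key']} = {ev.get('value')}"

def _marker(ev):  # registry key created by the REvil sample
    if ev["type"] == "registry" and re.search(
            r"(?i)\\software\\(?:wow6432node\\)?blacklivesmatter$", ev["key"]):
        return ev["key"]

def _shadow(ev):  # shadow copy deletion before encryption
    if ev["type"] == "process" and re.search(
            r"(?i)(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", ev["cmdline"]):
        return ev["cmdline"]

def _note(ev):  # <extension>-readme.txt, the extension being a short random string
    if ev["type"] == "file" and re.fullmatch(r"[a-z0-9]+-readme\.txt", _base(ev["path"])):
        return ev["path"]

RULES = [("msmpeng_from_unexpected_path", _msmpeng_path), ("mpsvc_dll_sideload", _mpsvc_sideload),
         ("certutil_decode", _certutil), ("defender_tamper_powershell", _ps_tamper),
         ("defender_tamper_registry", _reg_tamper), ("revil_marker_key", _marker),
         ("shadow_copy_deletion", _shadow), ("ransom_note_written", _note)]

def hunt(events):
    """One finding dict per (event, rule) match; a rule returns a detail string or None."""
    return [{"host": ev["host"], "rule": name, "detail": detail}
            for ev in events for name, check in RULES if (detail := check(ev))]

# Constructed sample events (not real telemetry): ws01 and ws02 mimic the chain
# described in the statement, ws03 is benign Defender activity that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\MsMpEng.exe", "cmdline": "MsMpEng.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\agent.exe"},
    {"type": "imageload", "host": "ws01", "image": r"C:\Windows\MsMpEng.exe",
     "loaded": r"C:\Windows\Mpsvc.dll", "signed": False},
    {"type": "registry", "host": "ws01", "key": r"HKCU\SOFTWARE\BlackLivesMatter", "value": None},
    {"type": "file", "host": "ws01", "path": r"C:\Users\alice\Documents\a1b2c3-readme.txt"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\bob\AppData\Local\Temp\agent.crt C:\Users\bob\AppData\Local\Temp\agent.exe"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "registry", "host": "ws02", "value": 1,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "ws03", "cmdline": "MsMpEng.exe",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"},
    {"type": "imageload", "host": "ws03", "signed": True,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "loaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MpSvc.dll"},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:28} {f['detail']}")
```

<p>Run as-is, the script reports eight findings, four on ws01 (relocated MsMpEng.exe, Mpsvc.dll sideload, the BlackLivesMatter key and the ransom note) and four on ws02 (certutil -decode, Set-MpPreference, the DisableAntiSpyware value and the vssadmin shadow deletion), and nothing on ws03 despite its genuine MsMpEng.exe, MpSvc.dll and certutil usage. The directory baseline is what keeps the first two rules quiet on healthy hosts; the preparatory rules (certutil, Defender tampering, shadow deletion) are worth alerting on regardless of this campaign, since they precede most ransomware deployments.</p>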
</article>
</main>