SECURITY GUIDANCE – Kaseya Ransomware Attack

On Friday 2nd July 2021 (EST time) Kaseya, an IT Management software company, became aware that their product was being used as part of a ransomware campaign. Quorum Cyber have produced the below Quick Info if you are worried about the impact of their security incident.

What is it?

Late on Friday afternoon Kaseya shut down its SaaS service and advised customers to close down their on-premise versions of the product after becoming aware that their VSA product was being used as part of a sophisticated cyber-attack. Coinciding with the American Independence Day weekend, this was a conscious decision by the threat actors to inflict damage when there would be reduced resources to deal with it.

The attack has largely been attributed to REvil, is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil is highly configurable and shares code similarities with the GandCrab RaaS. One of the Tactics Techniques and Processes (TTPs) of the group is to exfiltrate data from an organisation in order to increase the pressure on them to pay the ransom. At this time, there has been no indication of data exfiltration attributed to this incident though sites continue to be monitored.

The threat of exploit by the vulnerability was identified as a result of alerting by the vendor and subsequent social media posts as incidents at other MSPs were reported and were being responded to.

The vendor provided the recommendation of isolating Kaseya devices by turning them off. Ideally, this would have been network isolation or device hibernation in order to facilitate memory forensics.

What is the Impact?

The attack has been seen, in early stages, to use the SQL Service account to disable the VSA Admin account thereby preventing access to the console. The malware then creates a new account with automatic sign-in capability and the password of DTrump4ever (capitalisation has been seen to vary).

Files are then deployed to managed devices and placed in C:\kworking directory. The file is named agent.crt and a PowerShell script is run which attempts to disable real time monitoring, script scanning, intrusion prevention systems, input/output antivirus protections, and network protections. The script then runs legitimate Microsoft utilities in order to unpack the malware.

The malware executable is named agent.exe and is digitally signed with a valid digital certificate. Once run, the executable copies the encrypter payload called mpsvc.dll into C:\Windows from where it is side loaded into the legitimate Microsoft Defender MSMPEng.exe.

Files on the device are then encrypted and a ransom message is displayed.

Are my systems vulnerable?

Quorum Cyber’s Security Operation Centre received the notification and started threat hunting and incident response processes for affected customers from 9pm (BST).

Affected customers were contacted on Friday (02/07/2021) and incident response processes enacted. At this time we are not tracking any active incidents due to Kaseya breaches, though some remedial and forensic work is being performed.

How do I mitigate this threat?

Kaseya have distributed information indicating their belief that they have identified the mechanism for compromise and that they are actively working on a patch to remediate it. Kaseya’s briefing indicates that they will email customers regarding the patch and the process for applying it and that the instructions will also be posted on their website.

It is highly recommended that instructions from the website, and not an email, are followed and that the site is accessed via it’s URL and not via an email link as Kaseya does not have DMARC or SPF protections in place to prevent spoofing.

Kaseya Notices : https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021 and https://www.kaseya.com/potential-attack-on-kaseya-vsa/

A Compromise Detection Tool has been released by Kaseya to help customer detect if their Kaseya server has been compromised, this can be obtained by contacting Kaseya support : [email protected] with the subject “Compromise Detection Tool Request.”

If you have any questions or concerns, please contact us immediately.