A sophisticated supply chain attack has targeted Kaseya VSA, a solution used for remote endpoint and network monitoring, impacting more than 1000 businesses with the deployment of ransomware.

At this point, the on-premise deployments on servers have been reported to be vulnerable. Given the visibility and level of access that VSA has inside an organization, the attackers can compromise entire enterprise networks. Kaseya have shut down their software-as-a-service (SaaS) servers as a precautionary measure and it is advised to shutdown any on-premise VSA server.

Ransomware infection

Many Kaseya servers are being used to deploy the Revil (AKA Sodinokibi) ransomware, since VSA is designed to allow administration of systems with high level privileges. The ransomware will be deployed form a task disguised as “Kaseya VSA Agent Hot-fix” that will leverage PowerShell and will disable multiple features from Windows Defender to evade detection and sandbox submission.

The REvil gang have not posted details on their victims on their blog yet, but request a ransom of 70 million USD in bitcoin for the decryptor as shown in the picture below

Mitigation actions

• Currently Disable the on-premise Kaseya VSA servers as soon as possible
• Once the patch is available by Kaseya, ensure that the mitigation steps to increase your security posture are installed prior to restarting the VSA. Updates on the situation by Kaseya can be found here.
• If you suspect your on-premise VSA may be compromised, collect and examine that the logs in the following locations:
  • C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\*.log
  • C:\inetpub\logs\LogFiles\W3SVC#\*.log
  • C:\ProgramData\Kaseya\Kupload\KUpload.log
• To assist organizations in the investigation, Kaseya provides a detection tool, along with runtime instructions to analyze VSA servers or managed endpoint in the link
•  Ensure that other remote administrative utilities like PowerShell, WMI are being used only when needed and a proper user access control with privileges is being used.

A new ransomware campaign by the name BadRabbit has targeted Russia, Turkey, Ukraine, Bulgaria, Japan and other countries.

The Security Operations Center of Obrela Security Industries want to keep our customers continuously updated of the attack and provide threats mitigation and prevention guidance. SOC has increased its readiness and verbosity over anomalies in SMB traffic, communication to list of suspicious IP addresses and domains, and more.

What is it about?

The ransomware infection is originally initiated by visiting compromised websites.

As such, (a) it requires user interaction asking the user to visit the compromised web site, (b) then it is redirected to 1dnscontrol[.]com, (c) in order to download a fake Flash update (install_flash_player.exe).

This executable file (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) is the dropper for the malware that infects the target Workstation (the actual malware).

The resulting malware can propagate via SMB, having many similarities to the Petya/Nyetya attack.

It also utilizes a version of mimikatz security tool in order to steal credentials and use them to propagate to other hosts (sim. Nyetya).

Once a windows computer is infected, it reboots the computer, encrypts the hard drive’s master file table (MFT) and replaces the computer’s MBR with its own malicious code to show the ransomware note upon reboot. The encryption of the files is performed by DiskCryptor to do a full drive encryption. Keys are generated and protected by RSA 2048 public key.

What is the impact of this attack?

As result of this attack, the computer is locked and shows a random note asking victims to pay a bitcoin amount to allow getting control back of their systems.

What our customers should do as part of mitigation and prevention actions

• Utilize this signatures in EDR tools or Event Management tools to identify infection using specific hashes:

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (Dropper)

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)

682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)

0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)

579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat

2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)

301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)

• Identify scheduled tasks that are noticed to be created in Windows hosts:

viserion_

rhaegal

drogon

• Block specific domains / uris in perimeter proxies

1dnscontrol[.]com

/flash_install.php

185.149.120[.]3

Argumentiru[.]com

Fontanka[.]ru

Adblibri[.]ro

Spbvoditel[.]ru

Grupovo[.]bg

www.sinematurk[.]com

caforssztxqzf2nm[.]onion

• Ensure all Windows-based systems are patched with the latest security updates.
• Close all public facing SMB (ports TCP 139, 445)
• Ensure blocking any connections to TOR nodes and TOR -related traffic on network.
• Ensure that anti-malware software is running on all endpoints in the organization and ensure that the software regularly receives malware signature updates.
• Users are strongly encouraged to back up frequently their data to be able to restore them in case their devices have been infected with the malware.
• Users are strongly advised that do not open emails that contain links or attachments from unknown recipients or when the subject or content of the email is unusual to them.