REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)

Sicherheit (Pexels, allgemeine Nutzung)[German]It is once again a nightmare come true for the IT landscape. The REvil ransomware group has succeeded in an attack via management service providers (MSPs). As a result, the servers of 200 companies were encrypted by the ransomware. It looks like the Kaseya IT management platform has been compromised. The whole thing is something like the SolarWinds supply chain attack, only this time it was ransomware.


Advertising

What is Kaseya VSA?

Kaseya VSA is a cloud-based MSP platform that allows vendors to perform patch management and client monitoring for their customers.  The vendor describes VSA as remote access and endpoint management applications. The software, Kaseya VSA, is popular with so-called managed service providers (MSPs), which provide IT infrastructure to companies that prefer to outsource these things rather than run them themselves. Hacking the MSP via compromised software like Kaseya VSA means having access to its customers.

Kaseya VSA likely compromised

Brett Callow, security analyst at Emsisoft, pointed on Twitter to the message from the Kaseya help desk indicating a hack and recommends customers using Kaseya VSA directly shut down their servers. This is because there is a risk of losing administrative access in the event of an attack.

Kaseya VSA compromised

An attack is confirmed on the helpdesk pages of the provider Kaseya, where it says July 2, 2021:

Important Notice July 2nd, 2021

We are experiencing a potential attack against the VSA that has been limited to a small
number of on-premise customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance
of caution but we recommend that you IMMEDIATELY shutdown your VSA server until
you receive further notice from us
.

Its critical that you do this immediately, because one of the first things the attacker does
is shutoff administrative access to the VSA.

Kaseya notice


Advertising

The vendor confirms an attack on its VSA product that affected a small number of on-premises customers. It all sounds very harmless up to this point.

REvil infects at least 200 companies

On reddit.com, there has been this thread for a few hours now, informing about a major ransomware attack. It says here:

Update 1 – 07/02/2021 – 1417 ET

We are tracking four MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say "Kaseya has been hacked" without evidence). Here's validated indicators of compromise:

  • Ransomware encryptor is dropped to c:\kworking\agent.exe
  • The VSA procedure is named "Kaseya VSA Agent Hot-fix"

Andy Greenberg addressed the incident within the following tweet, and speaks of a monomental cyber-attack and a nightmare scenario, something that came like a tsunami before the 4th of July (US Independence Day).

Revil infects 200 Kaysea customers

Currently, the whole thing is still developing, but Greenberg sums it up on Wired. Apparently, the REvil Group managed to hack the Kaseya VSA product. Subsequently, the compromised VSA software was used to take over the managed service providers (MSPs) that use the product. Shortly after the attack, administrators lose administrative access to the VSA servers. And subsequently, customers' server instances are encrypted with the REvil ransomware.

Bleeping Computer colleagues were provided with information by security researcher John Hammond (Huntress) and Mark Loman(Sophos). Both confirm that there was probably a supply chain attack on Kaseya VSA.

  • According to Hammond, Kaseya VSA drops an agent.crt file in the c:\kworking folder used for updates to VSA.
  • A PowerShell command is then run to decrypt the agent.crt file using the Windows certutil.exe command and extract an agent.exe file to the same folder.
  • The agent.exe is signed with a certificate from "PB03 TRANSPORT LTD" and contains an embedded 'MsMpEng.exe' and 'mpsvc.dll', where the DLL is the REvil encryptor.
  • The MsMPEng.exe is used as LOLBin to launch the DLL, whereupon the system is encrypted.

Bleeping Computer has gathered more details in its post.  They have an extortion letter from the REvil ransomware gang demanding $5 million ransom for decryption. Whether the demand is that high for all victims is unknown.

Anyway, the damage that could be successfully done with the supply chain attack is quite high now. I think this matter will stir up a lot of dust in the USA, so that the people behind the REvil group will be hunted down intensively.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.