Kaseya VSA Supply-Chain Ransomware Attack

*A Special Briefing webinar will be held on 7.7.21. Visit https://grf.org/digital-series to register via the Global Resilience Federation.

Kaseya provides software tools to Managed Services Providers (MSPs) that typically handle IT and back-office work for companies too small or modestly-resourced to have their own departments. One of Kaseya’s tools, the Virtual System Administrator (VSA), was subverted on Friday July 2nd, allowing ransomware actors to paralyze hundreds of businesses on five continents. 

Please see Kaseya's latest update below.

The attackers were able to exploit a zero-day vulnerability (CVE-2021-30116) in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. VSA is an RMM (Remote Monitoring and Management) software commonly used by MSPs to manage clients’ networks. Kaseya was in the process of patching the zero-day vulnerability reported privately by researchers. However, the ransomware affiliate behind the attack obtained the zero-day's details and exploited it to deploy the ransomware before Kaseya could start rolling a fix to VSA customers.  

According to Huntress, ransomware encryptors were dropped to Kaseya's TempPath with the file name agent.exe (c:\kworking\agent.exe by default). This is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\<unique id>. The VSA procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix”.

There is no evidence that Kaseya’s VSA codebase has been maliciously modified.  Mandiant was engaged to investigate the incident and assess the manner and impact of the attack.  Kaseya is also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack.

Although most of those affected have been small offices - like dentists' offices or accountants’ - the disruption has been felt in Sweden, where hundreds of supermarkets had to close because their registers were inoperative and New Zealand, where 11 schools and kindergartens were knocked offline. About a dozen different countries have had organizations affected by the breach in some way, according to research published by cybersecurity firm ESET

The hackers who claimed responsibility for the breach have demanded $50 million for a universal decryptor to reportedly restore all the affected businesses' data encrypted in over 1,000,000 systems. The ransomware is being widely attributed to the REvil gang.

• Kaseya is sharing information in an Incident Overview & Technical Details document

• Kaseya is aware of fewer than 60 Kaseya customers - all using the VSA on-premises product - who were directly compromised by this attack. Many of these customers provide IT services to multiple other companies

• Kaseya has not found evidence that any of their SaaS customers were compromised.

• Kaseya has had no new reports filed of compromises for VSA customers since Saturday July 3rd.

• VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted.

Process for bringing SaaS and on-premises customers back online:

• The current estimate for bringing SaaS servers back online is July 6th between 4:00 PM – 7:00 PM EDT.

• The On-Premises patch timeline is 24 hours (or less) from the restoration of SaaS services. Kaseya is focused on shrinking this time frame to the minimal possible – but if there are any issues found during the spin-up of SaaS, they want to fix them before bringing their on-premises customers up.

The enhanced security measures that will be brought online are:

• 24/7 Independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers.

• A complementary CDN with WAF for every VSA (Including on premise that opt-in and wish to use it).

• Customers who whitelist IPs will be required to whitelist additional IPs.

• An article on the SOC, CDN, and Whitelisting details will be published later this afternoon and linked on the Kaseya website.

Kaseya will be releasing VSA with staged functionality to bring services back online. The first release will prevent access to functionality used by a very small fraction of the user base, including:

• Classic Ticketing

• Classic Remote Control (not LiveConnect).

• User Portal

Kaseya will release a customer-ready statement for clients to use to communicate to their customers on the incident and the security measures in place.

Recommendations

A new version of the Kaseya Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip | Powered by Box

• This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.

• The latest version searches for the indicators of compromise, data encryption, and the REvil ransom note. We recommend that you re-run this procedure to better determine if the system was compromised by REvil.

All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA.

Kaseya met with the FBI/CISA to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers. A set of requirements will be posted prior to service restart to give Kaseya’s customers time to put these counter measures in place in anticipation of a return to service on July 6th.

Customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.

ATT&CK IDs:

T1195 - Supply Chain Compromise
T1560 - Archive Collected Data
T1018 - Remote System Discovery
T1471 - Data Encrypted for Impact

CVE(s) CVE-2021-30116

Threat Indicator(s)

MD5:
561cffbaba71a6e8cc1cdceda990ead4
a47cf00aedf769d60d58bfe00c0b5421
939aae3cc456de8964cb182c75a5f8cc

IP(s):
35[.]226[.]94[.]113
162[.]253[.]124[.]162
161[.]35[.]239[.]148

Network IOCs The following IP addresses were seen accessing VSA Servers remotely to perform the attack sequence:

35.226.94[.]113

161.35.239[.]148

162.253.124[.]162

Web Log Indicators The following are excerpts from the IIS access logs of a compromised VSA server. They depict a sequential series of HTTP requests that the threat actor made to perform their attack. If this sequence of requests is present in the IIS logs of a VSA server, it suggests the threat actor either attempted to or successfully used it to perform their attack.

 POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1

A list of Indicators and YARA rules can also be found on Alien Vault

Reference(s) kaseya, CISA, Bleeping Computer, huntress

Info Source Intel Agency (FBI, NSA, etc.), Online / Press, ProSIX

Risk 6

Credibility 5 - Verified

Urgency 3 - Action Highly Recommended

Severity 3 - Moderate Impact (Normal)

TLP WHITE