Kaseya’s VSA Supply Chain Ransomware


TL;DR

A supply chain exploit of Kaseya’s VSA remote management service puts customers of managed service providers (MSPs) that use this tool at risk of REvil ransomware.  Assura recommends that anyone using Kaseya VSA follow Kaseya’s server hardening guidance as soon as it is available, and download and run the indicator of compromise (IOC) scanning tool linked below as soon as possible.

Overview

REvil is a ransomware-as-a-service (RaaS) operation that targets MSPs as a shortcut to large-scale ransomware infections.  Before this outbreak, the group was associated with a 2019 attack that affected over 20 small local governments in Texas.  The scope of the current attack is still unknown, particularly in the U.S., because the July 4th holiday delayed detection and reporting; impacts reported worldwide include a supermarket chain in Sweden and, in New Zealand, schools and kindergartens knocked offline.

On July 5, 2021 at 9:30 p.m. EDT, Kaseya released an advisory stating:

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”

Kaseya reports that fewer than 60 of its customers, all of whom were using the on-premises VSA product, were directly compromised by the attack.  According to the advisory, that adds up to fewer than 1,500 downstream customers.  REvil’s blog post claims over 1 million individual infected systems.

What we know

The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices.  It appears this is achieved using a zero-day exploit of the server platform.

After the payload is deployed, the Kaseya agent runs the following Windows shell commands, concatenated into a single string:

This string starts a timer, randomized per VSA server, then disables core malware and anti-ransomware protections in Microsoft Defender.  The next few commands create living-off-the-land binaries (LOLBins) that let the ransomware escape detection while it downloads and decodes web-encoded content.  Further commands decode the payload into an executable, which ultimately encrypts local and remote disks.  Finally, the intermediate payload files are deleted and the executable is run.

The REvil designers used an older, vulnerable Windows Defender component (MSMPENG.EXE, version 4.5.218.0, signed by Microsoft on March 23, 2014), dropped on the system by agent.exe, to run their malicious DLL and evade detection.

Thanks to the team at Sophos Labs for the clear breakdown of the attack and a video explanation of the malware located on their blog.

Assura Recommendations

Kaseya has taken its SaaS servers offline, with a planned return to operation on July 6 between 2:00 p.m. and 5:00 p.m. EDT.  Kaseya also continues to recommend that on-premises servers remain offline pending a set of system and network hardening requirements it will release in coordination with the FBI and CISA.

Kaseya has also released a compromise detection tool (VSA Detection Tools.zip, distributed via Box).  The tool analyzes a system (either a VSA server or a managed endpoint) and reports whether any indicators of compromise (IOCs) are present.  Assura recommends that any customer with concerns about a potential REvil infection run this tool on their systems.

Further advisories from Kaseya:

  • All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations.  A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.
  • We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.

Indicators of Compromise

The following IOCs were provided by Kaseya:

The following IP addresses were seen accessing VSA Servers remotely to perform the attack sequence:

35.226.94[.]113

161.35.239[.]148

162.253.124[.]162

Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

Filename   | MD5 hash                                      | Description
cert.exe   | N/A – legitimate file, random string appended | Legitimate certutil.exe utility
agent.crt  | 939aae3cc456de8964cb182c75a5f8cc              | Encoded malicious content
agent.exe  | 561cffbaba71a6e8cc1cdceda990ead4              | Decoded contents of agent.crt
mpsvc.dll  | a47cf00aedf769d60d58bfe00c0b5421              | Ransomware payload
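As an added example (not part of the Kaseya advisory or this post), the following Python script walks a directory tree and checks files against the endpoint IOC table above. It distinguishes a full hash match from a name-only match, since cert.exe has no hash and a rebuilt payload would carry a different one; the demo tree it builds contains harmless stand-in files, not real samples.

```python
import hashlib
import os
import tempfile

# Filename -> MD5 from the Kaseya endpoint IOC table. cert.exe has no hash because it
# is a renamed copy of the legitimate certutil.exe, so it can only be matched by name.
ENDPOINT_IOCS = {
    "agent.crt": "939aae3cc456de8964cb182c75a5f8cc",
    "agent.exe": "561cffbaba71a6e8cc1cdceda990ead4",
    "mpsvc.dll": "a47cf00aedf769d60d58bfe00c0b5421",
}
NAME_ONLY_IOCS = {"cert.exe"}


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=ENDPOINT_IOCS, name_only=NAME_ONLY_IOCS):
    """Return sorted (path, verdict) pairs for every file whose name is in the IOC
    table: 'hash-match' when the MD5 also matches, otherwise 'name-match' (still
    worth triage, since the payload may have been rebuilt or the file is unrelated)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lname, path = name.lower(), os.path.join(dirpath, name)
            if lname in iocs:
                verdict = "hash-match" if md5_of_file(path) == iocs[lname] else "name-match"
                findings.append((path, verdict))
            elif lname in name_only:
                findings.append((path, "name-match"))
    return sorted(findings)


def make_demo_tree():
    """Constructed sample (not malware): files carrying the IOC names but harmless bytes."""
    root = tempfile.mkdtemp(prefix="vsa_ioc_demo_")
    for name, content in {"agent.exe": b"harmless stand-in", "cert.exe": b"",
                          "mpsvc.dll": b"", "readme.txt": b"ignored"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root
```

Pointing scan_tree at a real endpoint's working directories turns this into a quick triage check that complements, but does not replace, Kaseya's own detection tool.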

Web Log Indicators

The following are excerpts from the IIS access logs of a compromised VSA server. They show the sequence of HTTP requests the threat actor made to perform the attack. If this sequence of requests appears in the IIS logs of a VSA server, it suggests the threat actor attempted, or succeeded in, carrying out the attack against that server.

POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1
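As an added example (not code from Kaseya or this post), the following Python script parses IIS W3C-format logs and flags any client IP whose requests contain the six-step sequence above in order, even when unrelated requests are interleaved. The log excerpt it runs on is constructed for the demo; the field layout assumes the standard IIS #Fields directive is present.

```python
from collections import defaultdict

# Ordered (method, URI stem) pairs copied from the Web Log Indicators list.
ATTACK_SEQUENCE = [
    ("POST", "/dl.asp"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/KUpload.dll"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/KUpload.dll"),
    ("POST", "/userFilterTableRpt.asp"),
]
_SEQ = [(m, s.lower()) for m, s in ATTACK_SEQUENCE]  # IIS URI stems are case-insensitive


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new #Fields line mid-file
        elif fields and line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_attack_sequences(text):
    """Return {client IP: sorted user agents} for each client whose requests contain
    ATTACK_SEQUENCE as an ordered subsequence (unrelated requests may interleave)."""
    progress, agents, hits = defaultdict(int), defaultdict(set), {}
    for entry in parse_iis_log(text):
        ip = entry.get("c-ip", "?")
        step = (entry.get("cs-method", "").upper(), entry.get("cs-uri-stem", "").lower())
        if ip not in hits and step == _SEQ[progress[ip]]:  # progress[ip] = next expected step
            progress[ip] += 1
            agents[ip].add(entry.get("cs(User-Agent)", "-"))
            if progress[ip] == len(_SEQ):
                hits[ip] = sorted(agents[ip])
    return hits


# Constructed sample log (not real data): 203.0.113.5 issues the full sequence, while
# 198.51.100.7 is an ordinary client that also happens to request /done.asp.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2021-07-02 14:02:10 203.0.113.5 POST /dl.asp curl/7.69.1 200
2021-07-02 14:02:11 203.0.113.5 GET /done.asp curl/7.69.1 200
2021-07-02 14:02:12 203.0.113.5 POST /cgi-bin/KUpload.dll curl/7.69.1 200
2021-07-02 14:02:13 198.51.100.7 GET /done.asp Mozilla/5.0 200
2021-07-02 14:02:14 203.0.113.5 GET /done.asp curl/7.69.1 200
2021-07-02 14:02:15 203.0.113.5 POST /cgi-bin/KUpload.dll curl/7.69.1 200
2021-07-02 14:02:16 203.0.113.5 POST /userFilterTableRpt.asp curl/7.69.1 200
"""
```

Running find_attack_sequences over a server's full u_ex*.log set, rather than the sample, reports each offending source IP together with the user agents it used, which can then be compared against the IP IOCs listed earlier.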

Assura’s Response

If you are an Assura Managed SIEM client, our Security Operations Center has updated our Indicator of Compromise (IOC) database and monitoring for this attack. If you have any questions, please contact your Assura point-of-contact or feel free to contact us through the Assura website.

References: