Kaseya VSA Supply-Chain Ransomware Attack

"Ransomware breach at Florida IT firm hits 200 businesses

WASHINGTON, July 2 (Reuters) - Hundreds of American businesses were hit Friday by an unusually sophisticated ransomware attack that hijacked widely used technology management software from a Miami-based supplier called Kaseya.

The attackers changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. They then encrypted the files of those providers' customers simultaneously.

Security firm Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients...

A private security executive working on the response effort said that ransom demands accompanying the encryption ranged from a few thousand dollars to $5 million or more..."

https://www.reuters.com/technology/...incident-us-it-firm-huntress-labs-2021-07-02/

 

"A New Kind of Ransomware Tsunami Hits Hundreds of Companies

An apparent supply chain attack exploited Kaseya's IT management software to encrypt a "monumental" number of victims all at once.

It was probably inevitable that the two dominant cybersecurity threats of the day— supply chain attacks and ransomware—would combine to wreak havoc. That’s precisely what happened Friday afternoon, as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that’s only the very beginning..."

https://www.wired.com/story/kaseya-supply-chain-ransomware-attack-msps/

 

https://www.theverge.com/2021/7/2/2...s-using-kaseyas-remote-it-management-software

 

"Supermarket chain Coop closes 800 stores following Kaseya ransomware attack

Coop, one of Sweden’s largest supermarket store chains, has shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the Kaseya security incident on Friday.

The stores were closed on Friday afternoon after cash registers and self-serving stations went down and prevented Coop employees from processing in-store payments..."

https://therecord.media/supermarket-chain-coop-closes-800-stores-following-kaseya-ransomware-attack/

 

"Kaseya VSA Ransomware Attack Hits Nearly 40 MSPs...

The cyberattack against Kaseya’s VSA remote monitoring and management software has affected nearly 40 of the company’s on-premises MSP customers, according to CEO Fred Voccola..."

https://www.crn.com/news/security/kaseya-vsa-ransomware-attack-hits-nearly-40-msps

 

Same old "Petya" story.

The mitigation is the same, never ever install updates on a corp. network without fully vetting their integrity first.

 

@itman- If you read the article(s) outline in my own quoted reply, and especially Fabian's dissection findings, is it ever occurred to either Microsoft OR Server Admins (if this is even possible), to password protect PowerShell or at the very least make it much a lesser target? (If even that much might make a difference to prevent fully implementing arbitrary code commands) WMI notwithstanding.

I mean it looks so dumb easy to completely unravel and shutdown/disable Micro-S Defender from A to Z. Since that to the actors is routine and pretty much sets it totally out of their way from any interference.

 

The Coop closures appear to be a result of a Keseya ransomware attack on its software/IT provider Visma Esscom.

Visma Esscom is one of the leading software/cloud computing companies in Europe with 12,500 employees, and 1,000,000 customers.

https://twitter.com/GossiTheDog/status/1411313953158963202

" We try to solve the problems during the day, says Fabian Mogren, CEO of Visma Esscom, which is an IT supplier to Coop."

https://www.dn.se/ekonomi/global-utpressningsattack-bakom-stangda-coop-butiker/

 

"...Al Saikali, partner at law firm Shook, Hardy & Bacon LLP, told The Wall Street Journal that ransom demands in six Kaseya-related attacks it is consulting on range from $25,000 to $150,000. But for large service providers impacted by the attack, the ransom demands have been as high as $5 million..."

https://www.businessinsider.com/rev...es-again-attacks-hundreds-of-companies-2021-7

 

"A Massive Ransomware Attack Has Hit More Than 1,000 Companies...

A massive ransomware attack on the software supply chain has impacted more than 1,000 businesses so far, and the number may continue to grow, according to the cybersecurity firm Huntress Labs Inc...."

https://www.bloomberg.com/news/arti...ontinues-to-grow-in-massive-ransomware-attack

 

This is a great example of how worthless WD Protect Folders protection is:

https://doublepulsar.com/kaseya-sup...ransomware-event-to-us-companies-76e4ec6ec64b

 

I doubt we will ever know the full extent of this attack.

For example, one of the effected MSP's is Synnex

https://finance.yahoo.com/news/massive-ransomware-attack-hit-more-142607052.html

Synnex has over 25,000 customers.

https://www.synnexcorp.com/about-synnex/overview/

 

"...Sebastian Elfors, a cybersecurity researcher for the security company Yubico said a Swedish railway and a major pharmacy chain had also been affected by the Kaseya attack. 'It’s totally devastating,' he said..."

https://www.nytimes.com/2021/07/02/...rom-sweden-to-us-affected-by-cyberattack.html

 

To the untrained observer it seems a perfect classic example of putting too many eggs in one basket to coin a well known analogy. Or to put it mildly, the domino effect.
It's as though the proliferation of these such disruption events are in full on mode.

 

Kaseya VSA criminals may have weaponized links in ransom negotiations

From latest Kaseye press release:

"We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponized."

https://www.kaseya.com/potential-attack-on-kaseya-vsa/

 

From Symantec Enterprise Blog:

"What was the motivation for the attacks?

REvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption. The attackers have, on occasion, appeared to have a political motive in their selection of targets.
In this attack, strings in the payload made references to President Joe Biden, ex-president Donald Trump, and Black Lives Matter. The attackers demanded a ransom of $45,000, which may be another reference to Trump, who was the 45th president of the U.S.

Furthermore, REvil’s Tor payment site is down at the time of writing, meaning victims will have no way of paying a ransom. Whether the group is having technical difficulties or whether it never intended to collect a ransom remains unclear..."


https://symantec-enterprise-blogs.s...t-intelligence/kaseya-ransomware-supply-chain

 

https://venturebeat.com/2021/07/03/...reds-of-victims-with-ransomware-what-we-know/

 

"Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend...

Because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims...

'I wouldn’t be surprised if it was thousands of companies' said Fabian Wosar, the chief technology officer of Emsisoft...We just don’t know yet because of the long weekend in the U.S.'...

The companies affected could include a wide range of small to large firms, and many are likely to be small to midsize businesses that use managed IT services...:

https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/

 

For the Dutchies:
Mark Loman was this evening on the Dutch TV News (het NOS Journaal).
Article also at the NOS site, in Dutch:
https://nos.nl/artikel/2387823-ook-...en-bedrijven-getroffen-door-ransomware-aanval

 

Sadly but not surprisingly, the recent Biden talks with Putin about these attacks apparently went nowhere.

Mr. Wosar made an interesting comment about this on his Twitter page.

https://twitter.com/fwosar/status/1411281334870368260

 

"Holiday-Weekend Ransomware Attack Leaves Companies Scrambling...

...'The number of victims here is already over 1,000 and will likely reach into the tens of thousands' said cybersecurity expert Dmitri Alperovitch [co-founder and former chief technology officer of CrowdStrike]...No other ransomware campaign comes even close in terms of impact.'

The cybersecurity firm ESET says there are victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany..."

https://www.voanews.com/silicon-val...ransomware-attack-leaves-companies-scrambling

 

"...Kaseya was initially breached through a previously unknown vulnerability in its systems

Dutch researchers said they had reported the vulnerability to Kaseya, but the company was still working on a patch when it was breached and its software updates were compromised, according to people briefed on the timeline..."

https://www.nytimes.com/2021/07/02/technology/cyberattack-businesses-ransom.html

https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/

 

This attack is particularly heinous because it is hitting so many small and medium-sized businesses.

Here's a tiny sample of victims of this attack:

"a large New Jersey educational services company, an outpatient surgical center in South Carolina and a mid-size law firm in Florida...

...stores that use Visma [electronic payments] 'cannot charge their customers' ...

SoCal Computers, a small company that manages online services for about a dozen California businesses...

the local Teamsters 2010 [California]..."

https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338

 

Here's the details of this attack per bleepingcomputer.com: https://www.bleepingcomputer.com/ne...00-plus-companies-in-msp-supply-chain-attack/

Points to note:

1. PowerShell was only used to disable Windows Defender.
2. The main attack was launched via LOL bin, certutil.exe.
3. An older version of WD's engine, MsMPEng.exe, was actually used to perform the encryption activities. Now that "really takes the cake" doesn't it?

Also of note is the parameter string used by certutil.exe. I reviewed a couple of articles on detection of malicious use of certutil.exe with one noting YARA rules used by Carbon Black and what parameters it scans for. Appears REvil did "its homework" on how to bypass those.

-EDIT- Although not specifically noted above, I am assuming that it is not unusual for a Kaseya VSA Agent Hot-fix to deploy a command script which really started the whole process. Hence, no unusual activity detection on that. Plus no detection of the script by WD AMSI scanning; note that WD would still be active at script execution time.