Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
As far as the ransomware payload, agent.exe, goes, AVs only started detecting it late Friday afternoon per the VT statistics below. Also, and very scary, note the date it was first seen in the wild.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
What that shows IMO is it's a fairly good stake, and no guess, that they pushed out a few isolated dry runs (as is usually the routine) before going full tilt with the target list.

Which also proves some sort of useful proactive anti-zero-day measure, it "seems", was never implemented? (or not to its potential) if there was even any such preventative measure to begin with. And not just another AV enterprise suite. Which also shows us just how vital and important even a novelty dedicated anti-ransomware solution, along with offline backup storage, can be. Or not, if there is none. Just apples for the taking when appropriate measures are not taken seriously enough to seal off business networks from getting their clock cleaned.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I already posted the most obvious one. In corp. environments, "zero trust" needs to be employed against all software updates and installations for that matter. Everything needs to be integrity tested prior to installation.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Would those have stopped this attack?

Remember that it was the WD engine process, MsMpEng.exe, that was performing the encryption activities. Do these products auto-whitelist it? There was a reason REvil chose to deploy it for encryption activities other than it just being a validly signed executable.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Clever indeed. Conjures up the age-old saying of where there's a will, there's a way. And boy, they have a lot of will. As well as the O/S's long list of resources for the ways.

Novelty might have been better expressed as at least a solution which can be proven effective and dedicated solely to anti-ransom purposes. That very thing has been a driving force since Windows 98 if not earlier, but definitely they have climbed through every nook and cranny only to find propagating Windows' own main security resources a treasure trove of ideas for something just like that once they entered the platform/framework. Which I might add is chock-full of, IMHO, way too many avenues of enticement.
     
    Last edited: Jul 4, 2021
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "REvil is increasing ransoms for Kaseya ransomware attack victims

    ...the ransomware gang created a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSP's customers who were encrypted...

    It turns out this $44 thousand number is irrelevant as in numerous negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these initial ransom demands...

    REvil is...demanding between $40,000 and $45,000 per individual encrypted file extension found on a victim's network.

    For one victim who stated they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network..."

    https://www.bleepingcomputer.com/ne...ransoms-for-kaseya-ransomware-attack-victims/
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I have pondered the same for some time. I have deduced that if there was an easy way to stop ransomware programmatically, it would have been implemented long ago.

The gist of the problem is that encryption use is deeply embedded in the Win OS, as are many other support processes such as certificates. I don't see any of this changing in the foreseeable future.

For corps., ransomware attacks fall into the disaster recovery realm. There is absolutely no reason a ransomware attack should cripple an organization's ability to function given proper disaster recovery planning. The problem is many corps. are unwilling to allocate the required funds to make this happen. Maintaining an alternate hot site to switch to when a "disaster" like this happens costs $$$$. Corp. management will always look for an easy and cheap solution to a problem. The latest of those is ransomware insurance; at least as long as it continues to exist, which appears to be not long.

Now a side effect of ransomware, data stealing, is another matter. In that regard, if data was internally properly encrypted, it would be of no use to an attacker if stolen.
     
    Last edited: Jul 4, 2021
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    A big oops here!

    I reviewed the previously posted malware script and saw that cert.exe running from C:\Windows was the main payload that got things rolling. Well, that process doesn't exist by default in the C:\Windows directory.

    I then saw this recent posting by bleepincomputer.com:
    https://www.bleepingcomputer.com/ne...ransoms-for-kaseya-ransomware-attack-victims/

    I suspect that the script posted at Reddit is a "sanitized" one; not showing attacker C&C server IP addresses. I also suspect that certutil.exe was used to download cert.exe. Therefore it is entirely possible that by blocking outbound network traffic from certutil.exe, this attack could have been thwarted. -EDIT- See my later posting.

    -EDIT- Sophos shows an additional script noting a different port being deployed: https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
     
    Last edited: Jul 5, 2021
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    https://www.timesofisrael.com/exper...ssive-ransomware-attack-on-global-businesses/

     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Last edited: Jul 4, 2021
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
I was notified of some Dutch articles; sorry, they are in Dutch.

    NOS (the Dutch public broadcaster):
"Dutch ethical hackers tried to prevent ransomware attack" (original title: "Nederlandse ethische hackers probeerden ransomware-aanval te voorkomen")
    https://nos.nl/artikel/2387973-nede...ers-probeerden-ransomware-aanval-te-voorkomen

    Dutch Newspaper Vrij Nederland (VN):
"Dutch hackers tried to prevent ransomware attack" (original title: "Nederlandse hackers probeerden aanval met gijzelsoftware te voorkomen")
    https://www.vn.nl/divd/

     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "REvil gang asks for $70 million to decrypt systems locked in Kaseya attack

    The REvil ransomware gang is asking for a $70 million ransom payment to publish a universal decryptor that can unlock all computers locked during the Kaseya incident that took place this past Friday...

    In a message posted on their dark web blog, the REvil gang officially took credit for the attack for the first time and claimed they locked more than one million systems during the Kaseya incident..."

    https://therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sophos has a detailed description of the script used here: https://news.sophos.com/en-us/2021/...ain-exploit-to-attack-hundreds-of-businesses/ .

Also, my eyes are getting bad in my old age and I missed the copy command in the script, although I suspected later that cert.exe was a copy of certutil.exe:
Also, and significant, is that this same technique can be used to circumvent any LOLBin execution monitoring via a HIPS or the like.
     
  16. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Wow, very nice inference.

    I'm beginning to wonder whether at least a few members of the REvil group are also part of the Russian intelligence/military "gang." Would not at all be surprising. Or: a front for the actual Russian government agents involved.

    This escalation is a literal slap in the face to the Biden administration and its recent "talks" with Putin on ending these cyber-attacks. A joke, even.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Yep @itman, you seem to have followed the right curiosity on that and are correct in the assessment. Classic example of turning machines into their own worst devices. Only in this day and age businesses of all sorts rely on it to carry out various industry services and communication, until those (interconnected) machines are fed arbitrary course changes and other unplanned deviations of opportunity not expected.

And this was a biggie. Hence it's noteworthy to repeat once again: where is the constraint (solution) on such network devices, to avoid what many should have known long ago was always a possibility from experience with previous platforms/versions?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I also suspect the same.

    Then there is this "tidbit" from the Sophos script analysis linked article:
So why the hell isn't this MSMPENG.EXE version blacklisted or at least treated as a PUA by the AVs? Ah ........... because they will get dinged on a lab test for a FP. :rolleyes:
     
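An added example, not code from the thread or from the Sophos write-up, of the two detection points raised in posts 10, 15 and 18: a LOLBin (certutil.exe) copied to a new name defeats any monitoring or outbound-firewall rule keyed on the file name or path, and a legitimately signed MsMpEng.exe dropped into a directory where it does not belong and loading a DLL from beside itself is the side-loading pattern Sophos describes for this attack. The events below are constructed, Sysmon-style dicts (Event ID 1 process creation with the OriginalFileName field Sysmon takes from the PE version resource, and Event ID 7 image load); the expected Defender directories are an assumption for the example, and nothing here is a real log from the incident.

```python
"""Detection logic for a renamed LOLBin and for MsMpEng.exe side-loading.
All events are constructed for this example; field names follow Sysmon
(EventID 1: Image, OriginalFileName, CommandLine; EventID 7: Image, ImageLoaded)."""
import ntpath

# Watched OriginalFileName values (lower-case). The PE version resource keeps
# this name no matter what the copy on disk is called.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}

# Directories where the signed binary is expected to run from (assumed,
# simplified; the Platform folder has a version-numbered subdirectory).
EXPECTED_DIRS = {
    "msmpeng.exe": {
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    },
}


def _dir_and_name(path):
    """Split a Windows path into (directory, file name), both lower-cased."""
    return ntpath.split(path.lower())


def check_process_create(ev):
    """Flag a LOLBin running under a different name, and certutil being used
    to download or decode, whatever the executable is called on disk."""
    findings = []
    _, image_name = _dir_and_name(ev["Image"])
    original = ev.get("OriginalFileName", "").lower()
    if original in LOLBINS and image_name != original:
        findings.append(f"renamed LOLBin: {ev['Image']} has OriginalFileName {original}")
    cmd = ev.get("CommandLine", "").lower()
    if original == "certutil.exe" and any(f in cmd for f in ("-urlcache", "-decode", "-encode")):
        findings.append(f"certutil download/decode: {ev['CommandLine']}")
    return findings


def check_image_load(ev):
    """Flag a watched signed binary that runs outside its expected directory
    and loads a DLL from that same unexpected directory (DLL side-loading)."""
    findings = []
    image_dir, image_name = _dir_and_name(ev["Image"])
    expected = EXPECTED_DIRS.get(image_name)
    if expected is None:
        return findings
    loaded_dir, _ = _dir_and_name(ev["ImageLoaded"])
    in_expected = any(image_dir.startswith(e) for e in expected)
    if not in_expected and loaded_dir == image_dir:
        findings.append(
            f"possible side-load: {ev['Image']} loaded {ev['ImageLoaded']} "
            "from its own non-standard directory")
    return findings


def run(events):
    """Apply both rules to a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
        elif ev["EventID"] == 7:
            alerts.extend(check_image_load(ev))
    return alerts


# Constructed sample events (not real telemetry from the attack).
SAMPLE_EVENTS = [
    # benign: certutil under its real name, in System32, listing a cert store
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -store My"},
    # suspicious: the renamed copy discussed in the thread, decoding the dropper
    {"EventID": 1, "Image": r"C:\Windows\cert.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    # benign: the Defender engine in its normal Platform folder loading its own DLL
    {"EventID": 7,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll"},
    # suspicious: a copied MsMpEng.exe in C:\Windows loading an mpsvc.dll beside it
    {"EventID": 7, "Image": r"C:\Windows\MsMpEng.exe", "ImageLoaded": r"C:\Windows\mpsvc.dll"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The first rule is why a HIPS or firewall rule that matches on `certutil.exe` by name or path is not enough: the copy keeps the version resource and the behaviour, so key detections on OriginalFileName, on the file hash, or on the command-line switches. The second rule catches the side-load without needing to know the malicious DLL's hash, which matters because a different signed build of the same engine would evade a hash block.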
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Exactly!! And nothing not so new under the sun. One need only do what most consider heresy, and that is go back in somewhat recent history and look at the results in the before times/predecessor versions where similar, albeit different, methods achieved the same purpose.

Which of course is the age-old practice of disabling or tricking the victim's AV. The O/S components, many as they be, already are ripe as a tomato and each introduction yields little improvement to protecting from arbitrary code influences natively. Seen it too many times. In essence Windows can be considered a playland, a toy that is now globally tinkered with to the hilt.

Which brings up my own curiosity. WHY has it not been considered for such important network systems to employ a virtualization solution, if it's so important to their operations, to prevent total intrusion from taking them over? Try to fudge a virtualized disk or system and a single reset, P00f!! the intruder AND ANY CHANGES are flushed and said system(s) return to a clean state again.

Protecting the linked network from rogue invites is a different matter, out of my league. But there are reasonable practices that, if employed properly, can minimize wipeouts such as this one IMO.
     
  20. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Would it also be a reach to suspect Putin of getting direct cuts of the various ransoms? He is an exceedingly wealthy man already in published reports, never mind in reality. I cannot understand how someone with these allegations flying around his head could theoretically maintain a straight face during these diplomatic talks with victimized nations. Socio.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Fallout continues from biggest global ransomware attack
    JULY 05, 2021 10:36 AM

    https://www.sacbee.com/news/business/article252580443.html

     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Being pro-active, Sophos posted SHA256 hashes of processes used in this attack here: https://github.com/sophoslabs/IoCs/blob/master/Ransomware-REvil-Kaseya.csv .

The SHA256 hash for the vulnerable MSMPENG.EXE version is 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a. Using this hash value, I went to VT and got the MD5 hash for the process, which is 8cc83221870dd07144e63df594c391d9.

Finally, I created an OSArmor %PROCESSMD5HASH% block rule. That bugger won't run on my PC!
     
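An added example, not code from the thread, the Sophos IoC list or OSArmor, covering the hash-based control discussed in post 22 (blocking the abused MsMpEng.exe build by hash) and the zero-trust idea in post 5 (refusing to install anything whose hash is not on a pinned allow-list). The only real value here is the MsMpEng.exe SHA-256 quoted in post 22; the CSV column layout is an assumption (the Sophos CSV may use different headers), and every file hashed below is a constructed stand-in, so the demo also adds its own constructed blocklist entry. Both hashes are computed from the file itself, since an MD5 cannot be derived from a SHA-256 without the file.

```python
"""Hash allow/block list check for executables and update packages.
IoC CSV shape, sample files and the 'constructed' hashes are made up for
this example; the 33bc14d2... value is the one quoted in the thread."""
import csv
import hashlib
import io
import os
import tempfile

# Constructed indicator list: type, value, note (assumed layout).
IOC_CSV = """indicator_type,value,note
sha256,33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a,MsMpEng.exe build abused for side-loading
"""


def load_blocklist(text):
    """Return {hash_value: note} for the sha256/md5 rows of an IoC CSV."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["indicator_type"].strip().lower() in ("sha256", "md5"):
            out[row["value"].strip().lower()] = row["note"]
    return out


def file_hashes(path, chunk=1 << 20):
    """SHA-256 and MD5 of a file, streamed so large installers are fine."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def classify(path, blocklist, allowlist):
    """Verdict order is block > allow > unknown: a blocklisted hash wins even
    if someone also pinned it, and anything unpinned is refused by default."""
    h = file_hashes(path)
    for algo in ("sha256", "md5"):
        if h[algo] in blocklist:
            return "block", blocklist[h[algo]]
    if h["sha256"] in allowlist:
        return "allow", allowlist[h["sha256"]]
    return "unknown", "not on the pinned allow-list; do not install"


def demo():
    """Run the check over three constructed files and return name -> verdict."""
    samples = {
        "bad_build.exe": b"constructed stand-in for a blocklisted binary",
        "vsa_update.msi": b"constructed stand-in for a vetted update package",
        "unknown.exe": b"constructed stand-in for something nobody vetted",
    }
    blocklist = load_blocklist(IOC_CSV)
    # Constructed extra IoC so the demo can exercise the block path offline.
    blocklist[hashlib.sha256(samples["bad_build.exe"]).hexdigest()] = "constructed bad sample"
    # Allow-list pinned by change control before the update is rolled out.
    allowlist = {hashlib.sha256(samples["vsa_update.msi"]).hexdigest(): "pinned by change control"}
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            verdicts[name] = classify(p, blocklist, allowlist)[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The allow-list half is the "integrity tested prior to installation" control from post 5: the hash is pinned out of band and an installer that does not match is refused, so a tampered update is caught before it runs rather than after. The block-list half is what the OSArmor rule does, and its limit is worth stating: it stops that one build of MsMpEng.exe, not any other signed build an attacker could pick next.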
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    https://news.sophos.com/en-us/2021/...ain-exploit-to-attack-hundreds-of-businesses/
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Kaseya’s VSA SaaS restart fails, service restoration delayed by at least ten hours

    'During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline.'

    https://www.kaseya.com/potential-attack-on-kaseya-vsa/

    The company had previously advised that SaaS restoration had commenced, with individual SaaS servers due to come online 'throughout the night US time'. 'All systems will be online and accessible by July 7th 6AM US EDT,' the advice stated.

    Now the company says its next update will come at 8AM US EDT. It has offered no information on likely time of restoration or the nature of the issue that has slowed the SaaS rollout. Nor has Kaseya said if its promise to patch its on-premises VSA software within 24 hours of SaaS restoration remains in force..."

    https://www.theregister.com/2021/07/07/kaseya_saas_restart_fails/
     
    Last edited: Jul 6, 2021
  25. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I can't stand reading the posts about this including my own.

    It was what it is always. Greed (not spending enough on IT) & laziness all up & down the line. I blame the corps.
     