Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    US Software Firm Moves To Restart After Huge Ransomware Attack

    https://www.ibtimes.com/us-software-firm-moves-restart-after-huge-ransomware-attack-3245611


     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,090
    Location:
    Texas
    Researchers Reproduce Exploit Used in Kaseya Hack
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "[Kaseya] Updates Regarding VSA Security Incident

    July 7, 2021 - 8:00 AM EDT

    As communicated in our last update, unfortunately, during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue. The R&D and operations teams worked through the night and will continue to work until we have unblocked the release. We will provide a status update at 12:00PM US EDT..."

    https://www.kaseya.com/potential-attack-on-kaseya-vsa/
     
    Last edited: Jul 7, 2021
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Fake Kaseya VSA security update backdoors networks with Cobalt Strike...

    Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates...

    The end goal of such attacks is either that of harvesting and exfiltrating sensitive data or delivering second-stage malware payloads..."

    https://www.bleepingcomputer.com/ne...update-backdoors-networks-with-cobalt-strike/
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Ransomware code in Kaseya attack bypasses systems using Russian, related languages

    https://thehill.com/policy/cybersec...attack-bypasses-systems-using-russian-related

     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And that @itman is the notable point. This particular group (may be others surely) know their tails are mud if they ransomware the others.

    AND it's not like businesses running networks (MSP's) etc wouldn't or didn't have access to such a simple precaution published time and time again.
     
    Last edited: Jul 7, 2021
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    I assume this is the installing the Russian language package trick. If so I almost did this but was afraid it'd instantly change the language to Russian. Anybody install the Russian language package?

    Update: I downloaded Russian Language Pack windows6.1-kb972813-x64-ru-ru_f0acfc688d609ee45d43cc60c6412a3071a665bd.exe purportedly will work with my W7P64. It scanned clean with Bitdefender & Malwarebytes. Anybody know if it'll install if I just click on it? And if it'll make the Russian Language an option but it won't change the default English? Thanks all.

    Update 2: That file is only for RTM :(
     
    Last edited: Jul 8, 2021
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Thanks for the useful info, @itman. I have also created this OSA rule.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,090
    Location:
    Texas
    Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Kaseya Announces New Service Restoration Date...

    In his latest video message to customers posted early Thursday, Kaseya CEO Fred Voccola announced further delays as it patches both the software-as-a-service version of its VSA software, which was not exploited by attackers, as well as the on-premises version, which was used to infect about 60 of its managed service provider customers...

    The company had hoped to restore its VSA SaaS software by Tuesday, in fully patched form, and to issue patches to users for the on-premises version 24 hours later. But in his latest video statement, the bleary-eyed CEO says the company now hopes to patch the SaaS software by 4 p.m. EDT Sunday..."

    https://www.databreachtoday.com/kaseya-announces-new-service-restoration-date-a-17008
     
  13. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Anybody know how to install the Russian Language Pack on W7P64? I Googled (a lot) & the solutions & Russian Language Packs I found only work on the RTM version of W7P64.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've read that Kaseya claims that this wasn't even a true "supply chain attack" since their software was never backdoored. So this means hackers were simply able to login into VSA servers via certain vulnerabilities that were found by some Dutch IT security researchers, but before Kaseya could patch them they were already exploited by the REvil group.

    Yes, according to Sophos, HMPA/Intercept X was able to block it via CryptoGuard and Heap Heap Protect. Actually I just saw that they have even released a video, see second link. It would be cool if other security companies would also open up about this, but the fact that most of them stay quited says enough.

    https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
    https://vimeo.com/572576580
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, finally a clear explanation of this attack and very cool that Comodo was able to block this via zero trust and sandbox technology. However it's not clear to me if their free OpenEDR tool would have stopped it also, or would have only alerted about suspicious behavior. I assume you need Comodo Endpoint Security to actually stop this attack.

    https://enterprise.comodo.com
    https://openedr.com
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This makes sense since it detected the side-loading .dll into vulnerable MSMPENG.EXE version.

    However, Kaseya specifically instructs its customers to whitelist all its processes and files from security solution monitoring:
    https://helpdesk.kaseya.com/hc/en-gb/articles/229014948-Anti-Virus-Exclusions-and-Trusted-Apps

    This includes includes everything in this directory, c:\kworkingagent, where agent.crl; i.e. Kaseya VSA Agent Hot-fix, was dropped.

    Nice try though by Sophos.
     
    Last edited: Jul 10, 2021
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In reference to this Comodo article: https://techtalk.comodo.com/2021/07...2.1379271154.1625787805-1626816158.1535226689 noted above is this extract:
    Which means Comodo will override specific file/process exclusions which could cause software operational issues.
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Yes, I have pointed to it in previous post(s) in this thread. It was in Dutch.
    I assume that you also saw "Nieuwsuur" at the Dutch TV by that time. Two of them were talking about it.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Maybe. But courtesy Comodo's awareness of the drop dumb obvious red flag (RECENTLY SIGNED), taking all clues in consideration, it does press another point on "time/date" factor that you can be 100% certain other top notch security solutions are going to give an other special attention to going forward.

    I find it mildly astonishing the pure complacency that's been so routine in a period of an ongoing massive, and for years now, widely publicized series of malicious digital intrusions of this nature.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,090
    Location:
    Texas
    Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities
    Original release date: July 12, 2021

     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's something for OSA users to ponder.

    OSA's Trusted Publishers feature assuming it was enabled would have stopped this attack by blocking the signed non-Kaseya executable used. Now the question is if one had done all the Kaseya recommend exclusions to OSA, would the Trusted Publisher feature ignore those as far as its protection is concerned? Something to ask NoVirusTanks.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "REvil Ransomware Site Goes Offline

    Multiple websites linked to the infamous ransomware gang REvil are currently offline, according to multiple security researchers.

    REvil is the group linked to the recent hack of information technology firm Kaseya which an REvil affiliate used to then ransom a wealth of other companies around the world...

    Lawrence Abrams, owner of information security publication BleepingComputer, said in a tweet that the downtime extended to 'all' of REvil's sites, including their sites used for ransom payment...

    The reason for the downtime is unclear...The site has been down now for over eight hours..."

    https://www.vice.com/en/article/bvz5m4/revil-ransomware-site-goes-offline
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,090
    Location:
    Texas
    Kaseya Ransomware Attack: Guidance and Resources
    .
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.