Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,849
    Location:
    Texas
    Original release date: July 02, 2021
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    "Ransomware breach at Florida IT firm hits 200 businesses

    WASHINGTON, July 2 (Reuters) - Hundreds of American businesses were hit Friday by an unusually sophisticated ransomware attack that hijacked widely used technology management software from a Miami-based supplier called Kaseya.

    The attackers changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. They then encrypted the files of those providers' customers simultaneously.

    Security firm Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients...

    A private security executive working on the response effort said that ransom demands accompanying the encryption ranged from a few thousand dollars to $5 million or more..."

    https://www.reuters.com/technology/...incident-us-it-firm-huntress-labs-2021-07-02/
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    "A New Kind of Ransomware Tsunami Hits Hundreds of Companies

    An apparent supply chain attack exploited Kaseya's IT management software to encrypt a "monumental" number of victims all at once.

    It was probably inevitable that the two dominant cybersecurity threats of the day— supply chain attacks and ransomware—would combine to wreak havoc. That’s precisely what happened Friday afternoon, as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that’s only the very beginning..."

    https://www.wired.com/story/kaseya-supply-chain-ransomware-attack-msps/
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,724
    Location:
    U.S.A. (South)
    https://www.theverge.com/2021/7/2/2...s-using-kaseyas-remote-it-management-software
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    "Supermarket chain Coop closes 800 stores following Kaseya ransomware attack

    Coop, one of Sweden’s largest supermarket store chains, has shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the Kaseya security incident on Friday.

    The stores were closed on Friday afternoon after cash registers and self-serving stations went down and prevented Coop employees from processing in-store payments..."

    https://therecord.media/supermarket-chain-coop-closes-800-stores-following-kaseya-ransomware-attack/
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Same old "Petya" story.

    The mitigation is the same, never ever install updates on a corp. network without fully vetting their integrity first.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,724
    Location:
    U.S.A. (South)
    @itman- If you read the article(s) outline in my own quoted reply, and especially Fabian's dissection findings, is it ever occurred to either Microsoft OR Server Admins (if this is even possible), to password protect PowerShell or at the very least make it much a lesser target? (If even that much might make a difference to prevent fully implementing arbitrary code commands) WMI notwithstanding.

    I mean it looks so dumb easy to completely unravel and shutdown/disable Micro-S Defender from A to Z. Since that to the actors is routine and pretty much sets it totally out of their way from any interference.
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    The Coop closures appear to be a result of a Keseya ransomware attack on its software/IT provider Visma Esscom.

    Visma Esscom is one of the leading software/cloud computing companies in Europe with 12,500 employees, and 1,000,000 customers.

    https://twitter.com/GossiTheDog/status/1411313953158963202

    " We try to solve the problems during the day, says Fabian Mogren, CEO of Visma Esscom, which is an IT supplier to Coop."

    https://www.dn.se/ekonomi/global-utpressningsattack-bakom-stangda-coop-butiker/
     
    Last edited: Jul 3, 2021
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    This is a great example of how worthless WD Protect Folders protection is:
    https://doublepulsar.com/kaseya-sup...ransomware-event-to-us-companies-76e4ec6ec64b
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,724
    Location:
    U.S.A. (South)
    To the untrained observer it seems a perfect classic example of putting too many eggs in one basket to coin a well known analogy. Or to put it mildly, the domino effect.
    It's as though the proliferation of these such disruption events are in full on mode.
     
    Last edited: Jul 3, 2021
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    Kaseya VSA criminals may have weaponized links in ransom negotiations

    From latest Kaseye press release:

    "We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponized."

    https://www.kaseya.com/potential-attack-on-kaseya-vsa/
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    From Symantec Enterprise Blog:

    "What was the motivation for the attacks?

    REvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption. The attackers have, on occasion, appeared to have a political motive in their selection of targets.
    In this attack, strings in the payload made references to President Joe Biden, ex-president Donald Trump, and Black Lives Matter. The attackers demanded a ransom of $45,000, which may be another reference to Trump, who was the 45th president of the U.S.

    Furthermore, REvil’s Tor payment site is down at the time of writing, meaning victims will have no way of paying a ransom. Whether the group is having technical difficulties or whether it never intended to collect a ransom remains unclear..."


    https://symantec-enterprise-blogs.s...t-intelligence/kaseya-ransomware-supply-chain
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,724
    Location:
    U.S.A. (South)
    https://venturebeat.com/2021/07/03/...reds-of-victims-with-ransomware-what-we-know/

     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    "Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend...

    Because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims...

    'I wouldn’t be surprised if it was thousands of companies' said Fabian Wosar, the chief technology officer of Emsisoft...We just don’t know yet because of the long weekend in the U.S.'...

    The companies affected could include a wide range of small to large firms, and many are likely to be small to midsize businesses that use managed IT services...:

    https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/
     
  20. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,928
    For the Dutchies:
    Mark Loman was this evening on the Dutch TV News (het NOS Journaal).
    Article also at the NOS site, in Dutch:
    https://nos.nl/artikel/2387823-ook-...en-bedrijven-getroffen-door-ransomware-aanval
     
  21. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,150
    Location:
    Brooklyn, NY
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    "Holiday-Weekend Ransomware Attack Leaves Companies Scrambling...

    ...'The number of victims here is already over 1,000 and will likely reach into the tens of thousands' said cybersecurity expert Dmitri Alperovitch [co-founder and former chief technology officer of CrowdStrike]...No other ransomware campaign comes even close in terms of impact.'

    The cybersecurity firm ESET says there are victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany..."

    https://www.voanews.com/silicon-val...ransomware-attack-leaves-companies-scrambling
     
    Last edited: Jul 4, 2021
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,619
    Location:
    DC Metro Area
    This attack is particularly heinous because it is hitting so many small and medium-sized businesses.

    Here's a tiny sample of victims of this attack:

    "a large New Jersey educational services company, an outpatient surgical center in South Carolina and a mid-size law firm in Florida...

    ...stores that use Visma [electronic payments] 'cannot charge their customers' ...

    SoCal Computers, a small company that manages online services for about a dozen California businesses...

    the local Teamsters 2010 [California]..."

    https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Here's the details of this attack per bleepingcomputer.com: https://www.bleepingcomputer.com/ne...00-plus-companies-in-msp-supply-chain-attack/
    Points to note:

    1. PowerShell was only used to disable Windows Defender.
    2. The main attack was launched via LOL bin, certutil.exe.
    3. An older version of WD's engine, MsMPEng.exe, was actually used to perform the encryption activities. Now that "really takes the cake" doesn't it?

    Also of note is the parameter string used by certutil.exe. I reviewed a couple of articles on detection of malicious use of certutil.exe with one noting YARA rules used by Carbon Black and what parameters it scans for. Appears REvil did "its homework" on how to bypass those.

    -EDIT- Although not specifically noted above, I am assuming that it is not unusual for a Kaseya VSA Agent Hot-fix to deploy a command script which really started the whole process. Hence, no unusual activity detection on that. Plus no detection of the script by WD AMSI scanning; note that WD would still be active at script execution time.
     
    Last edited: Jul 4, 2021
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.