Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    As far as the ransomware payload, agent.exe, AV's only starting detecting it late Friday afternoon per below VT statistics. Also and very scary, note the date first seen "in-the-wild."
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,481
    Location:
    Texas
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    What that shows IMO is it's a fairly good stake, and no guess, that they pushed out some few isolated dry runs (as is usually the routine) before going full tilt with the target list.

    Which also proves some sort of a useful proactive anti-zero day "seems" was never implemented? (or not to it's potential) if there was even any such preventative measure to begin with. And not just another AV Enterprise Suite. Which also shows us the characteristic of just how (vital) and important, even a novelty dedicated anti-ransomware solution along with offline backup storage can be. Or not if there is none. Just apples for the taking when appropriate measures are not taken seriously enough to seal off business networks from getting their clock cleaned.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    I already posted the most obvious one. In corp. environments, "zero trust" needs to be employed against all software updates and installations for that matter. Everything needs to be integrity tested prior to installation.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Would those have stopped this attack?

    Remember that it was the WD engine process, MsMPEng.exe, that was performing the encryption activities. Do these software's auto white-list it? There was a reason REvil chose to deploy it for encryption activities other than it just being a valid signed executable.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Clever indeed. Conjures up the age old saying of where there's a will, there's a way. And boy they have a lot of will. As well as the O/S long list of resources for the ways.

    Novelty might have been better expressed as at least a solution which can be proven effective & dedicated solely for Anti-Ransom purposes. That very thing is been a driving force since Windows 98 if not earlier but definitely they have climbed thru every nook and cranny only to find propagating Windows own main security resources a treasure trove of ideas for something just like that once they entered into the platform/framework. Which I might add is chalked full of IMHO way too many avenues of enticement.
     
    Last edited: Jul 4, 2021
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,614
    Location:
    DC Metro Area
    "REvil is increasing ransoms for Kaseya ransomware attack victims

    ...the ransomware gang created a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSP's customers who were encrypted...

    It turns out this $44 thousand number is irrelevant as in numerous negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these initial ransom demands...

    REvil is...demanding between $40,000 and $45,000 per individual encrypted file extension found on a victim's network.

    For one victim who stated they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network..."

    https://www.bleepingcomputer.com/ne...ransoms-for-kaseya-ransomware-attack-victims/
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    I have pondered the same for some time. I have deduced that if there was an easy way to stop ransomware programmatically, it would have been implemented long ago.

    The jest of the problem is encryption use is deeply embedded into the Win OS. Also, many other support process such as certificates. I don't see any of this changing in the foreseeable future.

    For corps., ransomware attacks fall into the disaster recovery realm. There is absolutely no reason a ransomware attack should cripple an organization's ability to function given proper disaster recovery planning. The problem is many corps. are unwilling to allocate the required funds to make this happen. Maintaining an alternate hot-site to switch to when a "disaster" like this happens costs $$$$. Corp. management will always look of an easy and cheap solution to a problem. The latest of those is ransomware insurance; at least as long as it continues to exist which appears to be not long.

    Now a side-effect of ransomware, data stealing, is another matter. On that regard if data was internally properly encrypted, it would be of no use to an attacker if stolen.
     
    Last edited: Jul 4, 2021
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    A big oops here!

    I reviewed the previously posted malware script and saw that cert.exe running from C:\Windows was the main payload that got things rolling. Well, that process doesn't exist by default in the C:\Windows directory.

    I then saw this recent posting by bleepincomputer.com:
    https://www.bleepingcomputer.com/ne...ransoms-for-kaseya-ransomware-attack-victims/

    I suspect that the script posted at Reddit is a "sanitized" one; not showing attacker C&C server IP addresses. I also suspect that certutil.exe was used to download cert.exe. Therefore it is entirely possible that by blocking outbound network traffic from certutil.exe, this attack could have been thwarted. -EDIT- See my later posting.

    -EDIT- Sophos shows an additional script noting a different port being deployed: https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
     
    Last edited: Jul 5, 2021
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    https://www.timesofisrael.com/exper...ssive-ransomware-attack-on-global-businesses/

     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,614
    Location:
    DC Metro Area
    Last edited: Jul 4, 2021
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,920
    I was noticed of some Dutch articles; sorry, they are in Dutch.

    NOS (the Dutch public broadcaster):
    "Nederlandse ethische hackers probeerden ransomware-aanval te voorkomen"
    https://nos.nl/artikel/2387973-nede...ers-probeerden-ransomware-aanval-te-voorkomen

    Dutch Newspaper Vrij Nederland (VN):
    Nederlandse hackers probeerden aanval met gijzelsoftware te voorkomen
    https://www.vn.nl/divd/

     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,614
    Location:
    DC Metro Area
    "REvil gang asks for $70 million to decrypt systems locked in Kaseya attack

    The REvil ransomware gang is asking for a $70 million ransom payment to publish a universal decryptor that can unlock all computers locked during the Kaseya incident that took place this past Friday...

    In a message posted on their dark web blog, the REvil gang officially took credit for the attack for the first time and claimed they locked more than one million systems during the Kaseya incident..."

    https://therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Sophos has a detailed description of the script used here: https://news.sophos.com/en-us/2021/...ain-exploit-to-attack-hundreds-of-businesses/ .

    Also my eyes are getting bad in my old age and I missed the copy command in the script although I suspected later that cert.exe was a copy of certutil.exe:
    Also and significant is this same technique can be used to circumvent any LOL binary execution monitoring via a HIPS or the like.
     
  16. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,134
    Location:
    Brooklyn, NY
    Wow, very nice inference.

    I'm beginning to wonder whether at least a few members of the REvil group are also part of the Russian intelligence/military "gang." Would not at all be surprising. Or: a front for the actual Russian government agents involved.

    This escalation is a literal slap in the face to the Biden administration and its recent "talks" with Putin on ending these cyber-attacks. A joke, even.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Yep @itman- You seem to followed the right curiosity on that and correct in the assessment. Classic example of turning machines into their own worst devices. Only in this day and age businesses of all sorts and every sorts rely on it to carry out various industry services and communication until those (Interconnected) machines are fed arbitrary course changes and other unplanned deviations of opportunity not expected.

    And this was a biggie. Hence it's noteworthy to repeat once again. Where is the constraint (solution) on such network devices, to avoid what many should have known was always a possibility long ago from previous platforms/versions experiences.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    I also suspect the same.

    Then there is this "tidbit" from the Sophos script analysis linked article:
    So why the hell isn't this MSMPENG.EXE version blacklisted or at least treated as a PUA by the AV's? Ah ........... because they will get dinged on a lab test for a FP.:rolleyes:
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Exactly!! And nothing not so new under the sun. One needs only do what most consider heresy, and that is go back in somewhat recent history and look at the results in the before times/or predecessor versions where similar albeit different methods achieved the same purpose.

    Which of course is the age old practice of disable or trick the victims AV. The O/S components, many they be, already are ripe as a tomato and each introduction yields little improvement to protecting from arbitrary code influences natively. Seen it too many times. In essence windows can be considered a playland, a toy that is now globally tinkered to the hilt.

    Which brings up my own curiosity. WHY NOT has it been considered for such important network systems to employ a virtualization solution if it's so important to their operations to prevent total illusion from taking them over. Try to fudge a virtualized disk or system and a single reset P00f!! the intruder AND ANY CHANGES are flushed and said system(s) returns to a clean state again.

    Protecting the linked network from rogue invites is a different matter out of my league. But there are reasonable practices if employed properly can and could minimize wipe outs such as this one IMO.
     
  20. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,134
    Location:
    Brooklyn, NY
    Would it also be a reach to suspect Putin of getting direct cuts of the various ransoms? He is an exceedingly wealthy man already in published reports, never mind in reality. I cannot understand how someone with these allegations flying around his head could theoretically maintain a straight face during these diplomatic talks with victimized nations. Socio.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Fallout continues from biggest global ransomware attack
    JULY 05, 2021 10:36 AM

    https://www.sacbee.com/news/business/article252580443.html

     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Being pro-active, Sophos posted SHA256 hashes of processes used in this attack here: https://github.com/sophoslabs/IoCs/blob/master/Ransomware-REvil-Kaseya.csv .

    The SHA256 hash for the vulnerable MSMPENG.EXE version is 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a. Using this hash value, went to VT and got MD5 hash for the process which is 8cc83221870dd07144e63df594c391d9.

    Finally created an OSArmor %PROCESSMD5HASH% block rule. That bugger won't run on my PC!
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    https://news.sophos.com/en-us/2021/...ain-exploit-to-attack-hundreds-of-businesses/
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,614
    Location:
    DC Metro Area
    "Kaseya’s VSA SaaS restart fails, service restoration delayed by at least ten hours

    'During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline.'

    https://www.kaseya.com/potential-attack-on-kaseya-vsa/

    The company had previously advised that SaaS restoration had commenced, with individual SaaS servers due to come online 'throughout the night US time'. 'All systems will be online and accessible by July 7th 6AM US EDT,' the advice stated.

    Now the company says its next update will come at 8AM US EDT. It has offered no information on likely time of restoration or the nature of the issue that has slowed the SaaS rollout. Nor has Kaseya said if its promise to patch its on-premises VSA software within 24 hours of SaaS restoration remains in force..."

    https://www.theregister.com/2021/07/07/kaseya_saas_restart_fails/
     
    Last edited: Jul 6, 2021
  25. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,140
    Location:
    USA still the best. But barely.
    I can't stand reading the posts about this including my own.

    It was what it is always. Greed (not spending enough on IT) & laziness all up & down the line. I blame the corps.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.