The IGI Cybersecurity Team has been closely following and analyzing the REvil (also known as Sodinokibi) zero-day attack on Kaseya's VSA software, and has some insight into how it can affect the businesses that use Kaseya's products.
IT solutions developer Kaseya announced that it had become the victim of a cyberattack on Friday, July 2. The notorious Russia-linked REvil ransomware gang exploited zero-day vulnerabilities in VSA and used the compromised VSA servers to push ransomware to the endpoints those servers manage.
VSA, Kaseya's cloud-based IT management and remote monitoring solution for Managed Service Providers (MSPs), supports two-factor authentication, but the attackers chained an authentication bypass with an arbitrary file upload and a code injection vulnerability to gain control of VSA servers. When this was first announced, one thing was immediately clear: the impact on businesses could be widespread if not contained quickly.
As a security professional who has worked with clients on Sodinokibi ransomware incidents, I know that these threat actors are methodical. They typically compromise systems and remain covert inside the environment for months, creating back doors, moving through the network to do reconnaissance, and compromising privileged accounts to plant "sleeper cell" scripts before they launch the ransomware or are detected. Their goal is to control as many assets as possible, pivoting into any connected networks, so that they have the greatest leverage over how long they can delay or prevent recovery and can extract a ransom payment with the least resistance.
First, let's identify possible indicators of compromise.
Here is what we know from Kaseya:
- In the simplest terms, the attackers first bypassed authentication on the VSA server, then used the support ticket file upload feature to upload the malicious payload, masking it as a digitally signed executable. The server's normal agent management functionality then delivered it to the managed endpoints.
In Technical Detail
- The ransomware dropper was written to the Kaseya agent's working directory (TempPath) with the file name agent.exe.
- Compromised systems show the changes being executed by a disguised agent procedure named "Kaseya VSA Agent Hot-fix".
- When agent.exe runs, it drops an old, legitimately signed copy of the Windows Defender executable MsMpEng.exe together with the encryptor payload mpsvc.dll into the hard-coded path C:\Windows; MsMpEng.exe then loads the malicious mpsvc.dll from the same directory (DLL sideloading).
- The Sodinokibi DLL mpsvc.dll creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter, which contains several registry values that store the encryptor's runtime keys and configuration artifacts.
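To make these indicators actionable, here is an added triage script (example code written for this article, not Kaseya's Compromise Detection Tool and not part of the original post) that matches a host's collected file, registry and agent-procedure artifacts against the indicators listed above. It assumes the Kaseya agent working directory is C:\kworking (the post only says "TempPath"; treat the path as an assumption and adjust it to your deployment) and that artifacts arrive as (type, value) pairs exported from an EDR or a manual collection. The sample events are constructed for the example. Note that a Defender binary in C:\Windows is rated only medium on its own, since it is the sideloading host rather than the payload, while mpsvc.dll in that directory, the BlackLivesMatter key, or the Hot-fix procedure name are treated as high-confidence hits.

```python
"""Triage helper: match host artifacts against the Kaseya/REvil indicators above."""
import ntpath
from dataclasses import dataclass

# ASSUMPTION (not stated in the post): the Kaseya agent working directory is C:\kworking.
KASEYA_WORKING_DIR = r"c:\kworking"
WINDOWS_DIR = r"c:\windows"
REVIL_CONFIG_KEY = r"hkey_local_machine\software\wow6432node\blacklivesmatter"
HOTFIX_PROCEDURE = "kaseya vsa agent hot-fix"

# Constructed sample telemetry as (type, value) pairs, the way a triage export might list them.
SAMPLE_EVENTS = [
    ("file", r"C:\kworking\agent.exe"),
    ("file", r"C:\Windows\MsMpEng.exe"),
    ("file", r"C:\Windows\mpsvc.dll"),
    ("file", r"C:\Program Files\Windows Defender\MsMpEng.exe"),  # legitimate Defender location
    ("registry", r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter"),
    ("procedure", "Kaseya VSA Agent Hot-fix"),
    ("procedure", "Weekly Patch Scan"),  # benign agent procedure
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" or "medium"
    evidence: str


def _normalize_path(path):
    """Return (directory, filename), both lower-cased, from a Windows path."""
    directory, name = ntpath.split(path)
    return directory.rstrip("\\").lower(), name.lower()


def check_file(path):
    directory, name = _normalize_path(path)
    if name == "agent.exe" and directory == KASEYA_WORKING_DIR:
        return Finding("dropper_in_kaseya_working_dir", "high", path)
    if directory == WINDOWS_DIR and name == "mpsvc.dll":
        # The encryptor DLL itself; Defender's own mpsvc.dll does not live in C:\Windows.
        return Finding("encryptor_dll_in_windows_dir", "high", path)
    if directory == WINDOWS_DIR and name == "msmpeng.exe":
        # A signed Defender binary copied here is the sideloading host. On its own it is
        # suspicious but not proof of encryption, so rate it medium.
        return Finding("defender_binary_copied_for_sideload", "medium", path)
    return None


def check_registry(key):
    normalized = key.rstrip("\\").lower()
    if normalized.startswith("hklm\\"):  # accept the common abbreviation
        normalized = "hkey_local_machine\\" + normalized[len("hklm\\"):]
    if normalized == REVIL_CONFIG_KEY:
        return Finding("revil_runtime_config_key", "high", key)
    return None


def check_procedure(name):
    if name.strip().lower() == HOTFIX_PROCEDURE:
        return Finding("malicious_agent_procedure", "high", name)
    return None


CHECKS = {"file": check_file, "registry": check_registry, "procedure": check_procedure}


def triage(events):
    """Run every artifact through the check for its type; unknown types are ignored."""
    findings = []
    for kind, value in events:
        check = CHECKS.get(kind)
        if check is None:
            continue
        finding = check(value)
        if finding is not None:
            findings.append(finding)
    return findings


def verdict(findings):
    """'compromised' on any high-confidence hit, 'suspicious' on medium-only hits, else 'clean'."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "compromised"
    if "medium" in severities:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
    print("verdict:", verdict(results))
```

Feed it the file listing of C:\Windows and the agent working directory, the exported HKLM\SOFTWARE\WOW6432Node subkeys, and the VSA procedure history for the host; a single high-severity finding is enough to isolate the machine and start incident response.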
Cybercriminals have already started taking advantage of the incident. Phishing campaigns are sending spam emails designed to exploit new victims.
Malspam is malicious email that carries an infected attachment or a link that leads the recipient's system to an infected file. In this case it is disguised as a link that imitates the Kaseya site and poses as a fix for the Microsoft patch associated with the Kaseya attacks. The link redirects users to a server at 126.96.36.199:1113, which downloads and executes ploadex.exe, the malicious file.
Additionally, Kaseya is alerting its customers to an ongoing phishing campaign that seeks to breach their networks by sending spam emails containing malicious attachments and links posing as legitimate Kaseya security updates. Do not click links or download attachments purporting to be from the company's "consultants." A separate set of fake Kaseya emails, with the subject "Our Shipping Renewal," prompts recipients to install updates from Microsoft.
If you think you have been compromised, you'll want to work with cybersecurity professionals like IGI on an incident response plan. In addition, take these immediate actions:
- CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has issued an advisory urging Kaseya customers with login access to download the Compromise Detection Tool that Kaseya has made available to identify indicators of compromise (IoCs).
- Kaseya has also published instructions, along with the downloadable file, for enabling multi-factor authentication.
- It is also recommended that customers limit communications with remote monitoring and management (RMM) capabilities to known IP address pairs, and place the administrative interfaces of RMM tools behind a virtual private network (VPN) or a firewall on a dedicated administrative network for now.
Should you have any questions about next steps, please contact the IGI Incident Response team for support.