Security operations · 3 MIN READ · BEN BRIGIDA, MATTHEW BERNINGER, JON HENCINSKI, EVAN REICHARD AND RAY PUGH · JUL 6, 2021 · TAGS: Alert / MDR
It was a few hours before the start of a holiday weekend, and attackers decided to strike.
What type of attack? You guessed it – ransomware.
There’s been a steep rise in supply chain ransomware attacks like this one since 2017, and we have no doubt that we’ll continue to see these types of attacks. Unlike the smaller payout bad actors may earn using cheap tactics, a sophisticated attack like this latest REvil ransomware attack can mean big money. So constantly evolving their tactics is an investment attackers are willing to make.
But here’s your reminder to not panic.
The community rallied quickly, creating awareness and providing guidance on how to guard against this attack. And we’ll continue to do so in the face of events like this.
What happened
Kaseya, an IT solutions company used by many Managed Security Providers (MSPs) and enterprise orgs, announced on July 2, 2021 that it was the victim of a large-scale supply chain attack.
Kaseya VSA, a remote monitoring and management (RMM) tool, was exploited via a zero-day vulnerability (CVE-2021–30116) to deploy ransomware to MSPs and at least hundreds of US businesses. The ransomware was deployed through an automated malicious Kaseya VSA software update. The ransomware threat group REvil, also known as Sodinokibi, claimed responsibility.
The Kaseya SaaS VSA servers were shut down and the company recommended that all local VSA servers be shut down immediately. Kaseya’s team worked quickly and believes the attack is localized to a few on-prem customers. On July 4, 2021, Kaseya announced that all VSA SaaS servers will remain in maintenance mode.
Below is a recap of what we know so far.
Technical details
- REvil ransomware encryptor is dropped at c:kworkingagent.exe
- Further files are dropped in c:windows:
- MsMpEng.exe (legitimate Microsoft Defender copy)
- mpsvc.dll (Malicious REvil DLL)
- The malicious mpsvc.dll is side-loaded into the legitimate Microsoft Defender copy (MsMpEng.exe)
Indicators and warnings
- c:kworkingagent.exe
- c:kworkingagent.crt
- 45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c (agent.crt)
- d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e (agent.exe)
- 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd (mpsvc.dll)
- e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 (mpsvc.dll)
- hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion
What you can do right now to keep your org safe
First and foremost – don’t click on any links!
Kaseya warned that links sent by the attackers “may be weaponized.” They’ve also shared a new Compromise Detection Tool to help determine if there are indicators of compromise on a VSA served or managed endpoint.
There are also a few steps you can take right now to protect against this attack. If you haven’t already done so, we recommend you immediately:
- Shutdown VSA server
- Disable / Uninstall Agent
- Block all known malicious hashes:
- d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e (agent.exe)
- 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd (mpsvc.dll)
- e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 (mpsvc.dll)
Lastly, make sure you incorporate these learnings into your detection strategy.
After notifying our customers of the situation, Expel deployed “be on the lookout” detections – where customers are immediately notified of a detection – for the two known malicious hashes, and for the known file paths the attackers have been reportedly using. Expel has also begun pushing out more generalized logic rules to catch variants of these attack vectors.
What you should keep in mind
We get it. Saying “don’t panic” is easier said than done. Constant news of emerging threats can be nerve-wracking and downright frustrating.
But it’s important to remember that in the minutes and hours after an announcement like this, certain things are key: communication, action and integration.
Communicating with our customers and notifying them of new threats is critical. Not only do they need to know that you’re on it, but this also gives them the chance to take their own actions. So, whether it’s with customers or your internal teams, make sure everyone is in the loop.
Time is of the essence. Depending on the situation, taking action could mean deploying new signatures, implementing a new hunting strategy, responding to active attackers or – if you’ve evaluated the information and there’s really nothing to do – sometimes nothing.
And during an attack outbreak like this, burnout can happen quickly. The mental strain of being in constant emergency mode will only exacerbate burnout and lead to alert and response fatigue. Remember that resiliency also includes keeping your team safe from burnout.
While, fortunately, Expel’s customers were not impacted, this serves as a great reminder that during any incident, it’s important to understand what completion looks like. As we respond to urgent incidents like this, we’re also working to integrate whatever actions we took or are taking back into our usual operational cadence here at Expel.
Finally, be sure to stay informed on the developments of this newest ransomware attack by regularly checking Kaseya’s updates.
