The attack was first detected on 2nd July and had spread to over over 30 MSPs and over 1,500 businesses in the US, AUS, EU, LATAM and Asia.
The customers received the malicious “VSA agent hotfix” pack that was able to overcome anti-virus protections by leveraging the old flawed version of the Microsoft Defender application.
Kaseya supply chain attack resulted in more than a million individual devices being encrypted and frozen out of operation, according to the update on the official REvil blog.
Security company SOPHOS had performed a detailed forensic analysis of the ransomware. The attack narration in this document is created based on that information and other publicly available information on the internet.
Attack Narration
Infect Supplier Chain
The researchers believe that REvil threat actors managed to exploit a zero-day vulnerability in Kaseya’s VSA servers to bypass authentication on the web panel and execute SQL commands on the appliance to deploy REvil payload to all connected clients.
Infiltrate into Customers System
The malware was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices.This gave REvil the stealth in several ways:
- It allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code which is reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent “working” folders.
- Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions which allowed REvil to deploy its dropper without scrutiny.
Gaining Foothold
The Kaseya Agent Monitor (at C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, with the ID being the identification key for the server connected to the monitor instance) wrote out the Base64-encoded malicious payload AGENT.CRT to the VSA agent’s “working” directory for updates (by default, C:\KWORKING\). AGENT.CRT is encoded to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when it is dropped. It is to be noted that since this file was deployed within the “working” directory which was excluded from malware defenses under Kaseya’s requirements, the encoding was probably not necessary in this case.
After deploying the payload, the Kaseya agent ran Windows shell commands (7 together), concatenated into a single string by using ‘&’ as delimiter.
The commands (given in probable sequence of execution) and what they do
[1] ping 127.0.0.1 -n 5693 > nul
The first command is essentially a timer. The PING command has a -n parameter which instructs the Windows PING.EXE tool to send echo requests to the localhost (127.0.0.1). In this case, 5,693 of them. This acted as a “sleep” function, delaying the subsequent PowerShell command for 5,693 seconds which is roughly 94 minutes. The value 5,693 varied per victim, indicating that the number was randomly generated on each VSA server as part of the agent procedure that sent the malicious command down to victims. This is one example of customization of the attack.
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
The next part of the command string is a PowerShell command that attempts to disable core malware and anti-ransomware protections offered by Microsoft Defender:
- Real-time protection
- Network protection against exploitation of known vulnerabilities
- Scanning of all downloaded files and attachments
- Scanning of scripts
- Ransomware protection
- Protection that prevents any application from gaining access to dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet
- Sharing of potential threat information with Microsoft Active Protection Service (MAPS)
- Automatic sample submission to Microsoft
- These features are turned off to prevent Microsoft Defender from potentially blocking subsequent malicious files and activity.
[3] copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
This creates a copy of the Windows certificate utility, CERTUTIL.EXE that can be used to download and decoding web-encoded content. The copy is written to C:\WINDOWS\CERT.EXE.
[4] echo %RANDOM% >> C:\Windows\cert.exe
This appends a random 5-digit number to the end of the copied CERTUTIL. This could have been an attempt to prevent anti-malware products that watch for CERTUTIL abuse from recognizing CERT.EXE as a CERTUTIL copy by signature.
[5] C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
The copied CERTUTIL is used to decode the Base64-encoded payload file AGENT.CRT and write it to an executable, AGENT.EXE, in the Kaseya working folder. AGENT.EXE has a valid Authenticode, signed with a certificate for “PB03 TRANSPORT LTD.” This certificate is seen associated with REvil malware only which may be stolen or procured fraudulently. Upon reverse engineering AGENT.EXE, it was found that it contains a compiler timestamp of July 1, 2021 (14:40:29) which was the day before the attack.
[6] del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
The original payload file C:\KWORKING\AGENT.CRT and the copy of CERTUTIL are deleted.
[7] c:\kworking\agent.exe
Finally, AGENT.EXE is started by Kaseya’s AGENTMON.EXE process (inheriting its system-level privilege)—and the actual dropping of ransomware begins.
Side-loading for stealth
AGENT.EXE dropped MSMPENG.EXE, which is an outdated and expired version of Microsoft’s Antimalware Service executable. This is a legitimate yet vulnerable application from Windows Defender, version 4.5.218.0, signed by Microsoft on March 23, 2014:
This version of MSMPENG.EXE is vulnerable to side-loading attacks (which has been found before in other attacks using the same file). In a side-load attack, malicious code is put into a dynamic link library (DLL) which is named to match the same as one required by a targeted executable, and usually placed into the same folder as the executable to make the malicious file available ahead of the legit one in the DLL load order.
In this case, AGENT.EXE dropped a malicious file named MPSVC.DLL alongside the MSMPENG.EXE executable. AGENT.EXE then executes MSMPENG.EXE, which detects the malicious MPSVC.DLL file and loads it into its own memory space.
The MPSVC.DLL also contains the “PB03 TRANSPORT LTD.” certificate that was applied to AGENT.EXE. The MPSVC.DLL appears to have been compiled on Thursday July 1, 2021 (14:39:06), just prior to the compilation of AGENT.EXE.
From here, the malicious code in MPSVC.DLL hijacks the normal execution flow of the Microsoft branded process.
Once the DLL is loaded into memory, the malware deletes it from disk.
The MSMPENG.EXE, now under control of the malicious MPSVC.DLL, begins to encrypt the local disk, connected removable drives and mapped network drives, all from a Microsoft signed application that security controls typically trust and allow to run unhindered.
Lateral Movement
Once a foothold is gained, this REvil ransomware is technically very similar to other recent REvil extortion operations.
It executes a NetShell (netsh) command to change firewall settings to allow the local Windows system to be discovered on the local network by other computers by using the command:
netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
Encryption
After movement and establishment, the ransomware starts encrypting files. The REvil ransomware performs an in-place encryption attack, and so the encrypted documents are stored on the same sectors as the original unencrypted document, making it impossible to recover the originals with data recovery tools.
REvil’s efficient file system activities are implemented as multi-threaded code and specific operations are performed on dedicated threads. The ransomware storage access activities i.e. reading original documents and writing encrypted documents, embedding key as binary object, and document renaming runs on multiple individual threads.
As each file is encrypted, a random extension is added to the end of its name.
Attack Summary
- Use zero-day and SQLi to infiltrate it into Kaseya VSA server
- Use trusted channel to infiltrate into the managed system
- Use leveraged trust into the local host to run main install command
- Run PowerShell command to stop Windows Defender
- Renamed CERTUTIL.EXE decodes AGENT.EXE from AGENT.CRT
- AGENT.EXE is executed, drops MSMPENG.EXE and MPSVC.DLL into C:\Windows
- MSMPENG.EXE is executed, and side-loads the REvil DLL
- Files are encrypted, ransom note created
- Netsh.exe turns on network discovery
- Perform lateral movement and effect other windows machines
- Continue encryption
Speciality of the attack
There are some factors of this attack that are observed to be different from other similar attacks:
- REvil attack makes no apparent effort to exfiltrate data, probably due to its mass deployment
- Attacks were customized based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs.
- There was no sign of deletion of volume shadow copies which is common behavior among ransomware. This is to avoid triggering malware defenses.
Comments