Fallout From the Kaseya Attack
Update at bottom of the post.
Just before the Fourth of July weekend, we saw an advisory from Kaseya Corp., the Miami-based maker of remote monitoring and management software, that its Virtual System/Server Administrator (VSA) product had been compromised. Attackers used compromised VSA servers at managed service providers (MSPs), who provide outsourced IT services to their end customers, to push a malware payload disguised as a Kaseya VSA agent update to those customers' systems. According to Huntress Labs, dozens of MSPs and potentially thousands of their customers may have been compromised.
This is reminiscent of the 2020 attack against the ConnectWise Automate platform and shows why "Zero Trust" is a thing now: never implicitly trust anything in your enterprise, including your own management and update channels. Assume everything is compromised, and put up additional layers of defense through network segmentation, single sign-on with multifactor authentication, and continuous monitoring, everywhere.
The Bad News
The Kaseya compromise is believed to involve three "Zero Day" (aka "0day") vulnerabilities, i.e., flaws that were previously unknown and for which no security patch was available at the time they were exploited. Ethical hackers find security flaws in software all the time and are paid "bug bounties" to report them privately to the developers, who create a fix before the details go public. Read more about this in my recent blog post on the Fortinet SSL VPN vulnerabilities. But REvil figured out they could make a lot more money by using the flaws for ransomware extortion.
Figure 1 Example of REvil Ransomware Demand (image credit to: Tenable, Inc.)
In fact, the REvil gang probably did not discover the 0days themselves but bought them from someone else. Ransomware gangs are often well-organized businesses with a division of labor, in which vulnerability researchers, red teamers/penetration testers, and other affiliates are paid a percentage of the ransom for doing their part.
This was a matter of bad timing for Kaseya. They had been notified of the vulnerabilities by the Dutch Institute for Vulnerability Disclosure (DIVD.NL) and were in the process of patching them when the attack took place. With no patch available, the advice was simply to shut down any server running VSA immediately. According to DIVD.NL Director Victor Gevers, there were initially about 2,200 VSA servers reachable from the Internet and vulnerable to the exploits. This fell to about 140 by July 4th, still a significant number.
The three 0days include the following:
- Authentication bypass, allowing login without valid credentials or access tokens.
- Arbitrary file upload, caused by poor handling of untrusted input, which allowed malicious files (including executables) to be uploaded to the server.
- Code injection, related to the file-upload flaw: attacker-supplied input is interpreted or executed by the application, allowing commands to run on the VSA server.
In one of his tweets, Gevers indicated that the vulnerabilities were simple to exploit. Unfortunately, they have not been easy for Kaseya to fix. As of this writing (Wednesday, July 7th, 2021, at 11 AM EDT), there is still no working patch. Kaseya said on its notification page that the patch it attempted to issue on July 6th had issues, and it was unable to release it.
What Can You Do NOW?
Obviously, if you run Kaseya VSA on-premises, keep those servers offline until a working patch is available and installed. Kaseya already shut down its cloud-hosted (SaaS) version of VSA as a precautionary measure.
You can also look for artifacts of the SQL injection into the VSA database. Refer to the Huntress Labs research for specifics; it lists the injected commands, known external command-and-control (C2) IP addresses, and other indicators to search for in audit logs.
Sophos also describes the attack in detail, along with IOCs to look for. It starts with a malicious agent procedure, presented as a hot-fix update, sent from a compromised VSA server to the VSA agents running on managed Windows devices. Because this is the "trusted" management channel, the commands run without scrutiny. The procedure first delays for about 90 minutes, then runs a PowerShell Set-MpPreference command that disables Microsoft Defender's real-time monitoring and related protections. The REvil dropper arrives in the agent's working directory as AGENT.CRT, an encoded file whose .crt extension and encoding keep malware defenses from recognizing it by static file analysis; the procedure decodes it with the built-in certutil utility into AGENT.EXE and executes it. The dropper then writes C:\Windows\MsMpEng.exe, a legitimate but old, deprecated version of the Microsoft Defender engine that hackers have abused in the past for "side-loading" malicious code from a dynamic link library (DLL), together with a malicious DLL named to match a legitimate one the executable imports (mpsvc.dll). Because the DLL sits in the same folder as the executable, the Windows loader finds it before the legitimate copy, and the REvil payload runs inside a signed Microsoft process.
Since the malicious binaries are the same for all victims, you can simply search for the known files and compare their hashes. See the Sophos link for the full list of IOCs and hashes. Some of the MD5 hash values are as follows:
- 561cffbaba71a6e8cc1cdceda990ead4, the hash for C:\kworking\agent.exe
- a47cf00aedf769d60d58bfe00c0b5421, the hash for C:\Windows\mpsvc.dll
- 8cc83221870dd07144e63df594c391d9, the hash for C:\Windows\msmpeng.exe
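As an added example (my own code, not from the original post, Sophos or Huntress), the following PowerShell script turns the file indicators above into a triage sweep that a SOC can push to managed Windows endpoints through a management channel it still trusts (GPO, Intune or another RMM, since the VSA servers are offline). It takes only the three paths and MD5 values listed above from the post; the function name, the side-load pair check and the Defender tamper check are assumptions, and the script reports rather than remediates.

```powershell
# Added example (not code from the original post, Sophos or Huntress): a triage
# sweep for the artifacts described above. Run elevated on a Windows endpoint.
# Only the three paths and MD5 values quoted in the post are taken from it; the
# function name and the side-load/Defender checks are assumptions.

# Path -> known-bad MD5 (lowercase), as listed in the post.
$KnownBad = @{
    'C:\kworking\agent.exe'  = '561cffbaba71a6e8cc1cdceda990ead4'
    'C:\Windows\mpsvc.dll'   = 'a47cf00aedf769d60d58bfe00c0b5421'
    'C:\Windows\msmpeng.exe' = '8cc83221870dd07144e63df594c391d9'
}

function Test-KaseyaRevilArtifacts {
    [CmdletBinding()]
    param([hashtable]$Iocs = $KnownBad)

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Hash check on the exact drop locations. A file at one of these paths is
    #    reported even when the hash differs, because a recompiled sample would
    #    still land in the VSA agent's working directory (C:\kworking).
    foreach ($path in $Iocs.Keys) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $findings.Add([pscustomobject]@{
                Check  = 'DroppedFile'
                Detail = $path
                Match  = ($md5 -eq $Iocs[$path])
                Note   = "md5=$md5"
            })
        }
    }

    # 2. Side-load pair: MsMpEng.exe next to an mpsvc.dll directly in C:\Windows.
    #    Defender normally runs from its own platform directory, so the pair being
    #    here is suspicious on its own; the DLL's Authenticode status is recorded.
    $exe = 'C:\Windows\MsMpEng.exe'
    $dll = 'C:\Windows\mpsvc.dll'
    if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $dll)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        $findings.Add([pscustomobject]@{
            Check  = 'SideLoadPair'
            Detail = "$exe + $dll"
            Match  = $true
            Note   = "mpsvc.dll signature status: $sig"
        })
    }

    # 3. Defender tamper check: the first stage turned these preferences off with
    #    Set-MpPreference, so their current values are evidence that it ran even
    #    if the dropped files were later deleted.
    try {
        $mp  = Get-MpPreference -ErrorAction Stop
        $off = @('DisableRealtimeMonitoring', 'DisableIOAVProtection',
                 'DisableScriptScanning', 'DisableIntrusionPreventionSystem') |
               Where-Object { $mp.$_ -eq $true }
        if ($off) {
            $findings.Add([pscustomobject]@{
                Check  = 'DefenderTampered'
                Detail = ($off -join ', ')
                Match  = $true
                Note   = 'preference set to $true'
            })
        }
    } catch {
        # Defender cmdlets unavailable (third-party AV, Server Core): skip, do not fail.
    }

    return $findings
}

$result = @(Test-KaseyaRevilArtifacts)
if ($result.Count -eq 0) {
    Write-Output "No Kaseya/REvil artifacts found on $env:COMPUTERNAME"
} else {
    $result | Format-Table -AutoSize
}
```

A hash match is conclusive, but treat the other two checks as leads: an old Defender engine in C:\Windows or real-time monitoring silently turned off both warrant pulling the host for forensics, and neither depends on the dropped files still being present. Pair the endpoint sweep with a search of firewall and proxy logs for the C2 addresses in the Huntress write-up.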
Abacode partners with Tenable, AT&T Cybersecurity, and other cybersecurity vendors to provide comprehensive and leading-edge managed services for our customers.
Tenable has released Nessus vulnerability-scanner plugins with a local Windows detection for Kaseya agents as well as a remote detection for Kaseya VSA servers. The AT&T Cybersecurity AlienVault USM Anywhere platform already had detection rules for REvil indicators of compromise (IOCs).
Contact us today if you’re concerned and need vulnerability scanning and remediation services or to schedule a no-cost “Proof of Value” of our 24/7 SIEM/SOC/Continuous Monitoring and Incident Response solution. As I have written before, this is the only way to detect and stop ransomware before it turns into a costly data breach – regardless of the 0days involved.
Those who use Abacode’s managed services already have a Zero Trust attitude and approach and don’t need to be as concerned when such devastating attacks happen, because someone already has their back. They know they are not just depending on a point solution but rather an entire framework of security with multiple layers and fail-safes.