REvil ransomware hits 1,000+ companies in MSP supply-chain attack

silversurfer

A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.

Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
At this time, there are eight known large MSPs that have been hit as part of this supply-chain attack.

Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.

Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
"We are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close collaboration with six of them," Hammond shared in a blog post about the attack.

Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while investigating.
 

silversurfer


CISA, FBI share guidance for victims of Kaseya ransomware attack

CISA and FBI involved in the incident-handling process

The two federal agencies are involved in the worldwide incident-handling process for impacted Kaseya customers and are urging all affected MSPs and their customers to follow the guidance shared above.

"Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat," the FBI said in an official statement issued over the weekend.

Earlier today, the White House National Security Council also urged victims of this large-scale supply-chain attack to report the incident to the Internet Crime Complaint Center.

Victims were also advised to follow the guidance issued by Kaseya, including shutting down their VSA servers, as well as implementing CISA's and FBI's mitigation techniques.

 

wat0114

A PowerShell command is then launched that first disables various Microsoft Defender security features, such as real-time monitoring, Controlled Folder Access, script scanning, and network protection.

It will then decode the agent.crt file using the legitimate Windows certutil.exe command to extract an agent.exe file to the same folder, which is then launched to begin the encryption process.
[Image: PowerShell command to execute the REvil ransomware]

How does this happen unless there are serious and properly trained people in charge of IT security!? Useless people in charge.

The agent.exe is signed using a certificate from "PB03 TRANSPORT LTD" and includes an embedded 'MsMpEng.exe' and 'mpsvc.dll,' with the DLL being the REvil encryptor. When extracted, the 'MsMpEng.exe' and 'mpsvc.dll' are placed in the C:\Windows folder.

Again, how does this happen? That directory requires elevated privileges to copy files to it. Is this actually easier to pull off than I think it should be? Please somebody elucidate for me.
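The two behaviours quoted in the post above (a PowerShell invocation that switches off Defender protections, and certutil.exe used to decode a file to disk) are both visible in process-creation telemetry, and that is where a defender would catch them regardless of how the command was delivered. The following Python script is an added example and not part of this thread or of any Kaseya or BleepingComputer material: it runs detection logic over a few constructed process-creation log lines in a made-up pipe-delimited format (host|user|image|command line). The Set-MpPreference parameter names it matches are real Microsoft Defender cmdlet parameters; the hosts, users, file paths and command lines in the sample log are constructed for the example and are not indicators from the incident.

```python
"""Flag process-creation events showing Defender tampering or certutil decoding.

Added example, not code from the thread. Log format and sample lines are
constructed; only the Set-MpPreference parameter names are real.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    host: str
    user: str
    image: str
    cmdline: str


# Set-MpPreference switches that take a boolean; a hit requires $true or 1,
# so an admin re-enabling protection with $false is not flagged.
BOOL_SWITCHES = (
    "DisableRealtimeMonitoring",
    "DisableScriptScanning",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableIntrusionPreventionSystem",
)
# Switches that take an enum value; a hit requires the value Disabled.
ENUM_SWITCHES = (
    "EnableControlledFolderAccess",
    "EnableNetworkProtection",
    "MAPSReporting",
)

BOOL_RE = re.compile(r"-(%s)\s+(\$true|1)\b" % "|".join(BOOL_SWITCHES), re.I)
ENUM_RE = re.compile(r"-(%s)\s+Disabled\b" % "|".join(ENUM_SWITCHES), re.I)
CERTUTIL_DECODE_RE = re.compile(r"(^|\s)-decode(\s|$)", re.I)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed log line: host|user|image|command line."""
    host, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, user, image, cmdline)


def defender_tamper_flags(cmdline: str) -> list[str]:
    """Return the Defender protections this command line turns off (empty if none)."""
    if "set-mppreference" not in cmdline.lower():
        return []
    found = [m.group(1) for m in BOOL_RE.finditer(cmdline)]
    found += [m.group(1) for m in ENUM_RE.finditer(cmdline)]
    return found


def is_certutil_decode(image: str, cmdline: str) -> bool:
    """True when certutil.exe is invoked with -decode (writing a decoded file to disk)."""
    return image.lower().endswith("certutil.exe") and bool(CERTUTIL_DECODE_RE.search(cmdline))


def classify(ev: ProcEvent) -> list[str]:
    """Tags describing why an event is suspicious; empty list means benign."""
    tags = []
    flags = defender_tamper_flags(ev.cmdline)
    if flags:
        tags.append("defender-tamper:" + ",".join(flags))
    if is_certutil_decode(ev.image, ev.cmdline):
        tags.append("certutil-decode")
    return tags


def scan(lines) -> list[tuple[str, list[str]]]:
    """Run classify over log lines and return (host, tags) for every hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            hits.append((ev.host, tags))
    return hits


# Constructed sample telemetry: two suspicious events and three benign ones.
SAMPLE_LOG = r"""WS01|SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection Disabled"
WS02|SYSTEM|C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Temp\agent.crt C:\Temp\agent.exe
WS03|admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $false"
WS04|admin|C:\Windows\System32\certutil.exe|certutil.exe -hashfile C:\Temp\installer.msi SHA256
WS05|SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-MpPreference"
"""

if __name__ == "__main__":
    for host, tags in scan(SAMPLE_LOG.splitlines()):
        print(host, tags)
```

Only WS01 and WS02 are reported; the admin re-enabling real-time monitoring and the hash check with certutil pass as benign. In a real environment the same logic would run over Sysmon event 1 or Security event 4688 command lines, and the parent process of the flagged PowerShell would be the next thing to look at.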
 

Andy Ful

How does this happen unless there are serious and properly trained people in charge of IT security!? Useless people in charge.

Again, how does this happen? That directory requires elevated privileges to copy files to it. Is this actually easier to pull off than I think it should be? Please somebody elucidate for me.

It is a Kaseya VSA supply-chain attack (the platform was infected from the server side). It already works with high privileges. The ransomware was delivered via autoupdate. The effect would be similar if you got a malicious Windows Update from Microsoft. The only quick remediation was an immediate shutdown of the VSA servers. The malware was so nasty that after the infection of the running server it could not be shut down.

Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
 

wat0114

It is a Kaseya VSA supply-chain attack (the platform was infected from the server side). It already works with high privileges. The ransomware was delivered via autoupdate. The effect would be similar if you got a malicious Windows Update from Microsoft. The only quick remediation was an immediate shutdown of the VSA servers. The malware was so nasty that after the infection of the running server it could not be shut down.
Thanks Andy, and that's kind of the gist I got from the article, but it also mentions that the miscreants likely waited until the July 4th long weekend "when there is less staff to monitor the network." Do they really mean to say it takes people to monitor for these kinds of attacks? Aren't there actual built-in security measures available to prevent these attacks? So I'm left speculating that maybe vetting updates first, then manually applying them might be the better policy instead.

EDIT

So this seems to further illustrate that companies can't completely rely upon third-party IT solutions providers or cloud-based providers for their security solutions.
 

Gandalf_The_Grey

Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities
Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.

Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution that is offered as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.
The vulnerabilities affecting the Kaseya Unitrends backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side.

Unlike the Kaseya VSA zero-days used as part of the July 2nd REvil ransomware attack, these vulnerabilities are more difficult to exploit.
 