Kaseya supply chain attack – REvil ransomware – History witnesses a new generation RaaS

Even though there have already been quite a few breaches this year, this attack has definitely turned heads. An enormous series of events on Friday infected at least hundreds and likely thousands of businesses globally with ransomware, including a railroad chain, pharmacies and hundreds of stores of a Swedish co-op supermarket brand. It marks a turning point: a combination of ransomware and what is known as a supply chain attack.

Leads from earlier investigation reports have resurfaced that describe the modus operandi of the ransomware gang, also known as Sodinokibi. According to those reports, attackers were actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called “Sodinokibi.” Sodinokibi attempts to encrypt data in a user’s directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. [Reference]

With timing chosen to ruin the end of the week, ransomware actors evidently used Kaseya, a vendor of IT management software for MSPs and IT teams (IT asset management, service desk, and more), to deliver their payload. Mark Loman of Sophos tweeted about the attack on Friday and reported that affected systems will demand $44,999 to be unlocked. A notice on Kaseya’s site urges customers to shut down their VSA servers for now, because one of the first things the attacker does is shut off administrative access to the VSA.

Security researchers have pieced together critical details about how the attackers both obtained and took advantage of that initial foothold. Attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. That meant they also hit, by extension, the VSA agent applications running on the Windows devices of the customers of those MSPs. VSA “working folders” typically operate as a trusted walled garden within those machines, which means malware scanners and other security tools are instructed to ignore whatever happens inside them, providing valuable cover to the attackers who had compromised them. [Reference]


In a statement to Bleeping Computer, Kaseya stated that they have shut down their SaaS servers and are working with other security firms to investigate the incident. Most large-scale ransomware attacks are conducted late at night over the weekend, when there is less staff to monitor the network. As this attack happened midday on a Friday, the threat actors likely planned the timing to coincide with the July 4th weekend in the USA, when it is common for staff to have a shorter workday before the holiday. The image below shows the PowerShell command used to execute the REvil ransomware.

Source: Reddit

The agent.exe is signed using a certificate from “PB03 TRANSPORT LTD” and includes an embedded ‘MsMpEng.exe’ and ‘mpsvc.dll,’ with the DLL being the REvil encryptor. When extracted, the ‘MsMpEng.exe’ and ‘mpsvc.dll’ are placed in the C:\Windows folder. The MsMpEng.exe is an older version of the legitimate Microsoft Defender executable, used as a LOLBin to launch the DLL so that the device is encrypted through a trusted executable. The image below depicts agent.exe extracting and launching its embedded resources.

While REvil is known to steal data before deploying the ransomware and encrypting systems, it is unclear whether the attackers exfiltrated any documents. MSPs are a high-value target for ransomware groups because they offer a simple channel to infect numerous organizations through a single breach, yet such attacks require in-depth knowledge of MSPs and the products they use. [Reference]

The techniques used here to evade malware protection (poisoning a supply chain, exploiting vendor exclusions from malware protection, and side-loading with an otherwise benign, Microsoft-signed process) are all very sophisticated. They also show the risk of excluding anti-malware protection from folders where automated tasks write and execute new files. While zero-day supply-chain attacks are uncommon, we have already seen two significant systems-management platforms abused in the past year. While Sunburst was obviously a state-sponsored attack, ransomware operators clearly have the resources to keep acquiring additional exploits.

The Kaseya ransomware attack is a global one and isn’t confined to the USA or any other specific country. With the ransom demand out in the open, it remains unclear how the situation will develop. Before publishing this blanket ransom demand on their blog, the REvil gang had claimed that the ransom amounts would increase over time if their demands were not met. Is there a way to defend against such attacks, mishaps, or exploits being used to extort money? More to come!
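The two defensive lessons above, the Defender binary dropped outside its install directory and executables written into a scanner-excluded folder, can be checked in endpoint telemetry. The following is an added example, not code from the article or from any vendor; the event format, the `findings` function and the `C:\example-working` folder are assumptions made for illustration, and the sample events are constructed.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts

# Directories where genuine Microsoft Defender binaries are installed.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
WATCHED = {"msmpeng.exe", "mpsvc.dll"}  # file names taken from the article

def _under(path, roots):
    """True if path is inside any of the (lower-cased) root directories."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(r + "\\") for r in roots)

def findings(events, excluded_dirs=()):
    """Return (rule, path) tuples for suspicious events."""
    excluded = tuple(ntpath.normpath(d).lower() for d in excluded_dirs)
    out = []
    for ev in events:
        path = ev["path"]
        name = ntpath.basename(path).lower()
        # Rule 1: Defender binary created, run or loaded outside its install dir.
        if name in WATCHED and not _under(path, DEFENDER_DIRS):
            out.append(("defender-binary-outside-install-dir", path))
        # Rule 2: new executable code written where the scanner is told not to look.
        if (ev["type"] == "file_create" and name.endswith((".exe", ".dll"))
                and _under(path, excluded)):
            out.append(("executable-written-to-excluded-dir", path))
    return out

# Constructed events; the working folder and Defender version are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\example-working\agent.exe"},
    {"type": "file_create", "path": r"C:\Windows\MsMpEng.exe"},
    {"type": "file_create", "path": r"C:\Windows\mpsvc.dll"},
    {"type": "process_create", "path": r"C:\Windows\MsMpEng.exe"},
    {"type": "image_load", "path": r"C:\Windows\mpsvc.dll"},
    {"type": "process_create",
     "path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"},
]

if __name__ == "__main__":
    for rule, path in findings(SAMPLE_EVENTS, excluded_dirs=[r"C:\example-working"]):
        print(f"{rule}: {path}")
```

Rule 2 only has value if file-creation telemetry is still collected for excluded folders, which is a separate control from the scanner exclusion itself.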

Article by Kaushik Sundararajan

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.

Published by The Art of Cyber-Space
