Posted on Leave a comment

Supply Chain Attack on Kaseya has Lead to Delivery of REvil Ransomware.

Kaseya, one of the supplier of IT management software for Managed Service Providers and for Internal IT teams has announced it has been the victim of sophisticated cyber attack which has pushed the REvil ransomware to its 40 customer around the world on July 2, 2021.

We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only, We are in the process of investigating the root cause of the incident with the utmost vigilance.” stated in the companies website.

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture.  REUTERS/Kacper Pempel/File Photo
Source: Reuters.

Kaseya said that they are progressing on their investigation of this incident while working with FBI for their worldwide customers impacted by this attack.

“‘We recommended that you IMMEDIATELY shutdown your VSA server … It’s critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA,” mentioned in their notification.

Fred Voccola, the CEO of the company had mentioned that they identified the source of the vulnerability and they are preparing a patch to remediate for their on-premises customers after the thorough testing..

John Hammond, a researcher of the CyberSecurity Company( Huntress Labs) says “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business ,This is a colossal and devastating supply-chain attack.”

Checkout the detailed notification and further updates by the company here.

Indicators of Compromise:

file_namefile_hash
agent.exeD55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E
mpsvc.dllE2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2
mpsvc.dll8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD
cert.exe36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
7ea501911850a077cf0f9fe6a7518859
e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
0299e3c2536543885860c7b61e1efc3f
682389250d914b95d6c23ab29dffee11cb65cae9
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
835f242dde220cc76ee5544119562268
8118474606a68c03581eef85a05a90275aa1ec24
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
849fb558745e4089a8232312594b21d2
1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
561cffbaba71a6e8cc1cdceda990ead4
5162f14d75e96edb914d1756349d6e11583db0b0
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
4a91cb0705539e1d09108c60f991ffcf
7895e4d017c3ed5edb9bf92c156316b4990361eb
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
7d1807850275485397ce2bb218eff159
45c1b556f5a875b71f2286e1ed4c7bd32e705758
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
8535397007ecb56d666b666c3592c26d
0912b7cecfbe82d6903a8a0dc421c285480e5caa
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
5a97a50e45e64db41049fd88a75f2dd2
20e3a0955baca4dc7f1f36d3b865e632474add77
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
040818b1b3c9b1bf8245f5bcb4eebbbc
c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
be6c46239e9c753de227bf1f3428e271
13d57aba8df4c95185c1a6d2f945d65795ee825b
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
a560890b8af60b9824c73be74ef24a46
c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
a47cf00aedf769d60d58bfe00c0b5421
656c4d285ea518d90c1b669b79af475db31e30b1
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
18786bfac1be0ddf23ff94c029ca4d63
3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e

Process Data:

  • “C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
    • Parent Path – C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
  • “C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
    • Parent Path – C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe

Files involved

  • C:\windows\cert.exe
    • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
  • C:\windows\msmpeng.exe
    • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • C:\kworking\agent.crt
  • C:\Windows\mpsvc.dll
    • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • C:\kworking\agent.exe
    • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Registry Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

Ransomware Extension

  • <victim ID>-readme.txt

Domains 

  • ncuccr[.]org
  • 1team[.]es
  • 4net[.]guru
  • 35-40konkatsu[.]net
  • 123vrachi[.]ru
  • 4youbeautysalon[.]com
  • 12starhd[.]online
  • 101gowrie[.]com
  • 8449nohate[.]org
  • 1kbk[.]com[.]ua
  • 365questions[.]org
  • 321play[.]com[.]hk
  • candyhouseusa[.]com
  • andersongilmour[.]co[.]uk
  • facettenreich27[.]de
  • blgr[.]be
  • fannmedias[.]com
  • southeasternacademyofprosthodontics[.]org
  • filmstreamingvfcomplet[.]be
  • smartypractice[.]com
  • tanzschule-kieber[.]de
  • iqbalscientific[.]com
  • pasvenska[.]se
  • cursosgratuitosnainternet[.]com
  • bierensgebakkramen[.]nl
  • c2e-poitiers[.]com
  • gonzalezfornes[.]es
  • tonelektro[.]nl
  • milestoneshows[.]com
  • blossombeyond50[.]com
  • thomasvicino[.]com
  • kaotikkustomz[.]com
  • mindpackstudios[.]com
  • faroairporttransfers[.]net
  • daklesa[.]de
  • bxdf[.]info
  • simoneblum[.]de
  • gmto[.]fr
  • cerebralforce[.]net
  • myhostcloud[.]com
  • fotoscondron[.]com
  • sw1m[.]ru
  • homng[.]net

Source: Sophos.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply