
Kaseya Says ‘It’s Not a Supply Chain Attack’ and Releases Indicators of Compromise

Kaseya has confirmed in its recent notification that the attack was not actually a supply chain attack, and that it has found no evidence of any modification to the Kaseya VSA codebase.

“The attackers were able to exploit zero-day vulnerabilities [CVE-2021-30116] in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified,” reads the notification.

One positive aspect of this incident is that as soon as Kaseya’s customers reported the ransomware attack on their endpoints, the executive team promptly notified customers about the attack and immediately shut down the VSA SaaS infrastructure to prevent further complications.

Kaseya also confirmed that it had engaged a third-party cyber security firm (Mandiant) to investigate the incident quickly and assess the breach and its impact.

“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack.

While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised,” reads the notification.

Kaseya also released the IOCs it had identified, for its customers and for security researchers.

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely to perform the attack sequence:

35.226.94[.]113

161.35.239[.]148

162.253.124[.]162

Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

Filename  | MD5 Hash                                          | Function
----------|---------------------------------------------------|--------------------------------
cert.exe  | N/A – Legitimate file with random string appended | Legitimate certutil.exe utility
agent.crt | 939aae3cc456de8964cb182c75a5f8cc                  | Encoded malicious content
agent.exe | 561cffbaba71a6e8cc1cdceda990ead4                  | Decoded contents of agent.crt
mpsvc.dll | a47cf00aedf769d60d58bfe00c0b5421                  | Ransomware payload

Web Log Indicators

Excerpts from the IIS access logs of a compromised VSA server, showing the requests the threat actor made to perform their attack:

POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1
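As an added example (not Kaseya's or this post's own code), here is a small Python triage script that applies the indicators published above to IIS W3C access logs and MD5 digests. The embedded sample log is constructed for the example; only the attacker IP, request methods, paths and curl user agent are taken from the page.

```python
# Indicators as published on this page (IPs re-fanged from "[.]" so they match log fields).
ATTACKER_IPS = {"35.226.94.113", "161.35.239.148", "162.253.124.162"}
SUSPECT_REQUESTS = {("POST", "/dl.asp"), ("GET", "/done.asp"),
                    ("POST", "/cgi-bin/KUpload.dll"), ("POST", "/userFilterTableRpt.asp")}
MALICIOUS_MD5 = {"939aae3cc456de8964cb182c75a5f8ccc"[:32]: "agent.crt",
                 "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe",
                 "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll"}

# Constructed sample in IIS W3C extended format, not a real log: the attacker IP and request
# paths come from the page; timestamps, server IP and the benign lines are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 14:30:01 10.0.0.5 POST /dl.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:30:02 10.0.0.5 GET /done.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:30:03 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:30:05 10.0.0.5 POST /userFilterTableRpt.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:31:00 10.0.0.5 GET /done.asp - 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 14:32:00 10.0.0.5 GET / - 443 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0) 200
"""

def parse_iis_w3c(text):
    """Yield one dict per request line, mapping columns via the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines rather than mis-map columns
                yield dict(zip(fields, values))

def find_indicators(text):
    """Return (timestamp, client ip, method, path, reasons) for each line matching an IOC."""
    hits = []
    for rec in parse_iis_w3c(text):
        reasons = []
        if rec.get("c-ip") in ATTACKER_IPS:
            reasons.append("attacker-ip")
        if ((rec.get("cs-method"), rec.get("cs-uri-stem")) in SUSPECT_REQUESTS
                and rec.get("cs(User-Agent)", "").startswith("curl/")):
            reasons.append("curl-to-vsa-endpoint")
        if reasons:
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                         rec["cs-method"], rec["cs-uri-stem"], reasons))
    return hits

def classify_md5(digest):
    """Map a file's MD5 (any case) to the page's malicious filename, or None if unknown."""
    return MALICIOUS_MD5.get(digest.strip().lower())
```

A browser hit on /done.asp alone is not flagged; it takes the curl user agent on one of the listed paths, or a listed source address, to raise a hit.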

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
