Cyber Threat Advisory: Kaseya REvil Ransomware Attack

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Nick Sundvall

TLP: WHITE

      1. Executive Summary

On 2 July, the threat actors behind REvil, also known as Sodinokibi, launched a massive ransomware attack targeting users of Kaseya’s remote monitoring and management service, VSA. In this supply chain attack, the actors exploited a zero-day vulnerability in Kaseya’s software to deploy ransomware on nearly 1500 company networks.1 Kaseya stated that the attack compromised only customers of the on-premises version of VSA and that there is no evidence that it compromised SaaS customers.

After the attack, the actors stated the following on their blog: “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”2

      2. REvil/Sodinokibi Background

In June 2019, we published a report3 on Sodinokibi/REvil. At the time, it was a relatively new ransomware-as-a-service (RaaS), and it appeared to be one of the ransomware families filling a void left by the discontinuation of the popular ransomware Gandcrab. REvil was first identified in the wild on 17 April 2019, when threat actors exploited a vulnerability in Oracle WebLogic to install Sodinokibi on susceptible web servers.2 Like Gandcrab, REvil uses an affiliate revenue system where threat actors sign up as affiliates, start using the ransomware for no initial fee, and share a percentage of their profits.

As we noted in 2019, the fact that REvil is freely available means its distribution methods vary from one  threat actor to another. Even in 2019, REvil affiliates had distributed the ransomware by compromising MSPs, distributing malicious spam emails, and hacking websites that host downloadable executables to replace the legitimate software with copies of REvil.4

      3. Kaseya Attack Analysis

                 3.1. Malicious Software Update

Sophos reported that the actors delivered the ransomware to VSA servers via a malicious update, and the update employed a zero-day exploit of the server platform to deploy the ransomware to the managed Windows machines. According to Sophos, this approach gave the threat actors the advantages of 1) compromising the downstream companies by abusing the trusted VSA service, and 2) avoiding being stopped by antivirus software (AV), because VSA requires that several folders as well as the Kaseya executables be excluded from AV monitoring.

                 3.2. Ransomware Deployment

Upon receiving the malicious update, the VSA agent wrote an encoded malicious payload into its working directory, C:\KWORKING\. The agent then ran several Windows shell commands, which repeatedly pinged localhost, acted as a sleep function, and delayed the upcoming commands for approximately 90 minutes.

The agent then ran a PowerShell command that disabled Microsoft Defender’s anti-malware and anti-ransomware protections. At this point, the agent made a copy of certutil.exe, the Windows certificate utility that can download and decode content, and used the executable to decode the previously downloaded payload.

Sophos reported that the payload had a valid certificate but that it “may be stolen or fraudulently obtained” and that the payload was compiled a day before the attack, on 1 July. After the agent decoded the payload, the final shell command launched the malicious payload and the ransomware began to deploy. The report noted that due to mass deployment, the attack made no effort to exfiltrate any data.

      4. Prevention and Mitigation

Kaseya recommends taking all on-premises VSA servers offline until further notice. Also, Kaseya has stated that they are actively working on a patch and hope to deploy it by 7 July. Finally, Kaseya has released a compromise detection tool that will help determine whether any IoCs are present on a system.5

Infoblox recommends backing up data and systems regularly to minimize the potential impact of ransomware in general, as well as practicing restoring from backups. Ideally, backups should be stored off the network.

Also, beware of scams looking to take advantage of this attack. Malwarebytes has already reported on a malspam phishing campaign that allegedly delivers a patch for the vulnerability exploited by the REvil threat actors.6 In reality, the email attachment drops CobaltStrike, a legitimate penetration-testing tool that threat actors abuse to deploy a program named Beacon. Beacon enables them to perform advanced post-exploitation functions, such as command execution, key logging, file transfer, privilege escalation, port scanning, and lateral movement.

      5. Indicators of Compromise

Indicator

Description

C:\windows\cert.exe

 Copied certutil

C:\windows\msmpeng.exe

 Executable vulnerable to DLL sideload

C:\kworking\agent.crt

REvil dropper used in Kaseya exploit
C:\windows\mpsvc.dll

REvil ransomware DLL
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1

8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

50416e50797cf88a48d086e718c003e2d10c3847b1a251669d6f10f8d3546e03

SHA256s

101gowrie[.]com

123vrachi[.]ru

12starhd[.]online

1kbk[.]com[.]ua

1team[.]es

321play[.]com[.]hk

35-40konkatsu[.]net

365questions[.]org

4net[.]guru

4youbeautysalon[.]com

8449nohate[.]org

andersongilmour[.]co[.]uk

asiluxury[.]com

bierensgebakkramen[.]nl

blgr[.]be

blossombeyond50[.]com

bxdf[.]info

c2e-poitiers[.]com

candyhouseusa[.]com

cerebralforce[.]net

cleliaekiko[.]online

conexa4papers[.]trade

copystar[.]co[.]uk

cursosgratuitosnainternet[.]com

daklesa[.]de

danielblum[.]info

dubnew[.]com

eglectonk[.]online

facettenreich27[.]de

fannmedias[.]com

faroairporttransfers[.]net

filmstreamingvfcomplet[.]be

foryourhealth[.]live

fotoscondron[.]com

gmto[.]fr

gonzalezfornes[.]es

hairstylesnow[.]site

homng[.]net

importardechina[.]info

iqbalscientific[.]com

kaotikkustomz[.]com

liliesandbeauties[.]org

milestoneshows[.]com

mindpackstudios[.]com

myhostcloud[.]com

ncuccr[.]org

pasvenska[.]se

rimborsobancario[.]net

simoneblum[.]de

smartypractice[.]com

southeasternacademyofprosthodontics[.]org

streamerzradio1[.]site

summitmarketingstrategies[.]com

sw1m[.]ru

tanzschule-kieber[.]de

thee[.]network

thomasvicino[.]com

tonelektro[.]nl

Domains Found In REvil Config File

Endnotes

  1. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
  2. https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
  3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–21
  4. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/
  5. https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict
  6. https://twitter.com/MBThreatIntel/status/1412518446013812737/

Labels:

Infoblox Threat Intelligence Group

With over 50 years of combined experience, the Infoblox Threat Intelligence Group creates, aggregates and curates information on threats to provide actionable intelligence that is high-quality, timely and reliable. Threat information from Infoblox filters out false positives and gives you the information you need to block the newest threats and to maintain a unified security policy across the entire security infrastructure of your organization.

View All Posts

You might also be interested in

You might also be interested in

×