On July 2, 2021, Kaseya, an IT Management software firm, disclosed a security incident impacting their on-prem version of Kaseya VSA software. Kaseya VSA is a cloud-based MSP platform that allows service providers to perform patch management, backups, and client monitoring for their customers. As per Kaseya, the majority of their customers that rely on SaaS based offering were not impacted by this issue and only a small percentage (less than 40 worldwide) running on-prem instances of Kaseya VSA server were affected.
Zscaler Threatlabz is actively tracking the Kaseya VSA supply-chain ransomware attack incident, involving REvil/Sodinokibi ransomware targeting a number of Managed Service Providers (MSPs) and encrypting data for 1000+ businesses they manage.
To minimize the adverse impact, Kaseya has shutdown all the SaaS server instances of VSA remote monitoring as a precautionary measure although the impact has been observed in the on-prem version of the VSA servers and they have notified all their customers to shutdown on-prem VSA server instances until they are explicitly notified to bring them back. As per the Kaseya, they have identified the vulnerability that was possibly exploited to compromise the VSA server and will soon release the patch.
The investigation on this security incident is still in progress and more details are emerging regularly. Based on information available till now, it appears that a zero day vulnerability in the VSA server software was potentially exploited in order to plant a custom malware loader and eventually distribute REvil ransomware to the target systems.
The compromised version of VSA will drop a .crt file to a specific path in c:\ which is believed to be distributed through updates from the VSA server. In this case, it was reportedly distributed as 'Kaseya VSA Agent Hot-fix.' A PowerShell command will then disable various Microsoft Defender security measures before decoding the .crt file using legitimate Windows certuit.exe command. The extracted file is saved as agent.exe in the same folder and is responsible for encrypting data on the victim machine. The attacker is leveraging DLL Side Loading technique by making use of an older version of legitimate MS Defender executable to launch the malicious REvil DLL on the victim machines.
While details of this incident are still surfacing and we will update this advisory further, following are some of the best practices for safeguarding and limiting impact from supply-chain attacks.
Zscaler leveraged the details on the countermeasures published to ensure coverage against the variant of REvil/Sodinokibi ransomware. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
Details related to these threat signatures can be found in the Zscaler Threat Library.
We have ensured that Zscaler Cloud Sandbox flags these Indicators Of Compromise (IOCs). As always, Cloud Sandbox plays a critical role in blocking newer variants of ransomware payloads and providing protection against patient zero infection.
Fig: Zscaler sandbox report REvil sample involved in Kaseya supply chain attack
The Zscaler ThreatLabz team is actively monitoring this campaign and any activity around REvil/Sodinokibi ransomware to ensure coverage for newer IOCs as they are discovered.
The detailed technical analysis of the REvil payload used in Kaseya's VSA server supply chain ransomware attack can be found here.