Determining if you are Affected

The public Kaseya security advisory has not specifically outlined any indicators of compromise (IOCs); however, there are a few articles from outlets such as BleepingComputer, and an ongoing technical discussion on Reddit started by Huntress Labs, that carry live, community-sourced information that may be very helpful.

Observed IOCs:
  • Ransomware encryptor is dropped to c:\kworking\agent.exe
  • The VSA procedure is named "Kaseya VSA Agent Hot-fix"
  • At least two specific tasks run what appears to be a specific PowerShell script together with the encryptor mentioned above.

Specific Files Observed (SHA256):
  • agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • mpsvc.dll (sideloaded DLL) - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • mpsvc.dll (sideloaded DLL alternate version) - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
All of these specific files are currently detected by Trend Micro anti-malware solutions (please see below for more information).
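The following PowerShell sweep is an added example, not code from the Trend Micro article or from Kaseya. It checks a single Windows host for the file IOCs listed above: the C:\kworking drop directory and any file whose SHA256 matches one of the four hashes. The only inputs are the path and hashes from the IOC list; the function name, the decision to also record same-named files with an unknown hash, and the assumption of an elevated PowerShell 5.1+ session are this example's own.

```powershell
# Added example (not from the article): sweep this host for the Kaseya/REvil file IOCs listed above.
# Assumptions: run elevated on the Windows host; C:\kworking and the hash set come from the IOC list.
$KnownBad = @{
    'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e' = 'agent.exe (ransomware encryptor)'
    'e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2' = 'mpsvc.dll (sideloaded DLL)'
    '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd' = 'mpsvc.dll (sideloaded DLL, alternate version)'
    '2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643' = 'agent.crt'
}

function Find-KaseyaIoc {
    # Hypothetical helper name; returns one object per finding so results can be exported or forwarded.
    param(
        [string[]]$SearchRoot = @('C:\kworking'),
        [hashtable]$HashSet = $KnownBad
    )
    $hits = @()
    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The drop directory existing at all is worth recording, even if the files were already removed.
        $hits += [pscustomobject]@{ Path = $root; Indicator = 'drop directory present'; SHA256 = $null }

        $files = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $hashObj = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if (-not $hashObj) { continue }   # locked or unreadable file; skip rather than abort the sweep
            $h = $hashObj.Hash.ToLower()
            if ($HashSet.ContainsKey($h)) {
                $hits += [pscustomobject]@{ Path = $f.FullName; Indicator = $HashSet[$h]; SHA256 = $h }
            } elseif ($f.Name -in 'agent.exe', 'agent.crt', 'mpsvc.dll') {
                # Same filename but a hash not in the list: possibly a newer build, flag it for the IR team.
                $hits += [pscustomobject]@{ Path = $f.FullName; Indicator = 'suspicious filename, hash not in list'; SHA256 = $h }
            }
        }
    }
    return $hits
}

# Example run: print findings; an empty table means none of the file IOCs were found under C:\kworking.
Find-KaseyaIoc | Format-Table -AutoSize
```

A clean result from this sweep only means the listed files are not present now; the procedure name "Kaseya VSA Agent Hot-fix" has to be checked on the VSA server side, and any hit should go to a forensics investigation rather than a cleanup script.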


What if Indicators are Found?

As the attacker’s next steps could vary from one organization to the next, Trend Micro encourages a forensics investigation (with in-house personnel or a qualified incident response team) if evidence of the attack is found in a customer’s environment.
 

Protection against further Exploitation

First and foremost, it is highly recommended that all customers follow the guidance from Kaseya to power down their affected on-premises servers and patch them once a suitable fix is released.

In addition, Trend Micro has released patterns that help detect and protect against the malicious components associated with this attack, both for servers that have not already been compromised and against further attempted attacks. Customers who have not yet enabled Trend Micro's ransomware prevention features on supported products are advised to do so as soon as possible.

The following Trend Micro Best Practice article can provide more information on this - Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
 
Detection Patterns and Web Filtering

As a first line of defense against this and other ransomware, Trend Micro always recommends that your product's behavioral detection features are enabled. Trend Micro's Predictive Machine Learning and Behavior Monitoring solutions were found to be detecting and protecting against samples before specific IOCs were added to the regular detection pattern.

With the addition of specific observed IOCs, Trend Micro has added the following pattern-based detections, protections and filters that can help customers protect themselves against new or further exploitation attempts, in combination with patching and/or other manual mitigation steps.

Trend Micro Malware Detection Patterns (VSAPI, Machine Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Currently known malicious detections for IOCs:
  • Troj.Win32.TRX.XXPE50FFF046  (Predictive Machine Learning)
  • FLS.ISB.4331T and RAN5127T  (Behavior Monitoring)
  • Ransom.Win32.SODINOKIBI.YABGC (VSAPI Pattern)

In addition, Trend Micro is blocking several known malicious domain disease vectors associated with the campaign via Trend Micro Web Reputation Services (WRS).

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detections and remediation rules, filters, patterns and technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.


Utilizing Observed Attack Techniques

Trend Micro Vision One customers that use Trend Micro EDR and Defender for EPP may also go into the Observed Attack Techniques section of the Trend Micro Vision One console to look for suspicious activity that would indicate that Windows Defender may have been disabled. 
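For customers who want to confirm on the host itself what the Observed Attack Techniques view is surfacing, the following is an added example, not code from the Trend Micro article: it reads the current Windows Defender preferences and pulls recent Defender Operational log events that record protection being turned off. It assumes Windows 10 / Server 2016 or later with the Defender PowerShell module present and an elevated session; the function name and the seven-day default window are this example's own choices.

```powershell
# Added example (not from the article): collect evidence that Windows Defender was disabled on this host.
# Assumes the Defender module (Get-MpPreference) is available and the session is elevated.
function Get-DefenderDisableEvidence {
    # Hypothetical helper name; returns a single object summarising configuration and event evidence.
    param([int]$Days = 7)

    $result = [ordered]@{}
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        # Any of these being $true on a managed endpoint is suspicious unless policy explains it.
        $result.RealtimeMonitoringDisabled = [bool]$pref.DisableRealtimeMonitoring
        $result.IOAVProtectionDisabled     = [bool]$pref.DisableIOAVProtection
        $result.BehaviorMonitoringDisabled = [bool]$pref.DisableBehaviorMonitoring
        # Exclusions are a quieter way to blind Defender; list them so the IR team can review them.
        $result.ExclusionPaths             = @($pref.ExclusionPath | Where-Object { $_ })
    } catch {
        $result.Error = "Defender cmdlets unavailable: $($_.Exception.Message)"
    }

    # Defender Operational log event IDs: 5001 real-time protection disabled,
    # 5010 scanning for malware disabled, 5012 scanning for viruses disabled.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $result.DisableEvents = @(
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, Message
    )

    return [pscustomobject]$result
}

# Example run: any $true flag, unexpected exclusion, or 5001/5010/5012 event in the window warrants investigation.
Get-DefenderDisableEvidence | Format-List
```

Defender settings can also be changed through Group Policy or a third-party EPP taking over, so treat a $true flag as a lead to correlate with the Vision One timeline, not as proof of compromise on its own.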


Detailed information on the Search App, including query syntax and data mapping can be found in Trend Micro’s Online Help Center and additional queries will be updated in this article.


Trend Micro is continuing to aggressively investigate other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Kaseya patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection become available.
 

Reference Links