On the same day, Kaseya released a critical bulletin for VSA advising all Kaseya VSA On-premise users to shut down their servers until further instructions are given from Kaseya. They have also indicated that their SaaS and Hosted servers have been shut down and are not suspected to be affected at this time.
About the Attack
Information about this attack is still under investigation; however, at the moment, various research groups and independent observers believe that the attacks appear to be a supply chain attack. Reports have indicated that several of the MSP victims have been affected by ransomware which has encrypted target machines and in one case has proceeded to pop up a note with a $5M USD demand for the decryption key.
At the moment, details on the specific vulnerability used have not been made public, and according to the latest information from Kaseya, a patch/mitigation is currently being worked on. As of now, Kaseya VSA on-premise customers are still advised to keep their servers offline until more information is provided.
Trend Micro Research also has an ongoing blog with detailed information about this campaign.
Determining if you are Affected
The public Kaseya security advisory has not specifically outlined any indicators of compromise (IOCs); however, there are a few articles from outlets such as BleepingComputer and an ongoing technical discussion on Reddit started by Huntress Labs that has community-sourced live information that may be very helpful.
- Ransomware encryptor is dropped to c:\kworking\agent.exe
- The VSA procedure is named "Kaseya VSA Agent Hot-fix"
- At least two specific tasks run what appears to be a specific PowerShell script with the encryptor mentioned above.
Specific Files Observed (SHA256):
- agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
- mpsvc.dll (sideloaded DLL) - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
- mpsvc.dll (sideloaded DLL alternate version) - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
- agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
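The file-based indicators above (four SHA256 hashes and the c:\kworking\agent.exe drop location) can be swept for without any vendor tooling. The script below is an added example written for this article, not a Trend Micro or Kaseya tool: it streams every file under a root directory through SHA256, compares the digest against the advisory's hash list, and separately flags any agent.exe sitting in a directory named kworking, so a renamed or recompiled encryptor dropped to the observed location is still surfaced. The hash list is copied from this article; the directory layout it walks and the sample files in its self-test are constructed.

```python
"""Sweep a directory tree for the Kaseya/REvil file indicators listed above.

Added example for this article (not Trend Micro or Kaseya code). Hash values
come from the advisory text; everything else is illustrative.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, List, Optional

# SHA256 digests and labels copied from the indicator list in this article.
KNOWN_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (encryptor)",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll (sideloaded DLL)",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll (alternate version)",
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643": "agent.crt",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_indicator(digest: str) -> Optional[str]:
    """Return the advisory label for a known digest (case-insensitive), else None."""
    return KNOWN_SHA256.get(digest.lower())


def path_indicator(path: Path) -> Optional[str]:
    """Flag the observed drop location: a file named agent.exe inside a 'kworking'
    directory. Compared case-insensitively because Windows paths are."""
    if path.name.lower() == "agent.exe" and path.parent.name.lower() == "kworking":
        return "drop location c:\\kworking\\agent.exe"
    return None


def sweep(root: Path) -> List[Dict]:
    """Walk root and report every file matching a hash or a path indicator.

    Each finding records the path, its SHA256 and the list of reasons it was
    flagged, so a hash-only or path-only hit can be told apart during triage.
    """
    findings: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            reasons = [r for r in (hash_indicator(digest), path_indicator(p)) if r]
            if reasons:
                findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python sweep_iocs.py <root directory>   (defaults to the current directory)
    for f in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f["path"], f["sha256"], "; ".join(f["reasons"]))
```

Run it against the agent working directory and any Kaseya agent install paths on a suspect host. A path-only hit with a digest that is not in the list is still worth preserving for the forensic investigation the article recommends, since the indicator list is community-sourced and still growing.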
As the attacker’s next steps could vary from one organization to the next, Trend Micro encourages a forensics investigation (with in-house personnel or a qualified incident response team) if evidence of the attack is found in a customer’s environment.
What if Indicators are Found?
Protection against further Exploitation
First and foremost, it is highly recommended that all customers follow the guidance from Kaseya to power down and eventually patch their affected on-premises servers when a suitable fix is found.
In addition, Trend Micro has released some patterns that can help provide protection and detection of malicious components associated with this attack for servers that have not already been compromised or against further attempted attacks. Customers who have not yet enabled Trend Micro's ransomware prevention features on supported products are advised to do so as soon as possible.
The following Trend Micro Best Practice article can provide more information on this - Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
Detection Patterns and Web Filtering
As a first line of defense against this and other ransomware, Trend Micro always recommends that your product's behavioral detection features are enabled. Trend Micro's Predictive Machine Learning and Behavior Monitoring solutions were found to be detecting and protecting against samples before specific IOCs were added to the regular detection pattern.
With the addition of specific observed IOCs, Trend Micro has added the following pattern-based detection and protection and filters that can help customers to protect themselves against new or further exploitation attempts in combination with patching and/or other manual mitigation steps.
Trend Micro Malware Detection Patterns (VSAPI, Machine Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)
Currently known malicious detections for IOCs:
- Troj.Win32.TRX.XXPE50FFF046 (Predictive Machine Learning)
- FLS.ISB.4331T and RAN5127T (Behavior Monitoring)
- Ransom.Win32.SODINOKIBI.YABGC (VSAPI Pattern)
In addition, Trend Micro is blocking several known malicious domains associated with the campaign via Trend Micro Web Reputation Services (WRS).
Using Trend Micro Products for Investigation
The following highlights several post-exploitation detections and remediation rules, filters, patterns and technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Micro Vision One™
Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.
Utilizing Observed Attack Techniques
Trend Micro Vision One customers that use Trend Micro EDR and Defender for EPP may also go into the Observed Attack Techniques section of the Trend Micro Vision One console to look for suspicious activity that would indicate that Windows Defender may have been disabled.
Detailed information on the Search App, including query syntax and data mapping can be found in Trend Micro’s Online Help Center and additional queries will be updated in this article.
Trend Micro is continuing to aggressively investigate other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Kaseya patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection become available.
- Kaseya VSA Security Advisory
- IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack (Trend Micro Blog)
- Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products (Trend Micro)
- REvil ransomware hits 200 companies in MSP supply-chain attack (BleepingComputer)
- Critical Ransomware Incident in Progress (Reddit)