SECURITY ALERT: MSP Supply Chain Critical Ransomware Attacked (potential Kaseya VSA target)

Updated: 4 Jul 2021
Summary
On July 2, 2021, it was widely reported in several reputable outlets that a number of Managed Service Providers (MSPs) were under what appeared to be an active ransomware attack. One commonality between the MSPs was that they were all using Kaseya VSA, a cloud-based MSP patch management and monitoring platform.

On the same day, Kaseya released a critical bulletin for VSA advising all Kaseya VSA on-premise users to shut down their servers until further instructions are given by Kaseya. They have also indicated that their SaaS and hosted servers have been shut down and are not suspected to be affected at this time.
 
About the Attack
Information about this attack is still under investigation; however, at the moment, various research groups and independent observers believe that the attacks appear to be a supply chain attack. Reports have indicated that several of the MSP victims have been affected by ransomware which has encrypted target machines and, in one case, displayed a ransom note with a $5M USD demand for the decryption key.

At the moment, details on the specific vulnerability used have not been made public, and according to the latest information from Kaseya, a patch/mitigation is currently being worked on.  As of now, Kaseya VSA on-premise customers are still advised to keep their servers offline until more information is provided.

Trend Micro Research also has an ongoing blog with detailed information about this campaign.

MSPs and other customers using Trend Micro Worry-Free Business Security Services can visit this article for additional and more specific guidance.
 
Details

Determining if you are Affected

The public Kaseya security advisory has not specifically outlined any indicators of compromise (IOCs); however, there are a few articles from outlets such as BleepingComputer and an ongoing technical discussion on Reddit, started by Huntress Labs, that have community-sourced live information that may be very helpful.

Observed IOCs:
  • Ransomware encryptor is dropped to c:\kworking\agent.exe
  • The VSA procedure is named "Kaseya VSA Agent Hot-fix"
  • At least two specific tasks run what appears to be a specific PowerShell script together with the encryptor mentioned above.

Specific Files Observed (SHA256):
  • agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • mpsvc.dll (sideloaded DLL) - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • mpsvc.dll (sideloaded DLL alternate version) - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
All of these specific files are currently detected by Trend Micro anti-malware solutions (please see below for more information).
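The hashes and file names above are the only host-level indicators the advisory gives, so a practical first check is to sweep a file tree and compare every file's SHA256 against that list. The script below is an added example and is not Trend Micro's or Kaseya's code: it walks a directory supplied by the operator, reports exact hash matches against the SHA256 values listed above, and separately flags files that merely share an observed name (agent.exe, mpsvc.dll, agent.crt) as triage leads, since a legitimate file can carry the same name. The demo() function builds constructed, benign sample files in a temporary directory and injects their own hash as an IOC so the hash-match path can be exercised offline; the directory layout and the "kworking" folder name in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values and file labels as listed in the advisory above.
KNOWN_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (ransomware encryptor)",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll (sideloaded DLL)",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll (sideloaded DLL, alternate version)",
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643": "agent.crt",
}

# File names observed in the advisory. A name match alone is only a triage lead,
# not proof of compromise, so it is reported separately from a hash match.
SUSPECT_NAMES = {"agent.exe", "mpsvc.dll", "agent.crt"}


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_sha256=KNOWN_SHA256, suspect_names=SUSPECT_NAMES):
    """Walk `root` and return a list of hits.

    Each hit is a dict with keys: path, sha256, match ("hash" or "name"), label.
    Unreadable files (locked or permission denied) are skipped rather than
    aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in known_sha256:
                hits.append({"path": str(path), "sha256": digest,
                             "match": "hash", "label": known_sha256[digest]})
            elif name.lower() in suspect_names:
                hits.append({"path": str(path), "sha256": digest, "match": "name",
                             "label": "name matches an observed dropped file; hash not in IOC list"})
    return hits


def demo():
    """Sweep a constructed directory of benign sample files (not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kworking").mkdir()
        sample = b"constructed benign sample standing in for the dropped encryptor"
        (root / "kworking" / "agent.exe").write_bytes(sample)      # will hash-match below
        (root / "kworking" / "mpsvc.dll").write_bytes(b"different constructed bytes")  # name-only
        (root / "notes.txt").write_bytes(b"unrelated file, no hit expected")
        # Inject the constructed sample's own hash as an IOC so the hash path is exercised.
        iocs = dict(KNOWN_SHA256)
        iocs[hashlib.sha256(sample).hexdigest()] = "constructed test sample"
        return sweep(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit["match"], hit["path"], hit["label"])
```

On a real host you would call sweep() with the drive or the directory named in the advisory rather than demo(); hash hits are the actionable result, name-only hits tell you which files to look at next.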


What if Indicators are Found?

As the attacker’s next steps could vary from one organization to the next, Trend Micro encourages a forensics investigation (with in-house personnel or a qualified incident response team) if evidence of the attack is found in a customer’s environment.
 

Protection against further Exploitation

First and foremost, it is highly recommended that all customers follow the guidance from Kaseya to power down and eventually patch their affected on-premises servers when a suitable fix is found.

In addition, Trend Micro has released patterns that can help provide protection and detection of malicious components associated with this attack for servers that have not already been compromised, or against further attempted attacks. Customers who have not yet enabled Trend Micro's ransomware prevention features on supported products are advised to do so as soon as possible.

The following Trend Micro Best Practice article can provide more information on this - Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
 
Detection Patterns and Web Filtering

As a first line of defense against this and other ransomware, Trend Micro always recommends that your product's behavioral detection features are enabled. Trend Micro's Predictive Machine Learning and Behavior Monitoring solutions were found to be detecting and protecting against samples before specific IOCs were added to the regular detection pattern.

With the addition of specific observed IOCs, Trend Micro has added the following pattern-based detection and protection and filters that can help customers to protect themselves against new or further exploitation attempts in combination with patching and/or other manual mitigation steps.

Trend Micro Malware Detection Patterns (VSAPI, Machine Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Currently known malicious detections for IOCs:
  • Troj.Win32.TRX.XXPE50FFF046  (Predictive Machine Learning)
  • FLS.ISB.4331T and RAN5127T  (Behavior Monitoring)
  • Ransom.Win32.SODINOKIBI.YABGC (VSAPI Pattern)

In addition, Trend Micro is blocking several known malicious domains associated with the campaign via Trend Micro Web Reputation Services (WRS).

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detections and remediation rules, filters, patterns and technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.


Utilizing Observed Attack Techniques

Trend Micro Vision One customers that use Trend Micro EDR and Defender for EPP may also go into the Observed Attack Techniques section of the Trend Micro Vision One console to look for suspicious activity that would indicate that Windows Defender may have been disabled. 



Detailed information on the Search App, including query syntax and data mapping, can be found in Trend Micro's Online Help Center, and additional queries will be added to this article as they become available.


Trend Micro is continuing to aggressively investigate other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Kaseya patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection become available.
 

Category: Remove a Malware / Virus
Solution Id: 000286889