Threat Alert

by IthacaLabs™

THREAT LEVEL/High 06/07/2021

A new supply-chain ransomware attack campaign targets thousands of businesses.

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

A new supply-chain ransomware attack campaign has been identified that triggered an infection chain compromising thousands of businesses.

This campaign allows unauthenticated remote attackers to fully compromise and encrypt affected systems, bringing down all services running on them, and then demand a ransom.

This campaign, allegedly launched by the Russia-linked “REvil” ransomware-as-a-service (RaaS) syndicate, exploits zero-day vulnerabilities in the “Kaseya” VSA software (CVE-2021-30116) as a conduit to deploy ransomware.

Kaseya VSA is an IT management and remote monitoring solution for managed service providers (MSPs), available as a cloud service or as an on-premises server, offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.

By exploiting these zero-day vulnerabilities in the VSA product, the remote attackers bypassed authentication and achieved arbitrary command execution on the VSA server. They then leveraged standard VSA functionality, the same agent-management channel used to push scripts and patches, to deploy ransomware to the managed endpoints.

Exploiting a zero-day in the Kaseya VSA software is not in itself a supply-chain attack; using that exploit to compromise managed service providers (MSPs) and breach their customers through the MSPs' own management tooling is what makes it one.

The attack chain, which affected a large number of organizations, began by deploying a malicious dropper via a PowerShell script executed through Kaseya’s VSA agent.

The script first disabled Microsoft Defender Antivirus protection features (real-time monitoring and related features), then used the “certutil.exe” utility to decode a malicious executable (agent.exe). That executable drops a legitimate, signed Microsoft binary (MsMpEng.exe, an older version of the Microsoft Defender engine) alongside a malicious library (mpsvc.dll), which is the REvil ransomware itself. Because MsMpEng.exe loads mpsvc.dll from its own directory, the legitimate binary loads the malicious DLL: the DLL side-loading technique, which lets the ransomware run under a trusted, signed process name.
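As an added example (not code from the alert, from Kaseya, or from the attackers), the chain above expressed as detection logic: three stage checks run over constructed Sysmon-style process-creation and image-load events, correlated per host so that a lone administrative Set-MpPreference is not enough to alert. The Set-MpPreference flag names, the legitimate Defender directories, and all sample paths and hostnames are my assumptions; only the tool and file names (certutil.exe, agent.exe, MsMpEng.exe, mpsvc.dll) come from the alert.

```python
import ntpath
from collections import defaultdict

# Set-MpPreference switches that turn Defender Antivirus features off. The
# alert says the script disabled protection features but not which flags;
# these are documented flag names and my assumption of what to match on.
DEFENDER_DISABLE_FLAGS = (
    "-disablerealtimemonitoring",
    "-disableioavprotection",
    "-disablescriptscanning",
    "-disableintrusionpreventionsystem",
)

# Directories where a genuine MsMpEng.exe lives (assumed install locations).
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def stage_defender_disabled(ev):
    """PowerShell turning Defender features off via Set-MpPreference."""
    cmd = ev.get("CommandLine", "").lower()
    return "set-mppreference" in cmd and any(f in cmd for f in DEFENDER_DISABLE_FLAGS)


def stage_certutil_decode(ev):
    """certutil -decode producing an .exe. Keyed on the command line rather
    than the image name, because the binary can be copied under another name."""
    cmd = ev.get("CommandLine", "").lower().rstrip().rstrip('"')
    return "-decode" in cmd and cmd.endswith(".exe")


def stage_msmpeng_sideload(ev):
    """MsMpEng.exe outside its install directory loading mpsvc.dll from the
    directory it was itself started from (DLL side-loading)."""
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if not image.endswith(r"\msmpeng.exe") or not loaded.endswith(r"\mpsvc.dll"):
        return False
    if any(image.startswith(d) for d in LEGIT_DEFENDER_DIRS):
        return False
    return ntpath.dirname(image) == ntpath.dirname(loaded)


STAGES = (
    ("defender_disabled", stage_defender_disabled),
    ("certutil_decode", stage_certutil_decode),
    ("msmpeng_sideload", stage_msmpeng_sideload),
)


def classify(ev):
    """Names of every stage a single event matches."""
    return [name for name, check in STAGES if check(ev)]


def correlate(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages were seen. A lone
    Set-MpPreference may be an administrator; two or more stages on one host
    is the chain."""
    seen = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            seen[ev["Host"]].add(name)
    return {host: sorted(names) for host, names in seen.items() if len(names) >= min_stages}


# Constructed sample telemetry (hostnames, paths and command lines are made up).
SAMPLE_EVENTS = [
    # ws-a: the full chain
    {"Host": "ws-a", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                    "-DisableIOAVProtection $true -DisableScriptScanning $true"},
    {"Host": "ws-a", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode c:\temp\agent.crt c:\temp\agent.exe"},
    {"Host": "ws-a", "Image": r"C:\Windows\MsMpEng.exe", "ImageLoaded": r"C:\Windows\mpsvc.dll"},
    # ws-b: genuine Defender plus a benign certutil use, must not alert
    {"Host": "ws-b", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    {"Host": "ws-b", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify server.cer"},
    # ws-c: one stage only (an administrator switching real-time scanning off)
    {"Host": "ws-c", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

Only ws-a is reported, with all three stages; ws-b produces no hits at all and ws-c stays below the two-stage threshold. In a real deployment the stage checks would be fed from an EDR or SIEM rather than a list, but the correlation rule is the part that keeps a legitimate Defender maintenance action from paging anyone.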

Note that MSPs are high-value targets because a single MSP can manage IT for hundreds of companies. Instead of compromising hundreds of companies individually, remote attackers need only compromise one MSP to reach all of them.

CVE(s)

CVE-2021-30116 (Kaseya VSA)

Affected Systems

  • Organizations with Kaseya VSA deployments.

Recommendation(s)

Download and run the Compromise Detection Tool that “Kaseya” has made available to identify indicators of compromise (IoC), and do not bring on-premises VSA servers back online until Kaseya's patch has been released and applied. In addition, enable multi-factor authentication on every VSA account, restrict communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place the administrative interfaces of the RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

The guidelines below will help you protect against Ransomware and its associated security threats:
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* Show file extensions (in Windows Explorer, disable “Hide extensions for known file types”). Ransomware such as CryptoLocker frequently arrives in a file named with a double extension such as “.PDF.EXE”, counting on Windows' default behaviour of hiding known file extensions so that the file appears to be a PDF.
* Filter executable files in email. If your email gateway can filter files by extension, deny mails carrying “.exe”, “.scr” or “.bat” attachments, and deny mails whose attachments carry two file extensions with the last one being executable.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows (for example with AppLocker or Software Restriction Policies) or with host intrusion prevention software to block a notable behaviour used by ransomware: running its executable from the AppData or LocalAppData folders.
* Disable macros in Microsoft Office files. Office files are effectively a file system within a file, and include a powerful scripting language (VBA) able to automate almost any action a full executable could perform. Disabling macros in Office files disables that scripting language.
* Keep your antivirus up to date and use real time protection.
* Implement a security awareness programme for all management and staff, designed to increase understanding of social engineering and security threats in general.
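The email attachment rule above, as an added example that is not part of the original alert: a filename check that blocks executable attachments and the double-extension trick, and, going beyond the bullet, also the Unicode right-to-left-override trick that makes the displayed name differ from the real one. The extension lists and the sample attachment names are my own choices.

```python
# Final extensions that Windows will execute (my list, extend to taste).
EXEC_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs", "js", "jse",
                   "wsf", "hta", "ps1", "msi"}
# Harmless-looking extensions attackers place in front of the executable one.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg",
                    "jpeg", "png", "txt", "zip"}
# U+202E reverses display order: "ann\u202efdp.exe" renders as "annexe.pdf".
RLO = "\u202e"


def attachment_verdict(filename):
    """Return (blocked, reason) for one attachment name."""
    if RLO in filename:
        return True, "right-to-left override in filename"
    # Windows drops trailing dots and spaces when the file is written, so
    # "notes.exe ." lands on disk as "notes.exe"; judge the on-disk name.
    name = filename.strip().lower().rstrip(". ")
    parts = name.split(".")
    if len(parts) < 2:
        return False, "no extension"
    last = parts[-1]
    if last not in EXEC_EXTENSIONS:
        return False, "allowed"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return True, f"double extension .{parts[-2]}.{last}"
    return True, f"executable .{last}"


def filter_attachments(names):
    """Split a message's attachment names into accepted names and
    (name, reason) pairs to reject."""
    accepted, rejected = [], []
    for n in names:
        blocked, why = attachment_verdict(n)
        if blocked:
            rejected.append((n, why))
        else:
            accepted.append(n)
    return accepted, rejected


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = ["Invoice.PDF.EXE", "report.pdf", "setup.scr", "photo.jpg",
                      "README", "notes.exe .", "ann\u202efdp.exe"]


if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately on the name the file will have on disk, not the name as sent: case, trailing punctuation and rendering tricks are exactly what the gateway must normalise before it compares extensions.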

Finally, if a system is compromised, it should be isolated from the network immediately.
