Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/

Rapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. Huntress Labs is maintaining a public Reddit thread documenting the scope and triage of an event that has, as of the original post date (see updates below), stemmed from 8 managed service providers. Rapid7 does not use Kaseya or a Kaseya MSP and we are not affected by this mass ransomware attack.

Rapid7 is updating this post as more information becomes available. Core information is below the most recent updates.

2021-07-13

• CISA has updated their Kaseya ransomware event guidance for affected managed service providers and their customers.

2021-07-11

• In a video post today, Kaseya has indicated that they are still planning to go ahead with re-enabling an updated VSA SaaS and rollout of the on-prem VSA server update. Some runbook instructions have changed, so any organization planning on going live today should review those changes to see if they impact your environment.

2021-07-09

• The Dutch Institue for Vulnerability Disclosure (DIVD) published more information on the specific vulnerabilities they shared with Kaseya:
  • CVE-2021-30116 – A credentials leak and business logic flaw, resolution in progress. [CVSS 10]
  • CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch. [CVSS 9.8]
  • CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6) [CVSS 9.8]
  • CVE-2021-30119 – A Cross Site Scripting vulnerability, resolution in progress. [CVSS 5.4]
  • CVE-2021-30120 – 2FA bypass, resolution in progress. [CVSS 9.9]
  • CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch. [CVSS 6.5]
  • CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch. [CVSS 7.5]
• President Biden urged Vladimir Putin to ‘take action to disrupt’ Russia-based hackers behind ransomware attacks.

2021-07-08

• Kaseya has posted a video from their CEO notifying customers that patches and VSA SaaS will likely be available this coming Sunday afternoon (July 11, 2021).
• According to Malwarebytes, some threat actors are capitalizing on the extended response to the Kaseya mass ransomware attack and are targeting victims via email with fake patches that push Cobalt Strike payloads.

2021-07-07

• Kaseya has posted runbooks for on premesis VSAs with steps on how to prepare VSA servers for the forthcoming patch. These details include the installation of FireEye’s agent software along with details on how to isolate the server from production networks, and SaaS customers for how to prepare for the SaaS VSAs coming back online.

2021-07-06

• In a statement posted late Monday night, Kaseya provided an update on their assessment of the impact of the attack: "we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.
• The Compromise Detection Tool, which was originally only provided directly to customers, has been made public. The tool searches for indicators of compromise, evidence of data encryption, and the REvil ransom note.
• Kaseya also stated that — based on advice by outside experts — customers who experienced ransomware and receive communication from the attackers should not click on any links as they may be weaponized.

2021-07-05

• Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger issued a statement noting that the President has directed the full resources of the government to investigate this incident and urged anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at https://www.IC3.gov.
• The Associated Press is reporting that REvil has offered a blanket decryption for all victims of the Kaseya attack in exchange for $70 million.
• Incident responders across multiple firms are indicating the number of victim organizations is in the thousands, spanning over 18 countries.

2021-07-04

• Cado Security published resources which can aid responders as they triage theie exposure to the mass ransomware incident.
• CISA and the FBI have issued guidance for MSPs and their customers who have been affected by the Kaseya VSA supply-chain ransomware attack.

2021-07-03 Update

• The Washington Post has a story with information on the ransom demands being made
• The Dutch Institue for Vulnerability Disclosure (DIVD) posted information into their ongoing investigation and response into the Kaseya incident, which includes details on their efforts to identify and secure internet-facing VSA servers.
• CISA posted an initial advisory and is taking action to understand and address the recent supply-chain ransomware attack.
• Bloomberg is reporting that the attack (so far) spans over 1,000 organizations across 11 countries with numerous downstream impacts.

Original/Main Content

Evidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. Ransom notes suggest REvil is behind the coordinated attack.

Rapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premise Kaseya VSA solution or the Kaseya cloud-based VSA solution perform the following steps immediately:

• Disabling or uninstalling the Kaseya agent
• If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)

Kaysea appears to be providing updates via their public helpdesk page and their status page provides visibility into the status of their hosted infrastructure.

Researcher @BushidoToken has provided a link to a GitHub gist containing the REvil configuration dump, which includes indicators of compromise organizations may be able to use to detect evidence of these actors operating in your infrastructure.

Rapid7 Customers

Managed Detection and Response

Rapid7’s Managed Detection and Response (MDR) team had existing attacker behavior detections that identified Kaseya-related ransomware activity beginning on Friday, July 2, 2021. Following the initial wave of alerts on Friday, July 2, MDR sent an email communication with a Critical Advisory to all MDR customers with guidance on disabling Kaseya and mitigating risk. We have conducted hunts across customer environments and deployed additional detections to accelerate identification of the threat. Affected customers have been notified.

InsightIDR

Rapid7 has deployed the following detections in InsightIDR for attacker behavior related to the Kaseya ransomware attack:

• Attacker Technique – CertUtil With Decode Flag
• Suspicious Process – Renamed CertUtil
• Suspicious Process – Certutil Decodes Executable File
• Attacker Tool – KWorking\agent.exe