How Kaseya fell victim to a ransomware attack

Log360 | September 9, 2021 | 3 min read

On July 2, 2021, the cybersecurity world woke up to yet another ransomware attack—this time, the victim was Kaseya, a software enterprise that provides IT management solutions predominantly to managed service providers (MSPs). The attack made a huge impact, affecting several MSPs and thousands of their customers.

So, what exactly transpired in what most cybersecurity experts are calling the largest criminal ransomware attack on record?

It’s been revealed that the attackers discovered and exploited zero-day vulnerabilities in Kaseya VSA, a remote monitoring and management product. The vulnerabilities made it possible for the attackers to access an exposed service on VSA servers, bypass authentication, and execute code remotely. Once they compromised the VSA servers, the attackers deployed REvil ransomware and encrypted thousands of devices across MSPs. The REvil group demanded compensation of $70 million in BTC in return for the decryption key.

While Kaseya tried to take remedial action by shutting down cloud-based installations and asking customers to shut down on-premises installations, the damage had already been done.

The chain of events 

REvil ransomware was delivered to the targets through a hotfix. When this update is installed on a system, it executes a script that performs a series of steps to start off the infection as follows:

  1. REvil uses the Kaseya agent monitor, agentmon.exe, to write a file named agent.crt (to be used as the ransomware dropper) to the path c:kworking.

  2. Next, it shuts down crucial services such as Windows Defender’s real-time monitoring, folder protections, file scanning, network monitoring, and antivirus software.

  3. It then uses CertUtil.exe, an admin command-line tool used for manipulating certification authority, to decode the agent.crt file to agent.exe.

  4. REvil now deletes any artifacts to ensure there are no footprints left behind.

  5. Next, it overwrites the actual MsMpEng.exe file, which runs the Windows Antimalware Service Executable, with an outdated version that allows DLL side loading of the Windows Defender encryptor.

  6. Finally, it uses the encryptor to encrypt the system with higher privileges.

 Key takeaways 

  • It’s important to note that IT management systems like the one targeted have unrestricted access to all components in the network, making it easier for attackers to exploit privileges and execute code at will. For this reason, monitoring and restricting privileges to entities is essential.

  • The Dutch Institute for Vulnerability Disclosure noticed and informed Kaseya about vulnerabilities in VSA, several of which were eventually exploited to execute the attack. When Kaseya learned of the vulnerabilities, it started working on a patch. The REvil group, however, beat it in the race and executed the attack before the patch was rolled out. This just goes to show how time is a crucial factor when it comes to protecting against cyberattacks.

  • The ransomware attack involved steps such as installing services, establishing processes, modifying keys, and renaming files. These events on their own are basic system processes that generate logs, emphasizing the importance of a strong log management and reporting tool.

 How a SIEM solution can help you defend against ransomware 

  • Most ransomware attacks begin by finding and exploiting vulnerabilities in your network. A security information and event management (SIEM) solution integrated with a vulnerability scanner ensures that vulnerabilities in your network are detected as and when they arise.

  • In the event of an attack on your enterprise, a SIEM solution can help you spot indicators of compromise and provide you with alerts and reports. You can also configure workflows for such alerts that are executed automatically whenever the alert is raised.

  • A SIEM solution can also help you identify and mitigate traffic from malicious IP addresses to your web-facing servers.

  • If an attack has been successfully executed and a device is infected, a SIEM solution can help you contain the infection, protecting other network resources from being affected. On detection, the affected device is blocked and isolated from the network.

Log360 is a powerful SIEM solution that collects and manages logs from all your network devices and helps strengthen the security infrastructure of your organization. With Log360, you can:

  • Centrally audit all your systems, such as web-facing servers and endpoints, to extract actionable insights from prebuilt reports. The reports keep you informed about what’s happening in your network.

  • Monitor file and database servers to detect sudden surges in activity, which are typical of ransomware attacks.

  • Configure alerts and workflows for security events occurring in your network. This helps you detect well-known attack patterns and configure the steps needed to mitigate the attack using workflows.

  • Use the powerful log correlation engine to detect and receive alerts on seemingly unrelated events, helping you thwart attempts to execute malicious programs.

  • Monitor and detect anomalous user behavior using user and entity behavior analytics.

  • Ensure compliance with data security regulations such PCI DSS, HIPAA, SOX, and the GDPR using predefined reports.

Want to know how Log360 can be leveraged to capture the indicators of compromise in a REvil ransomware attack? Talk to our experts now.

  1. Vin Go