How Kaseya was the victim of a ransomware attack


On July 2, 2021, the cybersecurity world woke up with yet another ransomware attack. This time the victim was Kaseya, a software company that provides IT management solutions primarily to Managed Service Providers (MSPs). The attack had a huge impact, affecting several MSPs and thousands of their customers.

So what exactly happened in what most cybersecurity experts call the biggest criminal ransomware attack on record?

It has been revealed that attackers discovered and exploited zero-day vulnerabilities in Kaseya VSA, a remote monitoring and management product. The vulnerabilities allowed attackers to reach an exposed service on VSA servers, bypass authentication, and execute code remotely. Once they had compromised the VSA servers, the attackers deployed the REvil ransomware and encrypted thousands of devices managed by the MSPs. The REvil group demanded $70 million in BTC in exchange for the decryption key.

As Kaseya tried to take corrective action by shutting down cloud-based facilities and asking customers to shut down on-premises facilities, the damage was already done.

The chain of events

The REvil ransomware was delivered to targets packaged as a VSA update ("patch"). When this update is installed on a system, it runs a script that performs the following series of steps to start the infection:

  1. REvil uses the Kaseya agent monitor, agentmon.exe, to write a file named agent.crt (to be used as a ransomware dropper) to the C:\kworking directory.

  2. Then it stops crucial services like Windows Defender real-time monitoring, folder protections, file scanning, network monitoring, and anti-virus software.

  3. It then uses CertUtil.exe, a built-in administrative command-line tool for managing certificates and certification authorities, to decode the agent.crt file to agent.exe.

  4. REvil now removes all artifacts to ensure that no fingerprints remain.

  5. Then it overwrites the MsMpEng.exe file, the Windows Antimalware Service executable, with an obsolete version that is vulnerable to DLL sideloading, so that the legitimate Windows Defender binary loads the encryptor DLL.

  6. Finally, it uses the encryptor to encrypt the system with higher privileges.

Key points to remember

  • Importantly, IT management systems like the one targeted have unrestricted access to all network components, making it easier for attackers to abuse those privileges and execute code at will. For this reason, monitoring and restricting the privileges granted to such entities is essential.

  • The Dutch Institute for Vulnerability Disclosure noticed and informed Kaseya of the vulnerabilities in VSA, several of which were ultimately exploited to execute the attack. When Kaseya learned of the vulnerabilities, it started working on a fix. The REvil group, however, won the race and executed the attack before the patch was deployed. This shows how time is of the essence when it comes to protecting yourself against cyber attacks.

  • The ransomware attack involved steps such as installing services, establishing processes, changing keys, and renaming files. These events are in themselves ordinary system operations that generate logs, which emphasizes the importance of a powerful log management and reporting tool.
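To make the "these steps generate logs" point concrete, here is an added detection example (not Kaseya, ManageEngine or Log360 code) that correlates the infection chain described above over endpoint telemetry. The log lines are constructed for the example in a simple key=value format, and the field names (host, event, proc, path, cmdline, parent) are assumptions, not a real product's schema; the stage definitions follow the six steps listed above, and the assumption that a legitimate MsMpEng.exe is started by services.exe is mine.

```python
"""Correlate the REvil/Kaseya infection-chain stages per host from constructed
endpoint telemetry. Added illustration only; field names are assumed."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). ws01 shows the full chain;
# ws02 shows a benign certutil use that must NOT raise an alert on its own.
SAMPLE_LOGS = [
    "ts=2021-07-02T14:03:11Z host=ws01 event=file_create proc=agentmon.exe path=C:\\kworking\\agent.crt",
    "ts=2021-07-02T14:03:12Z host=ws01 event=defender_rtp_disabled proc=agentmon.exe",
    'ts=2021-07-02T14:03:13Z host=ws01 event=process_create proc=certutil.exe cmdline="certutil -decode C:\\kworking\\agent.crt C:\\kworking\\agent.exe"',
    "ts=2021-07-02T14:03:15Z host=ws01 event=file_write proc=agent.exe path=C:\\Windows\\Temp\\MsMpEng.exe",
    "ts=2021-07-02T14:03:16Z host=ws01 event=process_create proc=MsMpEng.exe parent=agent.exe",
    'ts=2021-07-02T14:05:00Z host=ws02 event=process_create proc=certutil.exe cmdline="certutil -verify cert.pem"',
]

# key=value pairs; a value may be double-quoted so it can contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# One matcher per stage of the chain described in the article. Each matcher is
# a weak indicator alone; the alert comes from several of them lining up.
STAGES = [
    ("dropper_written", lambda e: e.get("event") == "file_create"
        and e.get("path", "").lower().endswith("\\kworking\\agent.crt")),
    ("defender_rtp_disabled", lambda e: e.get("event") == "defender_rtp_disabled"),
    ("certutil_decode", lambda e: e.get("event") == "process_create"
        and e.get("proc", "").lower() == "certutil.exe"
        and "-decode" in e.get("cmdline", "").lower()),
    ("msmpeng_overwritten", lambda e: e.get("event") == "file_write"
        and _basename(e.get("path", "")) == "msmpeng.exe"),
    # Assumption: the genuine Antimalware Service executable is launched by the
    # service control manager, so any other parent is suspicious.
    ("msmpeng_sideload_launch", lambda e: e.get("event") == "process_create"
        and e.get("proc", "").lower() == "msmpeng.exe"
        and e.get("parent", "").lower() != "services.exe"),
]


def detect(lines, threshold=3):
    """Return {host: {"score": n, "stages": [names in the order first seen]}}
    for every host on which at least `threshold` distinct stages appeared."""
    seen = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        host = event.get("host", "?")
        for name, matches in STAGES:
            if matches(event) and name not in seen[host]:
                seen[host].append(name)
    return {h: {"score": len(s), "stages": s}
            for h, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for host, hit in detect(SAMPLE_LOGS).items():
        print(f"ALERT host={host} score={hit['score']} stages={hit['stages']}")
```

The threshold is the design choice worth noticing: a single certutil -decode or a single Defender state change is routine enough that alerting on it alone floods the analyst, whereas three or more of these stages on one host within the same window is the pattern the article describes. In a real SIEM the same correlation would be expressed as a multi-condition rule with a time window rather than an in-memory list.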

How a SIEM Solution Can Help You Defend Against Ransomware

  • Most ransomware attacks start with finding and exploiting vulnerabilities in your network. A security information and event management (SIEM) solution integrated with a vulnerability scanner ensures that vulnerabilities in your network are detected as they arise.

  • In the event of an attack on your business, a SIEM solution can help you spot indicators of compromise and provide you with alerts and reports. You can also configure workflows for these alerts which are executed automatically each time the alert is triggered.

  • A SIEM solution can also help you identify and mitigate traffic from malicious IP addresses to your web servers.

  • If an attack has been executed successfully and a device is infected, a SIEM solution can help you contain the infection, protecting other network resources from the impact. Upon detection, the affected device is blocked and isolated from the network.

Log360 is a powerful SIEM solution that collects and manages logs from all your network devices and helps strengthen your organization’s security infrastructure. With Log360, you can:

  • Centrally audit all of your systems, such as web servers and endpoints, to extract actionable insights from predefined reports. Reports keep you informed of what’s going on in your network.

  • Monitor file and database servers for sudden spikes in activity, typical of ransomware attacks.

  • Configure alerts and workflows for security events occurring on your network. This helps you detect well-known attack patterns and configure the steps necessary to mitigate the attack using workflows.

  • Monitor and detect abnormal user behavior using User and Entity Behavior Analysis.

  • Ensure compliance with data security regulations such as PCI DSS, HIPAA, SOX, and GDPR using predefined reports.

Want to know how Log360 can be used to capture indicators of compromise in a REvil ransomware attack? Talk to our experts now.

The article How Kaseya was the victim of a ransomware attack appeared first on the ManageEngine blog.

*** This is a syndicated Security Bloggers Network blog from ManageEngine Blog written by Kingshuk Das. Read the original post at:

