NOT JUST STATE ACTORS USING SUPPLY CHAIN ATTACKS!
guys, that’s correct! The infamous SolarWinds hacks, which took place in late 2020 and were only detected in early 2021, thrust supply chain compromise squarely in the spotlight. Eventually, the relentless cadence of fresh ransomware attacks engulfed this story, erasing it from memory until today. The Ransomware-as-a-Service (RaaS) group REvil is known for extorting Lady Gaga, compromising Microsoft Exchange Server data, and stealing Apple’s designs for two new laptops and an updated Apple Watch.
WHO IS REVIL?
Since 2020, the Ransomware-as-a-Service (RaaS) gang known as REvil—first identified as Sodinokibi—has been responsible for numerous high-profile ransomware attacks. Since the group doesn’t target Russian organisations or groups that were formerly a part of the Soviet bloc, independent and official research has revealed that the group is Russian or largely Russian. Many experts think that REvil is the offspring of GandCrab, which went offline just before REvil started operating. They have previously targeted Donald Trump, Lady Gaga, law firms, colleges, technological corporations, infrastructure, JBS S.A. (the meat producing company), and Invenergy, an American power generation company. Their most recent victim is Kaseya.
WHAT IS A SUPPLY CHAIN COMPROMISE?
An actor will try to compromise any of a system’s CIA triad—Confidentiality, Integrity, or Availability—as well as any of the data it stores, sends, receives, and processes—through a supply chain attack. In the infrastructure of the company’s supply chain, this can include the networking elements, technology, people, resources, activities, and information. A company’s development lifetime, which typically encompasses design, manufacturing, production, distribution, installation, operations, and maintenance, can be more succinctly described as a tradeoff.
An ideal illustration of a supply chain attack would be the 2013 Target compromise. Their HVAC servicing company, a third-party vendor, was the weak link in this supply chain. The attackers broke into Target’s network using the credentials they acquired from the HVAC firm, moving laterally to a system that held customer payment information.
That was a rather blatant example of a supply chain breach, but in both the SolarWinds hack and this most recent attack on Kaseya, attackers have been utilising basic security procedures that most professionals are evangelising about, such as patching. Managed Service Providers frequently employ Kaseya’s remote management solutions (MSPs). To spread ransomware, attackers are abusing a malicious upgrade of their VSA software (which is the supply chain hack).
The security company Sophos is analysing the malware found during the hack. According to Sophos, the amount of telemetry they receive made it possible for them to initially identify the attack. According to Sophos, the malicious update grants REvil access to the VSA on-premises servers, and from there, using internal scripting, ransomware was distributed to all connected customers.
But things only get worse. Once REvil is installed on the host computers, antivirus software is turned off, and a fake Windows Defender application is used to launch the ransomware that locks the victim’s PC. VSA accomplishes this by dropping a file called agent.crt into the c:kworking directory. This is what the “Kaseya VSA Agent Hot-fix” update says it will do. The agent.crt is then decoded using Powershell, and agent.exe is extracted into the same directory. Agent.exe has MsMPEng.exe and the malicious DLL mpsvc.dll embedded in it, along with a signed certificate from “PBo3 TRANSPORT LTD.”
It is crucial to remember that the malicious DLL was launched using MsMPEng.exe, a valid, albeit outdated, version of Microsoft Defender. A sample has the REvil safe mode default password set to DTrump4ever, while some samples include registry keys for the Black Lives Matter movement.
Due to the widespread use of VSA by MSPs, over eight MSPs have been hit by this ransomware attack, and over 200 organisations have had their networks encrypted. Although they are fairly certain that SaaS clients were never in danger, Kaseya promptly took down their SaaS servers as a precaution. Additionally, they telephoned, emailed, and sent in-product alerts to on-premises clients who possessed VSA servers, advising them to quickly turn off their systems to avoid further compromise. Additionally, they have located the flaw that was exploited and are developing a fix to address the problem.
Within a day, they hope to have their SaaS solutions operational. As more details regarding this incident come to light, CISA and the FBI will continue to investigate the matter and keep the public informed.
Updates will continue to be published by the United States Cybersecurity Magazine crew as they become available.