Attacks on Kaseya servers led to ransomware in less than 2 hours
Sometime after 14:30 UTC on Friday, July 2, network traffic combining three vulnerabilities started compromising scores of Internet-connected Kaseya Virtual System Administrator (VSA) servers hosted by managed service providers. The attackers’ code synchronized to a specific time and then hibernated.
At 16:30 UTC, all within the same second, the compromised servers woke up and ran a command script that disabled a variety of security controls and sent malicious payloads to every system managed by those servers, according to an analysis conducted by Huntress Labs. While security firms are still sifting through the data, reverse engineering has revealed that the attack — from the first packets exploiting dozens of VSA servers, to the deployment of ransomware on the endpoints of hundreds to thousands of MSP customers — took less than two hours.
The speed of automation gave managed service providers and their customers only a very narrow window in which to detect attacks and block them, says John Hammond, a senior threat researcher for Huntress Labs. Companies would have to run frequent monitoring and alerts to have caught the changes, he says.
“Unfortunately, this form of hyperactive logging and detection is rare — managed service providers often don’t have the resources, let alone the personnel to frequently monitor massive components of their software and stack,” Hammond says. “With that said, the efficacy and potential for human-powered threat hunters is never something to be left out of the equation.”
The quick turnaround of the attack underscores the compressed timeline defenders have to respond to automated attacks. The REvil group and its affiliates, who are thought to be responsible for the attack, scanned for Internet-connected VSA servers and, when they found one, sent the initial exploit, which chained three vulnerabilities.
At 14:48 UTC on Friday, July 2, the first packets started hitting on-premises Kaseya VSA servers, according to logs collected from affected MSPs by Huntress Labs. The exploited flaws included an authentication bypass, an arbitrary file upload, and a command injection. The activity continued until the hibernating processes reactivated at 16:30 UTC, when antivirus firms suddenly started seeing spikes in detections of the ransomware payload.
In the hour after the attack’s activation, between 16:30 and 17:30 UTC, antivirus firm Sophos detected a massive spike in blocked ransomware activity on its endpoints.
“We started seeing telemetry immediately as the client systems started getting hit,” says Sean Gallagher, senior threat researcher at Sophos. “The telemetry spiked all at one time, in a very small time window.” After that, the attack mostly went quiet, he says.
Because Kaseya VSA manages other systems, the software not only has higher privileges — usually administrator privileges — on those systems but also often has exclusions in place so that antivirus software does not flag its activity as malicious. The command-line script that executed at 16:30 UTC on Friday ran a PowerShell script that disabled many security measures, loaded certificates, and ran a malicious executable disguised as a certificate, agent.crt.
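As an added illustration, not part of the Dark Reading article or of any vendor's tooling, here is a small Python detector for the two signals this timeline exposes: many managed hosts spawning a child of the management agent within the same second, and a process image whose extension is a certificate type rather than an executable. The agent process name, the log format and the sample events are constructed assumptions; only the filename agent.crt comes from the article.

```python
"""Detect synchronized agent activity and disguised executables in endpoint telemetry."""
import ntpath
from collections import defaultdict
from datetime import datetime

# Placeholder name for the RMM agent process (assumption, not a real product's process name).
AGENT_PARENT = "mgmt-agent.exe"
# Extensions that should never be the image of a launched process.
NON_EXEC_EXT = {".crt", ".cer", ".pem", ".txt", ".log"}

# Constructed telemetry (not real logs), one event per line:
# time|host|parent_process|image_path. One routine event, then five hosts
# spawning a shell in the same second, then a certificate-named file being run.
SAMPLE_LOG = """\
2021-07-02T15:10:12Z|ws-01|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:00Z|ws-01|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:00Z|ws-02|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:00Z|ws-03|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:00Z|ws-04|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:00Z|ws-05|mgmt-agent.exe|C:\\Windows\\System32\\cmd.exe
2021-07-02T16:30:03Z|ws-02|cmd.exe|C:\\Temp\\agent.crt
"""


def parse_events(text):
    """Parse telemetry lines into (timestamp, host, parent, image) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, image))
    return events


def burst_seconds(events, min_hosts=5):
    """Map each second in which at least min_hosts distinct hosts launched a child
    of the agent process to the sorted list of those hosts."""
    hosts_by_second = defaultdict(set)
    for ts, host, parent, _ in events:
        if parent.lower() == AGENT_PARENT:
            hosts_by_second[ts].add(host)
    return {ts: sorted(h) for ts, h in hosts_by_second.items() if len(h) >= min_hosts}


def disguised_executables(events):
    """Return (host, image) pairs where the launched image has a non-executable extension."""
    return [(host, image) for _, host, _, image in events
            if ntpath.splitext(image)[1].lower() in NON_EXEC_EXT]
```

Run against a real EDR or Sysmon process-creation feed, the burst threshold should be tuned to the fleet size, and a fleet-wide burst from a normally quiet agent parent is the alert that would have fired inside the two-hour window described above.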
To read the complete article, visit Dark Reading.