Kaseya Supply Chain Attack: What We Know So Far
As the announcement of the supply chain ransomware attack on Kaseya’s IT management software, here’s what we know so far
Just as we overcome SolarWinds’ supply chain attack, we see Kaseya IT management software, commonly used in Managed Service Provider (MSP) environments, hit by another in a series of hacks. of the supply chain. Similar to the SolarWinds incident, this latest attack uses a two-step malware delivery process that slides through the backdoor of technology environments. Unlike SolarWinds, the cybercriminals behind this attack apparently had monetary gain rather than cyber espionage in their sights, ending up planting ransomware while exploiting the trusting relationship between Kaseya and her customers.
ESET security researchers are monitoring this ransomware, which is widely attributed to the REvil gang whose ESET security products detect malware like Sodinokibi. Our preliminary analysis supports this attribution.
ESET added detection of this ransomware variant as Win32 / Filecoder.Sodinokibi.N Trojan on July 2sd at 3:22 p.m. (EDT; UTC-04:00). This detection includes both the main body of the ransomware, as well as the DLLs that it loads laterally. ESET telemetry shows the majority of reports from UK, South Africa, Canada, Germany, US and Colombia.
Kaseya, for her part, was quick to sort out the incident and sent notifications to those potentially affected advising them to immediately shut down any potentially affected on-premises VSA servers.
This advice couldn’t come too soon. Once the server is infested, the malware closes administrative access and begins to encrypt data, a precursor to the full cycle of ransomware attack. After the encryption process is complete, the system desktop wallpaper is set to an image similar to Figure 2, and the ransom note it refers to will look like Figure 3, if a victim has it. find and open it.
The first part of the “readme” file name is random.
Hundreds of organizations now have encrypted data within their organization, according to a report, scrambling to contain and educate IT teams to act quickly.
As vendors like ESET detect this malware, there has been a time lag between when affected servers were affected by the attacks and when support teams and software were able to respond, which allowed early infestations do their damage.
There are several places where upcoming information is released, including the security industry stepping up, in real time, to help customers in any way they can.
If you have servers that are likely to be affected, it is essential to keep abreast of news as they arise and shut down potentially vulnerable machines, or at least isolate them from the network until that more information is available. Kaseya also posts regular updates on its website.
Indicators of Compromise (IoC)
The following files are associated with Win32 / Filecoder.Sodinokibi.N ransomware:
|File name||SHA-256 hash||ESET detection name|
|agent.exe||D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E||Win32 / Filecoder.Sodinokibi.N|
|mpsvc.dll||E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2||Win32 / Filecoder.Sodinokibi.N|
|mpsvc.dll||8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD||Win32 / Filecoder.Sodinokibi.N|