{"id":37740,"date":"2021-07-20T14:18:42","date_gmt":"2021-07-20T06:18:42","guid":{"rendered":"https:\/\/version-2.com\/?p=37740"},"modified":"2022-03-07T12:10:45","modified_gmt":"2022-03-07T04:10:45","slug":"kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-msps","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2021\/07\/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-msps\/","title":{"rendered":"Kaseya Supply Chain Attack Delivers Mass Ransomware Event to MSPs"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\"\"<\/p>\n

\nJust as the security community was recovering from the\u00a0SolarWinds supply-chain attack, over July 4th holiday weekend\u00a0Kaseya IT management software,<\/a>\u00a0commonly implemented by Managed Service Providers (MSPs) fell victim to a series of supply-chain attacks.<\/p>\n

Kaseya is the Focus of New Supply Chain Ransomware Attack<\/h2>\n

According to a report from\u00a0Bleeping Computer<\/em><\/a>, on July 2, 2021, the REvil ransomware gang was actively targeting managed services providers (MSPs) and its customers via a Kaseya VSA supply-chain attack to deploy ransomware on enterprise networks. Kaseya is a popular software developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.<\/p>\n

Hundreds of worldwide businesses, including Coop supermarkets in Sweden,\u00a0confirmed to the BBC<\/a>\u00a0they have been impacted by the Kaseya attack, although they are not customers of Kaseya, and have shut down hundreds of stores in Sweden since yesterday evening. This is because they have lost their Point of Sale facilities, which are managed by a company that is a Kaseya customer.<\/p>\n

\n<\/p>\n

Figure 1. What the infected systems look like<\/em><\/p>\n\n

The attackers initially gained access by using a zero-day vulnerability in Kaseya VSA via a malicious automatic update to the software which eventually would deliver the ransomware. Once active in the IT environments, the ransomware would encrypt the different contents of the systems on the network. This would cause widespread operational disruption to any organization that uses this software.\u00a0 Even if the latest version of Kaseya VSA was implemented at the time of the attack, the cyber criminals could remotely execute commands on the VSA appliance.<\/p>\n\n

How the Ransomware is delivered<\/h2>\n

\nAs per the\u00a0DoublePulsar Blog Post<\/a>\u00a0on the Kaseya attack: \u201cDelivery of ransomware is via an automated, fake, software update using Kaseya VSA.<\/p>\n

The attacker immediately stops administrator access to the VSA, and then adds a task called \u201cKaseya VSA Agent Hot-fix\u201d.<\/p>\n

This fake update is then deployed across the estate \u2014 including on MSP client customers\u2019 systems \u2014 as it\u2019s fake management agent update.<\/p>\n

This management agent update is actually REvil ransomware.<\/p>\n

To be clear, this means organizations that are not Kaseya\u2019s customers were still encrypted.<\/p>\n

The Following Command is Run:<\/h2>\n

powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend<\/p>\n

What this does:<\/em><\/p>\n