Kaseya Supply Chain Attack: What We Know So Far


As news of the supply chain ransomware attack on Kaseya’s IT management software continues to emerge, here’s what we know so far.

Just as we get over the SolarWinds supply chain attack, we see Kaseya’s IT management software, commonly used in Managed Service Provider (MSP) environments, hit by another in a series of supply chain hacks. Similar to the SolarWinds incident, this latest attack uses a two-step malware delivery process that slides through the back door of technology environments. Unlike SolarWinds, the cybercriminals behind this attack apparently had monetary gain rather than cyber espionage in their sights, ending up planting ransomware while exploiting the trusted relationship between Kaseya and its customers.

ESET security researchers are monitoring this ransomware, which is widely attributed to the REvil gang, whose malware ESET security products detect as Sodinokibi. Our preliminary analysis supports this attribution.

Figure 1. Victims by country

ESET added detection of this ransomware variant as Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 p.m. (EDT; UTC-04:00). This detection covers both the main body of the ransomware and the DLLs that it side-loads. ESET telemetry shows the majority of reports coming from the UK, South Africa, Canada, Germany, the US and Colombia.

Kaseya, for its part, was quick to triage the incident and sent notifications to those potentially affected, advising them to immediately shut down any potentially affected on-premises VSA servers.

This advice couldn’t come too soon. Once a server is infected, the malware shuts off administrative access and begins to encrypt data, the precursor to the full ransomware attack cycle. After the encryption process is complete, the system desktop wallpaper is set to an image similar to Figure 2, and the ransom note it refers to will look like Figure 3, should a victim find and open it.

Figure 2. The system wallpaper is replaced with an image like this one. (The second image is cropped for better readability.)

The first part of the “readme” file name is random.

Figure 3. The ransom note (we have wrapped the text for readability)

Hundreds of organizations now have encrypted data within their environments, according to a report, and are scrambling to contain the damage and get their IT teams to act quickly.

Figure 4. The page to which victims are redirected

Even as vendors like ESET detect this malware, there has been a time lag between when servers were hit by the attack and when support teams and software were able to respond, giving early infections time to do their damage.

Information is being released in several places as it becomes available, with the security industry stepping up, in real time, to help customers in any way it can.

If you have servers that are likely to be affected, it is essential that you keep abreast of the news as it emerges and shut down potentially vulnerable machines, or at least isolate them from the network, until more information is available. Kaseya also posts regular updates on its website.

Indicators of Compromise (IoC)

The following files are associated with the Win32/Filecoder.Sodinokibi.N ransomware:

File name   SHA-256 hash                                                        ESET detection name
agent.exe   D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E    Win32/Filecoder.Sodinokibi.N
mpsvc.dll   E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2    Win32/Filecoder.Sodinokibi.N
mpsvc.dll   8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD    Win32/Filecoder.Sodinokibi.N
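As an added example (not code from the original article or from ESET), here is a small Python sweep that hashes every file under a directory and compares it against the three SHA-256 indicators above; a file that only matches one of the listed names (agent.exe, mpsvc.dll) is reported as low confidence, since legitimate files with those names exist. The directory to scan is an assumption passed on the command line.

```python
import hashlib
import os

# SHA-256 indicators exactly as listed in the table above, keyed by lower-cased hash
# so that comparisons are case-insensitive. Detection names are the page's own.
SODINOKIBI_IOCS = {
    ioc_hash.lower(): (name, detection)
    for name, ioc_hash, detection in [
        ("agent.exe", "D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E", "Win32/Filecoder.Sodinokibi.N"),
        ("mpsvc.dll", "E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2", "Win32/Filecoder.Sodinokibi.N"),
        ("mpsvc.dll", "8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD", "Win32/Filecoder.Sodinokibi.N"),
    ]
}

# File names from the table. A name match alone is only a triage hint.
SUSPECT_NAMES = {"agent.exe", "mpsvc.dll"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=SODINOKIBI_IOCS, suspect_names=SUSPECT_NAMES):
    """Walk `root` and return a list of (path, confidence, detail) findings.

    "high": the SHA-256 matches a listed indicator; detail is the detection name.
    "low":  only the file name matches; detail is the computed hash for follow-up.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                file_hash = sha256_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if file_hash in iocs:
                findings.append((path, "high", iocs[file_hash][1]))
            elif name.lower() in suspect_names:
                findings.append((path, "low", file_hash))
    return findings


if __name__ == "__main__":
    import sys
    for path, confidence, detail in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{confidence}] {path}: {detail}")
```

A low-confidence hit is a prompt to submit the file's hash to your vendor or sandbox, not proof of infection; a high-confidence hit on a VSA host is grounds to isolate it immediately.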
