Advisory July 6, 2021

Client Advisory: Kaseya Sodinokibi incident

Get the technical summary of the Kaseya July 2021 REvil/Sodinokibi mass ransomware event

Background

On Friday, 2 July, 2021, a coordinated ransomware attack took place that impacted a subset of customers of the Kaseya remote IT management tool. At the time of writing, it is believed this incident impacted a global subset of users of on-premises Kaseya VSA, but not users of the cloud version and not all users of Kaseya VSA.

The attack targeted Managed Service Providers (MSPs) who use Kaseya VSA, but the computer systems ultimately encrypted by the ransomware were those of the MSPs' end customers. The REvil blog site claims that over one million endpoints were encrypted by the attack.

No signs of data exfiltration

According to reports by Huntress Labs and the national CERT for the Netherlands, the attack used an authentication bypass in the web interface of Kaseya VSA, which allowed the attackers to upload their malicious payload to the server.

A second vulnerability, an SQL injection in the /userFilterTableRpt.asp page of the Kaseya web interface, was then exploited to start execution of the uploaded payload.

The SQL injection attack allowed the REvil threat actors to execute the following Windows command:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

This command does a number of things:

  1. It makes the endpoint send a ‘ping’ request to itself 4,979 times. This achieves nothing other than making the command take approximately one hour to complete, so that the malicious payload has sufficient time to finish.
  2. Using PowerShell, it disables the Realtime Monitoring, Intrusion Prevention System, Antivirus, Script Scanning, Controlled Folder Access, Network Protection, Microsoft Active Protection Service, and Malware Sample Submission security components of Windows.
  3. It copies the Microsoft Certificate Utility component of Windows to the root OS folder, C:\Windows, as cert.exe, with a random number appended to the end of the executable so that it has a unique file hash.
  4. It uses the newly created cert.exe executable to decode the malicious payload that was uploaded using the first exploit, C:\kworking\agent.crt, and saves it as a new file, C:\kworking\agent.exe.
  5. It deletes the original payload and the copy of the Microsoft Certificate Utility.
  6. It executes the newly created agent.exe file.
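As an added example (not part of the original advisory), the following Python checks process command-line telemetry (for example Sysmon process-creation events) for the steps of the chain described above. The two sample command lines are constructed here: one is the command quoted in this advisory, the other a benign certutil invocation. The checks key on the -decode argument and the Set-MpPreference parameters rather than the certutil image name, because the copy was renamed to cert.exe.

```python
import re

# Constructed sample telemetry: the command line quoted in the advisory
# above, and a benign certutil use that should not be flagged.
KASEYA_CMDLINE = (
    '"C:\\WINDOWS\\system32\\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference '
    '-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    '-DisableIOAVProtection $true -DisableScriptScanning $true '
    '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    'copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & '
    'echo %RANDOM% >> C:\\Windows\\cert.exe & '
    'C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & '
    'del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe'
)
BENIGN_CMDLINE = 'certutil.exe -verify C:\\certs\\server.cer'

# One indicator per step of the chain; the capture group records the detail
# worth surfacing to an analyst (ping count, renamed binary, decoded file).
INDICATORS = {
    "ping_sleep": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d{3,})", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference.*?-Disable\w+\s+\$true", re.I),
    "certutil_copied": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+(\S+)", re.I),
    "hash_padding": re.compile(r"echo\s+%RANDOM%\s*>>\s*(\S+)", re.I),
    "certutil_decode": re.compile(r"\S+\s+-decode\s+(\S+)\s+(\S+)", re.I),
    "kworking_path": re.compile(r"[a-z]:\\kworking\\", re.I),
}

def analyse_cmdline(cmdline):
    """Return {indicator: matched detail} for every indicator found."""
    hits = {}
    for name, pattern in INDICATORS.items():
        m = pattern.search(cmdline)
        if m:
            hits[name] = m.group(1) if m.groups() else m.group(0)
    return hits

def defender_settings_changed(cmdline):
    """List the Set-MpPreference parameters altered (ignoring the -Force switch)."""
    seg = re.search(r"Set-MpPreference([^&]*)", cmdline, re.I)
    if not seg:
        return []
    return [p for p in re.findall(r"-([A-Za-z]+)", seg.group(1)) if p != "Force"]

def is_kaseya_chain(cmdline):
    """High-confidence verdict: sleep, Defender tampering and decode all present."""
    hits = analyse_cmdline(cmdline)
    return all(k in hits for k in ("ping_sleep", "defender_tamper", "certutil_decode"))

if __name__ == "__main__":
    print(analyse_cmdline(KASEYA_CMDLINE))          # shows every step matched
    print(defender_settings_changed(KASEYA_CMDLINE))  # the 8 Defender settings
    print(is_kaseya_chain(BENIGN_CMDLINE))           # False
```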

Once the agent file is run, it uses a technique known as DLL sideloading to inject the Sodinokibi DLL into Windows Defender. This encrypts the machine, rebooting into safe mode if necessary. Kaseya logs are also purged by the executable.

There are currently no reports of further commands having been run; this appears to have been a fully automated attack, which is what allowed the threat actors to operate at such significant scale. Nothing in the above command, nor anything inherent to the Sodinokibi executable, allows data to be stolen from the network.

Third-party providers such as Sophos also agree with this hypothesis that there is no evidence or likelihood of data theft. As such, at this time there is no reason to suspect that a data breach has occurred beyond the impact to availability.