A massive chain reaction on Friday infected at least hundreds and possibly thousands of businesses worldwide with ransomware, including a railroad, a drugstore chain, and hundreds of storefronts of the Swedish grocery brand Coop. Carried out by the notorious Russia-based criminal gang REvil, the attack is a defining moment: a combination of ransomware and a so-called supply chain attack. Now it is becoming clearer exactly how they succeeded.
Some details were known by Friday afternoon. In order to spread their ransomware to countless targets, the attackers exploited a vulnerability in the update mechanism used by IT services company Kaseya. The company develops software used to manage corporate networks and devices, then sells these tools to other companies called “managed service providers.” MSPs, in turn, contract with small and medium-sized enterprises or any institution that does not wish to manage its IT infrastructure on its own. By sowing their ransomware through Kaseya’s trusted distribution mechanism, the attackers could infect the MSPs’ Kaseya infrastructure and then watch the dominoes fall as those MSPs inadvertently distributed malware to their customers.
By Sunday, security researchers had gathered critical details of how the attackers both obtained and profited from that initial position.
“What’s interesting about this and concerning is that REvil used trusted applications in each case to access targets. Usually, ransomware players need multiple vulnerabilities at different stages to do this or time on the network to discover administrator passwords,” says Sean Gallagher, senior threat researcher at Sophos. Sophos posted new discoveries linked to the attack on Sunday. “This is a step above what ransomware attacks generally look like.”
Trust Exercise
The attack was based on exploiting an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management product, known as the VSA. It is still unclear whether the attackers exploited the vulnerability further up the chain, in Kaseya’s own core systems. What seems more likely is that they exploited individual VSA servers managed by MSPs and pushed malicious “updates” from there to the MSPs’ clients. REvil appears to have tailored the ransom demands, and even some of its attack techniques, to each target, rather than taking a one-size-fits-all approach.
The timing of the attack was particularly unfortunate because security researchers had already identified the underlying vulnerability in Kaseya’s update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure was working with Kaseya to develop and test patches for the flaw. The fixes were about to be released, but had not yet been deployed by the time REvil struck.
“We did our best and Kaseya did the best,” says Victor Gevers, researcher at the Dutch Institute for Vulnerability Disclosure. “It’s an easy vulnerability to find, I think. This is probably the reason why the forwards won the final sprint.”
The attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. That also meant, by extension, that they compromised the VSA agent apps running on the Windows devices of those MSPs. VSA “working folders” typically function as a walled garden of trust on these machines, meaning malware scanners and other security tools are advised to ignore whatever happens inside them, which gave the hackers who compromised them invaluable cover.
Once dropped, the malware executed a series of commands to mask its activity from Microsoft Defender, the malware protection built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s “Antimalware Service,” a component of Windows Defender. Attackers can manipulate this deprecated version to “sideload” malicious code, slipping it past Windows Defender in the same way that Luke Skywalker sneaks past the Stormtroopers while wearing their armor. From there, the malware began encrypting the files on the victim’s machine. It even took steps to make it harder for victims to recover from data backups.
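From a defender’s side, the two conditions described above can be checked on a Windows host. The PowerShell below is an added example, not code from the article, Kaseya or Sophos; it assumes the VSA agent’s working folder contains “Kaseya” in its path and that the Antimalware Service runs as the standard Defender executable MsMpEng.exe, and it should be run from an elevated session so the process path is readable.

```powershell
# Added example (not from the article). Audits a host for the conditions the
# paragraph describes: Defender protections switched off, a Defender exclusion
# covering the Kaseya agent's working folder, and an Antimalware Service binary
# running from a non-standard location or with an expired signing certificate.
function Get-DefenderTamperFindings {
    $prefs = Get-MpPreference
    # Each of these switches is normally $false; $true means protection was turned off.
    foreach ($name in 'DisableRealtimeMonitoring','DisableBehaviorMonitoring',
                      'DisableIOAVProtection','DisableScriptScanning') {
        if ($prefs.$name) {
            [pscustomobject]@{ Finding = 'ProtectionDisabled'; Detail = $name }
        }
    }
    # Exclusion paths turn the agent's working folder into a scanner blind spot.
    foreach ($path in @($prefs.ExclusionPath)) {
        if ($path -and $path -match 'Kaseya') {   # folder pattern is an assumption
            [pscustomobject]@{ Finding = 'ExclusionCoversAgentFolder'; Detail = $path }
        }
    }
}

function Get-AntimalwareServiceFindings {
    # Normal install locations of the Defender engine on current and older builds.
    $knownDirs = @(
        (Join-Path $env:ProgramData  'Microsoft\Windows Defender\Platform'),
        (Join-Path $env:ProgramFiles 'Windows Defender')
    )
    foreach ($proc in Get-Process -Name MsMpEng -ErrorAction SilentlyContinue) {
        $exe = $proc.Path
        if (-not $exe) { continue }   # path unreadable without elevation
        $inKnownDir = $false
        foreach ($d in $knownDirs) {
            if ($exe.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inKnownDir = $true }
        }
        if (-not $inKnownDir) {
            [pscustomobject]@{ Finding = 'EngineOutsideDefenderDir'; Detail = $exe }
        }
        # An outdated copy stands out by its signer certificate having expired.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.NotAfter -lt (Get-Date)) {
            [pscustomobject]@{ Finding = 'EngineSignatureInvalidOrExpired'
                               Detail  = "$exe (status: $($sig.Status), expires: $($sig.SignerCertificate.NotAfter))" }
        }
    }
}

Get-DefenderTamperFindings
Get-AntimalwareServiceFindings
```

An empty result means none of the audited conditions were observed; any row is a starting point for triage, not proof of compromise.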