On Friday, 02.07.21, computers running Kaseya VSA installed a malicious update containing the REvil ransomware. This monumental breach caught many MSP companies that use Kaseya off guard, and more than 1000 businesses are known to have been successfully penetrated. A supply chain attack of this caliber has not been seen since the SolarWinds breach.

In a nutshell, Kaseya allows the administration of systems and runs with high-level privileges. The attackers hacked Kaseya’s servers and pushed an update containing ransomware, which was installed on all managed systems. It’s worth noting that Kaseya requires antivirus exclusions on some folders used during the deployment of this malware.

 

According to reports, the attackers disabled Windows Defender before executing a binary named “agent.exe”, which drops two files to disk: an old Windows Defender binary and a DLL named “mpsvc.dll”. Once the outdated Defender binary is executed, it loads the actual ransomware, stored in the previously dropped DLL, into memory, because that Defender executable is known to be vulnerable to DLL side-loading. The attackers might have chosen an old Microsoft binary to evade EDR software, thus increasing the number of encrypted devices.
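The side-loading step described above leaves a recognizable trace: “mpsvc.dll” being loaded from a directory that is not a Defender install path. The detection logic below is an added example, not code from the original post or from any vendor; the Sysmon-shaped event dictionaries, the sample paths, the `MsMpEng.exe` host name and the trusted-directory list are assumptions.

```python
import ntpath

# Assumed default Defender install locations; adjust for your environment.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
WATCHED_DLL = "mpsvc.dll"  # DLL name given in the article


def _trusted(path):
    d = ntpath.normcase(ntpath.dirname(path))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_sideloads(events):
    """Flag mpsvc.dll loads from outside the trusted Defender directories."""
    dropped_by = {}  # normalised DLL path -> process that wrote it
    findings = []
    for ev in events:
        if ev["EventID"] == 11:    # FileCreate: remember who wrote the file
            dropped_by[ntpath.normcase(ev["TargetFilename"])] = ev["Image"]
        elif ev["EventID"] == 7:   # ImageLoad: check where the DLL came from
            dll = ntpath.normcase(ev["ImageLoaded"])
            if ntpath.basename(dll) != WATCHED_DLL or _trusted(dll):
                continue
            host_dir = ntpath.normcase(ntpath.dirname(ev["Image"]))
            findings.append({
                "host_process": ev["Image"],
                "dll": ev["ImageLoaded"],
                # Host binary and DLL in one directory is typical of side-loading.
                "same_dir": host_dir == ntpath.dirname(dll),
                "dropper": dropped_by.get(dll),
            })
    return findings


# Constructed sample events (paths and the MsMpEng.exe name are assumptions).
SAMPLE = [
    {"EventID": 11, "Image": r"C:\constructed\agent.exe",
     "TargetFilename": r"C:\constructed\drop\mpsvc.dll"},
    {"EventID": 7, "Image": r"C:\constructed\drop\MsMpEng.exe",
     "ImageLoaded": r"C:\constructed\drop\mpsvc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE):
        print(finding)
```

Because the rule keys on the DLL's load path and not on the host binary's signature, it still fires when the loading executable is a validly signed Microsoft file.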

Minerva Labs Armor can prevent this ransomware threat before the attack unfolds, at the point where it abuses the exploited Defender executable: