Kaseya agent monitor running at C:\PROGRAM FILES (X86)\KASEYA\\AGENTMON.EXE, this AGENTMON.EXE is used to write a base64 encoded malicious payload "AGENT.CRT in the VGA working directory. Īn ID connects the Kaseya server and Kaseya agent monitor instance, and the configuration is stored in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\įirst, the VSA server was compromised second, a malicious payload was sent out from compromised VSA servers to VSA agents. This means whatever is executed by the agent will be ignored by antivirus and Windows defender. The company's documentation recommended add an exclusion on Kaseya agent's home directories ( C:\program files\ "agent working folders" \ *) from the Firewall, anti-virus, for this agent to function correctly. Blind Trust in the application:Ī VSA agent is running on the Windows device, and the VSA agent received the update from the VSA server. After the Authentication was bypassed, an arbitrary File upload and finally a local File Code injection. Since no patch for the VSA server has been issued yet, and it is a zero-day exploit, the details on this exploit are limited. VSA server zero-day exploit:Īn authentication bypass was used on the VSA server's internet-facing interface. The attackers identify the zero-day exploit on the VSA server platform. The evil actors found a new vulnerability in Kaseya's supply chain and delivered the ransomware code through the malware protection program. How was this attack delivered?Īctors: VSA server, VSA agent, Kaseya Agent Monitor Reconnaissance This group takes the percentage of the Ransome price as the cost of service they provide decryption, encryption, communication, and arrangement to give data and access keys. The REvil, also known as the Sodinobiki group, was also responsible for MSPs and local government in Taxes attacks in 2019. REvil ransomware group was responsible for this attack, one of the most notoriously known ransomware-as-a-service (RaaS) services. July 9 to July 11: The company released a patch and tool check for the IOCs.July 6, 2021: Server operation is not resumed yet. Fireeye mediant and other cyber companies were requested to do the research.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |