A massive chain reaction on Friday infected at least hundreds and probably thousands of businesses around the world with ransomware, including a railway, a pharmacy chain, and hundreds of stores of the Swedish brand Coop. Carried out by the notorious Russia-based criminal gang REvil, the attack is a watershed moment: a combination of ransomware and a so-called supply chain attack. Now it is becoming clearer exactly how they pulled it off.
Some details were already clear by Friday afternoon. To propagate their ransomware to a large number of targets, the attackers exploited a vulnerability in the update mechanism used by the IT services company Kaseya. The company develops software for managing enterprise networks and devices and sells those tools to other companies known as managed service providers (MSPs). MSPs, in turn, are contracted by small and medium-sized businesses, or by any institution that does not want to manage its own IT infrastructure. By seeding their ransomware through Kaseya’s trusted distribution mechanism, the attackers could infect the Kaseya infrastructure of MSPs and then watch the dominoes fall as those MSPs unwittingly distributed the malware to their customers.
But by Sunday, security researchers had pieced together critical details about how the attackers obtained and exploited that initial foothold.
“What’s interesting about this is that REvil has used trusted applications in every instance to gain access to targets. Usually ransomware actors need more vulnerabilities at different stages to do that, or time on the network to find out the administrator’s passwords,” says Sean Gallagher, senior threat researcher at Sophos, which published new findings on the attack on Sunday. “This is a step above what ransomware attacks generally look like.”
An exercise in trust
The attack hinged on an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management product, known as VSA. It is still unclear whether the attackers exploited the vulnerability all the way up the chain in Kaseya’s central systems. What seems most likely is that they exploited individual VSA servers managed by MSPs and pushed malicious “updates” from there to the MSPs’ clients. REvil also appears to have tailored its ransom demands, as well as some of its attack techniques, to each target, rather than taking a one-size-fits-all approach.
The timing of the attack was especially unfortunate because security researchers had already identified the underlying vulnerability in the Kaseya update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure (DIVD) worked with Kaseya to develop and test patches for the flaw. The fixes were close to being released, but had not yet been deployed when REvil struck.
“We did our best and Kaseya did their best,” says Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. “It’s an easy vulnerability to find, I think. That’s probably the reason the attackers won the final sprint.”
The attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. By extension, this also meant compromising the VSA agent applications running on the Windows devices of those MSPs’ clients. VSA “working folders” typically operate as a trusted zone on those machines, meaning that malware scanners and other security tools are instructed to ignore whatever happens there, which provided valuable cover for the hackers who had compromised them.
Once dropped, the malware ran a series of commands to hide its activity from Microsoft Defender, the malware scanning tool built into Windows. Finally, the malware had Kaseya’s update process run a legitimate but outdated version of Microsoft’s “Antimalware Service” executable, a component of Windows Defender. Attackers can abuse this old version to “sideload” malicious code, slipping past Windows Defender the way Luke Skywalker slips past Stormtroopers when he wears their armor. From there, the malware began encrypting files on the victim’s machine. It also took steps to make it harder for victims to recover from backups.
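The two behaviours described in the last two paragraphs, Defender being told to stand down and a legitimate signed Windows binary being used to sideload an unsigned DLL from a working folder, are both visible in ordinary endpoint telemetry. The script below is an added example, not code from the article, from Kaseya or from Sophos: it runs a toy detection pass over a handful of constructed process-creation and image-load records. It assumes that the "Antimalware Service" executable is Defender's MsMpEng.exe, that the endpoint agent reports an Authenticode signer for every loaded image, and that the Defender tampering was done through the PowerShell Set-MpPreference/Add-MpPreference cmdlets (real cmdlets, but the article does not quote the actual commands used). The folder and DLL names are placeholders, not the real paths from the attack.

```python
"""Toy detection pass for Defender tampering and DLL sideloading.

Added example, not from the article or from Kaseya/Sophos. Every record in
EVENTS is constructed; real telemetry would come from an EDR or Sysmon-style
process-creation (type "process") and image-load (type "imageload") events.
"""
import re
from pathlib import PureWindowsPath

# Directories from which a signed Microsoft binary is expected to run and to
# load its DLLs. Anything outside these roots is treated as untrusted.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData\Microsoft\Windows Defender",
)

# Set-MpPreference / Add-MpPreference combined with a -Disable* switch or an
# exclusion parameter is the usual way Defender is weakened from a script.
TAMPER_CMDLETS = re.compile(r"\b(Set|Add)-MpPreference\b", re.IGNORECASE)
TAMPER_FLAGS = re.compile(r"-(Disable\w+|Exclusion(Path|Process|Extension))\b", re.IGNORECASE)

# Constructed telemetry. "signer" is the Authenticode signer the endpoint agent
# reports for the image (None = unsigned). Paths are placeholders.
WORKDIR = r"C:\ExampleVsaWorkingFolder"          # hypothetical agent working folder
EVENTS = [
    {"type": "process", "pid": 4100, "parent": "AgentMon.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signer": "Microsoft Windows",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "pid": 4120, "parent": "AgentMon.exe",
     "image": WORKDIR + r"\MsMpEng.exe",          # assumed: the old Defender service binary
     "signer": "Microsoft Corporation",
     "cmdline": WORKDIR + r"\MsMpEng.exe"},
    {"type": "imageload", "pid": 4120, "image": WORKDIR + r"\MsMpEng.exe",
     "loaded": WORKDIR + r"\example_payload.dll", "signer": None},   # placeholder DLL name
    {"type": "imageload", "pid": 4120, "image": WORKDIR + r"\MsMpEng.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signer": "Microsoft Windows"},
    {"type": "process", "pid": 5000, "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signer": "Microsoft Windows",
     "cmdline": "powershell.exe Get-MpPreference"},   # benign: read-only query
]


def is_defender_tampering(cmdline: str) -> bool:
    """True when a command line both names a Defender preference cmdlet
    and carries a switch that disables a feature or adds an exclusion."""
    return bool(TAMPER_CMDLETS.search(cmdline) and TAMPER_FLAGS.search(cmdline))


def under_trusted_root(path: str) -> bool:
    """True when the path lies beneath one of TRUSTED_ROOTS (case-insensitive)."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def is_suspicious_sideload(event: dict) -> bool:
    """Unsigned DLL loaded from the executable's own directory, outside the
    trusted roots: the classic search-order sideloading pattern."""
    if event["type"] != "imageload" or event.get("signer"):
        return False
    same_dir = PureWindowsPath(event["image"]).parent == PureWindowsPath(event["loaded"]).parent
    return same_dir and not under_trusted_root(event["loaded"])


def analyse(events: list) -> list:
    """Return (finding, pid) tuples in event order."""
    findings = []
    processes = {e["pid"]: e for e in events if e["type"] == "process"}
    for event in events:
        if event["type"] == "process" and is_defender_tampering(event["cmdline"]):
            findings.append(("defender_tampering", event["pid"]))
        elif event["type"] == "imageload":
            proc = processes.get(event["pid"])
            # Only a *signed* host binary makes the unsigned DLL interesting:
            # that is what lets the payload inherit the binary's reputation.
            if proc and proc.get("signer") and is_suspicious_sideload(event):
                findings.append(("possible_dll_sideload", event["pid"]))
    return findings


if __name__ == "__main__":
    for name, pid in analyse(EVENTS):
        print(f"{name}: pid {pid}")
```

Two caveats follow directly from the article. First, the rules only fire if the telemetry source does not honour the same exclusions that the VSA working folder enjoys: an EDR or Sysmon sensor that records every process and image load regardless of antivirus exclusion lists is needed, because Defender itself has been told to look away. Second, the sideload rule keys on "signed host binary, unsigned DLL, same non-standard directory" rather than on any particular file name, so it would also catch a relocated copy of some other signed binary; that generality is deliberate, since an outdated but validly signed executable is exactly what slips past a name-based allow list.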