A massive chain reaction on Friday infected at least hundreds, and probably thousands, of companies around the world with ransomware, including a railway, a pharmacy chain and hundreds of storefronts of the Swedish grocery brand Coop. Carried out by the notorious Russia-based criminal gang REvil, the attack is a turning point: a combination of ransomware and a so-called supply-chain attack. It is now clear exactly how they did it.
Some details were already known on Friday afternoon. To spread their ransomware to a myriad of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software used to manage business networks and devices, and sells those tools to other companies called “managed service providers” (MSPs). MSPs, in turn, contract with small and medium-sized enterprises or any institution that does not want to manage its IT infrastructure on its own. By seeding their ransomware through Kaseya’s trusted distribution mechanism, the attackers could infect the MSPs’ Kaseya infrastructure and then watch the dominoes fall as those MSPs inadvertently distributed the malware to their customers.
But by Sunday, security researchers had pieced together critical details of how the attackers got in and took advantage of that initial foothold.
“What is interesting about this, and worrying, is that REvil has in any case used reliable applications to gain access to the targets. Usually, ransomware actors need multiple vulnerabilities at different stages to do this, or time online to reveal administrator passwords,” says Sophos senior threat researcher Sean Gallagher. Sophos published new findings about the attack on Sunday. “This is a step above what ransomware attacks usually look like.”
Practice with confidence
The attack depended on exploiting an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management tool, known as VSA. It is still unclear whether the attackers exploited the vulnerability all the way up the chain into Kaseya’s central systems. What seems more likely is that they exploited individual VSA servers managed by MSPs and from there pushed malicious “updates” to the MSPs’ customers. REvil appears to have tailored its ransom demands, and even some of its attack techniques, to each target rather than taking a one-size-fits-all approach.
The timing of the attack was particularly unfortunate, as security researchers had already identified the underlying vulnerability in Kaseya’s update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure had been working with Kaseya to develop and test patches for the flaw. The fixes were close to being released but had not yet been deployed by the time REvil struck.
“We did our best, and Kaseya did its best,” says Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. “It’s a vulnerability that’s easy to find, I think. This is most likely the reason why the attackers won at the end of the sprint.”
The attackers exploited the vulnerability to push malicious payloads to vulnerable VSA servers. That in turn meant reaching the VSA agent applications running on the Windows devices of those MSPs’ customers. VSA “agents” typically operate as a trusted walled garden on these machines, meaning that malware scanners and other security tools are configured to ignore whatever they do, which provides valuable cover to hackers who have compromised them.
Once in place, the malware ran a series of commands to hide its activity from Microsoft Defender, the malware scanner built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s Antimalware Service, a component of Windows Defender. Attackers can manipulate this outdated version to “sideload” malicious code, slipping it past Windows Defender the way Luke Skywalker sneaks past stormtroopers by wearing their armor. From there, the malware began encrypting the files on the victim’s computer. It even took steps to make it harder for victims to recover from data backups.
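The two evasion steps described above, disabling Defender and then running an outdated copy of its own engine from an unexpected location, both leave traces in ordinary process-creation telemetry. The following is an added example written for this page, not code from the article, from Sophos or from Kaseya, showing how a defender might flag that pattern. It assumes a hypothetical flattened event format (host, image path, command line, parent image) such as an EDR or Sysmon feed would provide, uses the real Defender cmdlet names and default engine install directories as the checks, and runs on constructed sample events rather than any data from the incident; the remote-management agent path in the samples is a placeholder.

```python
"""Flag Defender tampering and an out-of-place Antimalware Service engine in
process-creation telemetry (added example; events and paths are constructed)."""
import re
from dataclasses import dataclass

# Default locations of the Defender engine binary (assumption: stock install;
# adjust EXPECTED_ENGINE_DIRS to the platform directories used in your fleet).
EXPECTED_ENGINE_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
ENGINE_BINARY = "msmpeng.exe"  # Antimalware Service Executable
LEGIT_ENGINE_PARENT = "c:\\windows\\system32\\services.exe"  # started as a service

# Documented Defender cmdlets that weaken protection; the article does not list
# the exact switches the attackers used, so this matches the general shape.
TAMPER_PATTERN = re.compile(
    r"set-mppreference\s+.*-disable\w*|add-mppreference\s+.*-exclusion",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def analyze(events):
    """Return a Finding for every event that matches one of the three checks."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent"].lower()
        cmd = ev["cmdline"]
        # 1. Command line that turns Defender features off or adds exclusions.
        if TAMPER_PATTERN.search(cmd):
            findings.append(Finding(ev["host"], "defender_tamper", cmd))
        if image.rsplit("\\", 1)[-1] == ENGINE_BINARY:
            # 2. Engine binary executing outside its install directories.
            if not image.startswith(EXPECTED_ENGINE_DIRS):
                findings.append(Finding(ev["host"], "engine_outside_install_dir", ev["image"]))
            # 3. Engine not launched by the service control manager.
            if parent != LEGIT_ENGINE_PARENT:
                findings.append(Finding(ev["host"], "engine_unexpected_parent", ev["parent"]))
    return findings


# Constructed sample events (hypothetical RMM agent path; not incident data).
SAMPLE_EVENTS = [
    {"host": "ws01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent": "C:\\Program Files\\ExampleRMM\\agent.exe"},
    {"host": "ws01",
     "image": "C:\\Windows\\Temp\\MsMpEng.exe",
     "cmdline": "MsMpEng.exe",
     "parent": "C:\\Program Files\\ExampleRMM\\agent.exe"},
    {"host": "ws02",  # normal engine start: install path, parent is services.exe
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\<version>\\MsMpEng.exe",
     "cmdline": "MsMpEng.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "ws02",  # benign status query: no finding
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-MpComputerStatus",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

On the sample data the first host produces three findings (a tamper command plus an engine running from a temp directory under a non-service parent) and the second host none. The parent check matters because a walled-garden exclusion on the management agent, as the article describes, is exactly what makes the engine launch look routine to a signature-only scanner; correlating the parent process is what the scanner was told not to do.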