FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 196030

Introduction

CISA released guidance earlier this weekend identifying a suspected supply chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network. The purpose of this KB article is to outline observed TTPs and IOCs associated with REvil’s use of this attack and to highlight how FortiEDR can be used to effectively detect and mitigate post-exploitation activity associated with this threat.

At a high level, the Kaseya supply chain attack appears to grant the adversary file write access and access to a remote shell with local system privileges. In all currently observed intrusions this access was used to deploy ransomware by side-loading a ransomware payload into a copy of Microsoft Defender. Analysis of the ransomware payload identified significant similarities to ransomware payloads previously employed by the REvil group.

Initial Access

The actor uses what is believed to be the suspected supply chain attack to place the intermediary file ‘agent.crt’ in the ‘C:\kworking’ directory (hash: 589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824). This is a relatively fixed IOC, as Kaseya explicitly recommends that customers whitelist this folder in SIEM and AV alerting to prevent false positives. This file is a base64-encoded version of the malicious file agent.exe (d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e). The FortiGuard Managed Detection and Response (MDR) team has not yet determined the mechanism used to place this intermediary file on the compromised host.

Following upload of the .crt file to the target endpoint, a set of commands is executed through a cmd shell spawned from the AgentMon.exe process to extract and run the dropper stored in the .crt file. The cmd shell spawning from the AgentMon.exe process is again suspected to be part of the reported supply chain attack. The commands are broken down below:

1. The ping command, run inline ahead of the subsequent commands, is likely intended to induce a delay between execution of this initial command and execution of the rest. The currently observed delay is 90 mins 14 secs. Based on the current number of observed intrusions, the FortiGuard MDR team cannot assess whether the –n count is consistent across intrusions or could be used as a low fidelity indicator.

2. This section of the command uses the PowerShell cmdlet Set-MpPreference to turn off Windows Defender real-time monitoring, intrusion prevention, scanning of connected devices, files and attachments, network protection and reporting to Windows Defender.

3. This section of the command copies the ‘certutil.exe’ executable to the path ‘C:\Windows\’ and renames it cert.exe. This is likely intended to evade simple SIEM detections or AV/EDR products that use the execution path or name to identify anomalous usage of certutil. Next, the value of the cmd environment variable %RANDOM% is appended to the end of the renamed copy. When referenced, this variable yields a random number between 0 and 32767, and appending data to an executable in this fashion is a simple way of changing a file’s hash. This is likely used to further obfuscate the use of the certutil executable.

4. This section of the command decodes the base64-encoded ‘agent.crt’ intermediary file with the copied certutil (cert.exe) to create the initial payload ‘agent.exe’ in the ‘C:\kworking\’ directory.

5. This section of the command deletes the intermediary ‘agent.crt’ file and executes agent.exe.

Agent.exe is a dropper that’s signed with a valid signature from the following signer.

This certificate has only been used to sign three files, all of which are linked to this campaign.

File Creation

When agent.exe runs, it drops two files into the victim’s AppData directory: MsMpEng.exe, a valid Windows Defender executable, and mpsvc.dll, the ransomware payload.

Process Creation

In the next step, agent.exe starts the MsMpEng.exe process, i.e. the Microsoft Malware Protection Engine, a core Windows Defender process.

Hijack DLL Execution

As part of the intrusions observed by the FortiGuard MDR team, the actor uses this shell access to decode and execute a previously downloaded dropper. This dropper downloads a legitimate copy of the Microsoft Defender executable ‘MsMpEng.exe’ (hash: 3d409b39b8502fcd23335a878f2cbdaf6d721995) alongside a malicious DLL named ‘mpsvc.dll’ (hash: 656c4d285ea518d90c1b669b79af475db31e30b1). The dropper then executes the created MsMpEng.exe executable, resulting in DLL side-loading of the malicious mpsvc.dll file.

File Encryption

The ransomware payload (mpsvc.dll) side-loaded by MsMpEng.exe encrypts user files in place, overwriting the plaintext content with the encrypted content, and then renames each file with a random extension.

In the first event shown below, the ransomware payload encrypts and replaces the content of the document file.doc.

After encrypting file.doc, it renames the file with the ransomware extension.

Network Discovery

The malicious payload then enables network discovery using netsh with the command line: advfirewall firewall set rule group="network discovery" new enable=yes

Modify Registry

It changes the desktop wallpaper setting in the registry after encrypting the user data.

Ransom Note

The following figure shows the ransom note from this supply chain attack. The note instructs the victim to decrypt the files using the decryptor URL “http://decoder.re”, which is a REvil Ransomware domain.

Solution

Detecting and mitigating Kaseya intrusion with FortiEDR

Let's have a look at how FortiEDR detects this intrusion.

Malicious Payload

Fortinet's cloud intelligence services have been updated to include all publicly available IOCs. When a malicious file is accessed, the rule "Malicious File Detected" in the Execution Prevention policy triggers the following event and prevents the file from being executed.

DLL Side-Loading

FortiEDR’s behavior-based detection triggers the following event when agent.exe (the malware) side-loads the ransomware payload (mpsvc.dll) into a copy of the Windows Defender process (MsMpEng.exe).

This event is triggered by the following EDR policy rules, and it stops the ransomware's execution, preventing exfiltration.

File Encryption

The REvil ransomware payload (mpsvc.dll) attempts to encrypt the Windows Boot Manager (bootmgr), which would prevent the victim from booting the infected computer. The File Encryptor rule in FortiEDR's Ransomware Prevention policy identifies these file write operations and prevents the files from being encrypted.

Thus, FortiEDR's advanced real-time detection, along with FortiCloud services, detects and blocks the intrusion at every stage.

Threat Hunting

The following queries can be used in FortiEDR v5 Threat Hunting to identify potential anomalous events associated with this intrusion:

    • Process Creation Events

To detect anomalous process creation events:

To detect anomalous MsMpEng.exe process creation events:

Type:("Process Creation") AND Target.Process.Name:("MsMpEng.exe") AND Source.Process.Name:("Agent.exe") AND Target.Process.File.SHA1:(3D409B39B8502FCD23335A878F2CBDAF6D721995) NOT Target.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform)

This query is more generic but will catch future permutations of the dropper name and MsMpEng.exe version. No false positives were observed in the test environment:

Type:("Process Creation") AND Target.Process.Name:("MsMpEng.exe") NOT (Target.Process.File.Path:(ProgramData Microsoft Windows Defender Platform))

To detect cmd shell usage associated with the Kaseya compromise. This process chain has a very low false positive rate in the test environment but may require filtering in a Kaseya environment if the AgentMon -> cmd process chain is standard:

Type:("Process Creation") AND Source.Process.Name:("AgentMon.exe") AND Target.Process.Name:("cmd.exe")

To detect cmd shell usage associated with the Kaseya compromise used specifically to decode and execute the ransomware dropper (Agent.exe):

Type:("Process Creation") AND Source.Process.Name:("AgentMon.exe") AND Target.Process.Name:("cmd.exe") AND Target.Process.CommandLine:(ping.exe 127.0.0.1 RANDOM decode)

To detect the ransomware payload using netsh to disable firewall restrictions. Note that this detection has a very low false positive rate; if it returns results, the ransomware has successfully executed in your environment:

Type:("Process Creation") AND Target.Process.Name:("netsh.exe") AND Source.Process.Name:("MsMpEng.exe") NOT (Source.Process.File.Path:(ProgramData Microsoft Windows Defender Platform)) AND Target.Process.CommandLine:(advfirewall firewall set rule group network discovery new enable yes)

    • File Creation Events

To detect anomalous file creation events:

To detect creation of a decoded file following the use of a copy of certutil:

Type:("File Create") AND Target.File.Ext:("exe") AND Source.Process.CommandLine:(-decode) AND Source.Process.Parent.Path:(Windows\\System32\\cmd.exe)

To detect the IOC-specific creation of agent.exe:

Type:("File Create") AND Target.File.Name:("Agent.exe") AND Target.File.Path:("kworking\\Agent.exe")

To detect creation of the MsMpEng executable outside its standard file path:

Type:("File Create") AND Target.File.Name:("MsMpEng.exe") NOT (Target.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(Windows\\System32\\WerFaultSecure.exe))

To detect creation of the mpsvc.dll library outside its standard file path. This has a very low false positive rate but may need to be altered if Windows Defender has a custom install path in the target environment:

Type:("File Create") AND Target.File.Name:("MpSvc.dll") NOT (Target.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*))

To detect the initial drop of the encoded agent (agent.crt). Very low false positive rate, but will not be effective if the adversary alters the filename:

Type:("File Create") AND Target.File.Name:("Agent.crt") AND Target.File.Path:("kworking\\Agent.crt")

To detect specific hashes (note that the four values are 64 hexadecimal characters, i.e. SHA-256 length, so confirm which hash field your FortiEDR version indexes before relying on the SHA1 field used here):

Type:("File Create") AND (Target.File.SHA1:(589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824) OR Target.File.SHA1:(D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E) OR Target.File.SHA1:(8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD) OR Target.File.SHA1:(E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2))

    • Library Loaded Events

To detect anomalous library load events:

Library load events indicative of the MsMpEng.exe side-loading:

Type:("Library Loaded") AND Target.Executable.File.Name:("mpsvc.dll") AND Source.Process.Name:("MsMpEng.exe") NOT (Target.Executable.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*))
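The three hunting queries above that carry the most signal (AgentMon.exe spawning cmd.exe with the ping/RANDOM/decode tokens, MsMpEng.exe starting outside the Defender platform folder, and mpsvc.dll being loaded by such a copy) re-implemented as plain Python predicates and run over constructed sample telemetry. This is an added example, not FortiEDR's query engine or any Fortinet code; the Event field names, the AppData drop path and the <version> placeholder are assumptions made for illustration.

```python
from dataclasses import dataclass

# Standard Windows Defender platform directory that the page's queries exclude.
DEFENDER_PLATFORM = "programdata\\microsoft\\windows defender\\platform"

@dataclass
class Event:
    type: str              # "Process Creation" or "Library Loaded"
    source_name: str = ""  # Source.Process.Name
    source_path: str = ""  # Source.Process.File.Path
    target_name: str = ""  # Target.Process.Name / Target.Executable.File.Name
    target_path: str = ""  # Target.Process.File.Path / Target.Executable.File.Path
    cmdline: str = ""      # Target.Process.CommandLine

def in_defender_platform(path: str) -> bool:
    return DEFENDER_PLATFORM in path.lower()

def kaseya_cmd_decode(e: Event) -> bool:
    """AgentMon.exe -> cmd.exe whose command line carries the ping/RANDOM/decode tokens."""
    return (e.type == "Process Creation"
            and e.source_name.lower() == "agentmon.exe"
            and e.target_name.lower() == "cmd.exe"
            and all(t in e.cmdline.lower() for t in ("ping.exe", "127.0.0.1", "random", "decode")))

def msmpeng_outside_platform(e: Event) -> bool:
    """The generic query: any MsMpEng.exe start outside the Defender platform folder."""
    return (e.type == "Process Creation"
            and e.target_name.lower() == "msmpeng.exe"
            and not in_defender_platform(e.target_path))

def mpsvc_sideload(e: Event) -> bool:
    """mpsvc.dll loaded by MsMpEng.exe with the DLL and host image both outside that folder."""
    return (e.type == "Library Loaded"
            and e.source_name.lower() == "msmpeng.exe"
            and e.target_name.lower() == "mpsvc.dll"
            and not in_defender_platform(e.target_path)
            and not in_defender_platform(e.source_path))

def hunt(events):
    """Return (rule name, event) for every rule above that fires on each event."""
    rules = (kaseya_cmd_decode, msmpeng_outside_platform, mpsvc_sideload)
    return [(r.__name__, e) for e in events for r in rules if r(e)]

# Constructed sample telemetry (not captured data): three malicious events, then two benign ones.
APPDATA = "C:\\Users\\victim\\AppData\\Local\\Temp\\"  # assumed drop location under AppData
PLATFORM = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\<version>\\"
SAMPLE_EVENTS = [
    Event("Process Creation", "AgentMon.exe", target_name="cmd.exe",
          cmdline="ping.exe 127.0.0.1 -n 9 & echo %RANDOM% & cert.exe -decode agent.crt agent.exe"),
    Event("Process Creation", "Agent.exe", "C:\\kworking\\Agent.exe", "MsMpEng.exe", APPDATA + "MsMpEng.exe"),
    Event("Library Loaded", "MsMpEng.exe", APPDATA + "MsMpEng.exe", "mpsvc.dll", APPDATA + "mpsvc.dll"),
    Event("Process Creation", "services.exe", "C:\\Windows\\System32\\services.exe", "MsMpEng.exe", PLATFORM + "MsMpEng.exe"),
    Event("Library Loaded", "MsMpEng.exe", PLATFORM + "MsMpEng.exe", "mpsvc.dll", PLATFORM + "mpsvc.dll"),
]
```

Running hunt(SAMPLE_EVENTS) fires exactly one rule per malicious event and nothing on the two legitimate Defender events, which is the false-positive behaviour the queries above are described as having in the test environment.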

Outline of MITRE techniques observed

TA0001 - Initial Access

T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
Observed activity: The suspected supply chain attack on the Kaseya ‘Virtual System Administrator Agent’ appears to allow file write and cmd shell access on the affected host (the actor chose to write an encoded .crt file rather than use the supply chain access to write agent.exe directly, although this may be to avoid detection by SIEM searches looking for executable write events). This exhibits itself as a cmd.exe process spawning from the AgentMon.exe process, described as a Virtual System Administrator Agent from Kaseya, which is spawned as a service. This process chain allows execution of cmd.exe as SYSTEM, which subverts UAC.

TA0002 - Execution

T1059.001 - Command and Scripting Interpreter: PowerShell
Observed activity: cmd shell access obtained through the suspected supply chain attack is used to execute the PowerShell cmdlet 'Set-MpPreference' to degrade Microsoft Defender.

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Observed activity: The suspected supply chain attack appears to provide access to a cmd shell used to decode the base64-encoded dropper, run PowerShell commands to disable Microsoft Defender and execute the dropper.

T1569.002 - System Services: Service Execution
Observed activity: The suspected supply chain attack appears to exhibit itself as part of the Kaseya service hosted in the AgentMon.exe process.

TA0003 - Persistence

T1574.002 - Hijack Execution Flow: DLL Side-Loading
Observed activity: The adversary uses DLL side-loading by dropping a copy of 'MsMpEng.exe' along with a malicious DLL 'mpsvc.dll' containing the ransomware payload. This DLL is loaded when the copy of MsMpEng.exe is executed.

TA0004 - Privilege Escalation

T1068 - Exploitation for Privilege Escalation
Observed activity: The suspected supply chain attack appears to exhibit itself as part of the Kaseya service hosted in the AgentMon.exe process, giving the subsequent cmd shell spawned from AgentMon.exe local system privileges. This removes the need for the adversary to perform further privilege escalation.

TA0005 - Defense Evasion

T1574.002 - Hijack Execution Flow: DLL Side-Loading
Observed activity: The adversary uses DLL side-loading against the Windows Defender executable, an application commonly whitelisted by security vendors to avoid the large volume of false positives associated with running two AV products simultaneously.

T1562.004 - Impair Defenses: Disable or Modify System Firewall
Observed activity: The ransomware payload (mpsvc.dll) enables the 'Network Discovery' rule group on affected endpoints.

T1562.001 - Impair Defenses: Disable or Modify Tools
Observed activity: The adversary uses the ‘Set-MpPreference’ PowerShell cmdlet to disable various Windows Defender features, including: Realtime Monitoring, Intrusion Prevention System, IOAV Protection, Script Scanning, Controlled Folder Access, Network Protection (set to audit only), MAPS Reporting and Sample Submission.

T1070.004 - Indicator Removal on Host: File Deletion
Observed activity: cmd shell commands are used to delete the intermediary file ‘agent.crt’ after the main dropper has been decoded. This is likely intended to hide evidence of the intermediate file.

T1036.003 - Masquerading: Rename System Utilities
Observed activity: The adversary uses commands executed through the cmd shell to create a copy of certutil.exe with a different name and path, and appends random numbers to the end of the file to modify its hash. This allows the adversary to use certutil without triggering simple behavior analysis keyed on the standard certutil executable.

T1036.005 - Masquerading: Match Legitimate Name or Location
Observed activity: Creating a copy of the legitimate executable MsMpEng.exe alongside a malicious version of mpsvc.dll, the DLL normally loaded by that process, hampers the ability of analysts to quickly identify anomalies.

T1027.001 - Obfuscated Files or Information: Binary Padding
Observed activity: Altering the hash of the copied certutil executable by padding it with a random number avoids the scrutiny that the certutil command is regularly exposed to by analysts, due to its utility as a dropper and its ability to base64-decode from cmd.

T1027.004 - Obfuscated Files or Information: Compile After Delivery
Observed activity: The main dropper (agent.exe) is decoded on the target endpoint from the agent.crt file dropped through the suspected supply chain attack rather than being written directly to disk. This may indicate restrictions on file write or be a defense evasion technique.

T1218 - Signed Binary Proxy Execution
Observed activity: Side-loading into a valid, signed copy of the Windows Defender executable avoids detection of the direct execution of an unsigned executable that was common in previous REvil intrusions.

T1553.002 - Subvert Trust Controls: Code Signing
Observed activity: Malware samples employed as part of this intrusion are signed with a valid code signing certificate. Certificate details are outlined in the IOC section at the end of the KB article.

TA0040 - Impact

T1486 - Data Encrypted for Impact
Observed activity: The side-loaded DLL mpsvc.dll contains a ransomware payload that encrypts all files on the target endpoint, changes the desktop background to a ransom note (through registry modification) and writes ransom notes to any directory containing an encrypted file.

IOCs (file hashes)

Agent.crt: 589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824

Agent.exe: D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E

mpsvc.dll: 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD

mpsvc.dll: E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2

For additional information, please refer to the following report.

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continues to monitor and update this article as new information is discovered.