CISA released guidance earlier this weekend which identifies a suspected supply chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network. The purpose of this KB article is to outline observed TTPs and IOCs associated with REvil’s use of this attack and to highlight how FortiEDR can be used to effectively detect and mitigate post-exploitation activity associated with this threat.
At a high level the Kaseya supply chain attack appears to grant the adversary file write access and access to a remote shell with local system privileges. In all currently observed intrusions this access was used to deploy ransomware by sideloading a ransomware payload into a copy of Microsoft Defender. Analysis of the ransomware payload identified significant similarities to ransomware payloads previously employed by the REvil group.
The actor uses what is believed to be the suspected supply chain attack to place the intermediary file ‘agent.crt’ in the ‘C:\kworking’ directory (hash: 589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824). This is a relatively fixed IOC as Kaseya explicitly recommends to customers whitelist this folder to SIEM and AV alerts to prevent false positives. This file is a base64 encoded version of the malicious file agent.exe (d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e). FortiGuard Managed Detection and Response (MDR) team has not yet determined the mechanism used to place this intermediary file on the compromised host.
Following upload of the .crt file to the target endpoint, a set of commands are executed through a cmd shell spawned from the AgentMon.exe process to extract and run the dropper stored in the .crt file. The cmd shell spawning from the AgentMon.exe process is again suspected to be part of the reported supply chain attack. The commands are broken down below:
1. The usage of ping command inline with the proceeding commands is likely to induce a delay between the execution of this initial command and execution of the rest of the commands. Current delay is 90mins 14secs. Based on the current number of observed intrusions, FortiGuard MDR team cannot assess whether the –n count is consistent across intrusions or could be used as a low fidelity indicator.
2. This section of the command uses the PowerShell cmdlet Set-MpPreference to turn off windows defender real time monitoring, intrusion prevention, scanning of connected devices,files, attachments, network protection and reporting to Windows Defender.
3. This section of the code copies the ‘certutil.exe’ executable to the path ‘C:\Windows\’ and renames it to cert.exe. This technique is likely to avoid simple SIEM detection or AV/EDR products that use the execution path or name to apply detection logic to identify anomalous usage of certutil. Following this the cmd environmental variable %RANDOM% is appended to the end of the renamed and moved certutil executable. When referenced this variable generates a random number between 0 – 32767 and appending data to an executable in this fashion is a simple way of modifying a file’s hash. This technique is likely used to further obfuscate the use of the certutil executable.
4. This section of the command decodes the encoded (base64) ‘agent.crt’ intermediary file with the copied version of certutil (cert.exe) to create the initial payload ‘agent.exe’ in the ‘C:\kworking\’ directory.
5. The section of the command deletes the intermediary ‘agent.crt’ file and executes the agent.exe file.
Agent.exe is a dropper that’s signed with a valid signature from the following signer.
This certificate has only been used to sign three files, all of which are linked to this campaign.
When the agent.exe runs, it drops two files into the Victim’s AppData directory: MsMpEng.exe, a valid Windows Defender executable and mpsvc.dll, the ransomware payload.
In the next step, Agent.exe starts running the process MsMpEng.exe i.e Microsoft Malware Protection Engine, a core Windows defender process.
Hijack DLL Execution
As part of intrusions observed by the FortiGuard MDR team the actor uses this shell access to decode and execute a previously downloaded dropper. This dropper downloads a legitimate copy of the Microsoft Defender executable ‘MsMpEng.exe’ (hash: 3d409b39b8502fcd23335a878f2cbdaf6d721995) alongside a malicious dll named ‘mpsvc.dll’ (hash:656c4d285ea518d90c1b669b79af475db31e30b1). The dropper then executes the created MsMpEng.exe executable resulting in dll sideloading of the malicious mpsvc.dll file.
The ransomware payload (mpsvc.dll) side-loaded by MsMpEng.exe encrypts the user files by replacing the plain text with the encrypted content and later renamed the files with the random extension.
In the first event shown below, the ransomware payload encrypts and replaces the content in the document file.doc.
After encrypting the document file.doc, it renames the file with ransomware extension.
The malicious payload then enables network discovery using netsh with the commandline ““advfirewall firewall set rule group=”network discovery” new enable=yes”.
It changes the desktop wallpaper setting in the registry after encrypting the user data.
The following figure shows the ransom note from this supply chain attack. The note instructs the victim to decrypt the files using the decryptor URL “http://decoder.re”, which is a REvil Ransomware domain.
Detecting and mitigating Kaseya intrusion with FortiEDR
Let's have a look at how FortiEDR detects this intrusion.
Fortinet's Cloud intelligence services have been updated to include all publicly available IOC’s. When a malicious file is accessed, the rule "Malicious File Detected" under Execution Prevention policy triggers the following event and prevents the file from being executed.
FortiEDR’s behavior based detection triggers the following event when agent,exe (malware) side-loads the ransomware payload (mpsvc.dll) into a copy of windows defender process (MsMpEng.exe).
This event is triggered by the following EDR policy rules, and it stops the ransomware's execution, preventing exfiltration.
The REvil ransomware payload (mpsvc.dl) attempting to encrypt the Windows Boot Manager (bootmgr), which prevents the victim from booting the infected computer. The File Encryptor rule in FortiEDR's Ransomware Prevention policy identifies file write operations and prevents them from being encrypted.
Thus, FortiEDR's advanced real time detection along with FortiCloud services detects and blocks the intrusion at every stage.
The following queries can be used in FortiEDR v5 Threat Hunting to identify potential anomalous events associated with this intrusion:
To detect anomalous process creation events:
To detect anomalous MsMpEng.exe process creation events:
Type:("Process Creation") AND Target.Process.Name:("MsMpEng.exe")AND Source.Process.Name:( "Agent.exe") AND Target.Process.File.SHA1:(3D409B39B8502FCD23335A878F2CBDAF6D721995) NOT Target.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform)
This query is more generic but will catch future permutations of dropper name and MsMpEng.exe version. No false positives were observed in the test environment:
Type:("Process Creation") AND Target.Process.Name:("MsMpEng.exe") NOT (Target.Process.File.Path:(ProgramData Microsoft Windows Defender Platform))
To detect cmd shell usage associated with Kaseya compromise. This process chain has a very low false positive rate in the test environment but may require filtering in a Kaseya environment if the AgentMon -> cmd process chain is standard:
Type:("Process Creation") AND Source.Process.Name:("AgentMon.exe") AND Target.Process.Name:("cmd.exe")
To detect cmd shell usage associated with Kaseya compromise used specifically to decode and execute the ransomware dropper (Agent.exe):
Type:("Process Creation") AND Source.Process.Name:("AgentMon.exe") AND Target.Process.Name:("cmd.exe") AND Target.Process.CommandLine:(ping.exe 127.0.0.1 RANDOM decode)
To detect ransomware payload using netsh to disable firewall restrictions. Note this detection has a very low false positive rate. If this detection returns results the ransomware has successfully executed in your environment:
Type:("Process Creation") AND Target.Process.Name:("netsh.exe") AND Source.Process.Name:("MsMpEng.exe") NOT (Source.Process.File.Path:(ProgramData Microsoft Windows Defender Platform)) AND Target.Process.CommandLine:(advfirewall firewall set rule group network discovery new enable yes)
To detect anomalous file creation events:
To detect creation of a decoded file following the use of a copy of certutil:
Type:("File Create") AND Target.File.Ext:("exe") AND Source.Process.CommandLine:(-decode) AND Source.Process.Parent.Path:(Windows\\System32\\cmd.exe)
To detect IOC specific creation of agent.exe:
Type:("File Create") AND Target.File.Name:("Agent.exe") AND Target.File.Path:("kworking\\Agent.exe")
To detect creation of MsMpEng executable outside standard filepath:
Type:("File Create") AND Target.File.Name:("MsMpEng.exe") NOT (Target.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(Windows\\System32\\WerFaultSecure.exe))
To detect creation of mpsvc.dll library outside standard filepath. This has a very low false positive rate but may need to be altered if Windows Defender has a custom install path in target environment:
Type:("File Create") AND Target.File.Name:("MpSvc.dll") NOT (Target.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform\*))
To detect initial drop of encoded agent (agent.crt). Very low false positive rate but will not be effective if adversary alters filename:
Type:("File Create") AND Target.File.Name:("Agent.crt") AND Target.File.Path:("kworking\\Agent.crt")
To detect specific hashes:
Type:("File Create") AND (Target.File.SHA1:( 589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824
) OR Target.File.SHA1:( D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E
) OR Target.File.SHA1:( 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD
) OR Target.File.SHA1:( E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2
To detect anomalous library load events:
library load events indicative of the msmpeng.exe sideloading:
Type:("Library Loaded") AND Target.Executable.File.Name:("mpsvc.dll") AND Source.Process.Name:("MsMpEng.exe") NOT (Target.Executable.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*)) NOT (Source.Process.File.Path:(ProgramData\\Microsoft\\Windows Defender\\Platform*))
Outline of MITRE techniques observed
TA0001 - Initial access
Supply Chain Compromise: Compromise Software Supply Chain
Suspected supply chain attack on Kaseya ‘Virtual System Administrator Agent’ appears to allow file write (actor chose to write an encoded .crt file rather than use access through supply chain to write agent.exe directly although this may be to avoid detection from SIEM searches looking for executable write events.) and cmd shell access on affected host. This exhibits itself as a cmd.exe process spawning from the AgentMon.exe process, described as a Virtual System Administrator Agent from Kaseya which is spawned as a service. This process chain allows the execution of cmd.exe as system which subverts UAC.
TA0002 - Execution
Command and Scripting Interpreter: PowerShell
cmd shell access through suspected supply chain attack is used to execute PowerShell cmdlet 'Set-MpPreference' to degrade Microsoft Defender.
Command and Scripting Interpreter: Windows Command Shell
Suspected supply chain attack appears to provide access to a cmd shell used to decode the base64 encoded dropper, run PowerShell commands to disable Microsoft Defender and execute dropper.
System Services: Service Execution
The suspected supply chain attack appears to exhibit itself as a part of the Kaseya service hosted in the AgentMon.exe process.
TA0003 - Persistence
Hijack Execution Flow: DLL Side-Loading
Adversary uses DLL side loading by dropping a copy of 'MsMpEng.exe' along with a malicious dll 'mpsvc.dll' containing the ransomware payload. This dll is loaded when the copy of MsMpEng.exe is executed.
TA0004 - Privilege Escalation
Exploitation for Privilege Escalation
The suspected supply chain attack appears to exhibit itself as a part of the Kaseya service hosted in the AgentMon.exe process giving the subsequent cmd shell spawned from the AgentMon.exe process local system privileges. This removes the requirement for the adversary to perform further privilege escalation.
TA0005 - Defensive Evasion
Hijack Execution Flow: DLL Side-Loading
Adversary uses DLL side loading for the Windows Defender executable. This is an application commonly whitelisted by security vendors to avoid a large volume of false positives associated with running two AV products simultaneously.
Impair Defenses: Disable or Modify System Firewall
The ransomware payload (mpsvc.dll) enables the 'Netwoork Discovery' rule on affected endpoints.
Impair Defenses: Disable or Modify Tools
Adversary uses ‘Set-MpPreference’ PowerShell cmdlet to disable various Windows Defender features including: Realtime Monitoring, Intrusion Prevention System, IO AV Protection, Script Scanning, Controlled Folder Access, Network Protection (set to audit only), MAPS Reporting and Sample Submission.
Indicator Removal on Host: File Deletion
cmd shell commands are used to delete the intermediary file ‘agent.crt’ following decode of the main dropper. This is likely to hide evidence of this intermediate file.
Masquerading: Rename System Utilities
The adversary uses commands executed through cmd shell to create a copy of Certutil.exe with a different name and path, as well as appending random numbers to the end of the file to modify its hash. This allows the adversary to use certutil without triggering any simple behavior analysis of the standard certutil executable.
Masquerading: Match Legitimate Name or Location
Creating a copy of the legitimate executable MsMpEng.exe and a malicious version of mpsvc.dll that is normally loaded by that process hampers the ability of analysts to quickly identify anomalies.
Obfuscated Files or Information: Binary Padding
Altering the hash of the copied certutil executable by padding with a random number would avoid the scrutiny that the certutil command is regularly exposed to by analysts due to its utility as a dropper and its ability to support base64 decode in cmd.
Obfuscated Files or Information: Compile After Delivery
The main dropper (agent.exe) is decoded on the target endpoint from the agent.crt certificate dropped through the suspected supply chain attack rather than being written directly to disc. This may be indicative on restrictions on file write or a Defense Evasion technique.
Signed Binary Proxy Execution
The use of side-loading targeting a valid, signed copy of the Windows Defender executable avoids detection of direct execution of an unsigned executable that is common amongst previous REvil intrusions.
Subvert Trust Controls: Code Signing
Malware samples employed as part of this intrusion are signed with a valid code signing certificate. Certificate details are outlined in the IOC section at the end of the KB article.
TA0040 - Impact
Data Encrypted for Impact
The sideloaded dll mpsvc.dll contains a ransomware payload that encrypts all files on the target endpoint, changes the desktop background to a ransomware note (through registry modification) and writes ransomware notes to any directory containing an encrypted file.
For additional information, please refer to the following report
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continue to monitor and update this article as new information is discovered.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.