Detection and Investigation Using Devo: REvil Ransomware Kaseya VSA
Incident and Threat Details
On July 3, 2021, Kaseya reported [1] a potential attack against its Virtual System/Server Administrator (VSA) that apparently had been limited to a small number of on-premises customers. Kaseya recommended an immediate shutdown of the VSA server until further notice.
The small number of affected customers grew to thousands in just a few hours.
[Figure: Map from We Live Security [2]]
Like the SolarWinds incident, this latest attack uses a two-step malware delivery process to slide through the back door of tech environments.
Kaseya received reports from customers and others suggesting unusual behavior occurring on endpoints managed by the Kaseya VSA on-premises product. Customer reports indicated that ransomware was being executed on endpoints. On July 5th, Kaseya confirmed that REvil ransomware was the threat involved. Thus far, fewer than 1,500 downstream businesses have been affected.
[1] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
[2] https://www.welivesecurity.com/2021/07/03/kaseya-supply-chain-attack-what-we-know-so-far/
Impact
DIVD [3] CSIRT [4] performed a mass scan for online exposed Kaseya VSA instances. Kaseya turned off its SaaS services and advised all on-premises customers to turn off Kaseya VSA because it was being used to spread ransomware to various MSPs.
[Figure: Mass scan for online exposed Kaseya VSA [5]]
The attack vector has not been disclosed, but some reports point to a “zero-day.” Although Kaseya says the attack only affected “on-premises” customers — organizations running Kaseya in their own data centers, as opposed to using Kaseya’s cloud-based services that run software for customers — it also shut down those servers as a precaution.
[5] https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/
Threat Details and Mitigation
Kaseya, which on Friday, July 2nd called on customers to shut down their VSA servers immediately, said on Sunday, July 4th it hoped to have a patch in the next few days.
The FBI and the Cloud Security Alliance (CSA) have issued guidance, including [6]:
- If you feel you are compromised, contact the FBI (or the appropriate authority for users outside of the United States) immediately.
- Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
- Enable and enforce multifactor authentication (MFA) on every single account that is under the control of the organization, and — to the maximum extent possible — enable and enforce MFA for customer-facing services.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
Indicators of Compromise and Detection
Multilookup
Devo creates and maintains a lookup, revilKaseya, that is available to all domains. It contains all IOCs collected from multiple sources: hashes, IP addresses and filenames.
Multilookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and others store security information from MISP services. This information is periodically updated in different ways.
You can use the lookup in your queries by including the following LINQ statement:
Alternatively, if you are not familiar with the LINQ language, you can use the graphical interface, Loxcope, to apply the lookup.
Further details about how to use a lookup are in the Devo documentation [7].
Log Sources
The Devo Platform uses union tables [8] to facilitate customer access to data. Common union tables are those that are available in all domains and collect information for monitoring purposes. There are several technologies for which, regardless of brand, the log events contain very similar, or identical, fields. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources.
Alerts and Queries
Devo released, through SecOps Content Manager, alerts to cover all known IOCs across different log sources.
These alerts are available in SecOps Content Manager for all customers who run this application on the Devo Platform. More details about SecOps are available in our documentation [9].
SecOps users can go to Content Manager and install the new alerts.
Just click on the Content Manager icon and select the alerts you want to install in the Alerts Configurator section.
[9] https://docs.devo.com/confluence/ndt/latest/applications/devo-security-operations
REvil Kaseya Hash Found
Description: Detected suspicious hash related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from edr.all.threats
  where isnotnull(sha256hash)
  select `lu/revilKaseya/type`(sha256hash) as isrevilKaseya
  where isnotnull(isrevilKaseya)
  group every 5m by ip, sha256hash, mac, filename, host, threat, isrevilKaseya
  where isnotnull(ip)
SecOps Query:
  from edr.all.threats
  where isnotnull(sha256hash)
  select `lu/revilKaseya/type`(sha256hash) as isrevilKaseya
  where isnotnull(isrevilKaseya)
  group every 5m by ip, sha256hash, mac, filename, host, threat, isrevilKaseya
  where isnotnull(ip)
  select str(ip) as entity_sourceIP
  select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select mm2asn(ip) as enrichStream_entity_sourceIP_ASN
  select mmisp(ip) as enrichStream_entity_sourceIP_ISP
  select mmcountry(ip) as enrichStream_entity_sourceIP_country
  select ifthenelse(enrichStream_entity_sourceIP_country = "A1", true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
  select `lu/mispIndicator/category`(entity_sourceIP) as indicator
  select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
  select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
  select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
  select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
  select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
  select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
  select "Detection" as alertType
  select "Execution" as alertMitreTactics
  select "User Execution: Malicious File" as alertMitreTechniques
  select 4 as alertPriority
REvil Kaseya Domain Connection
Description: Detected a suspicious domain related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from domains.all
  where isnotnull(domain)
  group every 5m by domain every 5m
  select ip4(domain) as ip // Check domain is not an IP
  where isnull(ip)
  where not isnull(`lu/revilKaseya/type`(domain))
SecOps Query:
  from domains.all
  where isnotnull(domain)
  group every 5m by domain every 30m
  // Check domain is not an IP
  select ip4(domain) as ip
  where isnull(ip)
  select domain as entity_destinationHostname
  where not isnull(`lu/revilKaseya/type`(entity_destinationHostname))
  select `lu/SecOpsAssetRole/class`(entity_destinationHostname) as AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select `lu/mispIndicator/category`(entity_destinationHostname) as indicator
  select `lu/mispIndicator/type`(entity_destinationHostname) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_destinationHostname) as misp_indicator_event_id
  select "Detection" as alertType
  select "Command and Control" as alertMitreTactics
  select "Application Layer Protocol: Web Protocols" as alertMitreTechniques
  select 4 as alertPriority
REvil Kaseya Registry Key
Description: Detected creation of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent, related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from box.all.win
  where objName -> "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter"
     or objName -> "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Kaseya\\Agent"
  group every 5m by machineIp, srcHost every 5m
SecOps Query:
  from box.all.win
  where objName -> "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter"
     or objName -> "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Kaseya\\Agent"
  group every 5m by machineIp, srcHost every 15m
  select str(machineIp) as entity_sourceIP
  select srcHost as entity_sourceHostname
  select `lu/SecOpsAssetRole/class`(entity_sourceHostname) as entity_sourceHostname_AssetRole // Get asset role from SecOpsRole Lookup
  select `lu/SecOpsAssetRole/class`(entity_sourceIP) as entity_sourceIP_AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select `lu/mispIndicator/category`(entity_sourceIP) as indicator
  select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
  select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
  select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
  select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
  select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
  select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
  select "Detection" as alertType
  select "Execution" as alertMitreTactics
  select "User Execution: Malicious File" as alertMitreTechniques
  select 4 as alertPriority
REvil Kaseya WebShells
Description: Found an IP accessing a web resource related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from web.all.access
  group every 5m by srcIp, url every 5m
  select peek(url, re("[^/]+$"), 0) as resource
  where isnotnull(resource)
  select `lu/revilKaseya/type`(resource) as isrevilKaseya
  where isnotnull(isrevilKaseya)
SecOps Query:
  from web.all.access
  group every 5m by srcIp, url every 5m
  select str(srcIp) as entity_sourceIP
  select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select peek(url, re("[^/]+$"), 0) as resource
  where isnotnull(resource)
  select `lu/revilKaseya/type`(resource) as isrevilKaseya
  where isnotnull(isrevilKaseya)
  select mm2asn(srcIp) as enrichStream_entity_sourceIP_ASN
  select mmisp(srcIp) as enrichStream_entity_sourceIP_ISP
  select mmcountry(srcIp) as enrichStream_entity_sourceIP_country
  select ifthenelse(enrichStream_entity_sourceIP_country = "A1", true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
  select `lu/mispIndicator/category`(entity_sourceIP) as indicator
  select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
  select "Detection" as alertType
  select "Persistence" as alertMitreTactics
  select "Server Software Component: Web Shell" as alertMitreTechniques
  select 4 as alertPriority
REvil Kaseya WebShells Upload Conn
Description: Found an internal IP accessing a web resource related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from proxy.all.access
  group every 5m by srcIp, url, dstHost every 5m
  select peek(url, re("[^/]+$"), 0) as resource
  where isnotnull(resource)
  select `lu/revilKaseya/type`(resource) as isrevilKaseya
  where isnotnull(isrevilKaseya)
SecOps Query:
  from domains.all
  where isnotnull(domain)
  group every 5m by domain every 30m
  // Check domain is not an IP
  select ip4(domain) as ip
  where isnull(ip)
  select domain as entity_destinationHostname
  where not isnull(`lu/revilKaseya/type`(entity_destinationHostname))
  select `lu/SecOpsAssetRole/class`(entity_destinationHostname) as AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select `lu/mispIndicator/category`(entity_destinationHostname) as indicator
  select `lu/mispIndicator/type`(entity_destinationHostname) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_destinationHostname) as misp_indicator_event_id
  select "Detection" as alertType
  select "Command and Control" as alertMitreTactics
  select "Application Layer Protocol: Web Protocols" as alertMitreTechniques
  select 4 as alertPriority
REvil Kaseya Network Activity
Description: Detected a connection from an external IP to an internal host related to REvil Ransomware affecting Kaseya.
Summary: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query:
  from firewall.all.traffic
  where ispublic(srcIp)
  select `lu/revilKaseya/type`(str(srcIp)) as isrevilKaseya
  where isnotnull(isrevilKaseya)
  group every 5m by srcIp, dstIp, dstPort every 5m
SecOps Query:
  from firewall.all.traffic
  where ispublic(srcIp)
  select `lu/revilKaseya/type`(str(srcIp)) as isrevilKaseya
  where isnotnull(isrevilKaseya)
  group every 5m by srcIp, dstIp, dstPort every 5m
  select str(srcIp) as entity_sourceIP
  select str(dstIp) as entity_destinationIP
  select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
  //filtering_section
  select mm2asn(srcIp) as enrichStream_entity_sourceIP_ASN
  select mmisp(srcIp) as enrichStream_entity_sourceIP_ISP
  select mmcountry(srcIp) as enrichStream_entity_sourceIP_country
  select ifthenelse(enrichStream_entity_sourceIP_country = "A1", true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
  select `lu/mispIndicator/category`(entity_sourceIP) as indicator
  select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
  select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
  select `lu/SecOpsLocation/country`(entity_destinationIP) as enrichStream_entity_sourceIP_locationCountry
  select `lu/SecOpsLocation/city`(entity_destinationIP) as enrichStream_entity_sourceIP_locationCity
  select `lu/SecOpsLocation/state`(entity_destinationIP) as enrichStream_entity_sourceIP_locationState
  select `lu/SecOpsLocation/lat`(entity_destinationIP) as enrichStream_entity_sourceIP_locationLat
  select `lu/SecOpsLocation/lon`(entity_destinationIP) as enrichStream_entity_sourceIP_locationLon
  select "Detection" as alertType
  select "Initial Access" as alertMitreTactics
  select "External Remote Services" as alertMitreTechniques
  select 4 as alertPriority
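The matching logic shared by the hash, domain, registry-key and web-shell alerts above, re-expressed in Python so it can be run offline against sample events. This is an added example, not Devo code: REVIL_LOOKUP is a constructed stand-in for the revilKaseya lookup with placeholder values rather than real IoCs, and the event dictionaries mirror the table and field names used in the queries.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed stand-in for the revilKaseya lookup (placeholders, not real IoCs).
# Maps indicator -> type, like `lu/revilKaseya/type`(value), which is null on a miss.
REVIL_LOOKUP = {
    "a" * 64: "sha256",                 # placeholder hash
    "c2.example.invalid": "domain",     # placeholder domain
    "payload.example.bin": "filename",  # placeholder web resource
    "203.0.113.7": "ip",                # RFC 5737 documentation address
}
# The two registry paths named in the "REvil Kaseya Registry Key" alert.
REGISTRY_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent",
)

def lu_type(value):
    """Equivalent of `lu/revilKaseya/type`(value): indicator type or None."""
    return REVIL_LOOKUP.get(value)

def ip4(value):
    """Equivalent of ip4(): the address, or None when value is not an IPv4 literal."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return None

def resource_of(url):
    """Equivalent of peek(url, re("[^/]+$"), 0): the last path segment of the URL."""
    m = re.search(r"[^/]+$", url)
    return m.group(0) if m else None

def detect(events):
    """Apply the four rules with 'group every 5m'; returns {(rule, bucket, keys...): count}."""
    hits = defaultdict(int)
    for e in events:
        bucket = e["ts"] - e["ts"] % 300  # floor the epoch time to a 5-minute window
        if e["table"] == "edr.all.threats" and lu_type(e.get("sha256hash")):
            hits[("hash", bucket, e["ip"], e["sha256hash"])] += 1
        elif e["table"] == "domains.all" and ip4(e["domain"]) is None and lu_type(e["domain"]):
            hits[("domain", bucket, e["domain"])] += 1  # IP literals are skipped, as in the query
        elif e["table"] == "box.all.win" and any(k in e["objName"] for k in REGISTRY_KEYS):
            hits[("registry", bucket, e["machineIp"], e["srcHost"])] += 1  # '->' is 'contains'
        elif e["table"] in ("web.all.access", "proxy.all.access"):
            res = resource_of(e["url"])
            if res and lu_type(res):
                hits[("webshell", bucket, e["srcIp"], res)] += 1
    return dict(hits)
```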
Creating the alerts without SecOps
Devo customers not yet using SecOps can create custom alerts [10] by taking the following steps and using the available resources and queries included in this post.
- Go to Data Search in the navigation panel. Open the required data table or use “Free text query.”
- Query the data while applying the necessary operations and filters to identify the alert condition. Use the queries above (the Query row of each alert).
- Select New Alert Definition from the table toolbar. The New Alert Definition window will appear.
- Fill in the requested information in the New Alert Definition dialog window.
These are the mandatory fields to complete in this form:
Things to Keep an Eye On
Official incident overview and technical details from Kaseya:
DFIR IOCs repository:
Early Reddit thread containing some initial information about the threat:
AlienVault Pulse: