Skip to content
Security Operations

Detection and Investigation Using Devo: REvil Ransomware Kaseya VSA

by Fran Gomez, Security Engineer, and the Devo SecOps Team

July 8, 2021

[wtr-time]

Detection and Investigation Using Devo: REvil Ransomware Kaseya VSA

Incident and Threat Details

On July 3, 2021, Kaseya reported1 a potential attack against its Virtual System/Server Administrator (VSA) that apparently had been limited to a small number of on-premises customers. Kaseya recommended an immediate shutdown of the VSA server until further notice.

The small number of affected customers grew to thousands in just a few hours.

Map from We Live Security2

Like the SolarWinds incident, this latest attack uses a two-step malware delivery process to slide through the back door of tech environments. 

Kaseya received reports from customers and others suggesting unusual behavior occurring on endpoints managed by the Kaseya VSA on-premises product.  Customer reports indicated that ransomware was being executed on endpoints. On July 5th, Kaseya confirmed that REvil ransomware was the threat involved. Thus far, fewer than 1,500 downstream businesses have been affected.

1 https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

2 https://www.welivesecurity.com/2021/07/03/kaseya-supply-chain-attack-what-we-know-so-far/


Impact

DIVD3 CSIRT4 performed a mass scan for online exposed Kaseya VSA instances. Kaseya turned off its SaaS services and advised all on-premises customers to turn off Kaseya VSA because it was being used to spread ransomware to various MSPs.

Mass5 scan for online exposed Kaseya VSA

The attack vector has not been disclosed but some reports point to a “zero-day.” Although Kaseya says the attack only affected “on-premises” customers — organizations running Kaseya in their own data centers, as opposed to using Kaseya’s cloud-based services that run software for customers — it also shut down those servers as a precaution.

3 https://www.divd.nl/

4 https://csirt.divd.nl/

5 https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/


Threat Details and Mitigation

Kaseya, which on Friday, July 2nd called on customers to shut down their VSA servers immediately, said on Sunday, July 4th it hoped to have a patch in the next few days.

The  FBI and the Cloud Security Alliance (CSA) have issued guidance, including6:

  • If you feel you are compromised, contact the FBI (or the appropriate authority for users outside of the United States) immediately.
  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.    
  • Enable and enforce multifactor authentication (MFA) on every single account that is under the control of the organization, and — to the maximum extent possible — enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

6 https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa


Indicators of Compromise and Detection

Multilookup

Devo creates and maintains a lookup available to all domains. It contains all IOCs collected from multiple sources. revilKaseya contains hashes, IP addresses and filenames.

Multilookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and others store security information from MISP services. This information is periodically updated in different ways.

You can use the lookup in your queries including the following LINQ statement:

Or you can use the graphical interface, Loxcope, for lookup in case you’re not familiar with the LINQ language.


Further details about how to use a lookup are in Devo documentation7.


Log Sources

The Devo Platform uses union tables8 to facilitate customer access to data. Common union tables are those that are available in all domains and collect information for monitoring purposes. There are several technologies for which, regardless of brand, the log events contain very similar, or identical fields. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources.

7 https://docs.devo.com/confluence/ndt/v7.3.0/searching-data/working-in-the-search-window/data-enrichment/add-lookup-values-to-your-query

8 https://docs.devo.com/confluence/ndt/latest/parsers-and-collectors/special-devo-tags-and-data-tables/union-tables


Alerts and Queries

Devo released, through SecOps Content Manager, alerts to cover all known IOCs across different log sources.

These alerts are available in SecOps Content Manager for all customers who run this application on the Devo Platform. More details about SecOps are available in our documentation9.

SecOps users can go to Content Manager and install the new alerts. 

Just click on the Content Manager icon  and select the alerts you want to install in the Alerts Configurator section.

9 https://docs.devo.com/confluence/ndt/latest/applications/devo-security-operations


REvil Kaseya Hash Found

Description Detected suspicious hash related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from edr.all.threats
where isnotnull(sha256hash)
select `lu/revilKaseya/type`(sha256hash) as isrevilKaseya
where isnotnull(isrevilKaseya)
group every 5m by ip, sha256hash, mac, filename, host, threat, isrevilKaseya
where isnotnull(ip)
SecOps Query from edr.all.threats
where isnotnull(sha256hash)
select `lu/revilKaseya/type`(sha256hash) as isrevilKaseya
where isnotnull(isrevilKaseya)
group every 5m by ip, sha256hash, mac, filename, host, threat, isrevilKaseya
where isnotnull(ip)
select str(ip) as entity_sourceIP
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select mm2asn(ip) as enrichStream_entity_sourceIP_ASN
select mmisp(ip) as enrichStream_entity_sourceIP_ISP
select mmcountry(ip) as enrichStream_entity_sourceIP_country
select ifthenelse(enrichStream_entity_sourceIP_country = “A1”, true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
select `lu/mispIndicator/category`(entity_sourceIP) as indicator
select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
select “Detection” as alertType
select “Execution” as alertMitreTactics
select “User Execution: Malicious File” as alertMitreTechniques
select 4 as alertPriority

REvil Kaseya Domain Connection

Description Detected a suspicious domain related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from domains.all
where isnotnull(domain)
group every 5m by domain
every 5m
select ip4(domain) as ip // Check domain is not an IP
where isnull(ip)
where not isnull(`lu/revilKaseya/type`(domain))
SecOps Query from domains.all
where isnotnull(domain)
group every 5m by domain
every 30m
// Check domain is not an IP
select ip4(domain) as ip
where isnull(ip)
select domain as entity_destinationHostname
where not isnull(`lu/revilKaseya/type`(entity_destinationHostname))
select `lu/SecOpsAssetRole/class`(entity_destinationHostname) as AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select `lu/mispIndicator/category`(entity_destinationHostname) as indicator
select `lu/mispIndicator/type`(entity_destinationHostname) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_destinationHostname) as misp_indicator_event_id
select “Detection” as alertType
select “Command and Control” as alertMitreTactics
select “Application Layer Protocol: Web Protocols” as alertMitreTechniques
select 4 as alertPriority

REvil Kaseya Registry Key

Description Detected registry key created HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from box.all.win
where objName -> “HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter”
or objName -> “HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Kaseya\\Agent”
group every 5m by machineIp, srcHost
every 5m
SecOps Query from box.all.win
where objName -> “HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter”
or objName -> “HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Kaseya\\Agent”
group every 5m by machineIp, srcHost
every 15m
select str(machineIp) as entity_sourceIP
select srcHost as entity_sourceHostname
select `lu/SecOpsAssetRole/class`(entity_sourceHostname) as entity_sourceHostname_AssetRole // Get asset role from SecOpsRole Lookup
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as entity_sourceIP_AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select `lu/mispIndicator/category`(entity_sourceIP) as indicator
select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
select “Detection” as alertType
select “Execution” as alertMitreTactics
select “User Execution: Malicious File” as alertMitreTechniques
select 4 as alertPriority

REvil Kaseya WebShells

Description Found the IP accessing a web resource related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from web.all.access
group every 5m by srcIp, url
every 5m
select peek(url, re(“[^/]+$”), 0) as resource
where isnotnull(resource)
select `lu/revilKaseya/type`(resource) as isrevilKaseya
where isnotnull(isrevilKaseya
SecOps Query from web.all.access
group every 5m by srcIp, url
every 5m
select str(srcIp) as entity_sourceIP
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select peek(url, re(“[^/]+$”), 0) as resource
where isnotnull(resource)
select `lu/revilKaseya/type`(resource) as isrevilKaseya
where isnotnull(isrevilKaseya)
select mm2asn(srcIp) as enrichStream_entity_sourceIP_ASN
select mmisp(srcIp) as enrichStream_entity_sourceIP_ISP
select mmcountry(srcIp) as enrichStream_entity_sourceIP_country
select ifthenelse(enrichStream_entity_sourceIP_country = “A1”, true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
select `lu/mispIndicator/category`(entity_sourceIP) as indicator
select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
select “Detection” as alertType
select “Persistence” as alertMitreTactics
select “Server Software Component: Web Shell” as alertMitreTechniques
select 4 as alertPriority

REvil Kaseya WebShells Upload Conn

Description Found internal IP accessing a web resource related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from proxy.all.access
group every 5m by srcIp, url, dstHost
every 5m
select peek(url, re(“[^/]+$”), 0) as resource
where isnotnull(resource)
select `lu/revilKaseya/type`(resource) as isrevilKaseya
where isnotnull(isrevilKaseya)
SecOps Query from domains.all
where isnotnull(domain)
group every 5m by domain
every 30m
// Check domain is not an IP
select ip4(domain) as ip
where isnull(ip)
select domain as entity_destinationHostname
where not isnull(`lu/revilKaseya/type`(entity_destinationHostname))
select `lu/SecOpsAssetRole/class`(entity_destinationHostname) as AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select `lu/mispIndicator/category`(entity_destinationHostname) as indicator
select `lu/mispIndicator/type`(entity_destinationHostname) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_destinationHostname) as misp_indicator_event_id
select “Detection” as alertType
select “Command and Control” as alertMitreTactics
select “Application Layer Protocol: Web Protocols” as alertMitreTechniques
select 4 as alertPriority

REvil Kaseya Network Activity

Description Detected connection from external IP to internal related to REvil Ransomware affecting Kaseya.
Summary The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.
Query from firewall.all.traffic
where ispublic(srcIp)
select `lu/revilKaseya/type`(str(srcIp)) as isrevilKaseya
where isnotnull(isrevilKaseya)
group every 5m by srcIp, dstIp, dstPort
every 5m
SecOps Query from firewall.all.traffic
where ispublic(srcIp)
select `lu/revilKaseya/type`(str(srcIp)) as isrevilKaseya
where isnotnull(isrevilKaseya)
group every 5m by srcIp, dstIp, dstPort
every 5m
select str(srcIp) as entity_sourceIP
select str(dstIp) as entity_destinationIP
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
//filtering_section
select mm2asn(srcIp) as enrichStream_entity_sourceIP_ASN
select mmisp(srcIp) as enrichStream_entity_sourceIP_ISP
select mmcountry(srcIp) as enrichStream_entity_sourceIP_country
select ifthenelse(enrichStream_entity_sourceIP_country = “A1”, true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
select `lu/mispIndicator/category`(entity_sourceIP) as indicator
select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
select `lu/SecOpsLocation/country`(entity_destinationIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_destinationIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_destinationIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_destinationIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_destinationIP) as enrichStream_entity_sourceIP_locationLon
select “Detection” as alertType
select “Initial Access” as alertMitreTactics
select “External Remote Services” as alertMitreTechniques
select 4 as alertPriority

Creating the alerts without SecOps

Devo customers not yet using SecOps can create custom alerts10 by taking the following steps and using the available resources and queries included in this post.

  1. Go to Data Search in the navigation panel. Open the required data table or use “Free text query.”
  2. Query the data while applying the necessary operations and filters to identify the alert condition. Use the queries above (Query Row).
  3. Select New Alert Definition from the table toolbar. The New Alert Definition window will appear. 
  4. Fill in the requested information in the New Alert Definition dialog window.

 

These are the mandatory fields to complete in this form:


Things to Keep an Eye On

Official incident overview and technical details from Kaseya:

DFIR IOCs repository:

Early Reddit thread containing some initial information about the threat:

AlienVault Pulse:

More Data. More Clarity. More Confidence.