
WHAT PORT DOES THE KASEYA AGENT NEED OPEN UPDATE
The .crt file was deployed through a malicious update by exploiting Kaseya VSA servers, which then pushed this update out to the Kaseya VSA Agents running on managed devices. Once the malicious update reaches the devices, the Kaseya VSA Agents run a PowerShell command to decode the .crt file.

MsMpEng.exe and mpsvc.dll were both installed on the infected system by a dropper named Agent.exe. "Agent.exe" was initially dropped as a Base64-encoded file named "Agent.crt" in the path C:\kworking. The "Agent.exe" dropper contains two binaries, MsMpEng.exe and mpsvc.dll, embedded in its body (specifically in the resources section); when executed, it writes both files (with system privilege) into C:\Windows. Agent.exe then executes MsMpEng.exe, which eventually loads the malicious "mpsvc.dll". When MsMpEng.exe runs, it picks up the attacker's "mpsvc.dll" and calls an exported function from the malicious library named ServiceCrtMain(). This function unpacks the ransomware, loads it into memory and executes it.

The REvil group initially demanded $70 million USD for a universal decryptor for all affected victims but has since lowered the demand to $50 million.
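As an added detection example (not code from the original article), the following Python matches a feed of constructed process, file-write and image-load events against the three stages described above: the decode of agent.crt from C:\kworking, Agent.exe writing MsMpEng.exe and mpsvc.dll into C:\Windows, and MsMpEng.exe loading mpsvc.dll from C:\Windows. The event field names and sample paths are assumptions.

```python
import ntpath

# Stage names for the three-step chain described in the article.
STAGE_DECODE = "decode_agent_crt"
STAGE_DROP = "agent_exe_writes_to_windows"
STAGE_SIDELOAD = "msmpeng_loads_mpsvc_dll"
FULL_CHAIN = {STAGE_DECODE, STAGE_DROP, STAGE_SIDELOAD}

# Constructed sample events (not real telemetry). Field names are an assumption
# modelled on a process-creation / file-write / image-load feed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # placeholder for the decode command line; only the agent.crt path matters here
     "cmdline": r"powershell.exe -NoProfile -c <decode C:\kworking\agent.crt to C:\kworking\agent.exe>"},
    {"type": "filewrite", "image": r"C:\kworking\agent.exe", "target": r"C:\Windows\MsMpEng.exe"},
    {"type": "filewrite", "image": r"C:\kworking\agent.exe", "target": r"C:\Windows\mpsvc.dll"},
    {"type": "imageload", "image": r"C:\Windows\MsMpEng.exe", "loaded": r"C:\Windows\mpsvc.dll"},
    # Benign control (hypothetical install path): the genuine engine loading its own
    # DLL from its install folder must not match the sideload rule.
    {"type": "imageload", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "loaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
]

def _dir(path):
    return ntpath.dirname(path).lower()

def _base(path):
    return ntpath.basename(path).lower()

def match_event(ev):
    """Return the chain stage this single event matches, or None."""
    kind = ev["type"]
    if kind == "process" and r"\kworking\agent.crt" in ev["cmdline"].lower():
        return STAGE_DECODE
    if (kind == "filewrite"
            and _base(ev["image"]) == "agent.exe" and _dir(ev["image"]) == r"c:\kworking"
            and _dir(ev["target"]) == r"c:\windows"
            and _base(ev["target"]) in {"msmpeng.exe", "mpsvc.dll"}):
        return STAGE_DROP
    if (kind == "imageload" and _base(ev["image"]) == "msmpeng.exe"
            and _base(ev["loaded"]) == "mpsvc.dll" and _dir(ev["loaded"]) == r"c:\windows"):
        return STAGE_SIDELOAD
    return None

def detect_chain(events):
    """Return (hits, full_chain): hits is [(event_index, stage)]; full_chain is True
    only when all three stages were observed, i.e. the complete sequence above."""
    hits = []
    for i, ev in enumerate(events):
        stage = match_event(ev)
        if stage:
            hits.append((i, stage))
    return hits, FULL_CHAIN <= {s for _, s in hits}
```

A single stage on its own (for example an agent.crt decode) is worth triage; all three together are a strong signal of the chain above.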
WHAT PORT DOES THE KASEYA AGENT NEED OPEN PATCH
This vulnerability has been issued CVE-2021-30116 and was discovered and reported to Kaseya by a researcher for the Dutch Institute for Vulnerability Disclosure (DIVD). According to the DIVD, Kaseya was actively working on a patch, but it was not finalized before REvil discovered and exploited the issue. A patch has not been released, and Kaseya is recommending that customers with on-premises VSA Servers take them offline until a patch is issued. At this point, it is still not clear what the actual issue is or how the exploit may work, although initial reports suggest a potential authentication bypass.

On July 2nd, a massive ransomware attack was launched against roughly 60 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya. It was initially thought that Kaseya itself might have been compromised as the root cause, similar to the compromises associated with SolarWinds software in December of 2020. Instead, the attackers found and leveraged an unpatched zero-day vulnerability in Kaseya's VSA software. At the time of this blog, 1,500 downstream customers of these MSPs have been infected with ransomware.
