Categories
Security

Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden variety ransomware assault. Those days appear to be behind us now.

Once again striking the now-endangered supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. Where SolarWinds had only recently gained infamy as the country’s largest supply chain attack, Kaseya is eerily reminiscent—and likely not to be the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its VSA service.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attack on VSA customers was delivered through an automatic, malicious update of the platform, which pushed the REvil ransomware variant, also known as Sodinokibi.

In order to access the VSA platform and the MSPs using it, cybercriminals first had to breach Kaseya itself. They did so by exploiting a known vulnerability in Kaseya software that the company was actively working to correct. Kaseya had thankfully already rolled out patches to its SaaS VSA clients. But before on-premise customers could receive their fix, threat actors made their move.

During the attack, cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender. If clients didn’t take their VSA servers offline, they were served the malicious update. And if they didn’t have another security vendor layered on top of Defender, they were treated with a ransom note and all of their files were encrypted. Customers of Malwarebytes were shielded from this attack — and, with features such as tamper protection and uninstall protection enabled, any future such attacks.

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered opportunistic carrion fish had launched a malspam campaign to exploit companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped the Cobalt Strike RAT.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement have trained their eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must identify and ensure all known vulnerabilities for software products used in their organization are patched as soon as possible, and vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers — as well as implementing multiple layers of security — is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payments aren’t substantial enough to subvert dealings on the gray or black market. This $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement. 360-degree security up and down the supply chain, branching out to fourth- and fifth-tier parties. Smart and secure development of Internet-connected software, as well as layers of security to stop breakthrough breaches. And a collective awareness by all that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

Categories
Security

RegretLocker ransomware encrypts virtual machines

Ransomware, ransomware, ransomware. At this point, the other malware families might be feeling some Jan Brady-level jealousy toward their flashier, more advanced brother. Ransomware is getting all the attention right now — for good reason.

Ransomware attacks have been ramping up in volume and in sophistication over the last year. Corporate targets have had to steel themselves against stealthy spear phishing campaigns, exposed RDP ports, zero-day exploits, and more. Now they have to worry about their virtual machines.

Using a combination of advanced attack techniques, a new ransomware family discovered in October called RegretLocker is able to encrypt virtual hard drives and close any files open by users for encryption. Why does this matter? RegretLocker is able to execute much more quickly than previous ransomware families and evade detection.

RegretLocker takes ransomware to the next level

RegretLocker ransomware appears fairly simple on the surface. It is accompanied by a short and sweet ransom note (as opposed to a long-winded soliloquy that has become common among ransomware threat actors). It uses email instead of Tor to accept ransom payments. When encrypting files, it applies a harmless-sounding .mouse extension.

But that’s where the simplicity ends. Instead of encrypting large files en masse, which can take a long time, RegretLocker mounts a virtual disk file so that each file may be encrypted individually, speeding up the process. In addition, RegretLocker uses the Windows Restart Manager API to terminate processes on Windows that can keep a file open during encryption, preventing users from salvaging open files.

RegretLocker follows in the footsteps of another ransomware family known as Ragnar Locker, which was first discovered in October 2019. Ragnar Locker deploys virtual machines to victim systems and launches the ransomware from inside. This gives the ransomware access to files on the local disk without being detected by security software deployed on the host system. In September 2020, Maze ransomware authors added Ragnar Locker’s virtual machine tactic to their bag of tricks.

The use of virtual machines by these ransomware families is not for the faint of heart — it’s complex, messy, and requires prior knowledge about the hardware and capabilities of its target networks, including whether or not the services had already been disabled. However, for threat actors looking to select and encrypt specific files quickly, or for those who’ve compromised a system but are looking to crack particularly difficult files, these methods represent the next evolution in a long chain of dangerous developments in ransomware.

What’s more, there are not many ways to protect against these types of ransomware attacks outside of preventing them from happening in the first place. (Though Malwarebytes’ Anti-Ransomware technology blocks RegretLocker from launching.)

What we can take away from these latest developments in ransomware is that cybercriminals have been busy doing what they do best: developing new tricks and workarounds that had previously prevented their malware from being as dangerous as it could be. The best defense, as it has always been, is awareness and proactive protection.

To learn more about RegretLocker ransomware, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/regretlocker-new-ransomware-can-encrypt-windows-virtual-hard-disks/

And here is Bleeping Computer’s take on RegretLocker: https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

For information on Ragnar Locker’s attack on gaming company Capcom: https://threatpost.com/gaming-giant-capcom-ragnar-locker-ransomware/160996/

Categories
Security

Mysterious case of the executable hijack

I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he did not click on any odd links or downloaded anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.

Memory Processes Infected:
c:UsersPaulAppDataLocalojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.

I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The result had shocked me. I was told that this was an executable hijack that is used with FakeAlert, a Trojan we see almost daily in our research center.

What exactly does that mean? Well, when the infection is able to penetrate your computer, it hijacks all executables to run the malicious file instead of their intended targets. For example, you try to open Skype and the malicious file starts instead.

It does this in two ways. First, it modifies each shortcut itself to point to the malware. Secondly, it modifies the .exe shell in the registry so that once again instead of starting the correct executable, it starts the malicious file.

Luckily, Malwarebytes Anti-Malware was able to patch Paul up, but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!