Details of the REvil Ransomware Attack

ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details:

This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s network. After writing a base-64-encoded payload to a file named agent.crt the dropper executed it.

[…]

The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.” By digitally signing their malware, attackers are able to suppress many security warnings that would otherwise appear when it’s being installed. Cybereason said that the certificate appears to have been used exclusively by REvil malware that was deployed during this attack.

To add stealth, the attackers used a technique called DLL Side-Loading, which places a spoofed malicious DLL file in the Windows WinSxS directory so that the operating system loads the spoof instead of the legitimate file. In the case here, Agent.exe drops an outdated version of “msmpeng.exe,” the Windows Defender executable, that is vulnerable to DLL Side-Loading.

Once executed, the malware changes the firewall settings to allow local Windows systems to be discovered. Then, it starts to encrypt the files on the system….

REvil is demanding $70 million for a universal decryptor that will recover the data from the 1,500 affected Kaseya customers.

More news.

Note that this is yet another supply-chain attack. Instead of infecting those 1,500 networks directly, REvil infected a single managed service provider. And it leveraged a zero-day vulnerability in that provider.
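The side-loading and firewall changes quoted above are also the two things a defender can most easily look for on an endpoint. The PowerShell below is an added example written for this post, not code from Ars Technica, Cybereason, Kaseya or the blog; it assumes that the legitimate Defender engine lives only under the two standard platform directories named in the script (an assumption, not something the story states), and it treats any other copy of msmpeng.exe, any module loaded by such a copy from outside those directories, and an enabled “Network Discovery” firewall rule group (my reading of “allow local Windows systems to be discovered”) as findings for an analyst to review rather than as proof of compromise.

```powershell
# Added example, not part of the original post. Run from an elevated session.
# Assumption: the real Windows Defender engine (MsMpEng.exe) is installed only
# under these two roots. A copy anywhere else matches the dropper behaviour
# described in the Ars Technica story.
$ExpectedRoots = @(
    "$env:ProgramData\Microsoft\Windows Defender\Platform",
    "$env:ProgramFiles\Windows Defender"
)

function Test-InExpectedRoot {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $ExpectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerSummary {
    # Authenticode status plus the subject of the signing certificate.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    "{0} / {1}" -f $sig.Status, $sig.SignerCertificate.Subject
}

function Find-SuspiciousDefenderProcesses {
    # Every running MsMpEng.exe: where it lives, who signed it, and which loaded
    # modules come from outside the Windows and Defender directories. The genuine
    # engine runs as a protected process, so module enumeration normally fails for
    # it; a copy that *allows* enumeration is itself a signal worth noting.
    Get-Process -Name MsMpEng -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $exe  = $proc.Path
        [pscustomobject]@{
            Pid            = $proc.Id
            Path           = $exe
            InExpectedRoot = Test-InExpectedRoot $exe
            Signature      = if ($exe) { Get-SignerSummary $exe } else { 'path not readable (protected process)' }
        }
        try {
            $proc.Modules |
                Where-Object {
                    $_.FileName -and
                    -not ($_.FileName -like "$env:SystemRoot\*") -and
                    -not (Test-InExpectedRoot $_.FileName)
                } |
                ForEach-Object {
                    # A side-loaded DLL sits beside the copied executable, not under System32.
                    "  module outside system/Defender dirs: {0} ({1})" -f $_.FileName, (Get-SignerSummary $_.FileName)
                }
        } catch {
            "  module enumeration denied for PID {0} (expected for the real, protected engine)" -f $proc.Id
        }
    }
}

function Find-StrayDefenderBinaries {
    # Copies of msmpeng.exe on disk outside the expected roots. A full-volume
    # recursion is slow; narrow -Path to known staging directories if needed.
    Get-ChildItem -Path "$env:SystemDrive\" -Filter msmpeng.exe -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InExpectedRoot $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } },
            @{ n = 'Signature';   e = { Get-SignerSummary $_.FullName } }
}

function Find-EnabledNetworkDiscoveryRules {
    # Enabled "Network Discovery" rules on a host that should not be discoverable.
    Get-NetFirewallRule -DisplayGroup 'Network Discovery' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Direction, Profile, Enabled
}

'== MsMpEng.exe processes ==';            Find-SuspiciousDefenderProcesses
'== msmpeng.exe copies outside roots =='; Find-StrayDefenderBinaries
'== enabled Network Discovery rules ==';  Find-EnabledNetworkDiscoveryRules
```

The signature check alone is not decisive here: the story says the dropper was itself signed with a trusted certificate and that the side-loaded engine is a genuine but outdated Microsoft binary, so a valid Microsoft signature on a msmpeng.exe found in the wrong directory is exactly the pattern to escalate, not a reason to dismiss it.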

EDITED TO ADD (7/13): Employees warned Kaseya’s management for years about critical security flaws, but they were ignored.

Posted on July 8, 2021 at 10:06 AM

Comments

Tatütata July 8, 2021 10:56 AM

The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.”

Gurgling this unusual and specific company name and plugging the result in the federal Canadian business registry (CBCA: Canada Business Corporations Act / Loi canadienne sur les sociétés par actions) yields the following result:

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=11747649

The corporation formed in 2019 is domiciled at a residential address in Brampton Ontario.

The idea of Microsoft issuing a signing certificate to a small business apparently unrelated to software development, said certificate providing access to the inner sanctum is disturbing. Identity theft?

Gavin Belson July 8, 2021 12:58 PM

@Tatutata

Thank you!

That Brampton residential address is 4km away from Microsoft’s Canada HQ. Also noticed:

  1. That address is very upscale
  2. That registrant name is associated with a lot of complaints about malware
  3. The person associated with the registrant is connected to people at Concentrix. Concentrix is now known as Sunnex and is also implicated in this attack
  4. The person associated with the registrant, everyone looking at his profile is affiliated with technology. Although he claims to be a college graduate stone cutter. Stone cutter is used in Minecraft.

Meanwhile the media and members of Congress are calling for war against Russia. Last week Microsoft found malware installed in their customer service department. Microsoft also signed rootkit malware.

When attacks of this nature occur the first thing to do is to investigate themselves. Are insiders responsible and are they still inside?

Clive Robinson July 8, 2021 2:49 PM

@ Bruce, ALL,

Instead of infecting those 1,500 networks directly, REvil infected a single managed service provider.

Well “why not?”…

Look at the upside: as the attacker you have only one target to focus your attentions on. You are thus very much less likely to make OpSec mistakes than if you race to do 1500 different sites.

Oh 70 million might sound a lot but over 1500 entities that’s “chicken feed” for most of them. It’s not even 50K/entity.

Thus if the attackers do things right it’s only one set of “fees” to pick up and deal with. Thus keeping their exposed surface small.

It’s the sort of “economies of scale” you would expect from people who have thought things through just a little.

So I’d expect to see more of it…

Oh do people now understand why more than a decade ago both @NickP and myself had a real downer on “code signing”?

From my point of view the ICTsec industry has in effect lost a decade when it could have been coming up with way better solutions than “code signing”. What’s the betting that what comes next is going to be almost as bad if not worse, and just bodged/kludged together to become yet another “legacy nightmare”?

Clive Robinson July 8, 2021 3:19 PM

@ Gavin Belson, ALL,

When attacks of this nature occur the first [thing] to do is investigate themselves. Are insiders responsible and are they still inside?

Part of that is trying to find the real culprits if it is an insider. Anyone with half a brain would be aware of what Ed Snowden did to cover his tracks, only he put his hand up to it when he realised what was going to happen to those he had effectively framed.

An insider may not put their hand up to it for a variety of reasons…

Then come the hard questions for management about an insider:

1. How did they get there?
2. What else have they done?
3. Can you actually get rid of them?
4. Can you actually take legal action against them?

If some of the more far out rumours are true, that “people have been placed” by US Gov entities, then the answers are fairly moot.

Even if not placed, “insiders” do not have to be “in jurisdiction”. Anyone remember OPM, where some suspected were in effect “insiders” via a contractor but held Chinese citizenship?

Then there is all that “outsourcing” to Indian “zero hours contractors” working through US companies. Anyone checked Indian legislation? So such “remote insiders” may not have done anything illegal and can not be pursued, or leverage applied to them…

As the old joke has it,

“Sometimes when you pay for what you get, you really pay for what you get”.

The neo-con mantras about “not leaving money on the table” sound a bit hollow when someone turns up with a truck to your bank and empties out all your accounts into the back and drives south of the border or equivalent.

Shocked July 8, 2021 4:58 PM

This article may be interesting, but that ARS is an A$$HOLE media company. They and their “partners” track readers ruthlessly up to precise geolocation point.

I’m deeply shocked here that Bruce Schneier suggests articles of this company that violates so massively the readers’ rights. So much for the “privacy advocate”, heh?

Roger Myers July 8, 2021 5:15 PM

Very interesting that the company is ‘based’ in Brampton. Kaseya development is controlled by people of the same sort who have now colonized Brampton. Seems very likely that this was an insider attack.

SpaceLifeForm July 8, 2021 6:10 PM

Every deliverable (source or binary) needs its own signing key. So, the signing key can be revoked on the old deliverable that has been found to be exploitable. When a new version comes out, it must have a new signing key.

jones July 8, 2021 6:20 PM

Obviously the solution is to put more microchips in everything…

Diminishing returns will be taboo another 20 years until it becomes a new type of technological lockdown fascism mythology

No Name July 8, 2021 8:19 PM

What does the “PB03 Transport” mean.

PB03 refers to the Indian city Bathinda in Punjab which is halfway between Lahore, Pakistan and New Delhi.

“PB-03 is the RTO Code for Bathinda city in Punjab. The RTO of Bathinda comes under the Punjab State Vehicles Department. Established under the provisions of section 213(1) of the Motor Vehicles Act, 1988 Bathinda RTO is responsible for vehicles and drivers record management and collection of road tax etc.”

ht tps://www.getatoz.com/content/rto/code/pb-03/punjab

Bathinda also is due south of a border that China is amassing troops on. 50,000
ht tps://www.wsws.org/en/articles/2021/07/07/indi-j07.html

echo July 8, 2021 8:37 PM

Another post went walkies. I stand by my facetious yet hauntingly accurate comment. I don’t expect an industry which heaps woo woo on top of woo woo and derives status and attention from this to like it.

No Name July 8, 2021 8:58 PM

While the US Gov and Cybersecurity sector is solely focused on Russia, China is sneaking in the back door.

This hack may just be a purposeful diversion. No data was accessed or purloined.

China is aligned with Pakistan. They are interested in disrupting India’s tech sector. They see India as competition. China doesn’t let anyone make money but them. Ask Wall St how that Didi IPO went last week.

ht tps://www.business-standard.com/article/current-affairs/china-indulging-in-unrestricted-warfare-against-india-says-report-121070700289_1.html

The West’s lack of geopolitical or cultural knowledge in Asia has historically been our undoing. The Middle East and Afghanistan is Asia too. The US Military just left Afghanistan and gifted the Taliban. Afghanistan is only 670 miles to Lahore. Bathinda is only 96 miles from Lahore and about 190 to Delhi.

Something is going on that’s for certain. But no one is focused where it should be. No BS response or burying this in a fake hash discussion.

The Art of War “The whole secret lies in confusing the enemy, so that he cannot fathom our real intent”.

Tatütata July 9, 2021 8:19 AM

When I posted the info on the alleged certificate registrant, I wasn’t implying that the entity identified was the actual applicant. I was more dubious about the auditing process, as a cursory check like mine suggests that further vetting is warranted before handing over the keys to the castle, thus my reference to “identity theft”.

Yet other commenters appear to take the connection for granted, one of them in clearly racist overtones.

No Name July 9, 2021 9:43 AM

@Tatutata

If we refer to any discussion of nationality as racist we will never find out what’s going on here. If you search for information about Brampton the first thing that comes up is its nickname. Its nickname(s) are used and were developed by its inhabitants. It’s also right on the US border near Buffalo.

We should focus on fact:

  1. The Cybersecurity companies are incentivized to make this appear ‘different’ than it is. It’s driving a lot of business to them.
  2. No data was accessed, stolen or encrypted. Kaseya’s website never went down.
  3. The only company that has admitted publicly to an outage, also claims to not being a Kaseya customer.
  4. ALL of the high profile attacks since last year involve Microsoft products being compromised.
  5. Microsoft is repeatedly experiencing internal attacks, such as with customer service last week, signing malware, their core code accessed and releasing vulnerability information to partners before a patch is deployed. Also their released patches repeatedly aren’t working. Earlier this year and now it’s to do with printers.
  6. FireEye’s red team tools were stolen and we still have no idea when that happened, whether it was insiders or what country that occurred in.
  7. The Cybersecurity companies have been pushing ‘monitoring’ as a solution for decades now. But it doesn’t work against these attacks. The solutions include implementing controls and rearchitecting networks, killing federation, reducing data’s footprint, no more reliance on a SPOC vendor, deleting data and moving it offline. But most important is that outsourcing data is just too dangerous for the critical infrastructure and it’s already illegal (numerous laws) but the US isn’t upholding our laws.

I cannot pretend to know what’s going on in India. But Bathinda may be a hot spot. Also historically too. It was founded by the Jats who have an interesting history. There’s Military bases there too. I think it fair to say that Modi has his hands full. So even if there’s a rebellion (sabotage) going on within the tech sector, I doubt he could do anything about it. This has happened before, a lot. Internal IP theft and sabotage is very common, especially in the USA’s largest companies.

The US Government has never done anything to prevent or stop a cyber attack so no one should look to them as a solution. They need to uphold our existing laws. That will stop attacks. But so far there’s no willingness.

Modi normally smiles a lot. I don’t expect him to be happy given all that his country is going through. But his facial expressions and speeches at the G7 were very insightful. He’s not just dealing with a killer mutation. He knows that without help it will keep happening. https://www.thehindu.com/news/national/india-a-natural-ally-of-g7-narendra-modi/article34805604.ece

And just like that globalism is over. I think Modi knows that. What’s the difference between Imperialism and Globalism? Nothing. At the end there’s always a loser.

A few months ago the US Congress passed a law outlawing Asian hate speech. It didn’t specify certain Asian countries. But it’s a ridiculous law because even members of Congress constantly violate it calling for war against Russia and the destruction of Israel. Meanwhile both countries are Asian too. So Tatutata we need to stop cancel culture and have a rational discussion. To be successful in Cybersecurity it requires the ability to have situational awareness.

I stopped voting a decade ago realizing that I couldn’t do my job if I had any political bias. Whenever you see a politicized Cybersecurity professional, that’s your first clue they aren’t capable of doing their job. Because they cannot see beyond their own prejudice. I think Echo referred to it as woo woo earlier.

No Name July 9, 2021 10:08 AM

I meant to say no more SPOF vendors. Not spoc. SPOF is single point of failure. Don’t single source your critical systems.

Fake July 9, 2021 2:05 PM

So hey, there’s a mechanic in town loosening bolts on people’s manifolds during oil changes.

That’s politics huh?

I wonder what his reasoning is…

Cry me a river of blood I’m here to figure out how to stop reverse engineering and theft of coffee.

None of the reasons that bring the cult of glue sniffing copy and paste eaters.

No Name July 9, 2021 2:45 PM

@Fake

Bandaids don’t work in technology. Identifying root cause is required to fix anything. And the truth is, most present day cyber solutions increase risk.

How many scanning tools are out there? How many of them are malware in disguise or just so poorly designed or staffed that they cannot be called anything but malware?

At least one media outlet noticed this today.

https://www.barrons.com/articles/software-as-a-disservice-security-shortcuts-are-exposing-computers-to-hackers-51625844951

If Microsoft’s challenges are rooted in geopolitical conflict, the private sector needs to be aware of it. Because in that awareness is part of the solution.

We need a FDA for software and technology service providers. The government needs to assess tech, rate whether fit for purpose, monitor them and then they can protect users when needed.

There’s no other way to do this.

Clive Robinson July 9, 2021 4:27 PM

@ No Name, Fake, ALL,

Bandaids don’t work in technology. Identifying root cause is required to fix anything. And the truth is, most present day cyber solutions increase risk.

It’s not just software, but it’s harder to hide in other technology and fields of endeavour with physical product and more sensible legal rights of redress (consumer liability law etc).

In part it’s the lack of legal pushback that has enabled the sloppy thinking and behaviours, as why do better if nobody is going to make you do so?

The software industry is in no way a “free market” but a “winner takes all monopoly”, which Silicon Valley Corps have divided up into vertical segment monopolies so at worst it looks like cartels to the legislators and legal brethren.

It’s long overdue proper legislation, I think most will agree on that. However where there will be no agreement, and the Corps will make sure of that yet again, is in what the “proper legislation” should be…

Simply breaking Corps up into non-competing entities will not work, we know this from the past; likewise large fines don’t work, especially as they can be made tax deductible.

For various reasons, mostly political, we’ve allowed these monsters not just to grow beyond sensible limits, we’ve allowed them to put their assets etc beyond legal reach.

Thus the question of what to do is likely to be a vexed one, as frequently if legislators can not go after the suppliers they will go after the customers instead with ineffective punitive taxation, the benefit of which does not get used to fix the problem, only to encourage greater money raising in the future.

Frank Wilhoit July 9, 2021 6:28 PM

“…the REvil affiliates first gained access to targeted environments…” (emphasis mine)

If that means what it says in plain English, then that was the essential step and the rest is noise.

?

No Name July 9, 2021 7:47 PM

@Clive

NIST is working on it. Biden’s Cybersecurity Executive Order (law) a few months ago addresses defining Cyber and cloud software attributes. NIST has made a lot of progress. These efforts will impact the private sector.

The US Gov is the world’s biggest whale. Which in sales means that it is the biggest customer for vendors. There’s also existing laws which require the private sector abide by Federal procurement laws even if you aren’t a vendor. The impact of this will be widespread. It will also impact financing of start ups. Because if they cannot qualify to sell to the gov, there’s no reason to fund them if they are a B2B vendor. But it will also force existing funding vehicles to examine the viability of their investments. No more vaporware possible.

You can search for the EO. It is very impactful. There’s a lot of near term deliverables forecasted.

If you read it, search for “Enhancing software supply chain security”. It might be restricted to foreign or VPN traffic. Which is why I won’t link it.

I am hopeful. I am very interested to see how they qualify zero trust architecture. It’s a very ambitious effort.

FWIW July 11, 2021 3:32 PM

A “PB03 Transport LLC” was also registered in Yuba City, California, US, on 22-May-2021, under file # 202114610804, by one “Gurteg S. Mann” of 1915 McCune Ave, that city. That also appears to be the address of a “Regal Hauling LLC” (among possible others – Yuba City appears to be a trucking hub) which shows G. Mann as a principal, as well as one “Tarsem Mann”. Whether this outfit is related to the Ontario PB03 Transport, and, if so, what possible connection there could be between a hauling company and the exploits discussed, is an exercise I’ll leave to others. If there is indeed no connection, there might be some implicit instructive conclusion about the value of making leaps of logic based on hits from web searches…

SpaceLifeForm July 12, 2021 3:06 AM

More news

hxtps://www.engadget.com/kaseya-warned-of-security-flaws-before-ransomware-210226358.html

The giant ransomware attack against Kaseya might have been entirely avoidable. Former staff talking to Bloomberg claim they warned executives of “critical” security flaws in Kaseya’s products several times between 2017 and 2020, but that the company didn’t truly address them. Multiple staff either quit or said they were fired over inaction.
