Details of the REvil Ransomware Attack
ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details:
This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s network. After writing a base-64-encoded payload to a file named agent.crt the dropper executed it.
[…]
The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.” By digitally signing their malware, attackers are able to suppress many security warnings that would otherwise appear when it’s being installed. Cybereason said that the certificate appears to have been used exclusively by REvil malware that was deployed during this attack.
To add stealth, the attackers used a technique called DLL Side-Loading, which places a spoofed malicious DLL file in the Windows WinSxS directory so that the operating system loads the spoof instead of the legitimate file. In the case here, Agent.exe drops an outdated version of “msmpeng.exe,” the Windows Defender executable, that is vulnerable to DLL Side-Loading.
Once executed, the malware changes the firewall settings to allow local Windows systems to be discovered. Then, it starts to encrypt the files on the system….
REvil is demanding $70 million for a universal decryptor that will recover the data from the 1,500 affected Kaseya customers.
Note that this is yet another supply-chain attack. Instead of infecting those 1,500 networks directly, REvil infected a single managed service provider. And it leveraged a zero-day vulnerability in that provider.
EDITED TO ADD (7/13): Employees warned Kaseya’s management for years about critical security flaws, but they were ignored.
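A defender-side hunt for the artifacts the quoted article names (a running msmpeng.exe outside the Defender install directories, binaries signed under the “PB03 TRANSPORT LTD” subject, and the agent.crt/agent.exe pair), added here as an example; it is not code from the article, Cybereason, or Kaseya. The two expected Defender directories are assumptions that should be adjusted to the environment.

```powershell
# Added example, not from the original post. Assumed: the two directories below are
# where a legitimate MsMpEng.exe lives on the hosts being checked.
$expectedDefenderDirs = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender\Platform'
)
$suspectSigner = 'PB03 TRANSPORT LTD'

# 1. A running MsMpEng.exe outside the Defender directories is the side-loading
#    red flag: from any other folder it will resolve its DLLs next to itself.
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
    Where-Object {
        $p = $_.Path
        -not ($expectedDefenderDirs | Where-Object { $p -like "$_*" })
    } |
    Select-Object Id, Path

# 2. Any executable or DLL whose Authenticode signer subject carries the
#    registrant name the article reports was used only by this campaign.
Get-ChildItem -Path 'C:\' -Include '*.exe', '*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -like "*$suspectSigner*") {
            [pscustomobject]@{
                File    = $_.FullName
                Subject = $sig.SignerCertificate.Subject
                Status  = $sig.Status
            }
        }
    }

# 3. The base64 payload file the dropper wrote, and the dropper itself.
Get-ChildItem -Path 'C:\' -Include 'agent.crt', 'agent.exe' -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Checks 2 and 3 walk the whole volume and are slow; scope `-Path` to the Kaseya agent working directory if it is known, and run as an administrator so `Get-Process` can report every process path.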
Tatütata • July 8, 2021 10:56 AM
The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.”
Gurgling this unusual and specific company name and plugging the result in the federal Canadian business registry (CBCA: Canada Business Corporations Act / Loi canadienne sur les sociétés par actions) yields the following result:
https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=11747649
The corporation formed in 2019 is domiciled at a residential address in Brampton Ontario.
The idea of Microsoft issuing a signing certificate to a small business apparently unrelated to software development, said certificate providing access to the inner sanctum, is disturbing. Identity theft?