Kaseya VSA Supply-Chain Attack Ransomware

Kaseya VSA Supply-Chain Attack (REvil) – Technical Breakdown

Date: July 2, 2021
Threat Actor: REvil (Sodinokibi ransomware group)
Attack Type: Supply-chain compromise → MSP → downstream customers
Primary Target: On-premise Kaseya VSA servers (not SaaS VSA)


1. Attack Overview

The attackers exploited zero-day vulnerabilities in Kaseya VSA to gain unauthenticated remote code execution (RCE) on VSA servers. Because VSA is a remote management and monitoring (RMM) platform used by MSPs, attackers abused its trusted software update and scripting mechanisms to deploy ransomware to hundreds to thousands of downstream endpoints.

This is a classic supply-chain attack built on trusted-channel abuse: the management platform that customers already allow to push code became the delivery mechanism.


2. Vulnerabilities Exploited

The attack leveraged multiple previously unknown vulnerabilities:

CVE              Description
CVE-2021-30116   SQL injection leading to authentication bypass
(Unassigned)     Arbitrary file upload
(Unassigned)     Command execution via VSA agent procedures

Impact:

  • No authentication required
  • Full SYSTEM-level code execution
  • Ability to deploy malicious scripts via VSA procedures

3. Kill Chain & Technical Flow

Step 1: Initial Access – VSA Server Compromise

  • Attackers sent crafted SQL injection requests to /dl.asp
  • Authentication was bypassed
  • Webshell dropped into VSA web root

Webshell behavior:

  • Allowed arbitrary command execution
  • Used PowerShell to stage payloads

Step 2: Weaponization – Malicious Update Creation

Attackers:

  • Created malicious VSA agent procedures
  • Leveraged VSA’s trusted update channel
  • Marked payloads as agent hotfixes

This bypassed:

  • Endpoint AV
  • Application allowlisting
  • User interaction

Step 3: Payload Delivery

Delivered files included:

File        Purpose
agent.crt   Fake trusted certificate
agent.exe   Loader
mpsvc.dll   REvil ransomware payload

The payload was delivered via:

  • VSA “UpdateAgent” procedure
  • Executed as NT AUTHORITY\SYSTEM

Step 4: Execution & Defense Evasion

Pre-encryption actions:

  1. taskkill /im msmpeng.exe /f
  2. taskkill /im avp.exe /f
  3. taskkill /im mcshield.exe /f

Windows Defender disabled via:

  1. Set-MpPreference -DisableRealtimeMonitoring $true
  2. HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
  • Either change stops Defender from scanning files as they are accessed, created, or executed.

Persistence:
None — this was a smash-and-grab ransomware deployment

“Smash-and-grab ransomware deployment” describes a fast, destructive ransomware operation where attackers immediately execute encryption after gaining access, with little or no persistence, lateral movement, or long-term presence.
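The taskkill commands and the Defender change above are the most detectable part of a smash-and-grab deployment, because they happen on every endpoint within seconds of each other. The following added example (not code from the page, Kaseya or REvil) flags those actions in normalized endpoint telemetry. The event field names (type, command_line, script_text, target, value) and the five sample records are assumptions constructed for the example; the sub-technique tag T1562.001 (Disable or Modify Tools) refines the page's T1562 mapping.

```python
"""Flag the Step 4 defense-evasion actions in endpoint telemetry.
Added example; event shapes and sample records are constructed."""
import re
from collections import defaultdict

# AV/EDR engine processes named in Step 4.
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "mcshield.exe"}

# Registry value from Step 4 that turns Defender real-time protection off.
RTP_VALUE = (r"HKLM\SOFTWARE\Microsoft\Windows Defender"
             r"\Real-Time Protection\DisableRealtimeMonitoring").lower()

TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
MPPREF_RE = re.compile(r"Set-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$?true", re.I)

# Constructed sample telemetry: one host shows the full sequence, one is benign.
SAMPLE_EVENTS = [
    {"time": "2021-07-02T14:10:01Z", "host": "WS01", "type": "process_create",
     "parent": "agent.exe", "command_line": "taskkill /im msmpeng.exe /f"},
    {"time": "2021-07-02T14:10:02Z", "host": "WS01", "type": "process_create",
     "parent": "agent.exe", "command_line": "taskkill /im avp.exe /f"},
    {"time": "2021-07-02T14:10:05Z", "host": "WS01", "type": "script_block",
     "script_text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2021-07-02T14:10:06Z", "host": "WS01", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": 1},
    {"time": "2021-07-02T14:12:40Z", "host": "WS02", "type": "process_create",
     "parent": "explorer.exe", "command_line": "taskkill /im notepad.exe /f"},
]


def check_event(ev):
    """Return (technique, description) for a matching record, else None."""
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("command_line", "")
        m = TASKKILL_RE.search(cmd)
        if m and m.group(1).lower() in AV_PROCESSES:
            return ("T1562.001", f"taskkill against AV process {m.group(1)}")
        if MPPREF_RE.search(cmd):
            return ("T1562.001", "Set-MpPreference disabling real-time monitoring")
    elif kind == "script_block":  # PowerShell script block logging (event 4104) text
        if MPPREF_RE.search(ev.get("script_text", "")):
            return ("T1562.001", "Set-MpPreference disabling real-time monitoring in script block")
    elif kind == "registry_set":
        if ev.get("target", "").lower() == RTP_VALUE and str(ev.get("value")) == "1":
            return ("T1562.001", "DisableRealtimeMonitoring set to 1 in registry")
    return None


def scan(events):
    """Return (time, host, technique, description) for every matching event."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            hits.append((ev["time"], ev.get("host"), *hit))
    return hits


def summarize(hits):
    """Per host: hit count and a severity; two or more hits means the
    AV-kill plus Defender-disable sequence, which is high confidence."""
    counts = defaultdict(int)
    for _, host, _, _ in hits:
        counts[host] += 1
    return {h: {"count": n, "severity": "high" if n >= 2 else "medium"}
            for h, n in counts.items()}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
    print(summarize(scan(SAMPLE_EVENTS)))
```

Because the pushed payload ran as SYSTEM with no user interaction, the parent-process field (here agent.exe) is the pivot for correlating these hits back to the VSA agent procedure that launched them.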


Step 5: Encryption (REvil Variant)

  • Hybrid encryption:
    • AES-256 per file
    • RSA-2048 public key embedded
  • Skipped:
    • Windows system folders
    • Critical OS files (to keep system bootable)
  • File extension appended: .randomstring

Ransom note: README.txt


4. Notable Malware Characteristics

Feature           Detail
Execution         SYSTEM
Lateral Movement  None (supply-chain push)
C2                HTTPS over hardcoded IPs/domains
Obfuscation       Packed PE, string encryption
Kill Switch       None

5. Indicators of Compromise (IOCs)

A. File Hashes (Examples – known samples)

⚠️ Hashes vary between samples. The two values below are representative placeholders only and are not valid digests (a SHA-256 is 64 hex characters; these are 60), so do not load them into blocklists; take current sample hashes from a vendor advisory or your threat-intel feed.

SHA256: 0f98b6e6f9f5e4b1c9e6b5a8d3d7d4c9c8e8a9a5e6f7b8c9d0e1f2a3b4c5
SHA256: d1c8c9b8f3b6a1d4e5f9e7c6a8b2c1d0e3f4a5b6c7d8e9f0a1b2c3d4e5f6

B. File & Path IOCs

  • C:\Kaseya\WebPages\dl.asp
  • C:\Kaseya\WebPages\shell.aspx
  • C:\Windows\System32\mpsvc.dll
  • C:\ProgramData\Kaseya\*.crt

C. Registry IOCs

HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1

D. Network IOCs

Observed behaviors:

  • Outbound HTTPS to unfamiliar IPs
  • User-Agent anomalies (non-browser)

Example patterns:

POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

E. Log Artifacts

  • IIS logs showing: POST /dl.asp
  • SQL injection patterns: exec xp_cmdshell
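The network and log artifacts in 5D and 5E are most useful when turned into a repeatable scan of the VSA server's IIS logs. The following added example (not code from the page or from Kaseya) parses W3C-format IIS log lines and flags POST requests to /dl.asp, requests to the webshell path, SQL-injection fragments such as xp_cmdshell in the decoded query string, and non-browser User-Agent strings. The four log lines are constructed for the example, the W3C field list is the one named in the sample's #Fields header, and the SQLi regexes are illustrative starting points rather than a complete ruleset.

```python
"""Scan IIS W3C log lines from a VSA server for the 5D/5E request patterns.
Added example; the sample log lines below are constructed, not real captures."""
import re
from urllib.parse import unquote_plus

# SQL-injection fragments; xp_cmdshell is the pattern the page calls out.
SQLI_PATTERNS = [
    re.compile(r"xp_cmdshell", re.I),
    re.compile(r"\bexec\b", re.I),
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
]

# Constructed sample log (W3C format; IIS encodes spaces inside a field as '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-02 14:02:11 10.0.0.5 GET / - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2021-07-02 14:05:37 10.0.0.5 POST /dl.asp id=1'%3Bexec+xp_cmdshell+-- 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2021-07-02 14:06:02 10.0.0.5 POST /shell.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2021-07-02 14:06:30 10.0.0.5 POST /dl.asp - 443 - 203.0.113.7 - 200""".splitlines()


def parse_iis(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # malformed line: skip rather than misalign columns
            continue
        yield dict(zip(fields, parts))


def check_record(rec):
    """Return [(rule, detail), ...] for one parsed request; empty if nothing matched."""
    findings = []
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    decoded = unquote_plus(query) if query != "-" else ""
    ua = rec.get("cs(User-Agent)", "-")
    src = rec.get("c-ip", "?")
    if method == "POST" and stem.endswith("/dl.asp"):
        findings.append(("post_dl_asp", f"POST {stem} from {src}"))
    if stem.endswith("/shell.aspx"):
        findings.append(("webshell_path", f"{method} {stem} from {src}"))
    for pat in SQLI_PATTERNS:
        if pat.search(decoded):
            findings.append(("sqli_pattern", f"{pat.pattern} in query {decoded!r}"))
            break  # one SQLi finding per request is enough
    if not ua.lower().startswith("mozilla/"):
        findings.append(("non_browser_ua", f"User-Agent {ua!r} from {src}"))
    return findings


def scan(lines):
    """Scan a log and return (date, time, rule, detail) tuples in log order."""
    hits = []
    for rec in parse_iis(lines):
        for rule, detail in check_record(rec):
            hits.append((rec["date"], rec["time"], rule, detail))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Decoding the query with unquote_plus before matching matters: IIS stores the query URL-encoded, so a pattern applied to the raw field would miss "%3B" and "+"-separated tokens. Run it against the full IIS directory on the rebuilt server's forensic image, not the live one, so the evidence is preserved.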

6. Incident Response (IR) – Step-by-Step

Phase 1: Immediate Containment

Critical actions:

  1. Disconnect VSA servers from the internet
  2. Power off (not reboot) affected endpoints
  3. Disable VSA agent communication ports
  4. Preserve forensic images

Kaseya instructed all customers to shut down on-prem VSA servers immediately.


Phase 2: Eradication

VSA Servers

  • Rebuild from known-good backups
  • Apply Kaseya security patches
  • Rotate:
    • Admin credentials
    • API keys
    • Certificates

Endpoints

  • Reimage systems (preferred)
  • Do NOT trust decrypted systems alone; decryption restores files, not integrity of the host

Phase 3: Recovery

  • Restore data from offline backups
  • Validate:
    • No remaining malicious VSA procedures
    • No unauthorized scripts
  • Reintroduce network connectivity gradually

Phase 4: Detection Improvements

Recommended controls:

  • EDR with RMM abuse detection
  • Application allowlisting (WDAC)
  • Network egress filtering
  • Script block logging (PowerShell)
  • IIS advanced logging on management servers

7. Strategic Lessons Learned

Lesson                           Explanation
Trusted tools can be weaponized  RMM ≠ safe
MSPs are Tier-0 targets          One breach → thousands
Offline backups are critical     Many victims recovered without paying
Patch latency is dangerous       Zero-days target management software

8. MITRE ATT&CK Mapping (Selected)

Tactic           Technique
Initial Access   T1190 – Exploit Public-Facing Application
Execution        T1059 – Command and Scripting Interpreter
Defense Evasion  T1562 – Impair Defenses
Impact           T1486 – Data Encrypted for Impact