“…02/2021 @ 4:22pm ET - Update #3 - 07/02/2021 @ 3:17pm ET - Update #2 - 07/02/2021 @ 2:49pm ET - Update #1 - 07/02/2021 @ 2:45pm ET - Initial Indicators of Compromise - Further Reading & Resources - Can Huntress help me? What's happening? We are tracking…”
T1574.001 DLL (98%)
“lists, whitelisted components, and command & control domains used. IOCs (SHA256): - agent.exe d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e - mpsvc.dll (sideloaded DLL, we have seen this file first hand) e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cb…”
T1486 Data Encrypted for Impact (98%)
“If you have unencrypted logs from a confirmed compromised VSA server and you are comfortable sharing them to help the discovery efforts, please email a link to download them at support [at] huntress.com. All your information will be treated confidentially and redacted before any…”
T1486 Data Encrypted for Impact (98%)
“…l.exe utility - mpsvc.dll - MD5: a47cf00aedf769d60d58bfe00c0b5421 - REvil encryptor payload. Further Reading & Resources - Resources for DFIR professionals responding to the REvil ransomware Kaseya supply chain attack - Kaseya supply chain attack delivers mass ransomware even…”
T1190 Exploit Public-Facing Application (96%)
“the payload for ransomware. Unfortunately we have not yet retrieved a copy of screenshot.jpg present on compromised servers that we have seen. The userFilterTableRpt.asp file contains a significant amount of potential SQL injection vulnerabilities, which would offer an attack v…”
T1486 Data Encrypted for Impact (95%)
“with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation. Many partners are asking "What do you do if your RMM is compromised?". This is…”
T1486 Data Encrypted for Impact (95%)
“…tection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /y c:\windows\system32\certutil.exe c:\windows\cert.exe & echo %random% >> c:\windows\cert.exe & c:\windows\cert.exe -decode c:\kworking\agent.crt c:…”
T1486 Data Encrypted for Impact (94%)
“…GB - Serial #: 119acead668bad57a48b4f42f294f8f0 - Issuer: https://sectigo.com/ When agent.exe runs, the following files are dropped into the hardcoded path C:\Windows: - MsMpEng.exe - the legit Windows Defender executable - mpsvc.dll - the encryptor payload that is…”
T1486 Data Encrypted for Impact (91%)
“Rapid Response: Mass MSP Ransomware Incident | Huntress. Updated 07/13/2021 @ 10:30am ET. Our team continues to investigate the Kaseya VSA supply chain attack that's currently affecting a growing number of MSPs, resellers and their customers. Our initial findings and analy…”
T1112 Modify Registry (81%)
“This registry key is to simply store encryptor runtime keys/configurations and has been previously discussed. We are also aware of conversation about the Kaseya payload's ability to autologin to safe mode and set the password to "DTrump4ever". This behavior will only happe…”
T1486 Data Encrypted for Impact (77%)
“restored. We believe it is vitally important to remove these pending jobs prior to reenabling connectivity. Once a patch is released, the Huntress team will have more updates to share. Update #15 - 07/06/2021 @ 7:08pm ET. As demonstrated in our webinar today, Huntress secur…”
T1486 Data Encrypted for Impact (74%)
“on where to go from here reach out to [email protected]. We've coached over 200 MSPs through incidents like this since early 2019 and would be happy to share best practices. For our Huntress partners using VSA, we took proactive steps to help protect your systems. We will sen…”
T1059.001 PowerShell (64%)
“…ity). The ping sleeps for the amount of time computed in step 4, which effectively coordinates a synchronized attack at exactly 1630 UTC across all victims. %COMSPEC% /c ping 127.0.0.1 -n #diffsec# >> nul & %SystemDrive%\windows\system32\windowspowershell…”
T1190 Exploit Public-Facing Application (61%)
“all in this together and greatly appreciate your help. Update #10 - 07/04/2021 @ 12:20pm ET. It's still too early to tell, but from the logs we have been analyzing, we have seen a singular POST request from an AWS IP address 18[.]223.199.234 using curl to access the…”
T1190 Exploit Public-Facing Application (61%)
“restored. We believe it is vitally important to remove these pending jobs prior to reenabling connectivity. Once a patch is released, the Huntress team will have more updates to share. Update #15 - 07/06/2021 @ 7:08pm ET. As demonstrated in our webinar today, Huntress secur…”
T1657 Financial Theft (59%)
“Rapid Response: Mass MSP Ransomware Incident | Huntress. Updated 07/13/2021 @ 10:30am ET. Our team continues to investigate the Kaseya VSA supply chain attack that's currently affecting a growing number of MSPs, resellers and their customers. Our initial findings and analy…”
T1080 Taint Shared Content (54%)
“If you have unencrypted logs from a confirmed compromised VSA server and you are comfortable sharing them to help the discovery efforts, please email a link to download them at support [at] huntress.com. All your information will be treated confidentially and redacted before any…”
T1486 Data Encrypted for Impact (47%)
“…mediate on-premises VSA servers and has brought VSA SaaS infrastructure back online on 1630 ET, July 11 2021. Our team is working to validate the patch and will have more updates soon. Note: an SQL script has been previously provided to clear out any pending VSA procedures/…”
T1080 Taint Shared Content (45%)
“with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation. Many partners are asking "What do you do if your RMM is compromised?". This is…”
T1486 Data Encrypted for Impact (45%)
“….199.234 using curl to access these files sequentially: /dl.asp /KUpload.dll /userFilterTableRpt.asp We have observed that dl.asp contains proper SQL sanitization and there does not seem to be any SQL injection vulnerabilities present. However, it does seem to include a…”
T1574.001 DLL (42%)
“Wow6432Node\Kaseya\Agent\<unique id> - When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path "C:\Windows" to DLL sideload. - The mpsvc.dll Sodinokibi DLL creates the reg…”
T1195.002 Compromise Software Supply Chain (42%)
“with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation. Many partners are asking "What do you do if your RMM is compromised?". This is…”
T1553.002 Code Signing (33%)
“RaaS affiliate is behind these intrusions. - hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion The Huntress customer support team has started pre-emptively calling all of our VSA partners to make them aware of the situation. We currently have three h…”
T1190 Exploit Public-Facing Application (33%)
“with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation. Many partners are asking "What do you do if your RMM is compromised?". This is…”
T1588.001 Malware (33%)
“If you have unencrypted logs from a confirmed compromised VSA server and you are comfortable sharing them to help the discovery efforts, please email a link to download them at support [at] huntress.com. All your information will be treated confidentially and redacted before any…”
T1113 Screen Capture (33%)
“more executable code that we can see disables existing user sessions, removes IIS logs, and other cleanup activities. Unfortunately, a large portion of the code is removed as the original IDS had not retrieved the full packet. This explains the previous activity we have seen acro…”
T1195.002 Compromise Software Supply Chain (32%)
“…l.exe utility - mpsvc.dll - MD5: a47cf00aedf769d60d58bfe00c0b5421 - REvil encryptor payload. Further Reading & Resources - Resources for DFIR professionals responding to the REvil ransomware Kaseya supply chain attack - Kaseya supply chain attack delivers mass ransomware even…”
T1053.005 Scheduled Task (31%)
“…ity). The ping sleeps for the amount of time computed in step 4, which effectively coordinates a synchronized attack at exactly 1630 UTC across all victims. %COMSPEC% /c ping 127.0.0.1 -n #diffsec# >> nul & %SystemDrive%\windows\system32\windowspowershell…”
Summary
Huntress is tracking a critical ransomware incident affecting MSPs and their customers, caused by a sophisticated Kaseya VSA supply chain attack.