REvil Attack, Genetic Analysis and Lessons Learned

Validating your Software Supply Chain for Tampering

Solarwinds, CodeCov and now Kaseya are the latest supply chain attacks we know about. In this short blog post you will find a genetic analysis of the attack against Kaseya customers as well as our recommendations for both software consumers and vendors.

REvil Use Case

The REvil ransomware gang gained access to the infrastructure of Kaseya – a company that provides IT management software for managed service providers (MSPs) and IT Teams. The attack leveraged a zero-day vulnerability in Virtual Server Agent (VSA) servers to deploy a variant of the REvil Ransomware to machines managed by the service. While Kaseya reported that a small portion of their customers were affected, many of these customers were MSPs with large customer bases resulting in a multiplier effect. The ransom demanded by the group is between $50,000 to $5 million, or $70 million to recover all the victims of the attack. So far about 200 companies were affected by the attack.  

The supply chain attack is a new infection vector adopted by the REvil gang while using existing malware variants. The shift towards this highly effective infection vector can be the start of the trend of attackers delivering their malware using supply chain attacks. Unlike SolarWinds attack, the REvil group is financially motivated, and this attack might be part of a wider campaign.

We uploaded the binaries from the attack to Intezer Analyze to check for code reuse and shared capabilities with other malware variants.

This is how one of the samples from the attack looks like in Intezer Analyze (Figure 1). The file was dynamically unpacked and executed in a sandbox enabling Analyze to extract and classify all the processes and memory dumps relevant to the malware. Intezer Analyze inspected the code that was loaded into memory and detected the file as malicious and classified it as REvil ransomware (also known as Sodinokibi).

Figure 1: The analysis of one of the binaries in Intezer Analyze

The file shares code with other samples from the same malware family (Figure 2) including samples from 2019.

Figure 2: List of samples sharing code with the binary from the attack going back to 2019

The binaries that contain the ransomware were digitally signed using a certificate, as a result standart antiviruses may have approved the files. As Intezer Analyze inspects the code itself, it is able to classify and identify the malware.

The threat injects malicious code into the main process of Windows Defender called MsMpEng.exe, as part of an evasion technique (Figure 3). Regardless of  the legitimate name, Intezer Analyze detects the process as malicious and classifies it as Sodinokibi.

Figure 3: Intezer Analyze picked up the legitimate process name containing Sodinokibi code

Intezer Analyze can find MITRE ATT&CK techniques and capabilities shared between malware families. Using this feature we were able to identify several capabilities and techniques shared between the sample from the attack and other samples in the REvil (Sodinokibi) family. The shared capabilities include encryption of files using encryption algorithms such as RC4 as well as implementation of anti-debugging techniques – all of which fits this ransomware family.

Figure 4: Techniques and capabilities of the malware in Intezer Analyze

Prepare for the Next Supply Chain Attack

For Consumers

  • Identifying malicious code and suspicious newly added capabilities to the latest version of the software you are using is the best way to verify the code was not tempered. We recommend scanning third-party software and updates before running it in your organization. Read more on how Intezer Analyze can help you with scanning your supply chain software for backdoors.
  • As demonstrated by this attack, and past ransomware supply chain attacks such as NotPetya ransomware through the MeDoc software, it shows that a company’s first line of defenses are only as strong as the weakest link of their supply chains’ defenses. Therefore it is absolutely imperative to have a multi-layered defense in depth strategy that will protect your organisation once the first line of defenses fail. As part of a defense in depth strategy, use endpoint protection and runtime security on servers and cloud workloads, like Intezer Protect.
  • Fileless malware is a huge threat as it is still one of the most effective ways of bypassing malware protection products. Ensure that your malware detection products can handle fileless malware in memory such as Intezer Analyze.
  • Having backups of data and methods of quickly restoring operations from this data is essential.

For Vendors

  • Scan software releases for tampering and backdoors, before delivering to customers or deploying to production. Read more on how Intezer can help you release your software with peace of mind.
  • Use advanced threat protection and runtime security tools for development and build environments like Intezer Protect.
  • Scan your third party code dependencies for threats using Intezer Analyze.
  • Apply strict access control to development and build environments.

The post REvil Attack, Genetic Analysis and Lessons Learned appeared first on Intezer.

Article Link: REvil Attack, Genetic Analysis and Lessons Learned - Intezer