Kaseya VSA Breach – Consequences of Security Failures
The world has witnessed another large-scale cyber-attack. On July 2, 2021, Kaseya, an IT systems management software firm, disclosed a security incident impacting the on-premises version of its Virtual System Administrator (VSA) software. The result was up to 1500 companies being held hostage to a significant ransom demand.
Incidents such as these are becoming more commonplace. We are seeing a trend where attackers concentrate more on finding and exploiting zero-day vulnerabilities in system administrator tools. The situation becomes much more severe with remote monitoring and management (RMM) tools like Kaseya VSA and SolarWinds, where attackers can penetrate directly into customer networks and operate with implicit trust, initiating commands or deploying malware. For RMM tools, most security vendors recommend allowlisting (formerly known as whitelisting) specific folders or executables to eliminate any disruption of service due to false-positive detections, since these folders and executables become trusted. Unfortunately, allowlisting often leads to the initial bypassing of endpoint security solutions that depend on detecting suspicious activity before a blocking action can occur. Comodo Threat Research Labs (CTRL) has analyzed the VSA attack and provides the analysis below to show how Comodo Active Breach Protection can protect endpoints from sophisticated attacks, even when all attack vectors have been trusted.
Our analysis first noted the exploitation of a zero-day vulnerability (CVE-2021-30116). Credit goes to Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure researcher, who identified and reported this vulnerability to Kaseya under responsible disclosure guidelines. We do not have sufficient detail about the exploit. Still, we know attackers used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the ransomware payload, and execute commands via Kaseya agents using a SQL injection vulnerability in Kaseya VSA. The attack was purportedly limited to on-premises instances of Kaseya VSA; however, the SaaS service also went offline. After the incident, Kaseya recommended shutting down all VSA servers; as of this post, the SaaS service was still offline, and Kaseya has been working on patches for both SaaS and on-premises servers. Kaseya released a Compromise Detection Tool to determine whether any indicators of compromise (IoCs) are present. CISA and the FBI released guidance for MSPs and their customers affected: https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
To further analyze the breach, we created a mapping of the Kaseya VSA attack against the MITRE ATT&CK framework.
Reconnaissance – Weaponization
We do not have many details about this initial step. But it is obvious the attackers, identified as REvil (aka Sodinokibi), the same group behind the May 1, 2021 JBS food processing ransomware attack, identified and exploited a zero-day vulnerability in Kaseya VSA, which is an ASP.NET application. In this Reddit post, the Huntress Labs team analyzed one of the compromised servers and suspects dl.asp has an authentication vulnerability granting a user a valid session and allowing the user to access files that typically require authentication, specifically KUpload.dll and userFilterTableRpt.asp. KUpload.dll offers upload functionality that bypasses authentication, allowing attackers to upload any malicious executable to the victim's systems. We also found userFilterTableRpt.asp was susceptible to a SQL injection vulnerability, allowing remote code execution and initial compromise of the VSA server.
Delivery
The delivery method is hidden behind an agent update package called Kaseya VSA Agent Hot-fix. Inside this package, agent.crt or Screenshot.jpg files are written to the c:\kworking folder. This folder is one of the working folders recommended to be allowlisted, which often leads to compromise because security technologies trust the executables contained within the folder.
Agent.crt is an encoded file; once decoded, it is converted into agent.exe. Finally, agent.exe is digitally signed with the following information:
Exploitation
The malicious executable is called via a stored procedure on VSA servers that essentially executes a PowerShell command. This command disables some features of Windows Defender so that the malicious code can execute and remain undetected. This stored procedure is then injected into the SQL database of the Kaseya VSA server and used in a script that is executed directly on the VSA agents being remotely managed or monitored on the customer's infrastructure.
When the agent.exe file is executed on the system, the primary process drops the next executable, MsMpEng.exe, into the C:\Windows directory. This file is flagged as clean by any anti-virus software present on the system and is associated with the Microsoft Malware Protection service, created and signed in 2014. The trusted and validly signed Microsoft executable MsMpEng.exe is used to side-load the DLL (Dynamic-link Library) component that encrypts the victim's servers and workstations.
Installation
DLL side-loading attacks happen when malicious code is substituted for a DLL file that a vulnerable application then loads into memory and executes. In this instance, the component C:\Windows\mpsvc.dll was also dropped into the Windows directory and is the actual Sodinokibi malware that encrypts the victim's devices. Encryption impacts the local disks, any removable drives, and network drives. Since the request comes from a Microsoft-signed application, most endpoint protection controls trust the file and do not block its execution.
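The Delivery, Exploitation and Installation steps above leave four observable traces on an endpoint (certutil decoding in c:\kworking, agent.exe starting from that folder, MsMpEng.exe running outside Defender's install directory, and mpsvc.dll being loaded from beside it). The detection logic below is an added example, not code from Kaseya, Comodo or the post; it assumes Sysmon-style events (EventID 1 = process create, 7 = image load) already parsed into dicts, and the Defender install paths and all sample events are constructed.

```python
"""Detection logic for the Kaseya/REvil delivery chain described above.
Added example, not code from Kaseya, Comodo or the post; it assumes
Sysmon-style events (EventID 1 = process create, 7 = image load) already
parsed into dicts. Defender install paths and all sample events are constructed."""
import ntpath

KWORKING = r"c:\kworking"  # allowlisted agent working folder named in the post
# Assumed legitimate homes of the Defender engine; anything else is suspect.
DEFENDER_DIRS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender\platform")

def _dir(path): return ntpath.dirname(path.lower())
def _name(path): return ntpath.basename(path.lower())

def analyze(events):
    """Return (rule, detail) hits for the four observable steps of the chain."""
    hits = []
    for ev in events:
        img = ev["image"]
        if ev["id"] == 1:
            cmd = ev["cmdline"].lower()
            # 1. certutil decoding agent.crt inside the allowlisted folder
            if _name(img) == "certutil.exe" and "-decode" in cmd and KWORKING in cmd:
                hits.append(("certutil_decode_in_kworking", ev["cmdline"]))
            # 2. agent.exe launched from c:\kworking
            if _name(img) == "agent.exe" and _dir(img) == KWORKING:
                hits.append(("agent_exe_from_kworking", img))
            # 3. MsMpEng.exe running outside Defender's install directories
            if _name(img) == "msmpeng.exe" and not _dir(img).startswith(DEFENDER_DIRS):
                hits.append(("msmpeng_outside_defender_dir", img))
        elif ev["id"] == 7:
            # 4. the relocated MsMpEng.exe side-loading mpsvc.dll from its own dir
            if (_name(img) == "msmpeng.exe" and _name(ev["loaded"]) == "mpsvc.dll"
                    and _dir(ev["loaded"]) == _dir(img)
                    and not _dir(img).startswith(DEFENDER_DIRS)):
                hits.append(("mpsvc_sideload", ev["loaded"]))
    return hits

SAMPLE_EVENTS = [  # constructed; first four mimic the chain, last two are benign
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"id": 1, "image": r"C:\kworking\agent.exe", "cmdline": r"c:\kworking\agent.exe"},
    {"id": 1, "image": r"C:\Windows\MsMpEng.exe", "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"id": 7, "image": r"C:\Windows\MsMpEng.exe", "loaded": r"C:\Windows\mpsvc.dll"},
    {"id": 1, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"id": 7, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "loaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign Defender events at the end show that the rules key on where the binary and its DLL live, not on the file names alone, so a genuine engine in its install directory is not flagged.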
C2
This specific REvil attack did not follow a typical command-and-control sequence of connecting to an external domain to retrieve its payload. In the Kaseya REvil case, the malware's network configuration is set to off, so it leaves no network traces.
Action on Objectives
When executed, REvil ransomware performs an in-place encryption attack. It overwrites the same sectors as the original files, so it becomes impossible to recover the originals. Once the encryption begins, a pop-up window displays the following ransom note.
When victims follow the instructions to contact the attackers, they are redirected to a "welcome to payment" page, as seen below.
How does Comodo protect organizations during an active breach?
Comodo's Active Breach Protection utilizes a combination of kernel API virtualization, allowlisting, machine learning, behavior analysis, and advanced static and dynamic threat cloud analysis (Comodo Valkyrie) to deliver trusted verdicts accurately and quickly for all unknown files and processes. Additionally, we authenticate every executable and process that requests runtime privileges and employ our patented kernel API virtualization technique to ensure nothing unknown accesses the underlying operating system.
Before execution, our technology authenticates every executable and process that requests runtime privileges. For example, suppose the executed code (either .exe, .dll or script) is unknown. In that case, our technology is architected to limit its execution to an isolated session, which never impedes the user's ability to open the file and view its contents; however, it restricts the file from having access to any portion of the file system that requires persistent behavior, like writing files, changing the registry, etc. This allows safe applications the freedom to run as needed while denying potentially malicious applications the system access they require to inflict damage, like running encryption routines, as in the case of ransomware.
What follows is a detailed description of how Comodo prevents this REvil ransomware from executing a priori.
Before executing the PowerShell script used in the Kaseya REvil ransomware attack, we allowlisted all Kaseya application folders as suggested by Kaseya Knowledge Base documents.
Like all other allowlisting technologies, this excludes the folder contents from being blocked and trusts the contents within.
As previously stated, there is nothing to prevent attackers from reaching the Exploitation stage, as endpoints are managed by Kaseya agents, which operate with elevated privilege. The Kaseya VSA Agent Hot-fix is distributed, and agent.crt now runs from within the trusted c:\kworking directory.
Whenever the above PowerShell command runs, agent.crt is decoded into agent.exe, which is not observed to be malicious since the decoding is performed via a legitimate Windows executable, certutil.exe. The last command of the script runs agent.exe.
At this point, Comodo differentiates itself from all other vendors, as we do not trust the file. Our first point of analysis is the origination date. The file was recently signed, and to Comodo, this means we've never seen this file before; therefore, we restrict the file by placing it into a virtual runtime that we automatically create to restrict the file's runtime privileges.
Voilà! Even if MsMpEng.exe were a legitimate Windows executable, it is isolated to a read-only location, as is the malicious payload, mpsvc.dll. As a result, MsMpEng.exe, which is vulnerable to DLL side-load attacks and malicious DLL injection, is not allowed to write to the disk. All write-file requests are directed to our virtual folder, called VTRoot. Even the dropped files sit within a virtual folder and are neutered. No encryption is possible, and the ransomware attack is thwarted. We also now detect mpsvc.dll as malicious since it is no longer contained within the allowlisted folder. Our customers are protected against any unknown threat, regardless of sophistication, because these attacks rely on unknown or untrusted code in their execution steps.
Furthermore, if you want to understand how an attack we prevented originated, you can see the full forensic detail courtesy of our EDR, which is both free and open source.
At Comodo, we believe every size of organization needs not only the best protection at affordable prices but that everyone should always have access to the forensic tools necessary to understand the entire lifecycle of a breach. Since we don't rely on EDR to prevent threats from becoming breaches, we make EDR accessible to everyone. Check out OpenEDR and utilize the best EDR tools for free.
Are you interested in learning more about Active Breach Protection? Check out our blog.