REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack

Threat Level – Red | Vulnerability Report

The REvil ransomware group carried out a supply chain attack by exploiting a zero-day vulnerability (CVE-2021-30116) in on-premises Kaseya VSA servers and using the compromised servers to push a malicious agent procedure to every endpoint they managed. The procedure used PowerShell to disable Windows Defender protections, then dropped and ran the REvil payload, which was side-loaded through an outdated but legitimate Windows Defender binary and encrypted the files of the clients managed by the server. By the attackers' own claim, almost 1 million devices were affected.

Hive Pro researchers have identified three further zero-day weaknesses in Kaseya VSA that may also have been used against the targeted clients:

- Authentication Bypass Vulnerability
- Arbitrary File Upload Vulnerability
- Code Injection Vulnerability

The techniques used by REvil in this campaign, mapped to MITRE ATT&CK tactics:

TA0001: Initial Access
- T1189: Drive-by Compromise
- T1566: Phishing
  - T1566.001: Spearphishing Attachment

TA0002: Execution
- T1059: Command and Scripting Interpreter
  - T1059.001: PowerShell
  - T1059.003: Windows Command Shell
  - T1059.005: Visual Basic
- T1106: Native API
- T1047: Windows Management Instrumentation
- T1204: User Execution
  - T1204.002: Malicious File

TA0003: Persistence
- T1574: Hijack Execution Flow
  - T1574.002: DLL Side-Loading

TA0004: Privilege Escalation
- T1134: Access Token Manipulation
  - T1134.001: Token Impersonation/Theft
  - T1134.002: Create Process with Token
- T1574: Hijack Execution Flow
  - T1574.002: DLL Side-Loading
- T1055: Process Injection

TA0005: Defense Evasion
- T1134: Access Token Manipulation
  - T1134.001: Token Impersonation/Theft
  - T1134.002: Create Process with Token
- T1140: Deobfuscate/Decode Files or Information
- T1055: Process Injection
- T1562: Impair Defenses
  - T1562.001: Disable or Modify Tools
- T1070: Indicator Removal on Host
  - T1070.004: File Deletion
- T1036: Masquerading
  - T1036.005: Match Legitimate Name or Location
- T1112: Modify Registry
- T1027: Obfuscated Files or Information

TA0007: Discovery
- T1083: File and Directory Discovery
- T1069: Permission Groups Discovery
  - T1069.002: Domain Groups
- T1012: Query Registry
- T1082: System Information Discovery

TA0011: Command and Control
- T1071: Application Layer Protocol
  - T1071.001: Web Protocols
- T1573: Encrypted Channel
  - T1573.002: Asymmetric Cryptography
- T1105: Ingress Tool Transfer

TA0010: Exfiltration
- T1041: Exfiltration Over C2 Channel

TA0040: Impact
- T1485: Data Destruction
- T1486: Data Encrypted for Impact
- T1490: Inhibit System Recovery
- T1489: Service Stop

Threat Actor

REvil (also tracked as Sodinokibi) ransomware group

Vulnerability Details

CVE-2021-30116: zero-day vulnerability in the Kaseya VSA server, exploited to distribute the REvil payload to the endpoints managed by compromised servers.

Indicators of Compromise

Type       Value
IPv4       161[.]35[.]239[.]148
SHA-256    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA-256    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA-256    e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
SHA-256    45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c

The four 64-character digests are SHA-256 values, not SHA-1, and the fourth is published in upper case; compare them case-insensitively.
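As an added example, not part of Hive Pro's advisory or of any referenced write-up: a small offline Python triage helper that applies the indicators above and two techniques from the ATT&CK list to local evidence. It refangs the IPv4 indicator, normalises the mixed-case SHA-256 digests before matching file hashes, and scans log or process records for the C2 address, for Set-MpPreference calls that switch Defender features off (T1562.001) and for certutil -decode invocations (T1140). The regular expressions, the function names, the idea that a renamed certutil copy may still carry "cert" in its name, and every sample record are assumptions constructed for illustration, not telemetry from the incident.

```python
"""Offline IOC triage helper for the Kaseya/REvil advisory above.

Added example, not Hive Pro's code. Indicators are copied from the IOC
table; regexes and sample records are constructed assumptions.
"""
import hashlib
import os
import re

# Indicators copied from the advisory's IOC table (one digest as published, in upper case).
IOC_IPS = {"161[.]35[.]239[.]148"}
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",
    "45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C",
}

# Hypothetical command-line patterns for two techniques in the ATT&CK list above.
TECHNIQUE_PATTERNS = {
    "T1562.001 Impair Defenses: Disable or Modify Tools":
        re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.IGNORECASE),
    "T1140 Deobfuscate/Decode Files or Information":
        # certutil itself, or a renamed copy that still carries "cert" in its name (assumption)
        re.compile(r"(certutil|cert)(\.exe)?\s+-decode\b", re.IGNORECASE),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (161[.]35[.]239[.]148, hxxp://...) back into usable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalise_hashes(hashes) -> set:
    """Lower-case SHA-256 digests and drop anything that is not 64 hex characters."""
    return {h.strip().lower() for h in hashes if re.fullmatch(r"[0-9a-fA-F]{64}", h.strip())}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: dict, iocs) -> list:
    """Names of in-memory files whose SHA-256 is in the IOC set, compared case-insensitively."""
    wanted = normalise_hashes(iocs)
    return sorted(name for name, data in files.items() if sha256_hex(data) in wanted)


def match_files_on_disk(root: str, iocs=IOC_SHA256) -> list:
    """Walk a directory tree and return paths whose SHA-256 is an IOC."""
    wanted = normalise_hashes(iocs)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if digest in wanted:
                hits.append(path)
    return sorted(hits)


def scan_lines(lines, ips=IOC_IPS, patterns=TECHNIQUE_PATTERNS) -> list:
    """Return (line_number, label) pairs for C2 addresses and technique patterns."""
    addrs = {refang(ip) for ip in ips}
    hits = []
    for no, line in enumerate(lines, start=1):
        for addr in sorted(addrs):
            # Guard both ends so 161.35.239.148 does not match inside 161.35.239.1480
            if re.search(r"(?<![\d.])" + re.escape(addr) + r"(?![\d.])", line):
                hits.append((no, f"C2 address {addr}"))
        for label, rx in patterns.items():
            if rx.search(line):
                hits.append((no, label))
    return hits


# Constructed sample records (not real telemetry from the incident).
SAMPLE_LINES = [
    "2021-07-02 14:30:01 proxy allow 10.0.0.12 -> 161.35.239.148:443",
    "2021-07-02 14:30:05 process powershell.exe Set-MpPreference "
    "-DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force",
    "2021-07-02 14:30:06 process C:\\Windows\\cert.exe -decode "
    "c:\\kworking\\agent.crt c:\\kworking\\agent.exe",
    "2021-07-02 14:31:00 proxy allow 10.0.0.12 -> 216.58.212.100:443",
]

if __name__ == "__main__":
    for line_no, label in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {label}")
    print("IOC hash matches under cwd:", match_files_on_disk("."))
```

Run against the constructed records, scan_lines flags the first three lines and leaves the unrelated proxy entry alone; point match_files_on_disk at a quarantine or collection directory to check captured binaries against the published digests. The technique patterns are deliberately narrow and will miss variants that encode or alias the commands, so treat them as a starting point for hunting rather than a complete detection.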

References

https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/

https://otx.alienvault.com/pulse/60e40b4535299fb6755143cf

https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
