Analysis and traceability of the Sodinokibi hacker group's supply chain attack on Kaseya VSA

On July 2, 2021, the Sodinokibi (REvil) ransomware group launched a large-scale supply chain attack through Kaseya VSA, suspected of using a 0day vulnerability. The ransomware supply chain attack affected the services of more than 800 stores across the country.

The domestic vendor Weibu Online also published analysis and reports on this incident. The impact of this supply chain attack is in fact quite large, and the attack methods and techniques are very complete. Kaseya has not disclosed many details of the attack or of the vulnerabilities, and the US Cybersecurity and Infrastructure Security Agency (CISA) has opened an investigation into the supply chain attack.

Analysis and traceability

This time, the Sodinokibi (REvil) ransomware group used the relevant vulnerabilities to launch a supply chain attack, and this is not a simple attack. I had no way to take part in the traceability of this ransomware attack and could only rely on the traceability report of a foreign security vendor and on a few other channels for the relevant information, so the partial analysis and reconstruction of this supply chain attack given here is not complete. Without the relevant files and log data, I cannot go any deeper into the attack details.

When analyzing the system logs, an AWS IP address, 18[.]223.199.234, was found sending a POST request like this:


Analysis found that userFilterTableRpt.asp contains a large number of potential SQL injection vulnerabilities, which provided the basic conditions for the later code execution and damage to the VSA server.

At the same time, two more files, dl.asp and KUpload.dll, were found in the request log. Analysis showed that dl.asp has an authentication logic flaw: the flawed authentication can bypass the server's checks and grant a user a valid session. KUpload.dll provides the upload function and writes its log to the file KUpload.log.

According to the analysis, the KUpload.log file shows that the files agent.crt and Screenshot.jpg were uploaded to the VSA server. agent.crt is decrypted through the VSA's own decryption mechanism to yield the ransomware, which is then loaded, but what the Screenshot.jpg file is remains unknown, and security researchers are asking the outside world for a copy of this file. The relevant log records are as follows:


From the above analysis, we can confirm that the entry point of this attack was the Kaseya VSA web application: the hacker group used the authentication bypass vulnerability to obtain an authenticated session, uploaded the original payload, and executed commands through the SQL injection vulnerability.
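As an added example (not from the original write-up and not Kaseya's own tooling), the following Python script triages constructed IIS W3C-style web log lines for the request pattern described above: successful hits on userFilterTableRpt.asp, dl.asp and KUpload.dll from one source address, and uploads of the two files that KUpload.log recorded. The log excerpt, its column layout and the fileName= query parameter are assumptions made for the example.

```python
# Endpoints the write-up names as the entry point (constructed mapping).
SUSPICIOUS_PATHS = {
    "/userFilterTableRpt.asp": "SQL injection entry point",
    "/dl.asp": "authentication bypass",
    "/KUpload.dll": "file upload",
}
# Files the write-up says KUpload.log recorded as uploaded to the VSA server.
SUSPICIOUS_UPLOADS = ("agent.crt", "Screenshot.jpg")

# Constructed IIS W3C-style excerpt; the #Fields header defines the columns.
# The fileName= query parameter is an assumption, not KUpload.dll's real interface.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-07-02 18:40:01 10.0.0.5 GET /vsapres/web20/core/login.aspx - 200
2021-07-02 18:41:10 18.223.199.234 POST /dl.asp - 200
2021-07-02 18:41:12 18.223.199.234 POST /userFilterTableRpt.asp - 200
2021-07-02 18:41:30 18.223.199.234 POST /KUpload.dll fileName=agent.crt 200
2021-07-02 18:41:41 18.223.199.234 POST /KUpload.dll fileName=Screenshot.jpg 200
2021-07-02 18:42:00 10.0.0.7 GET /dl.asp - 302
"""

def parse_w3c(text):
    """Return one dict per request line, keyed by the #Fields column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def triage(text):
    """Return suspicious requests as (client ip, reason, uri) tuples."""
    findings = []
    for row in parse_w3c(text):
        ip, stem = row["c-ip"], row["cs-uri-stem"]
        reason = SUSPICIOUS_PATHS.get(stem)
        # Only 200 responses count: a 302 back to login means the endpoint granted nothing.
        if reason is None or row["sc-status"] != "200":
            continue
        if stem == "/KUpload.dll":
            hit = next((n for n in SUSPICIOUS_UPLOADS if n in row["cs-uri-query"]), None)
            reason = f"upload of {hit}" if hit else reason
        findings.append((ip, reason, stem))
    return findings

if __name__ == "__main__":
    for ip, reason, stem in triage(SAMPLE_LOG):
        print(f"{ip:16} {stem:26} {reason}")
```

Against the constructed excerpt, every finding comes from 18.223.199.234, while the internal client that was redirected away from dl.asp is left out.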

Foreign security researchers are working with AWS and law enforcement to investigate the IP address 18[.]223.199.234; we will see whether more information is released later.

The first stage of the supply chain attack, as reconstructed by the investigation and traceability analysis, is as follows:


The Screenshot.jpg file has not been found here. I am not sure what this file does, so this will have some impact on the analysis and traceability of further details.

After agent.crt was uploaded to the VSA server, the investigation found that the hacker group used a PowerShell script to execute the relevant command line, as shown below:


The malicious update program agent.exe is pushed out and executed through the VSA update mechanism; it releases the ransomware payload and uses a Windows Defender program to load and execute it, the so-called white + black method (a legitimate signed executable side-loading a malicious DLL).

The second stage of the supply chain attack, as reconstructed by the investigation and traceability analysis, is as follows:

I had no chance to take part in the traceability analysis of this ransomware, and no way to obtain the relevant files and log data, so I have only reconstructed part of the process of this supply chain attack from the reports of the relevant foreign vendors and from some outside sources. Those vendors did not fully reconstruct the entire attack process either, because some files have not been obtained and may have been deleted by the hacker group.

In a lot of traceability and analysis work on ransomware and other malware, it often happens that the hacker group has deleted some of the logs and malware-related information on the system or product, so the complete attack process cannot be traced; one can only analyze and trace based on experience and on the existing log data and malicious files that were captured. In fact, only the hacker group really knows the complete process of each attack. Security analysts can only analyze and trace the source based on the logs and malicious files left on the system, reconstruct the attack process as far as possible, and do a good job of emergency response, detection and defense. Analysis and traceability is itself a very complicated task that depends on many objective factors, and it requires more of the relevant logs and the capture of the corresponding malware.

From the analysis and traceability work of foreign security vendors, it can be seen that the supply chain attack launched by the Sodinokibi (REvil) ransomware group is not simple. It not only used 0day vulnerabilities but also did a lot of work to evade detection on the host system. The hacker group is also very familiar with the Kaseya VSA system and did a lot of preliminary research before launching the targeted attack. At the same time, white + black is a method frequently used in APT attacks; as mentioned earlier, ransomware hacker groups have begun to use APT attack methods to carry out complete targeted attack operations.

In many ransomware cases handled during emergency response, ransomware hackers often like to launch large-scale ransomware attacks on a Friday. Is it meant to match "Black Friday"? It can be observed that many major ransomware attacks have occurred on a Friday.

Finally, the Sodinokibi (REvil) ransomware group asked for 70 million US dollars to release a universal decryptor that can unlock all computers encrypted during this supply chain attack, and on their dark web blog they claimed that over a million systems were locked during the incident, as follows:


It can be seen from the ransom demand that the hacker group must have prepared extensively for this supply chain attack.


CISA and the FBI have released guidance for MSPs and their customers affected by the Kaseya VSA supply chain ransomware attack; the link is as follows:

As part of that guidance, Kaseya released related detection tools, as follows:


Reference link:


Ransomware hacker groups keep updating their tooling and have never stopped launching new attacks and looking for new targets. In the next few years, ransomware attacks will remain the biggest security threat in the world.

There are really too many security incidents now. Many enterprises have various security threats lurking inside them, and all kinds of malware are everywhere. On the one hand this malware silently monitors and collects data within the enterprise; on the other hand it provides a carrier for ransomware attacks, perhaps just waiting for an opportunity to erupt. More professional security analysts are needed to discover the potential security threats within the enterprise.

