Breaking Alert: MSP Targeted Ransomware Attack (Kaseya Supply Chain Attack)

Managed Service Providers (MSPs), especially ones using Kaseya VSA, should read this and take action as soon as possible.

Technical & Product Update, July 3, 2021:


Yesterday afternoon, we warned you of a breaking ransomware attack affecting Managed Service Providers (MSPs) and the customers they serve. Today, we are updating this post with more technical detail and product defense information, as well as some analysis that comes from our Panda Research team, using the threat intelligence from our Adaptive Defense 360 (AD360) and Cytomic products.


Before diving into the technical details, here are WatchGuard's high-level product protections. Both our network and endpoint solutions can identify the malicious ransomware encryptor (agent.exe) dropped during this attack. From the moment we first learned of the attack, APT Blocker, our proactive behavior-based sandbox, identified this ransomware file as malicious, and our Gateway Antivirus (GAV) service detects it as well. On the endpoint side, AD360 (WatchGuard EPDR) and Cytomic also detect this threat. Beyond identifying the malicious agent.exe file, AD360's Contextual Engine detects many of the malicious actions that the compromised Kaseya agents attempt; we share more detail in our research below. That said, the community does not yet know the ultimate root cause of this compromise. Many suspect a vulnerability in Kaseya VSA (perhaps related to its update mechanism). Without knowing how the attack starts, it is hard to say at what point scanning by our network products would help, but if you run our endpoint products on your Kaseya VSA server (assuming you use the on-premises version), you have protection there.


Let’s get into some technical details, discovered by our Panda (endpoint) threat hunting and research team.


Incident Overview:


Our telemetry first sees this attack starting on July 2, at 13: ..
