Until We Get Better at Trusted Environments, Attacks Like Kaseya Will Continue

Go ask a cybersecurity professional to explain how a digital certificate works, how it protects the privacy of the user, and how it proves the identity of a Web site. If they can explain it, that’s great. If not, be worried. Then ask a software developer about the technical methods used to sign and verify software libraries and API connections; if they can explain these, all is good. Unfortunately, it is not all rosy. I have observed a general lack of knowledge of the core of trust and security on the Internet: PKI.

But why is this so important? Well, we too often dwell on the after-effects of a security incident, and not on how to be secure by design. And it is digital certificates and breaches of the trust infrastructure that can cause considerable damage across the industry. In SolarWinds, the intruders got deep enough into the vendor’s build environment that a new version of the Orion software, compiled with a backdoor, was signed with SolarWinds’ own trusted code-signing key, so every customer’s signature check passed.
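As an added illustration (my own code, not from the original post and not SolarWinds’ or Kaseya’s tooling), the Go program below uses Ed25519 to show why a signature check alone does not catch this: a backdoored build signed with the legitimate key verifies exactly as the clean one does. The two artifacts, the fixed signing seed and the pinned digest are constructed assumptions for the example; the second verifier models an installer that also requires the artifact hash to match a digest published through an independent channel, such as a reproducible-build manifest or a transparency log.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for a vendor release; not real SolarWinds or Kaseya binaries.
var (
	CleanBuild      = []byte("orion-core.dll v1.0 :: legitimate business logic")
	BackdooredBuild = []byte("orion-core.dll v1.0 :: legitimate business logic :: + hidden beacon")
)

// signingSeed stands in for the vendor's code-signing private key. The fixed value is an
// assumption so the example is reproducible; a real key would live in an HSM.
var signingSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// SigningKey derives the vendor key pair from the seed.
func SigningKey() ed25519.PrivateKey { return ed25519.NewKeyFromSeed(signingSeed) }

// SignBuild is what anyone who controls the build pipeline (or the key) can run at will.
func SignBuild(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifySignatureOnly is the check most installers perform: "was this signed by the vendor key?"
func VerifySignatureOnly(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// VerifyWithPinnedDigest additionally requires the artifact hash to equal a digest obtained
// through an independent channel, so a signed-but-unexpected build is still rejected.
func VerifyWithPinnedDigest(pub ed25519.PublicKey, artifact, sig []byte, expected [32]byte) bool {
	if !ed25519.Verify(pub, artifact, sig) {
		return false
	}
	return sha256.Sum256(artifact) == expected
}

func main() {
	priv := SigningKey()
	pub := priv.Public().(ed25519.PublicKey)
	pinned := sha256.Sum256(CleanBuild) // what the vendor's reproducible build is expected to produce

	for _, c := range []struct {
		name string
		art  []byte
	}{{"clean", CleanBuild}, {"backdoored", BackdooredBuild}} {
		sig := SignBuild(priv, c.art)
		fmt.Printf("%-10s signature-only=%v  signature+pinned-digest=%v\n",
			c.name, VerifySignatureOnly(pub, c.art, sig), VerifyWithPinnedDigest(pub, c.art, sig, pinned))
	}
}
```

The point is not that Ed25519 is weak; it is that a valid signature only proves possession of the key at signing time. Once the key, or the pipeline that holds it, is compromised, trust has to come from somewhere the attacker does not control.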

The initial details of the intrusion in the Kaseya attack (which unfolded in early July 2021) have now been published here. Despite reports describing it as a supply chain attack, it was not a compromise of Kaseya’s software build; it was an attack on internet-facing Kaseya VSA servers, whose agent-management features were then used to push the payload to the endpoints they managed. Overall, the intruders dropped REvil’s Sodinokibi ransomware through a stolen digital certificate and some simple trust weaknesses that allowed them to breach the infrastructure.

The intrusion involved an authentication bypass in the VSA’s ASP.NET web interface, after which KUpload.dll is likely to have been used to upload a fake certificate, agent.crt, which is really a base64-encoded malware dropper, together with a file named Screenshot.jpg that contained malicious JavaScript. Within the Kaseya agent procedure, the legitimate Windows certutil.exe tool is then invoked with -decode. certutil does not validate agent.crt at all; it simply base64-decodes the file into an executable, agent.exe (compiled on 1 July 2021), and because certutil is a signed system binary, the download-and-decode step sidesteps controls that would block an unknown downloader. agent.exe then writes two embedded resources, MODLIS and SOFTIS, to disk. SOFTIS is an older, legitimately signed Microsoft Defender executable that loads a DLL named MpSvc.dll from its own directory, and MODLIS is a malicious MpSvc.dll carrying the ransomware payload, a classic DLL side-loading arrangement:

[Figure: dropping of files]

This method of propagation has been seen at least once before. For Defender to act in this way, the intruders dropped a version of MpSvc.dll signed with a stolen digital certificate; the legitimate Defender executable loads it from the same directory without further checks. Another part of the dropping of the malicious code is the opening of the firewall on the local server:

netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes
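As an added example (my own code, not from the original post or the SentinelOne report), the Go program below runs simple detection logic over constructed process-creation records that imitate the chain described above: certutil -decode turning a .crt into an .exe, a Defender engine binary executing outside its install directories, and the netsh Network Discovery rule. It also includes a Defender real-time-monitoring disable step via Set-MpPreference, which the text does not discuss; that record, the log format, the hostname and all paths are assumptions built for the example, not captured telemetry.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one matched rule together with the record that triggered it.
type Finding struct {
	Rule string
	Line string
}

// SampleLog holds constructed process-creation records in a simplified
// "<time> host=<h> image=<path> cmdline=<command line>" format. They imitate the
// dropper chain described in the text; they are not real VSA or REvil telemetry.
const SampleLog = `2021-07-02T14:03:09Z host=VSA-MSP01 image=C:\Windows\System32\cmd.exe cmdline=cmd /c whoami
2021-07-02T14:03:11Z host=VSA-MSP01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell Set-MpPreference -DisableRealtimeMonitoring $true
2021-07-02T14:03:12Z host=VSA-MSP01 image=C:\Windows\System32\certutil.exe cmdline=certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
2021-07-02T14:03:13Z host=VSA-MSP01 image=C:\Windows\System32\certutil.exe cmdline=certutil -verify C:\certs\vendor.crt
2021-07-02T14:03:15Z host=VSA-MSP01 image=C:\Windows\MsMpEng.exe cmdline=C:\Windows\MsMpEng.exe
2021-07-02T14:03:16Z host=VSA-MSP01 image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe cmdline=MsMpEng.exe
2021-07-02T14:03:20Z host=VSA-MSP01 image=C:\Windows\System32\netsh.exe cmdline=netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes`

var (
	recordRe = regexp.MustCompile(`^(\S+) host=(\S+) image=(.+?) cmdline=(.*)$`)
	// certutil used as a decoder rather than as a certificate tool: a .crt turned into an .exe.
	certutilDecodeRe = regexp.MustCompile(`(?i)^certutil(\.exe)?\s.*-decode\s+\S+\.crt\s+\S+\.exe\b`)
	defenderOffRe    = regexp.MustCompile(`(?i)Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true`)
	netDiscoveryRe   = regexp.MustCompile(`(?i)advfirewall\s+firewall\s+set\s+rule\s+"?group=Network Discovery"?\s+new\s+enable=yes`)
	// Directories from which the Defender engine legitimately runs (lower-cased for comparison).
	defenderDirs = []string{`\program files\windows defender\`, `\programdata\microsoft\windows defender\platform\`}
)

// engineOutsideInstallPath flags MsMpEng.exe executing from anywhere but its install directories,
// the tell-tale of the side-loading stage (an old Defender binary dropped next to a malicious MpSvc.dll).
func engineOutsideInstallPath(image string) bool {
	p := strings.ToLower(image)
	if !strings.HasSuffix(p, `\msmpeng.exe`) {
		return false
	}
	for _, d := range defenderDirs {
		if strings.Contains(p, d) {
			return false
		}
	}
	return true
}

// Scan applies every rule to every record; a single record may produce more than one finding.
func Scan(log string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		m := recordRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		image, cmd := m[3], m[4]
		if defenderOffRe.MatchString(cmd) {
			findings = append(findings, Finding{"defender-realtime-monitoring-disabled", line})
		}
		if certutilDecodeRe.MatchString(cmd) {
			findings = append(findings, Finding{"certutil-decode-crt-to-exe", line})
		}
		if engineOutsideInstallPath(image) {
			findings = append(findings, Finding{"defender-engine-outside-install-path", line})
		}
		if netDiscoveryRe.MatchString(cmd) {
			findings = append(findings, Finding{"firewall-network-discovery-enabled", line})
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Line)
	}
}
```

Each rule on its own is noisy (administrators do run certutil and netsh); what makes the chain worth alerting on is several of them firing on one host within seconds, launched from the management agent rather than an interactive session.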

It is interesting that the ransomware uses Salsa20 rather than AES for file encryption: Salsa20 is a stream cipher that is fast in pure software and needs no hardware acceleration, so it encrypts files quickly on any host. You can read more details here:

https://www.sentinelone.com/blog/revils-grand-coup-abusing-kaseya-amanaged-services-software-for-massive-profits/