Executive Summary

A suspected zero-day exploit was used to deliver REvil ransomware to thousands of corporate endpoints.
Attackers targeted Kaseya VSA servers commonly used by Managed Security Service Providers and IT management firms in order to reach the breadth of their respective customers.
The attackers abused a variety of benign components, such as certutil.exe, Microsoft Defender, and stolen digital certificates as part of their execution chain.
At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).
In this post, we cover the attack’s execution chain, provide a video showing SentinelOne Singularity’s response against the attack, and provide indicators as well as hunting rules to assist defenders.

What Happened?

On Friday, July 2nd, 2021 a well-orchestrated, mass-scale, ransomware campaign was discovered targeting customers of Kaseya’s managed services software and delivering REvil ransomware. It was initially considered a supply chain attack, a safe assumption at that scale, but with time it became apparent that the attackers were instead leveraging a zero-day exploit against internet-facing Kaseya VSA servers.

Kaseya’s initial advisory underscored the severity of the situation as the company instructed customers to shut down VSA servers until further notice.

Initial statement from Kaseya

Since then, Kaseya has engaged the security community and triaged the root cause of this incident. This post seeks to unravel the infection chain, highlight relevant indicators, and clarify protections for our customers.

Malware execution chain

Kaseya VSA Exploit and Infection Chain

Current findings show logic flaws in one of the VSA components (dl.asp) may have led to an authentication bypass. The attackers could then use KUpload.dll to drop multiple files including ‘agent.crt’, a fake certificate that contains the malware dropper. Another dropped artifact, Screenshot.jpg, appears to be a JavaScript file and has only been partially recovered at this time. Specific details regarding the exact nature of the exploit used are still being discovered as the analysis is ongoing.

The suspected exploit chain ends with a SQL injection in userFilterTableRpt.asp in order to queue up a series of VSA procedures that would execute the malware and purge the logs. This activity was seen originating from a hijacked AWS EC2 instance 18.223.199[.]234. Additional activity was observed originating from 161.35.239[.]148 (DigitalOcean), 162.253.124[.]16 (Sapioterra), and 35.226.94[.]113 (Google Cloud).

REvil malware infection chain

The malicious procedure was labeled ‘Kaseya VSA Agent Hot-fix’. This is a series of commands that check for internet access and use PowerShell to disable a sequence of native Operating System security measures including real-time monitoring, intrusion prevention, network protection, and sample auto-submission. The procedure then invokes the native certutil.exe application commonly used to validate certificates and uses it to decode the contents of ‘agent.crt’ into an executable, agent.exe.

The agent.exe binary was compiled on July 1st, 2021 and acts as a dropper for two embedded executable resources, ‘MODLIS’ and ‘SOFTIS’.

Resources embedded in agent.exe

Resource 101, SOFTIS, is an outdated but legitimate Microsoft Defender executable that is used to sideload the malicious payload. It’s worth noting that this delivery mechanism, a sideloading dyad (a two-part execution chain), has been used to deliver REvil since at least April 2021.

The payload itself is contained in resource 102, under the resource name ‘MODLIS’.

SHA256: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
SHA1: e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
MD5: 7ea501911850a077cf0f9fe6a7518859
Compilation Timestamp: 2021-07-01 12:39:06
Signature Date: 2021-07-02 23:15:00
Size: 788.88 KB
Digital Signature: PB03 TRANSPORT LTD.

In order for the malicious payload to be sideloaded by Microsoft Defender, the DLL is dropped at %WinDir%\MpSvc.dll and exports the functions ServiceCrtMain, ServiceMain, and SvchostPushServiceGlobals. The file is signed with a digital certificate stolen from a Canadian transport company, one of several stolen certificates recently employed by REvil. The ransomware uses statically-linked OpenSSL for its cryptographic operations. ServiceCrtMain() creates a thread that deobfuscates the main payload.

While the IOCs directly relevant to the Kaseya incident are a specific subset, we have collected samples for a cluster of similar execution chains including the Microsoft Defender sideloading dyad and still valid stolen digital certificates. We have provided hashes and YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

During this process, netsh.exe (as we have seen with prior REvil samples) is also called, making the following adjustment to local firewall rules:

netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes

The following are still valid signers. We have provided YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

BUKTBAI, OOO
thumbprint = "282ebc0a99a6328343a7d7706465778c3925adb6"
PB03 TRANSPORT LTD
thumbprint = "11ff68da43f0931e22002f1461136c662e623366"
OOO Saylent
thumbprint = "0d61738e6407c01d5c9f477039fb581a5f81f436"

Encryption and Post Encryption Behavior

The Salsa20 encryption algorithm used by this variant of the REvil ransomware is incredibly fast compared to other common encryption algorithms and is an optimal choice for a ransomware operation of this magnitude. Other highly-prolific ransomware families have employed the same algorithm (e.g., DarkSide & later variations of Petya / GoldenEye).

Once the contents of the machine have been successfully encrypted, ransom notes are dropped alongside encrypted files and the machine’s wallpaper is changed to alert users to their predicament.

Ransom note displayed upon infection

The ransom note directs users to an .onion site and an alternative for those that don’t have access to TOR. The site asks for the key appended to the ransom note before providing a ransom amount for that specific endpoint, along with a timer that indicates how long the victim has to pay before the ransom demand increases. The standard demand for a non-corporate domain machine is the equivalent of $44,999 in Monero (XMR) or Bitcoin (BTC). Taking a broader view, the REvil gang has reportedly offered a universal decrypter for the eye-watering lump sum of $70 million (later amended to $50 million).

July 4th Update from the REvil gang

Latest Developments

On Monday, July 5, Kaseya announced they are developing a new patch for on-premise installations in order to help customers get back into service. Kaseya also published a Compromise Detection Tool so customers can check whether their on-premise installation had actually been compromised.

Since this outbreak, attackers have been scanning for internet-exposed Kaseya on-premise servers using publicly available platforms such as Shodan.io. This time window allows attack groups besides REvil to obtain immediate access over the internet to sensitive customer networks.

This attack proves again the necessity of a modern EDR solution that defends against improper use of built-in operating system executables (LOLBINs), for example by detecting certutil.exe writing executables, or signed software such as MsMpEng.exe running from unexpected locations and executing unexpected code.
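The detection points listed above (certutil.exe decoding into an executable, MsMpEng.exe launched outside its install directory, the PowerShell Defender tampering and the netsh rule change from the "hot-fix" procedure) can be expressed as simple process-creation checks. The following is an added example written for this post, not SentinelOne code; the event shape, the expected Defender directories and the C:\sample paths are assumptions, and the telemetry is constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; the shape is an assumption)."""
    image: str     # full path of the executable that started
    cmdline: str   # its command line


# Directories a genuine MsMpEng.exe is expected to run from (assumption: typical
# Defender install locations; compared case-insensitively with a trailing backslash).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_certutil_decode(ev: ProcEvent):
    """certutil.exe -decode <in> <out>: flag when the output name is an executable."""
    if _basename(ev.image) != "certutil.exe":
        return None
    if not re.search(r"(?i)(^|\s)-decode(hex)?(\s|$)", ev.cmdline):
        return None
    args = ev.cmdline.split()
    if args[-1].lower().endswith((".exe", ".dll")):
        return "certutil decoding a file into an executable"
    return None


def check_defender_location(ev: ProcEvent):
    """MsMpEng.exe started outside its normal install directories (sideloading dyad)."""
    if _basename(ev.image) != "msmpeng.exe":
        return None
    low = ev.image.replace("/", "\\").lower()
    if any(low.startswith(d + "\\") for d in DEFENDER_DIRS):
        return None
    return "MsMpEng.exe running from an unexpected location"


def check_defender_tampering(ev: ProcEvent):
    """PowerShell Set-MpPreference turning off the protections the procedure disables."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev.cmdline.lower()
    knobs = ("disablerealtimemonitoring", "disableintrusionpreventionsystem",
             "enablenetworkprotection", "submitsamplesconsent", "mapsreporting")
    if "set-mppreference" in cl and any(k in cl for k in knobs):
        return "PowerShell disabling Defender protections"
    return None


def check_netsh_network_discovery(ev: ProcEvent):
    """netsh advfirewall enabling the Network Discovery rule group."""
    if _basename(ev.image) != "netsh.exe":
        return None
    cl = ev.cmdline.lower()
    if "advfirewall" in cl and "network discovery" in cl and "enable=yes" in cl:
        return "netsh enabling the Network Discovery firewall rule group"
    return None


CHECKS = (check_certutil_decode, check_defender_location,
          check_defender_tampering, check_netsh_network_discovery)


def detect(events):
    """Return (image, reason) for every event that trips one of the checks."""
    findings = []
    for ev in events:
        for check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append((ev.image, reason))
    return findings


# Constructed sample telemetry: four events mirroring the chain, then three benign ones.
# C:\sample is a placeholder staging directory, not the real one.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\sample\agent.crt C:\sample\agent.exe"),
    ProcEvent(r"C:\Windows\MsMpEng.exe", "MsMpEng.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
              "-DisableIntrusionPreventionSystem $true -SubmitSamplesConsent NeverSend"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes'),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"certutil.exe -verify C:\sample\cert.cer"),
    ProcEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    for image, reason in detect(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

Each check fires on one event of the chain and stays silent on the benign look-alikes, so the three benign events produce no findings.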

This threat is detected and mitigated by SentinelOne:

SentinelOne vs REvil (Sodinokibi)
Preventing the Kaseya Ransomware Attack

Conclusions

While the full impact of this attack is still unfolding, it’s a further escalation in the sophistication of cybercrime, not only on the technical side but also in how the attack was orchestrated. It’s clear that the perpetrators are well aware of the PR implications and will use widespread disruptions to try to maximize the payouts. This is yet another reminder of why security products need to leverage the power of data, specifically rich behavioral data, and AI. Malware and ransomware are increasingly cunning and novel in their techniques to compromise devices. A data-driven and AI-powered approach creates an autonomous posture to cybersecurity. It’s not enough to use signature-based or human-powered legacy solutions to protect your organization’s attack surfaces as every second counts when defending from advanced attacks like this one.

While we continue to uncover the full ramifications of this attack, our advice to defenders is to always act under the assumption that their networks already host malicious actors. The exorbitant profits realized by cyber criminals will only add to the sophistication of the attacks we’ll continue to see; the means and motivations are already there. Ransomware is a reality that every organization operating in the digital age must face. Cybersecurity today has become a critical part of corporate operations: the ability of malicious actors to disrupt and profit has reached new levels of relevance as a possible existential threat to businesses.

Indicators of Compromise

Samples

agent.crt encoded dropper
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe dropper
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Payloads
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:

MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

import "pe"
import "math"

rule cw_REvil_Kaseya_BUKTBAI_stolenCert
{
    meta:
        desc = "Stolen digital certificate: BUKTBAI"
        author = "JAG-S @ SentinelLabs"
        last_modified = "07.02.2021"
        version = "1.0"
        hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
        hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
        hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
        hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
    condition:
        uint16(0) == 0x5a4d
        and
        for any signer in pe.signatures:
        (
            signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO"
            or
            signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52"
            or
            signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6"
        )
}

rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert
{
    meta:
        desc = "Stolen digital certificate: PB03 TRANSPORT"
        author = "JAG-S @ SentinelLabs"
        last_modified = "07.02.2021"
        version = "1.0"
        hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
        hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
        hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
    condition:
        uint16(0) == 0x5a4d
        and
        for any signer in pe.signatures:
        (
            signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD."
            or
            signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0"
            or
            signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366"
        )
}

rule cw_REvil_Kaseya_SAYLENT_stolenCert
{
    meta:
        desc = "Stolen digital certificate: OOO Saylent"
        author = "JAG-S @ SentinelLabs"
        last_modified = "07.02.2021"
        version = "1.0"
        hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
        hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
    condition:
        uint16(0) == 0x5a4d
        and
        for any signer in pe.signatures:
        (
            signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent"
            or
            signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e"
            or
            signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436"
        )
}

rule cw_REvil_Kaseya_Dropper
{
    meta:
        desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload"
        author = "JAG-S @ SentinelLabs"
        last_modified = "07.02.2021"
        version = "1.0"
        hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
        hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
        hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
        hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
    strings:
        $drop_ransom = "mpsvc.dll" ascii wide fullword
        $drop_defender = "MsMpEng.exe" ascii wide fullword
        // backslashes must be escaped inside a YARA text string
        $drop_path = "C:\\Windows\\" wide fullword
    condition:
        uint16(0) == 0x5a4d
        and
        (
            2 of ($drop*)
            and
            pe.number_of_resources == 2
            and
            // both embedded resources (SOFTIS and MODLIS) are high-entropy blobs
            for all rsrc in pe.resources:
            (
                math.entropy(rsrc.offset, rsrc.length) >= 6.7
            )
        )
}


This week, REvil ransomware operators exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key for all victims of the Kaseya attack. To put that in context, last year, all ransomware extortion payments were calculated at $350 million in cryptocurrency. Insurance carriers are paying those claims, but the increased cost and frequency/timeline to pay is outside the scope of traditional insurance.

No market segment or industry group has been spared by ransomware. In this threat environment, two things are certain: organizations need better security stacks/fewer bugs, and they need to transfer risk via cyber insurance. Unfortunately, a lot of companies viewed this as an “either/or” proposition and that has driven losses and dramatic change in the way that insurers price cyber risk.

Marsh Insurance reported a 35% increase in cyber insurance premiums last month, the largest in 5 years. Unsustainable loss ratios have led to higher premiums for less coverage and higher retentions (deductibles). Many companies will not qualify for renewal if their tech stack is not up to par. Brokers report all markets are requiring higher technical standards and many now require EDR. Companies that don’t present well will not qualify for coverage.

For those that are new to this area, Cyber insurance is a two-tiered market. You need a broker to purchase the coverage from a carrier (AXA, Chubb, etc.). The carriers use Reinsurance to share the losses, and now the reinsurers are tightening their guidelines under their ‘treaties’ with carriers and reducing capacity.

Brokers must navigate the risk management issues with each client as they attempt to secure coverage. It’s a lengthy process and ‘real-time’ network security reports are difficult to obtain. Most company-specific cyber analysis reports are from the outside of the network, looking in. While this data is useful, it doesn’t tell you what evil may be hiding on systems inside the company.

What should companies expect during the new underwriting process? We spoke with several Cyber insurance brokers to determine how companies can qualify for cyber insurance given the stringent new guidelines.

Our panel of experts includes:

Chris Keegan, Sr. Managing Director of Beecher Carlson
Anthony Dagostino, EVP at Lockton Companies
David Lewison, EVP of AmWINS Insurance
Jesus Gonzalez, Cyber Chief of Staff, Aon Insurance

Are your clients able to keep their Cyber policy coverage intact? How has coverage and policies changed?

David: The main reaction to the ransomware pandemic is to cut limits. A small handful of insurers are pushing coinsurance for all ransomware related expenses. The rates are unpredictable at the moment. The underwriters don’t want to lose good risks – at least those they think are good. Retentions are rising. Brokers would rather sell higher premiums than restrict coverage. The last thing we want is to see premiums paid, but losses not covered. Many markets are making their ransomware applications mandatory. Any answers that they don’t like and they won’t quote or stay on a renewal. They used to just charge more if a risk didn’t look as locked up. Now they walk. It’s made it tougher to find a home for the companies that are behind on their security posture.

Anthony: Many are in-line but some high, much higher, and some lower. It depends on the industry, loss history and controls in place. Capacity is getting a bit more strict and large clients are seeing a push to higher retentions in some cases.

Chris: As we started the first quarter of 2021, we were aware the frequency and severity of ransomware claims would require cyber insurance markets to make major adjustments to their books. Directionally this meant reducing limits, increasing premiums by 30% to 40%, and in some cases, reducing their exposure to ransomware through sub-limits and coinsurance.

All relatively manageable, but as we come towards the end of Q2, the landscape has changed dramatically with increases for large clients in the 40% to 50% range and some smaller clients seeing increases of over 100%. Markets have contacted us that they are pulling out of the cyber insurance market entirely. Furthermore, insurance carriers are informing us they have a limit to how much business they can write. In other words, once they’ve reached a total number of exposed limits, they are done for the year. BCS, who support us on a number of large accounts that renew in Q4, contacted us to say they have only half the limits available and to reserve those limits now; and as for the large leading markets, namely AIG, Chubb and Axis, be prepared to have limits reduced by half.

Whether we continue to see carriers leaving the market or not, one thing is for sure, the underwriting process is much more intense and we need to be prepared to help assess our clients’ risk, determine where our clients are in their cybersecurity maturity lifecycle, and assist in creating a plan forward towards a comprehensive solution.

Jesus: On January 1, 2021 many reinsurance treaties renewed albeit at a significantly higher cost due to loss ratios and coupled with more stringent underwriting requirements. The term ‘hardening’ insurance market took on new meaning for network security and privacy liability (cyber) space due to recent events including SolarWinds and MSFT exchange server vulnerabilities. In terms of coverage changes, a handful of insurers are injecting coinsurance as part of the cyber extortion (ransomware) insuring agreement. This has not previously been seen in the cyber insurance space.

As far as capacity is concerned, we are seeing a vast range of behaviors; from many insurance market partners reducing their limits on any particular risk to non-renewing terms and conditions even for risks that have no claims history and better than average cyber controls. As far as business interruption coverage is concerned, many are pulling back on contingent business interruption (BI) coverage extended to cover an insured’s loss of income due to a vendors’ cyber event. Ensuring that the client has a strong vendor due diligence program in place is key to maintaining this coverage.

How does the Broker help the client maintain/secure coverage? Are you utilizing network scans or similar to meet with carrier underwriting requirements?

David: We don’t have any scan technology of our own so we rely on the offerings of the insurtechs and carriers that have been doing that. One thing I’ve been watching is what scan is being used. A few insurtechs have built their own scan while many other insurers are outsourcing, often to the same one or two vendors. If they all use the same vendor, do they get a competitive edge? If they don’t scan, are they going to be victims of bad risk selection? What if the scan is looking at the wrong things? I believe scans are good for assessing a portfolio of risks for the carriers.

Another interesting thing is who gets to see the scan. The insurtechs share the scan data so clients can work on their weaknesses. Other carriers use the scan as part of risk selection, but don’t share it. The best way we have to maintain coverage is to be in tune with the huge range of insurers and their appetites. With 100+ insurers and fluctuating appetites, it’s very challenging to find the perfect carrier partner for every unique risk. We get there by collaborating and sharing what we are seeing across industry groups, revenue sizes, insurer appetites, loss trends, etc.

Anthony: We’ve really shifted over the past 12 months or so to more cyber risk management in addition to just the placement of the policy. We utilize risk quantification tools and network scans in some cases to preempt the underwriting response.

Chris: We are utilizing external network scans (Binary Edge) to allow our clients to see what the underwriters are seeing. For us, it’s advising where the most critical issues are from, combined with the underwriter’s perspective in helping our clients develop a narrative for those areas where there are weaknesses and helping them to express where they’re strong.

Will your larger enterprise accounts be able to keep their coverage at current levels or will the renewal costs be prohibitive or cause a reduction in coverage?

David: We are definitely seeing cases where the insurers are reducing their limits on larger risks and there aren’t enough insurers jumping in to fill those gaps. We’ve had some challenging placements higher up on towers as insurers have reduced limits and dropped lower where the premiums are higher. Higher retentions are one way for the client to share in the risk and find more interested insurers. Accepting a level of coinsurance for ransomware is another.

Anthony: It depends on the client, the program, and their approach to risk. Some have bought more limit in the environment given the exposures while others manage to budgets and explore higher self-insured retentions, loss corridors, and increased captive use.

Chris: This is a work in progress at the moment. The capacity available is shrinking so towers are reducing. We are often working to replace gaps with co-insurance from the client’s captive. Decisions on risk transfer versus self-insurance are being made on a case by case basis looking at cost benefit. Going forward we think the market will find some level of equilibrium so we find many of our clients continuing to purchase the cover rather than self-insure where they can in the hope that they will be able to hold onto their programs through this period to a point where the market normalizes.

Jesus: Larger enterprise accounts, those defined by annual revenues of $2B or greater, can expect a 10-fold effort to renew their program and should allocate a sufficient amount of time by aligning internal resources including CISO, legal, compliance, and procurement to successfully address all insurance market inquiries surrounding their E&O/Cyber program. Cyber insurance markets are now requiring baseline application, supplementals (including ransomware), and a formal underwriting meeting to address any/all questions surrounding their cybersecurity hygiene. We are advising clients to start four to six months in advance of their renewal date.

Even if the large enterprise entity addresses all required underwriting information, we are still seeing renewal costs surge. All sensitivity analyses that were previously provided for budgeting purposes to clients have been completely blown, due to primary programs experiencing greater than 50% YoY premium increases in the second quarter for expiring terms and conditions on various risk profiles. As a broker, we have to provide the client options including raising the self-insured retention level, a reduction in total capacity, or removing some insuring agreements. We are seeing a significant increase in the use of captives to address capacity shortfalls or to maintain a reasonable pricing structure from the more sophisticated risk managers.

What is your best guidance for companies seeking new policies or renewals in this environment?

David: As is always the case in insurance, any uncertainty leads to higher prices and fewer options. Come prepared to be transparent with underwriters. They are being selective on risks and want to be sure they are getting good risks. If you hide details, they’ll just take a pass.

Anthony: Know the marketplace, know the key controls needed to get the best coverage, and work with your broker. If renewing coverage, start the process very early.

Chris: Start preparing your submission for the insurance well in advance. For large companies that may mean six months or more in advance of the renewal. Critically review key controls for ransomware attacks and prepare your ID security team to be able to talk to those controls and provide a well-crafted presentation to the underwriting community.

Jesus: For new placements, our advice is that you work with an experienced broker to ensure that your company is prepared for the barrage of underwriting questions that will come across various domains including but not limited to:

Operational IT
Security Organization
Software/Network Connectivity (MFA in place across the firm)
Access Management (limited Domain Admin accounts)

Security Controls/Procedures
Intrusion Testing, Detection and Prevention (think endpoint protection, firewalls, etc.)
Policies & Procedures (documented and tested)
Hosting of Information + Encryption (DLPs)

Business Continuity & Incident Response Planning (documented, tested, updated)
Vendor Management (think SolarWinds)

For renewals, our recommendation is to start early. The risk manager should query the firm and gather as much intelligence in preparation for the renewal cycle from internal stakeholders to ensure the company’s risk profile has not changed significantly from the previous year, including a new acquisition/divestiture, new vendor partner providing key services (new MSSP perhaps), or new contract requirements stipulated a certain level of coverage and/or limits.

With an updated risk profile in hand, the risk manager should reach out to the broker to query all existing insurance partners for their concerns, appetite, and upcoming requirements but most importantly for their continued support of the risk transfer solution. Finally, the risk manager should confirm that the risk transfer program is in alignment with the corporate strategy especially since this ‘hardening’ market will impact budgeting.

What are your clients saying about the ransomware threat? Do they believe they are sufficiently protected? Do they expect insurance will cover their losses?

David: As a wholesaler, we don’t often get to talk to the clients. I know the clients are concerned about ransomware based upon the increase in first time buyers across the SME and middle market space. We’re not seeing companies dropping coverage, which they would do if they didn’t see value in the policy.

Anthony: It’s the biggest concern because it’s so real and in the news hitting all industries. Education and transparency is critical so they understand what’s covered, what isn’t, and how coverage may have changed upon renewal.

Chris: The more we are seeing ransomware events the more that our clients are becoming concerned about the threat. There are still companies out there who think that they are not likely to be a target even though some have controls that are less than they should be in this environment. They do believe that the insurance coverage will help them respond to ransomware attacks and cover their losses. The history has been very good in insurance markets making payments for ransomware.

Which industry groups are most concerned with the latest iteration of double ransom with data exfiltration? Do they expect the threat actor to delete data if ransom demands are met?

David: I would think any industry that holds a lot of PII and PHI or confidential corporate information would be the most concerned. Does anyone fully trust a threat actor?

Chris: Most companies are only now becoming aware of the double ransom and triple ransom in some instances where the threat actors are reaching out to the people whose personal information has been released and seeking extortion money from them. It seems that all groups of companies are concerned. Those companies without a large database of third party personal information are still concerned for their employee information.

What are Board Directors saying to management about steps they should take…most expedient way to get back online or follow the FBI guidance?

Chris: Almost all of the companies that we deal with are most concerned about the direct business impact and are taking whatever steps they deem necessary to most efficiently get their businesses back up. They are concerned about the OFAC and regulatory issues but are most concerned about their employees, clients and reputation.

Could the Federal Govt outlaw paying of Ransom demands in such a way as to not harm the victims further?

David: I’m concerned about this. The business interruption risk is already much larger than the ransom, otherwise why would anyone pay the ransom? If a company can’t pay the ransom, what’s the alternative? If the Govt wants to help, they need to counterattack or regulate cryptocurrencies. Without anonymous payments, the bad guys could get tracked down faster.

Chris: I don’t think so.

How does the recent Executive Order impact your clients? Are municipal governments able to secure coverage at reasonable rates?

David: We are already reeling from the majority of insurers getting out of municipal risks. By majority I’m talking about 95%+ of the market has left. I’d like to see the insurtechs that purport to offer valuable risk management services come in and risk manage this class of business and insure them.

Chris: So far we have not seen any impact from the executive order. Municipalities is one class that is very difficult to find coverage for in the current market.

We would like to thank our expert panel for sharing their views. SentinelOne works closely with insurance carriers and brokers, to develop and deliver risk mitigation solutions. We believe the ransomware problem can be defeated and as our broker colleagues have stated, all solutions require a coordinated approach. If you would like to learn more about the SentinelOne insurance partners, contact us here.


To respond effectively to an incident, it is essential to understand the big picture: how, when, and why an incident occurred. This is critical because the moment you begin containing a threat, it may set off alarm bells for adversaries, triggering them to accelerate an attack or stealthily change techniques. Responding to a threat without understanding the big picture can lead to an infinite loop where we contain a threat only to wait for the adversary to leverage the same attack methodology again. This is the reason why, at least in theory, SOC analysts spend time analyzing how, when, and why an incident occurs.

Unfortunately, in reality, SOC analysts often don’t have the time required to perform these types of in-depth analyses because their incident queues are full, and metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) continue to increase. So the question becomes: how can an organization acquire the intelligence it needs without adding even more work to an already overloaded team?

Enriched Intelligence Through Singularity Signal

Earlier this month, we announced Singularity Signal, our cyber threat intelligence (CTI) platform, and shortly after we announced the general availability of threat intelligence reports for all Singularity Complete customers. Today, we are excited to announce enhancements in how we provide real-time enriched intelligence through Singularity Signal.

Singularity Signal combines artificial- and human-based intelligence to provide context, enrichment, and actionability to cyber data, empowering organizations to stay a step ahead with unparalleled insight into the attacker mindset. The platform performs tactic, technique, and procedure (TTP) analysis and correlation of all incoming threats at scale and in real time through the Singularity Signal AI Engine.

By leveraging the Singularity Signal AI Engine, security professionals can offload much of the previously labor-intensive work that they didn’t have time to get to before. That translates to instant, enriched intelligence for your organization to help you navigate through even the most sophisticated attacks. Singularity Signal is your dedicated AI-based threat researcher who knows your environment and aids your SOC analysts to respond to threats more effectively.

See Enriched Intelligence in Action

From the SentinelOne Singularity Platform console, navigate to the incident that you want to investigate. At a glance, you will gain information on when the threat was first seen, when it was last seen, and the scope of the breach. Additionally, in the Threat Indicators section, you can access real-time TTP analysis and correlation performed by the Singularity Signal AI Engine. At your fingertips, you immediately gain vital insights on each TTP mapped towards the MITRE ATT&CK framework.

In the example above, you are looking at an incident within the SentinelOne management console. Here you can quickly identify that this is a detection of a ransomware campaign, and by leveraging the Singularity Signal AI Engine you are able to get enriched intelligence on what, how, and when the incident occurred, as well as insights on how each step of the adversary maps to the tactics, techniques, and procedures (TTPs) of the MITRE ATT&CK framework.

Sometimes, you may be in a situation where you need additional information: that’s when proactive or reactive threat hunting is critical. Historically, in order to succeed, SOC analysts needed to first familiarize themselves with an often very complex threat hunting platform and the respective data schema of their telemetry sources, and then learn how to build threat hunting queries for Indicator of Compromise (IOC), Indicator of Attack (IOA), or specific adversary lookups. SentinelOne’s Deep Visibility capability pairs direct access to all the structured data of an organization with an easy-to-learn query language, making it a powerful tool for threat hunters.

In the example above, we are in the Deep Visibility feature within the SentinelOne management console. With just one line, we can look up all the endpoints that might have a particular file based on a hash value.

Next, save time building threat hunting queries by simply leveraging SentinelOne Hunter to instantly look up threat hunting queries for specific adversaries, TTPs, and other types of IOC and IOAs.

By simply using the search function in Hunter, you are quickly able to find relevant threat hunting queries. In this example, I looked for all the threat hunting queries related to the adversary group named Hafnium. I can again take this query and run it instantly in Deep Visibility within the SentinelOne management console with one click.

Summary

The cyber threat landscape continues to evolve rapidly. As a result, in many organizations, the time to detect and contain a threat continues to increase. Most security teams today are too overloaded with long incident queues to perform in-depth, meaningful analysis as part of their incident investigation. Singularity Signal leverages the Signal AI Engine to perform real-time threat modeling, incident correlation, and TTP analysis at scale, delivering enriched intelligence that you can use to respond more effectively to threats.

To explore more ways Singularity Signal is helping enterprises around the world take a new approach to threat intelligence, read more here.


Executive Summary

A remote code execution vulnerability is being dubbed ‘PrintNightmare’ (CVE-2021-34527 and CVE-2021-1675).
The vulnerabilities are present in the Windows Spooler Service present on all Windows versions.
Microsoft has released two patches to address these vulnerabilities (an Out-of-Band update on July 1 as well as the July 13th monthly update).
Exploit code is readily available and has already been folded into popular hacking tools like Mimikatz and the Metasploit framework.
SentinelOne has provided Deep Visibility queries to detect attempts to exploit PrintNightmare in customer environments.

What Happened?

On June 29, 2021, details emerged of a remotely exploitable vulnerability in the Microsoft Windows Print Spooler service affecting all versions of Windows to date. The vulnerability was originally discovered by security researchers at Sangfor Technologies and responsibly disclosed to Microsoft. Variants of the vulnerability, appropriately dubbed ‘PrintNightmare’, are tracked under CVE-2021-34527 and CVE-2021-1675. They allow Remote Code Execution and have now been folded into popular attack tools like Mimikatz and Metasploit. Microsoft has released updated versions of their patches and guidance as of July 13th. That said, if Microsoft’s instructions are not carefully followed, hosts may still be left exposed to exploitation.

The PrintNightmare Rapidly Escalates

Initially, it was believed that the vulnerability could only be exploited on Windows Servers; however, researchers found an alternative call flow to the vulnerable function that allows attacking any Windows machine running the Print Spooler service. Much of the severity lies in the ease of exploitation: it is network exploitable, requires no user interaction, and can be initiated from a lower-privileged context. All of that is a recipe for quick adoption by attackers of all stripes.

In this flaw, the Windows Print Spooler service improperly governs access to RpcAddPrinterDriverEx(), resulting in the ability to achieve SYSTEM privileges, and subsequently execute code within that context. The vulnerability was first exploited using the RpcAddPrinterDriverEx API. Subsequently, newer versions of the exploit began using an alternative execution flow calling the function RpcAsyncAddPrinterDriver to bypass detections. Ultimately, the flaw allows for the loading of a malicious DLL of the attacker’s choice, making the vulnerability ideal for multiple stages in the attack chain.

The vulnerability affects all supported versions of Microsoft Windows (servers and workstations alike). Hosts with the Windows Print Spooler Service running are exposed to potential exploitation.

Several days after Microsoft’s emergency patch (KB5005010) was published, researchers published a full bypass which still allows full remote exploitation of a fully patched and rebooted system. The PrintNightmare attack was quickly integrated into mainstream attack tools such as Metasploit, Mimikatz, and WinPwn.

One Demo/PoC of PrintNightmare Exploitation (by cube0x0)

This case continues to highlight vulnerabilities in older aspects of the Windows codebase, and the printing infrastructure in particular. During 2020-2021 multiple previous vulnerabilities were discovered in the Print Spooler/Fax code including: FaxHell (Oct 2020), CVE-2020-1337 (Aug 2020), Evil Printer (Jun 2020), PrintDemon (May 2020). In addition, it is critical to note that attackers will continue looking for systems exposed to this vulnerability for years to come. It is probable that this flaw will fall in with MS08-067 and other ‘commodity’ vulnerabilities that seem to linger far past their welcome.

Mitigation and Workarounds

In addition to applying the revised update from Microsoft, there are multiple Microsoft remediation suggestions with registry changes and GPO policies.

Install the official updates from Microsoft
Follow additional guidance from Microsoft regarding registry settings and/or GPO updates, under the following key (values set to 0):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Additional Workarounds

If you are unable to apply the latest patch or use the suggestions above, it is also possible to stop and disable the Print Spooler service via PowerShell, or to disable inbound remote printing via Group Policy. Via PowerShell:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

or via gpedit.msc:

Computer Configuration / Administrative Templates / Printers > Allow Print Spooler to accept client connections: Disabled

Note: The Print Spooler service will need to be restarted following this change.

Disable remote printing via gpedit.msc

Finding Drivers Vulnerable to PrintNightmare

SentinelOne customers can also proactively search for vulnerable drivers using the following Deep Visibility query:

EventType In ( "File Rename","File Creation" ) AND TgtFilePath Contains Anycase "spool\drivers\x64" AND TgtFilePath Contains Anycase "Old" AND TgtFilePath Contains Anycase "dll" AND TgtFileIsSigned != "signed" AND AgentMachineType In ( "Server" )

Hunting for PrintNightmare in Deep Visibility
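As an added example (not code from the SentinelOne post or from Microsoft), the following PowerShell script audits a single host against the workarounds listed above and performs a host-local version of the driver hunt: it reads the Point and Print values, checks the policy value behind "Allow Print Spooler to accept client connections" (stored as RegisterSpoolerRemoteRpcEndPoint, where 2 means Disabled), and lists unsigned DLLs under spool\drivers\x64\...\Old. The -DisableSpooler switch is an assumption of this example and simply applies the Stop-Service/Set-Service workaround from the advisory; run it elevated.

```powershell
# Added example, not from the original advisory: local PrintNightmare exposure and hunt check.
[CmdletBinding()]
param([switch]$DisableSpooler)   # opt-in: apply the Stop-Service/Set-Service workaround

$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pr  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$svc = Get-Service -Name Spooler -ErrorAction Stop
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service state: a running spooler is the exposed surface.
if ($svc.Status -eq 'Running') { $findings.Add("Spooler running (StartType=$($svc.StartType))") }

# 2. Point and Print values from the advisory: anything other than 0 / undefined weakens the patch.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -ne 0) { $findings.Add("$name=$v (expected 0 or undefined)") }
}

# 3. Inbound remote printing policy. "Allow Print Spooler to accept client connections"
#    is stored as RegisterSpoolerRemoteRpcEndPoint (2 = Disabled).
$rpc = (Get-ItemProperty -Path $pr -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -ne 2) { $findings.Add("Remote client connections not disabled by policy (RegisterSpoolerRemoteRpcEndPoint=$rpc)") }

# 4. Hunt: unsigned DLLs staged under spool\drivers\x64\<n>\Old, the same pattern the
#    Deep Visibility query above looks for (-match is case-insensitive, like Anycase).
$driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers\x64'
if (Test-Path $driverRoot) {
    Get-ChildItem -Path $driverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Old\\' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Unsigned DLL in Old driver dir: $($_.FullName) [$($sig.Status)]")
            }
        }
}

# 5. Report, then optionally apply the workaround from the advisory.
if ($findings.Count -eq 0) { Write-Host 'No PrintNightmare exposure indicators found.' -ForegroundColor Green }
else { $findings | ForEach-Object { Write-Warning $_ } }

if ($DisableSpooler -and $svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
}
```

An unsigned DLL under an Old directory is a hunt lead rather than proof of compromise, so confirm the file's hash and origin before acting on it.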

Conclusion

PrintNightmare (CVE-2021-34527) is a critical, high impact, and easily exploitable vulnerability, which has already found its way into the toolsets of cybercriminals. We recommend expediting the deployment and installation of Microsoft’s official security update. In addition, there are a number of workarounds available that can help mitigate some of the risk.

This is a sobering example of how quickly these flaws can unravel once released into the wild. The challenge lies in our ability to rapidly pivot, manage the risk, and employ available countermeasures. Modern endpoint security products like SentinelOne’s Singularity Platform, which proactively provide rapid threat hunting packs, are key in providing the visibility and protection around new and emerging threats.
