How TrapX Can Help You Defend Against RMM Supply Chain Attacks Like Kaseya
After completing my first blog on ransomware, “Why ransomware is a national security crisis – and what to do about it,” I was heading home from the office when my wife called and asked me to stop by the grocery store for a few items.
Now I am thinking about the many Swedish men who, like me, stopped by the supermarket on their way home to fulfill their wife’s request – but instead found closed doors. They came home with empty hands because the Swedish Coop grocery chain, the largest in the country, closed more than half of its 800 stores due to the Kaseya ransomware attack. In addition, railway services and pharmacy chains suffered significant disruption.
To combat the growing threat of ransomware from REvil and other actors, organizations can use DeceptionGrid from TrapX, which captures and stifles ransomware attacks before they do harm. DeceptionGrid lures the attacker to a ransomware trap where an entirely realistic but simulated proprietary data store lets the ransomware encrypt the decoy data, which assists in capturing the attacker.
How DeceptionGrid from TrapX helps MSPs and enterprises prevent supply chain attacks like Kaseya
Managed service providers and enterprise customers that use RMM software like Kaseya VSA can utilize DeceptionGrid to create deceptive decoys, with two options:
1. They can set up an additional actual server image with Kaseya or other RMM software installed. In addition to the production server, the organization can use this image as a real deceptive server, with or without Microsoft SQL and fake database records, and then install a TrapX FullOS agent on the server to detect and isolate an attacker with unauthorized privileges.
2. They can use a Windows server emulation trap (also called a medium-level interaction decoy) out of the box by using a Windows server trap or creating a custom trap with the TrapX Build Your Trap feature and configuring it in DeceptionGrid (see below).
TrapX emulation traps support the same OS versions as Kaseya VSA (listed in the VSA requirements on the Kaseya website) and can emulate the web UI of the Kaseya software when attackers access the fake server emulation over HTTPS, presenting the VSA login interface.
The three steps used in the Kaseya attack – prevented using DeceptionGrid™
In initial research into the Kaseya attack, Huntress found there were at least three significant steps during the attack:
1. Authentication bypass
DeceptionGrid lets organizations run reverse TCP shells and exploits against the emulation trap, and then presents the shellcode execution and payload to the analyst, as shown below:
2. Arbitrary file upload
When an attacker interacts with the emulated server trap, for example by copying or uploading a file or by performing a scan or reconnaissance, an immediate alert is sent to the TrapX console and/or SIEM.
Giving you a sneak peek into DeceptionGrid 7.2 (now available):
The source IP and host name of the attacker are included in the alert, as in the Kaseya example provided above, allowing MSPs and enterprises to isolate and divert the attacker manually or automatically using NAC integrations.
3. Command injection
DeceptionGrid displays any SQL query or command run against our FullOS traps. If the emulated traps are proxied to a FullOS server, an alert displays all the SQL commands used by the attacker, as shown below:
Huntress mentioned that it is plausible the REvil attackers may have compromised a legitimate web server and used it as a launch point for their attack. The external IP address 18[.]223.199.234 is associated with the attack.
TrapX offers another add-on protection for outbound threats called Network Intelligence Sensor. It provides alerts based on blacklisted URLs and IPs from TrapX intelligence feeds. Because the above external IP already exists in TrapX intelligence feeds, DeceptionGrid will alert on endpoint communication with it.
Get ready for future REvil ransomware attacks
To protect Windows endpoints, MSPs and enterprises can use DeceptionGrid and CryptoTrap, as described in this blog: “Why ransomware is a national security crisis – and what to do about it.”
In addition, the ransomware used by REvil also includes a Linux version, as explained here, which allows attackers to target ESXi and NAS devices. Organizations can use the TrapX Build Your Trap feature and create ESXi emulation traps.
Any reconnaissance scan or information gathered on ESXi will show up as an alert on DeceptionGrid, while the attacker would receive the fingerprint as if it were a real ESXi device, as shown below.
Based on the Huntress research described above, before encrypting all the organization’s files, REvil runs the ESXCLI command-line tool to list all running ESXi VMs and terminate them. By doing this, the attacker ensures that no other VM is handling the files to be encrypted, avoiding corruption of the encrypted files.
Below is an example of running the command against the ESXi emulation trap:
The command is captured by the DeceptionGrid ESXi emulation trap and displayed to the analyst on the DeceptionGrid console.
Organizations can also configure DeceptionGrid so that, as soon as any interaction or infection event is triggered against the ESXi emulation trap, the attacker is diverted manually or automatically using NAC integrations with DeceptionGrid.
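As an added illustration (not TrapX code, and not DeceptionGrid's real record format), the following script triages commands recorded by an ESXi decoy: any command against a decoy is suspicious, and the list-then-kill pattern the Huntress research attributes to REvil is rated highest so that the alert, with the source IP and host name, can drive an automatic NAC diversion. The log lines and the space-separated field layout are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of command events recorded by an ESXi emulation trap.
# Field layout (timestamp, source IP, source host, command) is an assumption.
TRAP_EVENTS = [
    "2021-07-05T10:01:02Z 10.0.5.23 ws-finance-07 esxcli vm process list",
    "2021-07-05T10:01:09Z 10.0.5.23 ws-finance-07 esxcli vm process kill --type=force --world-id=2101",
    "2021-07-05T10:01:10Z 10.0.5.23 ws-finance-07 esxcli vm process kill --type=force --world-id=2114",
    "2021-07-05T11:30:00Z 10.0.9.4 ops-jump-01 esxcli system version get",
]

# REvil's Linux variant lists running VMs and force-kills them before
# encrypting the datastore, so these two commands carry extra weight.
VM_LIST = re.compile(r"^esxcli\s+vm\s+process\s+list\b")
VM_KILL = re.compile(r"^esxcli\s+vm\s+process\s+kill\b")
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_event(line):
    """Split one trap record into (timestamp, src_ip, src_host, command)."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable trap record: {line!r}")
    return m.groups()


def triage(events):
    """Return one alert per source IP, rated by the VM-termination pattern.

    critical: VM list and VM kill seen from the same source
    high:     only one of the two seen
    medium:   any other command (a decoy should see no legitimate traffic)
    """
    per_src = defaultdict(lambda: {"host": None, "list": 0, "kill": 0, "cmds": []})
    for line in events:
        _ts, ip, host, cmd = parse_event(line)
        rec = per_src[ip]
        rec["host"] = host
        rec["cmds"].append(cmd)
        if VM_LIST.match(cmd):
            rec["list"] += 1
        elif VM_KILL.match(cmd):
            rec["kill"] += 1
    alerts = []
    for ip, rec in per_src.items():
        hits = bool(rec["list"]) + bool(rec["kill"])
        sev = {2: "critical", 1: "high", 0: "medium"}[hits]
        alerts.append({"src_ip": ip, "src_host": rec["host"], "severity": sev, "commands": rec["cmds"]})
    return alerts
```

The alert dictionaries are what a SIEM forwarder or NAC integration would consume; a critical-rated source is the one to isolate first.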
Given the sophistication of today’s attackers, it is almost impossible to detect supply chain attacks. Ransomware attacks are expected to continue, especially as attackers target RMM software.
TrapX gives you powerful deception technologies that keep your organization one step ahead of the attackers, reduce dwell time, and allow you to mitigate the risk immediately.
About TrapX Security
TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, rapidly fingerprint, and disable new zero-day attacks and APTs in real time.