{
	"id": "d48ea57b-a25a-40e1-b415-f8198d245239",
	"created_at": "2026-04-10T03:20:02.683593Z",
	"updated_at": "2026-04-10T03:22:17.864087Z",
	"deleted_at": null,
	"sha1_hash": "d606a1679ef58c13cf3d4cb772ee7a634a478e07",
	"title": "Observations and Recommendations from the Ongoing REvil-Kaseya Incident",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 298997,
	"plain_text": "Observations and Recommendations from the Ongoing REvil-Kaseya Incident\r\nBy Joe Slowik\r\nPublished: 2021-07-08 · Archived: 2026-04-10 02:45:08 UTC\r\nBackground\r\nOn July 2, 2021, software vendor Kaseya’s VSA remote monitoring and management tool became the point of\r\nfocus for an intrusion campaign impacting multiple managed service providers (MSPs). While initially viewed as\r\na software supply-chain intrusion (implying compromise of Kaseya and modification of VSA packages),\r\nsubsequent analysis identified the intrusion sequence as exploitation of known but unpatched vulnerabilities in\r\nVSA, followed by use of MSP privileged connections to clients to deliver REvil ransomware. REvil, similar to\r\nDarkSide ransomware, operates via an affiliate model where attackers can operate the malware.\r\nContinuous updates from security firm Huntress as well as Kaseya itself indicated dozens of VSA customers\r\n(MSPs) were impacted, leading to follow-on impacts at more than one thousand entities linked to the impacted\r\nMSPs.\r\nAffected entities ranged from a Swedish grocery chain that shuttered hundreds of locations due to the incident, to\r\nseveral school systems in New Zealand.\r\nWhile the impact of this incident will only become clear with more time, sufficient information now exists to\r\nanalyze precisely how this event took place, and how network defenders can prepare for future, similar incidents\r\nhttps://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/\r\nPage 1 of 5\n\nshould they occur.\r\nInitial Delivery and Execution\r\nInitial delivery and execution mechanisms for this incident relied on identification and subsequent exploitation of\r\nvulnerabilities within the VSA platform. While initial reporting suggested a potential breach at Kaseya leading to\r\nthe distribution of malicious VSA updates, subsequent analysis revealed this to not be the case. 
Instead, while the\r\ncompany’s software was certainly impacted through the event, Kaseya itself appears to have avoided a breach of\r\nits own network.\r\nRather than a software supply chain compromise, the incident instead reflects a services supply chain incident. In\r\nthis scenario, the adversary abuses trust relationships between ultimate victims and MSPs in order to deploy a\r\nmalicious capability.\r\nPrevious examples of service-focused supply chain activity include the CloudHopper campaign and the Palmetto\r\nFusion activity described by the U.S. government. At this time, it is not clear whether the MSPs targeted in this\r\nincident were deliberate selections (for example, based on the number or type of clients managed) or opportunistic\r\nidentification of entities running vulnerable and exposed VSA instances. On the latter point, Kaseya repeatedly\r\nstated during response to this incident that only the on-premises version of VSA was impacted by the\r\nvulnerabilities under discussion, while the software as a service (SaaS) platform showed no evidence of\r\nexploitation.\r\nBased on analysis from Huntress, enabled through data sharing from victim MSPs, initial intrusion at MSP entities\r\nstarted by accessing an externally exposed VSA-related resource — dl.asp — and abusing a flaw in that\r\napplication’s authentication process. 
Once authentication was circumvented, the intruders used built-in VSA\r\nfunctionality to upload at least two files:\r\nAgent.crt, an encoded REvil ransomware payload that would be distributed to MSP clients\r\nScreenshot.jpg, an executable masquerading as an image file designed to delete relevant logs and other\r\ncleanup actions on impacted VSA instances\r\nWhile upload of these items appears to have abused legitimate VSA functionality following the authentication\r\nbypass noted above, actual process execution appears to rely on another vulnerability, potentially SQL injection,\r\nvia another exposed application, userFilterTableRpt.asp. Through exploitation, the REvil affiliate would be able to\r\nachieve command execution of the deployed payloads in the victim environment, leading to follow-on infection\r\nstages described below.\r\nAs noted by Kaseya, the following HTTP GET and POST requests relate to the previously-described activity:\r\nPOST: /dl.asp, /cgi-bin/KUpload.dll, /userFilterTableRpt.asp\r\nGET: /done.asp\r\nThe above items in this specific incident were accessed by an entity potentially using the command line tool cURL\r\nbased on the User Agent “curl/7.69.1” in network logs and traffic.\r\nWhile specific evidence is unavailable at the time of this writing, the above exploitation path indicates the REvil\r\naffiliate involved was able to access VSA instances directly via an external network connection. 
Review of VSA\r\nexposure through web scanning tools indicated more than one thousand such instances were externally accessible\r\nat the time of the incident (although significantly reduced since then), indicating a potential intrusion path while\r\nalso informing victim selection based purely on availability.\r\nSubsequent Propagation to Victims\r\nOnce the intruder compromised MSP entities, they abused VSA characteristics to enable follow-on distribution\r\nand execution of REvil ransomware in MSP customer environments. The entity enabled this phase of operations\r\nthrough a combination of impersonating legitimate VSA functionality for distribution and using Kaseya-prescribed antivirus directory exclusions to evade (some) security solutions.\r\nBased on reporting from multiple third parties, subsequent activity leverages the legitimate Kaseya VSA update\r\nagent (agentmon.exe on local systems) to push a malicious update object that drops an encoded file (agent.crt) to\r\ndisk. The update agent then launches a series of Windows commands for subsequent functionality on victim\r\nmachines:\r\nping 127.0.0.1 -n \u003cParameter\u003e \u003e\u003e nul \u0026 %SystemDrive%\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set\r\nThe above breaks down to the following steps:\r\n1. Establish a timer via the “ping” function to localhost, setting the number of pings to roughly equal the\r\namount of time between execution and 1630 UTC on 02 July 2021. In this fashion, all payloads are\r\nsynchronized to execute at approximately the same time.\r\n2. Use PowerShell to disable multiple security, prevention, and monitoring functions on the victim machine.\r\n3. Create a copy of the legitimate Windows binary “certutil.exe” in the Windows directory.\r\n4. Use the copy of certutil to decode the “agent.crt” payload, save it as an executable, then launch the\r\nprogram.\r\n5. 
Remove artifacts (agent.crt, agent.exe, and the copy of certutil) from the victim host.\r\nAt the end of the above sequence, a REvil ransomware variant executes, resulting in encryption of the host. Of\r\nnote, while REvil contains the capability of “checking in” with controllers (to send victim information and other\r\nstatistics) via a list of domains within the ransomware’s configuration, the specific REvil variants distributed in\r\nthis campaign disabled this functionality. As a result, network traffic from the ransomware execution is essentially\r\nnon-existent, with no observed Command and Control (C2) observables, or even (given the distribution\r\nmechanism) artifacts related to lateral movement.\r\nDetection and Defensive Possibilities\r\nThe above sequence of behaviors presents a vexing problem to network defenders, especially for those\r\nrepresenting ultimate victims for ransomware operations. Given the use (and abuse) of otherwise legitimate,\r\ntrusted network pathways, detection and mitigation opportunities would appear limited. Yet, by reviewing how\r\nthis operation took place, even with only preliminary data and investigations ongoing, viable defensive strategies\r\nare revealed. 
Through appropriate leveraging of available data sources, recognizing adversary tradecraft, and\r\napplying this understanding to revealed anomalies in network observables, defenders can formulate a plan to\r\ndetect similar attack vectors in future encounters.\r\nIntermediate Victim Opportunities\r\nThe REvil affiliate in this campaign breached MSPs using an unpatched vulnerability in external-facing software.\r\nWhile the vulnerability aspect of matters presents a difficult-to-address problem, as it was neither publicly\r\ndisclosed nor was there a patch available, other aspects of this initial intrusion pathway offer multiple detection\r\nand mitigation possibilities.\r\nFirst, attack surface identification, and subsequent reduction, could remove or substantially limit access to\r\nvulnerable resources (such as the VSA portal). While potentially limiting ease and convenience of access, placing\r\nsuch a portal behind a virtual private network (VPN) or other control significantly increases the difficulty of\r\nexploitation or even illicit authentication to the resource. Identifying such resources and implementing appropriate\r\nsecurity architecture thus represents a powerful if not critical control that may have minimized risk of incidents\r\nsuch as this REvil event. Furthermore, establishing such limits facilitates the creation of network choke points that\r\ncan enable further monitoring of environments and ensure that traffic of interest passes through sensors for\r\nanalysis and response.\r\nSecond, the events in question reveal several anomalous items that are revealed through network security\r\nmonitoring (NSM) and analysis. For example, MSP compromise relies not just on subverting authentication, but\r\nusing this to enable upload of malicious payloads via an authorized portal. 
Yet identifying or baselining what\r\nshould be uploaded through such applications can allow defenders to identify suspicious or outright malicious\r\nobjects utilizing this mechanism. Such an approach is especially rewarded in cases like “Screenshot.jpg,” where a\r\nfile object attempts to use a benign extension to mask a binary payload, and “Agent.crt,” where an executable is\r\ntransferred using a common encoding schema.\r\nThird, various activities described previously, from authentication to upload to command injection to achieve\r\nprogram execution, took place via a somewhat anomalous User Agent belonging to the cURL utility. While cURL\r\nis a legitimate program, identifying this User Agent associated with the network activities linked to ultimate REvil\r\ndistribution is exceptionally strange, and provides a potential alerting point for intrusions. Categorizing and\r\nappropriately profiling communication metadata, especially linked to sensitive resources such as interactive\r\nportals, or even HTTP commands such as POST associated with plaintext commands or other observables, can\r\nassist in identifying activity for further investigation.\r\nUltimate Victim Defensive Measures\r\nFrom the perspective of ultimate victims of this campaign, defensive measures are sadly more limited. An\r\norganization adopting best practices from their vendor would be left almost completely blind to potential\r\nexploitation given the use of a trusted network path (update push from MSP VSA nodes) and requirements to\r\ncurtail or eliminate security monitoring of product directories.\r\nBased on these observations, one of the first concrete actions defenders and asset owners can take in this situation\r\nis to simply ignore (or at least refine) vendor recommendations. 
Instead of allow-listing or omitting entire\r\ndirectories from security monitoring and response, narrowly tailoring adjustments to match specific file names,\r\nfile paths, and potentially even file signatures could significantly reduce attack surface and minimize a malicious\r\nactor’s ability to action a supply chain compromise. Such work is, however, arduous and has the risk of breaking\r\nupdates or other functionality. Yet, as examples like this incident and the previous SolarWinds and Microsoft\r\nintrusion linked to Russian intelligence operations demonstrate, the testing and analysis required to action such\r\nlimits may be well worth the effort given the increase in security by treating vendor updates with greater scrutiny.\r\nFrom a network perspective, defenders are in a more limited state as services such as the VSA update process will\r\nleverage implicitly-trusted, likely encrypted pathways for data transfer. Yet as such trust-subverting intrusions\r\nbecome more common, organizations gain greater incentive to apply further scrutiny to these relationships.\r\nThrough techniques such as SSL decryption and greater application of NSM practices to even nominally-trusted\r\ncommunication pathways, defenders can potentially identify the initial stages of an intrusion such as that\r\nemployed by REvil operators in this incident. 
Looking for communication artifacts or observables such as the\r\ntransfer of encoded objects (like “agent.crt”) or downloaded binary files without a known good, known expected\r\nsignature can serve as critical tripwires for defenders that matters are not what they seem, leading to a response\r\nthat curtails or prevents subsequent ransomware activity.\r\nConclusion\r\nSupply chain-oriented intrusions, whether through products or services, are an increasing threat to organizations.\r\nBy adopting a more robust and complete posture with respect to NSM and network detection and response (NDR),\r\ndefenders can identify the precursors associated with such activity (if they are a supplier of interest, in products or\r\nservices), or alterations in otherwise normal activity (if one is an end user).\r\nBy minimizing blind spots; increasing visibility into all traffic, including TLS inspection; and analyzing\r\ncommunication streams, combined with thorough coverage of systems and endpoints, defenders can layer\r\ndefenses in such a fashion to detect or even defeat these types of intrusions, whether their ultimate goal is\r\nransomware deployment, as seen in this incident, or espionage operations.\r\nHow to Take Action\r\nTo learn how to leverage Gigamon for SSL decryption and blind spot elimination for better NSM and for network\r\ndetection and response, contact us here.\r\nSource: https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/"
	],
	"report_names": [
		"observations-and-recommendations-from-the-ongoing-revil-kaseya-incident"
	],
	"threat_actors": [],
	"ts_created_at": 1775791202,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d606a1679ef58c13cf3d4cb772ee7a634a478e07.pdf",
		"text": "https://archive.orkl.eu/d606a1679ef58c13cf3d4cb772ee7a634a478e07.txt",
		"img": "https://archive.orkl.eu/d606a1679ef58c13cf3d4cb772ee7a634a478e07.jpg"
	}
}