Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: * Collect related known indicators from several sources. * Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. * Splunk advanced queries can be modified through the playbook inputs. * QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook * Search for internet facing Kaseya VSA servers using Xpanse. * Block indicators automatically or manually. * Provide advanced hunting and detection capabilities. * Mitigation using Kaseya On-Premises and SaaS patch. More information: [Kaseya Incident Overview & Technical Details](https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Rapid Breach Response · 65 tasks · 11 inputs · 0 outputs

Inputs

  • BlockIndicatorsAutomatically — Whether to automatically block the indicators involved.
  • SplunkEarliestTime — The earliest time for the Splunk search query.
  • SplunkLatestTime — The latest time for the Splunk search query.
  • YaraRulesSource — The source of the Yara rules
  • SigmaRulesSource — The source of the Sigma rules
  • QRadarSearchTimeRange — The time range for the QRadar search query.
  • SplunkAdvancedSearch4FilesandReg — Search splunk for related REvil - Kaseya breach file names.
  • SplunkAdvancedSearch4PSCMD — Search Splunk for related REvil - Kaseya breach Powershell behaviours.
  • SplunkAdvancedSearch4WebLog — Search Splunk for related REvil - Kaseya breach web access logs activity.
  • QRadarDomainFieldName — The QRadar domain field name to check against the Reference Set of Kaseya domains.
  • ReferenceListName — The reference list name to create in QRadar for the Domain Indicators Hunting.

Commands used

closeInvestigation expanse-get-issues extractIndicators linkIncidents qradar-create-reference-set qradar-create-reference-set-value qradar-delete-reference-set qradar-get-reference-by-name setIndicators splunk-search

Flowchart

yes yes No Yes Yes Yes Yes No Yes yes yes Yes Yes yes yes Start Start Collect Indicators Collect Indicators Collect Hash indicators from cado-security - ParseHTMLIndicators Collect Hash indicators f... ParseHTMLIndicators Collect Domain indicators from cado-security - ParseHTMLIndicators Collect Domain indicators... ParseHTMLIndicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Download Yara Rules - http Download Yara Rules http Threat Hunting Threat Hunting SIEM Hunting SIEM Hunting Palo Alto Networks Hunting Palo Alto Networks Hunting Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Search Endpoints By Hash - Generic V2 - Search Endpoints By Hash - Generic V2 Search Endpoints By Hash ... Search Endpoints By Hash - Ge... Hunting REvil Known Samples on Endpoints Hunting REvil Known Sampl... Search XDR incidents for suspicious network behavior - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Is Cortex XDR enabled? Is Cortex XDR enabled? Panorama Query Logs for Kaseya breach Threat IDs - Panorama Query Logs Panorama Query Logs for K... Panorama Query Logs Post Intrusion Ransomware Investigation - Post Intrusion Ransomware Investigation Post Intrusion Ransomware... Post Intrusion Ransomware Inv... Remediation Remediation Deploy YARA rules Deploy YARA rules Deploy Sigma rules Deploy Sigma rules Download Sigma Rules - http Download Sigma Rules http Advanced Hunting and Detection Procedures Advanced Hunting and Dete... Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually Splunk Search Related Activity Based on Files and Registry - splunk-search Splunk Search Related Act... splunk-search Splunk Advanced Hunting Splunk Advanced Hunting Splunk Search Related Activity Based on Powershell Command Lines - splunk-search Splunk Search Related Act... splunk-search Should Initiate Ransomware Investigation playbook? Should Initiate Ransomwar... Is Splunk Enabled? Is Splunk Enabled? Run Kaseya Patch Release Preparation for VSA On-Premises Run Kaseya Patch Release ... Tag Indicators Tag Indicators Tag File indicators - setIndicators Tag File indicators setIndicators Tag IP indicators - setIndicators Tag IP indicators setIndicators Tag Domain indicators - setIndicators Tag Domain indicators setIndicators Tag URL indicators - setIndicators Tag URL indicators setIndicators Resolution Resolution Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Collect indicators from HUNTRESS - ParseHTMLIndicators Collect indicators from H... ParseHTMLIndicators Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Collect indicators from Kaseya advisory - ParseHTMLIndicators Collect indicators from K... ParseHTMLIndicators Splunk Search Related Activity Based on web logs - splunk-search Splunk Search Related Act... splunk-search Xpanse Issues Hunt Xpanse Issues Hunt Search for internet facing Kaseya VSA servers using Xpanse - expanse-get-issues Search for internet facin... expanse-get-issues Is Xpanse Enabled? Is Xpanse Enabled? Search for related Xpanse incident - SearchIncidentsV2 Search for related Xpanse... SearchIncidentsV2 Link related incidents - linkIncidents Link related incidents linkIncidents Kaseya Detection and Mitigation Kaseya Detection and Miti... Deploy Detection Rules Deploy Detection Rules Ransomware Remediation Ransomware Remediation Run Kaseya Patch Release Preparation for VSA SaaS Run Kaseya Patch Release ... Download Kaseya Compromise Detection Tools Download Kaseya Compromis... Install Kaseya Patch for VSA Servers Install Kaseya Patch for ... Create Reference List of Domain Indicators - qradar-create-reference-set Create Reference List of ... qradar-create-reference-set Add Domain Indicators to the Reference List - qradar-create-reference-set-value Add Domain Indicators to ... qradar-create-reference-set-v... QRadar Domain Indicators Hunting - QRadarFullSearch QRadar Domain Indicators ... QRadarFullSearch Is QRadar Enabled? Is QRadar Enabled? Found Related Incidents? Found Related Incidents? Check if DomainIndicators Reference List Exists - qradar-get-reference-by-name Check if DomainIndicators... qradar-get-reference-by-name Is KaseyaDomainIndicators Reference list exists? - isError Is KaseyaDomainIndicators... isError Delete DomainIndicators Reference List - qradar-delete-reference-set Delete DomainIndicators R... qradar-delete-reference-set