Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack
On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: * Collect related known indicators from several sources. * Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. * Splunk advanced queries can be modified through the playbook inputs. * QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook * Search for internet facing Kaseya VSA servers using Xpanse. * Block indicators automatically or manually. * Provide advanced hunting and detection capabilities. * Mitigation using Kaseya On-Premises and SaaS patch. More information: [Kaseya Incident Overview & Technical Details](https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Rapid Breach Response · 65 tasks · 11 inputs · 0 outputs
Inputs
BlockIndicatorsAutomatically— Whether to automatically block the indicators involved.SplunkEarliestTime— The earliest time for the Splunk search query.SplunkLatestTime— The latest time for the Splunk search query.YaraRulesSource— The source of the Yara rulesSigmaRulesSource— The source of the Sigma rulesQRadarSearchTimeRange— The time range for the QRadar search query.SplunkAdvancedSearch4FilesandReg— Search splunk for related REvil - Kaseya breach file names.SplunkAdvancedSearch4PSCMD— Search Splunk for related REvil - Kaseya breach Powershell behaviours.SplunkAdvancedSearch4WebLog— Search Splunk for related REvil - Kaseya breach web access logs activity.QRadarDomainFieldName— The QRadar domain field name to check against the Reference Set of Kaseya domains.ReferenceListName— The reference list name to create in QRadar for the Domain Indicators Hunting.
Commands used
closeInvestigation
expanse-get-issues
extractIndicators
linkIncidents
qradar-create-reference-set
qradar-create-reference-set-value
qradar-delete-reference-set
qradar-get-reference-by-name
setIndicators
splunk-search