On Premises VSA Startup Readiness Guide - July 7th, 2021 - Connect IT Community | Kaseya
<main> <article class="userContent">
<p><strong>INTRODUCTION</strong></p>
<p>The purpose of this document is to ensure your VSA server(s) are prepared to receive the VSA release patch, which contains critical security fixes.</p>
<p>Before you restore full connectivity between Kaseya VSA server(s) and deployed agents, we recommend the following steps:</p>
<ul>
<li>Ensure your VSA server is isolated</li>
<li>Check the system for Indicators of Compromise (IOC)</li>
<li>Patch the operating systems of the VSA servers</li>
<li>Use URL Rewrite to control access to VSA through IIS</li>
<li>Install the FireEye agent</li>
<li>Remove pending scripts/jobs</li>
</ul>
<p>Each of these steps is described in more detail below.</p>
<p><strong>Step 1 – Ensure your VSA server is isolated</strong></p>
<p>Depending on where and how you host your VSA server, this process will vary between platforms. Before powering on the VSA server, please ensure that <strong>you isolate it from inbound and outbound traffic and segregate it from your main network</strong>. There are several ways to do this depending on your specific case; booting the server in Safe Mode is one way to achieve it.</p>
<p>If you host your server in AWS, we recommend that you check the NIC network security group and the public inbound ports assigned to the application server. Deselect/disable ports 80, 443 and 5721 (or any other non-default Kaseya port you might have used). Leave enabled only the ports that give you access to the device. For example, port 3389 is the standard port for RDP; keeping it enabled lets you RDP into the virtual machine (VM) and perform the next steps without exposing the VM to the internet.</p>
<p>To disable Kaseya network communication, stop the Kaseya Edge Services service and set its startup type to <strong>Disabled</strong>.</p>
<p><strong>Step 2 – Check your system for Indicators of Compromise (IOC)</strong></p>
<p>Please make sure you have run the “Compromise Detection Tool” on your VSA server. If you have not already run this tool, it can be downloaded from <strong><a rel="nofollow" href="https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict">here</a></strong>. Please ensure you follow the directions available via the link.</p>
<ul>
<li><em>If, at this point, you are unsure about the results received, please contact our support team at helpdesk.kaseya.com, or send an email to <a rel="nofollow" href="mailto:support@kaseya.com">support@kaseya.com</a>. We will be happy to assist you.</em></li>
<li>For information about the detection tool, see the appendix below.</li>
</ul>
<p><strong>Step 3 – Patch the operating systems of the VSA servers</strong></p>
<p>The following steps require internet access, so if your machine is completely isolated from the internet, restore <strong>outbound</strong> internet connectivity now. Before doing so, double-check that the Kaseya Edge Services service is still disabled.</p>
<ul>
<li>Apply the latest Microsoft patches to both the Windows operating system and SQL Server. Verify that your SQL Server is on the latest available patch. This page lists the latest available patch for the product you use: <a rel="nofollow" href="https://docs.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server?view=sql-server-ver15">https://docs.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server?view=sql-server-ver15</a></li>
</ul>
<p>This process might require a few reboots, depending on how many outstanding patches there are. Please ensure no Windows or SQL patches remain outstanding.</p>
<p><strong>Step 4 – Use URL Rewrite to control access to VSA through IIS and firewall rules</strong></p>
<p><em>Updated July 11th 2021</em><br>Based on customer feedback, we have made changes to the IIS rewrite tool in order to give customers more control of their environments using their firewalls. Please rerun the tool referenced below; it will automatically update the IIS configuration even if you ran the tool previously.</p>
<p>The purpose of this step is to control access to your VSA server and allow only the necessary access to the system User Interface (UI). This MUST be done on the VSA server.</p>
<p><strong>Part A</strong> – A tool is available for download that helps automate this configuration process. You can obtain it at: <a rel="nofollow" href="https://app.box.com/s/1yel8q8nw4sxpujbhtudaqapk5yd84qk">https://app.box.com/s/1yel8q8nw4sxpujbhtudaqapk5yd84qk</a></p>
<p>Once this is completed, you should expect the following:</p>
<p>On inbound port 5721, the IIS rewrite rules block access to your VSA UI from the outside world and allow only the communication that is necessary for agents.</p>
<p><strong>Part B</strong> – Configure your firewall to allow inbound traffic to the VSA only on port 5721 (the agent port).<br>This will require your VSA users to be on the local network or VPN’d into the local network, reducing the attack surface.</p>
<p>Given your unique environmental needs, you can also create firewall rules that allow inbound port 443 traffic to your VSA where required, for example from specific IP addresses used by integrations, or from locations where you must allow access to the web GUI.</p>
<p>This gives customers the flexibility to use their existing firewall to control access to the VSA web GUI according to their own requirements, while securing IIS access on the agent port (5721), which is required for agents and some communications.</p>
<p>Please review the list of popular integrations that you may wish to whitelist at <a rel="nofollow" href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657">https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657</a></p>
<p><strong>Step 5 – Install the FireEye agent</strong></p>
<p>Kaseya is providing complimentary licenses of FireEye Endpoint Security agents for each customer’s VSA server(s).</p>
<p>To initiate this process, please send an email to <a rel="nofollow" href="mailto:fireeye@kaseya.com">fireeye@kaseya.com</a> and be sure to include the following information:</p>
<ul>
<li>Your company name</li>
<li>Your mobile number (used only to contact you if the information is incomplete)</li>
<li>VSA device role (Web Server or Database Server)</li>
<li><em>If you have a split server configuration, you will need to install FireEye on both the Web Server and the SQL server. Please provide this information for both servers.</em></li>
<li>The hostname of the server</li>
<li>Your domain name (for example, kaseya.com)</li>
<li>Internal IP address</li>
<li>Egress (external) IP address (please use this URL on the server itself to confirm your gateway IP: <a rel="nofollow" href="https://www.whatismypublicip.com/">https://www.whatismypublicip.com/</a>)</li>
<li>VSA agent port (5721 by default; provide your port number if you changed it)</li>
</ul>
<p>Once Kaseya receives your email, our teams will contact FireEye to have the agents provisioned, and will then reach out to you with instructions and a link to the installer.</p>
<p>Please ensure you send us all the information requested above, as it is necessary for the FireEye agent to function properly.</p>
<p><strong>Step 6 – Remove pending scripts/jobs</strong></p>
<p>Prior to startup, we recommend you clear out any pending VSA procedures/scripts/jobs that accumulated since the shutdown. Download the script we have provided, together with its instructions, from the following link: <a rel="nofollow noreferrer noopener" href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403843938321">https://helpdesk.kaseya.com/hc/en-gb/articles/4403843938321</a></p>
<p><strong>Step 7 – VSA SQL database assessment</strong></p>
<p>In response to the July VSA security incident, Kaseya has created a PowerShell script that connects to your local SQL instance and generates an HTML report of important data points that Kaseya has deemed valuable to review. These data points are not directly correlated with known Indicators of Compromise (IOC); rather, they are an audit of user, procedure and agent connection information, intended to provide assurance about the state of the VSA before the VSA servers are restarted.</p>
<p>Please note that we strongly recommend that you do NOT give your VSA server internet access while running these scripts. Ensure your VSA remains OFFLINE and associated services are stopped until you receive an official update from Kaseya.</p>
<p>Please make sure you have run the “VSA SQL Audit Report” tool on your VSA server. If you have not already run this tool, it can be downloaded from <strong><a rel="nofollow" href="https://app.box.com/s/qy5qn3sesgf2685id0txnr50ighb3e8u">here</a></strong>. The link contains instructions and a sample report.</p>
<p>If you need assistance, or have run the report and suspect your VSA application has been compromised, please contact our support team at helpdesk.kaseya.com, or send an email to support@kaseya.com. We will be happy to assist you.</p>
<p><strong>Now that you have completed these steps, you are ready to install the patch when released. We will provide you details for obtaining the patch prior to the release.</strong></p>
<p><strong>Do not start up your VSA application until this VSA patch has been applied!</strong></p>
<p><strong>APPENDIX</strong></p>
<p><strong>Detection Tool Information</strong></p>
<p>This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoC) are present.</p>
<p>The latest version searches for the indicators of compromise, data encryption, and the REvil ransom note. We recommend that you re-run this procedure to better determine whether the system was compromised by REvil.</p>
<p>The tool continues to be enhanced, so please always refer to the <a rel="nofollow" href="https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict">download site</a> for the latest version.</p>
<p>From the review of data provided by clients, we have identified IOCs. We are providing the following IOC information to aid our customers and security researchers in their investigations. Kaseya’s investigation is ongoing and, as such, this information is subject to change.</p>
<p><strong>Network IOCs</strong></p>
<p>The following IP addresses were seen accessing VSA servers remotely to perform the attack sequence:</p>
<p>35.226.94[.]113<br>161.35.239[.]148<br>162.253.124[.]162</p>
<p><strong>Endpoint IOCs</strong></p>
<p>The following files were used as part of the deployment of the encryptor:</p>
<table>
<thead><tr><th>Filename</th><th>MD5 Hash</th><th>Function</th></tr></thead>
<tbody>
<tr><td>cert.exe</td><td>N/A – legitimate file with a random string appended</td><td>Legitimate certutil.exe utility</td></tr>
<tr><td>agent.crt</td><td>939aae3cc456de8964cb182c75a5f8cc</td><td>Encoded malicious content</td></tr>
<tr><td>agent.exe</td><td>561cffbaba71a6e8cc1cdceda990ead4</td><td>Decoded contents of agent.crt</td></tr>
<tr><td>mpsvc.dll</td><td>a47cf00aedf769d60d58bfe00c0b5421</td><td>Ransomware payload</td></tr>
</tbody>
</table>
<p><strong>Web Log IOCs</strong></p>
<p>The following are excerpts from the IIS access logs of a compromised VSA server. They depict a sequential series of HTTP requests that the threat actor made to perform their attack. If this sequence of requests is present in the IIS logs of a VSA server, it suggests the threat actor either attempted to or successfully used it to perform their attack.</p>
<p>POST /dl.asp curl/7.69.1<br>GET /done.asp curl/7.69.1<br>POST /cgi-bin/KUpload.dll curl/7.69.1<br>GET /done.asp curl/7.69.1<br>POST /cgi-bin/KUpload.dll curl/7.69.1<br>POST /userFilterTableRpt.asp curl/7.69.1</p>
<p>Based on what most customers tend to use, here are some areas within the VSA you can consider reviewing to make sure that everything is as you would expect it to be:</p>
<ul>
<li>Agent count</li>
<li>Policy Management</li>
<li>Agent procedures</li>
<li>Reports</li>
<li>Users (with their Roles and Scopes)</li>
<li>Views</li>
</ul>
<p>While the above-linked tool checks all of the below, if you wish to perform a manual verification, please check the following:</p>
<ul>
<li>Search the Kaseya installation directory (e.g. C:\Kaseya\Webpages) for the following files: <strong>UserFilterTableRpt.asp</strong> and <strong>userFilterTableV6KES.asp</strong>.<br><strong>Note:</strong> Please be sure to purge any copies if found.</li>
<li>Search the IIS logs for references to <strong>UserFilterTableRpt.asp</strong>. The IIS logs can typically be found under C:\inetpub\logs\LogFiles\W3SVC1. Order the directory contents by ‘Date modified’ and open the log files modified between the 2nd and the 7th of July. Search the content for the above filenames or any items listed under <strong>Web Log IOCs</strong>.</li>
<li>Search for Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt. If found, please archive this file into a password-protected zip file and submit it to us via the support desk, including the password applied. Once submitted, <strong>please purge the artifact from the hard drive</strong>.</li>
<li>Search for Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe. If found, please archive this file into a password-protected zip file and submit it to us via the support desk, including the password applied. Once submitted, <strong>please purge the artifact from the hard drive</strong>.<br><strong>IMPORTANT: DO NOT EXECUTE this file, as it can be an exploit.</strong></li>
</ul>
</article> </main>
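The following is an added example, not part of Kaseya's guide or its IIS rewrite tool, showing how Step 1 (stop and disable Kaseya Edge Services) and Step 4 Part B (inbound traffic limited to the agent port, with the web GUI reachable only from named sources) can be carried out on the VSA host itself. It assumes the service can be found by the display name the guide uses, "Kaseya Edge Services"; it writes the rules to the Windows host firewall as a stand-in for the perimeter firewall the guide refers to; and the addresses in `$TrustedWebGui` are placeholders for your own integration and admin locations. Run it in an elevated PowerShell session on the VSA server.

```powershell
# Added example (not Kaseya's code): host-side Step 1 and Step 4 Part B.
# Assumptions are labelled inline; review $TrustedWebGui before running.

$AgentPort     = 5721                                   # VSA agent port (guide default)
$WebPorts      = '80', '443'                            # web UI ports the guide says to close
$TrustedWebGui = @('203.0.113.10', '198.51.100.0/24')   # PLACEHOLDERS: integration / admin sources
$RuleGroup     = 'VSA startup readiness'                # lets this script's rules be listed or removed together

# --- Step 1: stop Kaseya Edge Services and keep it from starting again on reboot ---
# Assumption: the service's display name is "Kaseya Edge Services", as the guide calls it.
$svc = Get-Service -DisplayName 'Kaseya Edge Services' -ErrorAction Stop
if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
Set-Service -Name $svc.Name -StartupType Disabled
Get-Service -Name $svc.Name | Format-Table DisplayName, Status, StartType

# Show what still listens on the Kaseya ports. IIS normally keeps 80/443 open; the firewall
# rules below are what restrict who can reach them.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { "$($_.LocalPort)" -in ($WebPorts + "$AgentPort") } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table

# --- Step 4 Part B: inbound reachability ---
# Lock-out guard: the guide keeps RDP (3389) open as the management path.
if (-not (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)) {
    Write-Warning 'No enabled Remote Desktop rule found; confirm your management path before continuing.'
}

# In Windows Firewall a Block rule overrides an Allow rule, so an explicit block on 443 would
# also defeat the per-source 443 allow. Instead: default inbound action Block, disable any broad
# inbound allows on the web ports, then add only the narrow allows.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) | Where-Object { $_ -in $WebPorts } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# Re-create this script's own rules so the script can be re-run safely
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName 'VSA agent port (5721) inbound' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort $AgentPort -Action Allow -Profile Any | Out-Null

New-NetFirewallRule -DisplayName 'VSA web GUI (443) from trusted sources only' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 443 -RemoteAddress $TrustedWebGui `
    -Action Allow -Profile Any | Out-Null

# Review what is now in force
Get-NetFirewallRule -Group $RuleGroup | Format-Table DisplayName, Enabled, Direction, Action
```

Disabling the broad allows rather than adding Block rules is the design choice that matters here: with the default inbound action set to Block, anything without an explicit allow is dropped, and the only allows left are the agent port from anywhere and port 443 from the listed sources. The `Remote Desktop` check is there because the same default-block setting silently removes your own management access if that rule was never enabled.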
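The following is an added example, not part of Kaseya's guide or its Compromise Detection Tool, that performs the manual verification the appendix describes as a single read-only sweep: it locates the listed file names under the install root and compares their MD5 hashes with the Endpoint IOCs table, parses the IIS W3C logs modified in the 2-7 July window for the attacker source addresses, the `curl/7.69.1` user agent and the web-shell names, and checks per client address whether the full request chain from "Web Log IOCs" occurs in order. It assumes the install root `C:\Kaseya` and log folder `C:\inetpub\logs\LogFiles\W3SVC1` from the guide's own examples (adjust for your server) and takes the year 2021 from the guide's date; the script name `Invoke-VsaIocSweep.ps1` in the usage note is my own. Nothing it finds is executed, moved or deleted, in line with the guide's instruction to archive and submit the artifacts rather than run them.

```powershell
# Added example (not Kaseya's code): read-only sweep for the appendix IOCs.
# Assumptions: paths below are the guide's examples; date window is 2-7 July 2021.
param(
    [string]$KaseyaRoot = 'C:\Kaseya',
    [string]$IisLogDir  = 'C:\inetpub\logs\LogFiles\W3SVC1',
    [datetime]$From     = '2021-07-02',
    [datetime]$To       = '2021-07-08'   # exclusive, so files last modified on the 7th are included
)

# Endpoint IOCs from the appendix table (MD5) plus the web-shell file names from the manual checks
$KnownHashes  = @{ 'agent.crt' = '939aae3cc456de8964cb182c75a5f8cc'
                   'agent.exe' = '561cffbaba71a6e8cc1cdceda990ead4'
                   'mpsvc.dll' = 'a47cf00aedf769d60d58bfe00c0b5421' }
$SuspectNames = 'agent.crt', 'agent.exe', 'mpsvc.dll', 'UserFilterTableRpt.asp', 'userFilterTableV6KES.asp'
# Network IOCs, un-defanged so they match the c-ip column of the logs
$AttackerIPs  = '35.226.94.113', '161.35.239.148', '162.253.124.162'
# The request chain from "Web Log IOCs", as "method uri-stem" entries in order
$SequenceKeys = 'POST /dl.asp', 'GET /done.asp', 'POST /cgi-bin/KUpload.dll',
                'GET /done.asp', 'POST /cgi-bin/KUpload.dll', 'POST /userFilterTableRpt.asp'

$findings = New-Object System.Collections.Generic.List[object]

function Test-Subsequence {
    # True when every element of $Needle occurs in $Haystack in that order (gaps allowed)
    param([string[]]$Needle, [string[]]$Haystack)
    $i = 0
    foreach ($item in $Haystack) {
        if ($i -lt $Needle.Count -and $item -eq $Needle[$i]) { $i++ }
    }
    return ($i -eq $Needle.Count)
}

# --- Endpoint IOCs: find the names anywhere under the install root and compare MD5s ---
Get-ChildItem -Path $KaseyaRoot -Recurse -File -Include $SuspectNames -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5   = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()   # hash only, never run
        $known = $KnownHashes[$_.Name]                                             # hashtable keys are case-insensitive
        if ($known -eq $md5) { $detail = "MD5 matches appendix table ($md5)" }
        else                 { $detail = "name is on the IOC list; MD5 $md5 not in table (report it anyway)" }
        $findings.Add([pscustomobject]@{ Type = 'File'; Where = $_.FullName; Detail = $detail })
    }

# --- Web log IOCs: parse the W3C logs modified in the window, using each file's #Fields header ---
$perClient = @{}   # c-ip -> ordered list of "method uri-stem", kept only for the chain's endpoints
Get-ChildItem -Path $IisLogDir -Filter '*.log' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -lt $To } |
    ForEach-Object {
        $file = $_; $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }
            $row = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            $ip  = $row['c-ip']; $ua = $row['cs(User-Agent)']
            $key = "$($row['cs-method']) $($row['cs-uri-stem'])"
            if ($ip -and ($SequenceKeys -contains $key)) {
                if (-not $perClient.ContainsKey($ip)) { $perClient[$ip] = New-Object System.Collections.Generic.List[string] }
                $perClient[$ip].Add($key)
            }
            # Individual hits: a known attacker source, the curl/7.69.1 user agent, or the web-shell names
            if (($ip -in $AttackerIPs) -or ($ua -like 'curl/7.69.1*') -or ($key -like '*userFilterTable*')) {
                $findings.Add([pscustomobject]@{ Type = 'WebLog'; Where = $file.Name; Detail = $line })
            }
        }
    }

# --- Chain detection: did any single client issue the full sequence, in order? ---
foreach ($ip in $perClient.Keys) {
    if (Test-Subsequence -Needle $SequenceKeys -Haystack $perClient[$ip].ToArray()) {
        $findings.Add([pscustomobject]@{ Type = 'Chain'; Where = $ip
            Detail = 'dl.asp -> done.asp -> KUpload.dll -> done.asp -> KUpload.dll -> userFilterTableRpt.asp seen in order' })
    }
}

if ($findings.Count -eq 0) {
    "No appendix IOCs found under $KaseyaRoot or in $IisLogDir for $($From.ToString('yyyy-MM-dd')) to $($To.AddDays(-1).ToString('yyyy-MM-dd'))."
} else {
    $findings | Sort-Object Type | Format-Table -AutoSize -Wrap
    $findings | Export-Csv -NoTypeInformation -Path (Join-Path $PWD 'vsa-ioc-sweep.csv')
}
```

Save it as `Invoke-VsaIocSweep.ps1` and run it from an elevated prompt, for example `.\Invoke-VsaIocSweep.ps1 -KaseyaRoot 'D:\Kaseya'` if VSA is installed elsewhere. The per-client subsequence check is deliberately separate from the single-line hits: one `GET /done.asp` is ordinary agent traffic, but the six requests in the guide's order from one address is the pattern the appendix describes, so only that combination is reported as a `Chain` finding. A `File` hit whose MD5 differs from the table is still reported, since the guide asks for any copy of those names to be submitted and purged.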