TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

Lessons Learned During the Kaseya VSA Supply Chain Attack | Huntress

2021-07-28

ATT&CK techniques detected

9 predictions
T1486 Data Encrypted for Impact · 93%
"…process and the timeline for remediations and recovery — it leaves something to be desired. We need to hold our vendors accountable for code quality and transparent communication. The decryption key. On July 22, the anticipated news broke: a universal decryption key had surfaced…"

T1486 Data Encrypted for Impact · 89%
"…for now. The Huntress team's involvement. Our team played an active role in this incident. We did what we could to investigate and analyze exactly how this attack was carried out while trying to help businesses that were affected. Around two hours after the ransomware incidents…"

T1486 Data Encrypted for Impact · 82%
"Lessons Learned During the Kaseya VSA Supply Chain Attack | Huntress. On July 2, 2021, as many people in the United States were preparing for the July 4 holiday, a major ransomware attack began to unfold. The REvil ransomware group carried out a sophisticated supply chain attack a…"

T1195 Supply Chain Compromise · 79%
"Lessons Learned During the Kaseya VSA Supply Chain Attack | Huntress. On July 2, 2021, as many people in the United States were preparing for the July 4 holiday, a major ransomware attack began to unfold. The REvil ransomware group carried out a sophisticated supply chain attack a…"

T1486 Data Encrypted for Impact · 79%
"…more effectively. What happened. The Huntress team first became aware of the incident after three separate MSP partners reached out to us, noting that they — along with their customers — had been hit with ransomware. These reports reached us within half an hour of each other, whic…"

T1486 Data Encrypted for Impact · 71%
"…trickled down from the compromised VSA server to all of the affected MSPs' machines. Then, it impacted all of the downstream SMB endpoints. In one swoop, the attackers hit the mothership and cut across the entire vertical. Remaining undetected. There were three main components to…"

T1080 Taint Shared Content · 63%
"…for now. The Huntress team's involvement. Our team played an active role in this incident. We did what we could to investigate and analyze exactly how this attack was carried out while trying to help businesses that were affected. Around two hours after the ransomware incidents…"

T1003 OS Credential Dumping · 56%
"…trickled down from the compromised VSA server to all of the affected MSPs' machines. Then, it impacted all of the downstream SMB endpoints. In one swoop, the attackers hit the mothership and cut across the entire vertical. Remaining undetected. There were three main components to…"

T1078 Valid Accounts · 30%
"…trickled down from the compromised VSA server to all of the affected MSPs' machines. Then, it impacted all of the downstream SMB endpoints. In one swoop, the attackers hit the mothership and cut across the entire vertical. Remaining undetected. There were three main components to…"

Summary

The Huntress team recaps what happened during the Kaseya VSA supply chain attack—and what we can learn from it.