Kaseya Ransomware Attack and the Implications of Microsoft Defender for Endpoint (MDE)


By now, the story of the Kaseya ransomware attack is a cautionary tale to all MSPs and their clients. However, there is more to the story than meets the eye. Let us first examine the role Kaseya played in the attack.

The Problem:

Kaseya VSA is an on-premises solution used to manage remote assets. Many managed service providers (MSPs) use this technology to manage their clients’ IT infrastructure. In order for this application to work, managed devices must establish a trust with the VSA software. Some MSPs openly expose this on-premises application to the internet.

Attackers were able to execute code on exposed VSA servers from the public internet without authenticating. Also, Kaseya VSA requires high administrative privilege on the systems it is designed to manage, making it possible to disable Defender (among other protections) and execute ransomware. In addition, the Kaseya VSA agent requires exclusions for it to co-exist with the various anti-virus technologies installed on those assets. Together, these open the door for nefarious actors to control MSP client assets in many ways through privilege escalation.

[Ref: https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b]

Secondly, to really understand the implications for Microsoft Defender for Endpoint, we need to break down the REvil ransomware used in the attack.

PowerShell cmdlets were used to tamper with Microsoft Defender. Real-time Monitoring, IOAV Protection, Intrusion Prevention System, Script Scanning, Controlled Folder Access, Network Protection, MAPS Reporting, and Sample Submission were all disabled.

Once Defender was disabled, a “dropper” was executed. The dropper downloaded two files and saved them to the victim’s AppData/Local/Temp folder: “MsMpEng.exe” (a valid Windows Defender executable) and mpsvc.dll (the ransomware payload).

Please note that the legitimate Defender binary is executed from \ProgramData\Microsoft\Windows Defender\Platform\\MsMpEng.exe and is started by the “WinDefend” service.

The MsMpEng.exe binary downloaded by REvil was a Microsoft digitally signed file with a timestamp of March 2014.

REvil, who took credit for the ransomware, uses a DLL side-loading technique to execute the ransomware code. When MsMpEng.exe is executed, it loads the functions exported by mpsvc.dll. The ransomware code is contained in that DLL, which is called by the MsMpEng.exe binary located in the Temp folder.

[Ref: https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransom

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/ ]

Traditionally, if a user has local administrative privilege on a system, they are capable of tampering with Defender. Eventually, Defender will turn itself back on. Domain Administrators can also disable Defender by pushing Group Policy Preferences to systems. These settings are more permanent and remain in effect until reverted.

[Ref: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD52622]

The Solution: Tamper Protection

Defender for Endpoint would not have been affected by this campaign had Tamper Protection been enabled and the system requirements been met. In addition, Defender for Endpoint would have alerted on the tampering events affecting Defender.

When a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal.

Using the endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
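The checks a security operations analyst would run on a host against the conditions described above (the Set-MpPreference tampering, Tamper Protection state, and MsMpEng.exe/mpsvc.dll side-loaded from Temp), as an added PowerShell example that is not code from the original post or from Microsoft. The function name Get-DefenderTamperFindings is chosen here; the property names are those returned by the Defender module’s Get-MpPreference and Get-MpComputerStatus cmdlets.

```powershell
# Added example (not from the original post or from Microsoft): audit a host for the
# conditions the article describes, from a defender's side:
#   1. Tamper Protection off, or the settings REvil turned off via Set-MpPreference
#      still in their disabled state.
#   2. MsMpEng.exe running from, or mpsvc.dll sitting in, a per-user Temp folder
#      instead of the Defender Platform directory (the DLL side-loading pattern).
# Assumes Windows 10 / Server 2016+ with the Defender module; run elevated.
# The genuine MsMpEng.exe is a protected process, so its path may read as null;
# a null path is skipped rather than flagged.
function Get-DefenderTamperFindings {
    $findings = @()
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.IsTamperProtected) { $findings += 'Tamper Protection is OFF' }

    # Boolean Disable* preferences: $true means the feature is off
    $disableFlags = @{
        DisableRealtimeMonitoring        = 'Real-time monitoring disabled'
        DisableIOAVProtection            = 'IOAV protection disabled'
        DisableIntrusionPreventionSystem = 'Intrusion Prevention System disabled'
        DisableScriptScanning            = 'Script scanning disabled'
    }
    foreach ($name in $disableFlags.Keys) {
        if ($pref.$name) { $findings += $disableFlags[$name] }
    }
    # Enumerated preferences: 0 = disabled; SubmitSamplesConsent 2 = never send
    if ($pref.EnableControlledFolderAccess -eq 0) { $findings += 'Controlled Folder Access disabled' }
    if ($pref.EnableNetworkProtection -eq 0)      { $findings += 'Network Protection disabled' }
    if ($pref.MAPSReporting -eq 0)                { $findings += 'MAPS reporting disabled' }
    if ($pref.SubmitSamplesConsent -eq 2)         { $findings += 'Sample submission set to never send' }

    # The engine and its DLLs belong under the Platform directory
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'") {
        $exe = $proc.ExecutablePath
        if ($exe -and -not $exe.StartsWith($platform, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "MsMpEng.exe running outside Platform dir: $exe (PID $($proc.ProcessId))"
        }
    }
    # The dropper wrote both files to AppData\Local\Temp; check every profile on the box
    $temps = Join-Path $env:SystemDrive 'Users\*\AppData\Local\Temp'
    foreach ($f in Get-ChildItem $temps -Recurse -Include 'MsMpEng.exe','mpsvc.dll' -ErrorAction SilentlyContinue) {
        $findings += "Defender-named file in a Temp folder: $($f.FullName)"
    }
    return $findings
}

$result = Get-DefenderTamperFindings
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No tampering indicators found.' }
```

With Tamper Protection on, the Disable* preferences cannot be flipped by Set-MpPreference in the first place, so any finding from the first group on such a host points to a policy or configuration change worth investigating in the portal.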

Tamper Protection is available for:

  • Windows 10
  • Windows Server 2019
  • Windows Server, version 1803 or later
  • Windows Server 2016

With Tamper Protection, malware is prevented from taking actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

Tamper Protection locks Microsoft Defender Antivirus to its secure, default values, and prevents security settings from being changed through applications and methods such as:

  • Configuration of settings in Registry Editor
  • Changing settings through PowerShell cmdlets (as seen in the REvil attack)
  • Editing or removing security settings through Group Policy

Tamper protection does not:

  • Prevent users from viewing security settings.
  • Affect how non-Microsoft antivirus applications register with the Windows Security app.

If an organization is using Windows 10 Enterprise E5, individual users cannot change tamper protection settings. At this level, Security Teams manage tamper protection. It can be configured in the Microsoft 365 Defender portal.

[Ref: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide]

Conclusion:

Enterprise-level clients have many criteria to examine when evaluating IT security software choices, along with their cost. When news such as the recent supply chain attacks hits the executive boardroom, doubts eventually creep into the once-trusted options. It is possible for executive-level decision makers to get information overload or draw incorrect conclusions based on limited available information. Speak to a Difenda representative to ensure you are always well-informed.



Ken Perkins

Biography coming soon.
