Home / Industry

Exposing an Active Kaseya Ransomware Attack Infrastructure

Kaseya, an IT solution developer targeting managed service providers (MSPs) and enterprises, became a victim of a massive ransomware attack last July. While the company’s CEO said that less than 0.1% of its clients were affected, the fact that it mostly served MSPs, the data belonging to as many as 1,500 small businesses could have been compromised.

Our in-depth investigation into the Kaseya ransomware attack revealed these findings:

  • Using the 47 registrant email addresses as search strings on Maltego using the WhoisXML API Historical Reverse WHOIS Search transform, we uncovered 280 domains that are possibly connected to the Kaseya ransomware attack.
  • 201 of the connected domains resolved to 325 IP addresses that could be pointing to attacker-owned devices.

Find out how we came to these conclusions in the following sections.

What Happened to Kaseya?

According to security researchers, threat actors may have launched a supply chain ransomware attack on Kaseya by exploiting a vulnerability in its VSA software. The attackers were able to breach the network of the vendor’s MSP and enterprise clients and their customers.

What We Know from Published Reports

Based on reports that have come out since then, WhoisXML API Security Researcher Dancho Danchev obtained 47 registrant email addresses known for having ties to the cyber attack.

A variety of WhoisXML API domain, IP, and other threat intelligence tools were used to expand the list of indicators of compromise (IoCs) and artifacts to ensure the security of other networks. The findings are recorded in the following section.

IoC and Artifact List Expansion Details

The 47 registrant email addresses were used as Maltego search strings using the WhoisXML API Historical Reverse WHOIS Search transform.

A majority of the registrant email addresses (46 out of 47 to be exact) provided a list of 280 connected domains. Examples of these domain names include:

  • alfa-stroy72[.]com
  • parebrise-tla[.]fr
  • zflas[.]com
  • adultgamezone[.]com
  • assurances-alex-trespaille[.]com
  • dpathology[.]com
  • stingraybeach[.]com
  • datacenters-in-europe[.]com
  • medicamentsveterinaire[.]com
  • drinkseed[.]com

The full list of the domains is available for download here.

A majority of the 280 domains used the .com top-level domain (TLD) (187 or 67%). The remaining 33% used 20 other TLDs, such as .net, .fr, and .org. Chart 1 shows the domain volume by TLD.

Chart 1: Distribution of domains connected to the registrant email addresses by TLD

Most of the connected domains used the original gTLDs more than other types (ccTLDs and new gTLDs). That could be due to the fact that the attack’s targets were enterprises. Using old gTLDs would seem more believable to belong to suppliers than the other TLD types.

Subjecting the connected domains to a bulk Domain Name System (DNS) lookup revealed that 201 of the domain names resolved to 325 IP addresses. Examples of these include:

  • 89[.]250[.]150[.]92
  • 217[.]160[.]0[.]62
  • 107[.]152[.]47[.]208
  • 213[.]190[.]6[.]70
  • 172[.]67[.]217[.]55
  • 104[.]21[.]78[.]59
  • 213[.]186[.]33[.]5
  • 164[.]132[.]235[.]17
  • 185[.]233[.]152[.]220
  • 209[.]17[.]116[.]160

A majority of the 325 IP addresses (239 or 74%) originated from the U.S. The remaining 26% were scattered across 24 other countries, such as France, Germany, and Luxembourg. Chart 2 shows the IP address distribution by country.

Chart 2: Distribution of IP address resolutions by country of origin

Subjecting the 280 connected domains to a bulk WHOIS lookup revealed that only 200 had retrievable current WHOIS records. Of these, only 174 had creation dates. A majority of the 174 domains (28 or 16%) were created just this year while the remaining 84% were created between 1995 and 2020. Chart 3 shows the domain distribution by creation year.

Chart 3: Distribution of domains with retrievable WHOIS records by creation year

At times, the age of a domain could add to its legitimacy, which is why some were created as far back as 1995.

Finally, a bulk malware check using Threat Intelligence Platform (TIP) API revealed that two of the connected domains were dubbed “dangerous” by various threat databases. These are dupontsellshomes[.]com and hashkasemestaindonesia[.]com.


As a precautionary measure, all of the connected domains and their IP resolutions, especially those dubbed “dangerous,” mentioned in this post might be worth including in company watchlists at the very least or blocklists for utmost security.

If you’re a security researcher or IT security personnel investigating the threat, contact us for a complete list of the potential IoCs or artifacts or to collaborate on similar research.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO