Kaseya Community

Targeted probes (agent installations) from Azure IP space

This question is answered

Hi All!

I'm experiencing a new trend (starting in August)  in which we have rouge agents checking into groups that have the check-in policy set to "Allow automatic account creation".

These rouge agents have the following properties:

-The connection gateway for the rouge agents are in MS Azure IP space (40.96.0.0/12 and 40.80.0.0/12)

-localnet IP space is always 10.0.0.0/24 with 10.0.0.1 as the default gateway.

-The Product name is always exactly "HP Elite"

-The OS version is Windows 7 Ultimate or Windows 10 Enterprise

-Computer name is 6 to 8 alpha characters (no dashes or other patterns)

-Last Logged in User names are mostly "firstlast". i.e dylanking, sarasims, jonrobe

-They stay online in Kaseya for 2 1/2 minutes *exactly*.

Some of these rouge machines are checking into groups that have never been published on dl.asp. I sent an email to MS (their abuse address) for the IP blocks and was told by Microsoft support  "The specific details of this case will not be provided in accordance with our customer privacy policy"


I've had as many as 50 "HP Elites" check-in over a day. What i find curious is that probing our kaseya deployment like  this with "fake" computers from azure would cost a good amount of money, and not the normal activity of the everyday "threat actor".

My question to the community is, who would do this and why, and is anyone else experiencing this?

Verified Answer
  • These rogue agents are most likely Windows Advanced Defender running up binaries in a sandbox.  There are other advanced malware detection systems which do the same thing.

    I personally have experienced this ranging from domain to cloud environments.  You can set certain restrictions via your system module to account for this behavior.

  • Do you have O365 ATP in use? We noticed that when sending an agent install link via email to a customer then ATP would download the kcsetup.exe and test it out in a azure vm environment where they deploy win7 & win10 machines to test everything for malware etc.

    See this old post for more info: community.kaseya.com/.../24481.aspx

All Replies
  • Do you have your server open to public?

    I don't have any good answer, but I want to watch this thread to see. The potential implications are quite disturbing.

  • Adding a screenshot of the rouge check-in machines:

  • We do support for the public at large, so yes, port 5721 is open to the public.  

    FYI I asked Kaseya support about this a couple months ago. The meat of their answer was "Please be assured that these machines are not a security risk. The machines can't get any sensitive data from being an agent. On the contrary, VSA admins will now have control of the machine."

    I get their point but it doesn't really answer why someone would do such a thing.

  • These rogue agents are most likely Windows Advanced Defender running up binaries in a sandbox.  There are other advanced malware detection systems which do the same thing.

    I personally have experienced this ranging from domain to cloud environments.  You can set certain restrictions via your system module to account for this behavior.

  • Thanks for the info ! I see what you mean.

    BTW, can you lead me to where in the system module I may "account for this behavior" other than disabling the auto-account creation for the check-in policy?

    Thanks!

  • Do you have O365 ATP in use? We noticed that when sending an agent install link via email to a customer then ATP would download the kcsetup.exe and test it out in a azure vm environment where they deploy win7 & win10 machines to test everything for malware etc.

    See this old post for more info: community.kaseya.com/.../24481.aspx

  • I've seen this before and can confirm that it's some sort of AV testing farm thing. Annoying, but not a threat.

    Can you confirm the serial number(s)?

  • I have a couple of these - serial number is: 2UA20511KN for both.