I'm experiencing a new trend (starting in August) in which we have rogue agents checking into groups that have the check-in policy set to "Allow automatic account creation".
These rogue agents have the following properties:
- The connection gateway for the rogue agents is in MS Azure IP space (188.8.131.52/12 and 184.108.40.206/12)
- localnet IP space is always 10.0.0.0/24 with 10.0.0.1 as the default gateway.
- The Product name is always exactly "HP Elite"
- The OS version is Windows 7 Ultimate or Windows 10 Enterprise
- Computer name is 6 to 8 alpha characters (no dashes or other patterns)
- Last Logged in User names are mostly "firstlast", e.g. dylanking, sarasims, jonrobe
- They stay online in Kaseya for 2 1/2 minutes *exactly*.
I've had as many as 50 "HP Elites" check in over a day. What I find curious is that probing our Kaseya deployment like this with "fake" computers from Azure would cost a good amount of money, and is not the normal activity of the everyday "threat actor".
My question to the community is, who would do this and why, and is anyone else experiencing this?
These rogue agents are most likely Windows Advanced Defender running up binaries in a sandbox. There are other advanced malware detection systems which do the same thing.
I personally have experienced this ranging from domain to cloud environments. You can set certain restrictions via your system module to account for this behavior.
Do you have O365 ATP in use? We noticed that when sending an agent install link via email to a customer, ATP would download the kcsetup.exe and test it out in an Azure VM environment where they deploy Win7 & Win10 machines to test everything for malware etc.
See this old post for more info: community.kaseya.com/.../24481.aspx
Do you have your server open to the public?
I don't have any good answer, but I want to watch this thread to see. The potential implications are quite disturbing.
Adding a screenshot of the rogue check-in machines:
We do support for the public at large, so yes, port 5721 is open to the public.
FYI I asked Kaseya support about this a couple months ago. The meat of their answer was "Please be assured that these machines are not a security risk. The machines can't get any sensitive data from being an agent. On the contrary, VSA admins will now have control of the machine."
I get their point but it doesn't really answer why someone would do such a thing.
Thanks for the info Oscar Romero! I see what you mean.
BTW, can you lead me to where in the system module I may "account for this behavior" other than disabling the auto-account creation for the check-in policy?
I've seen this before and can confirm that it's some sort of AV testing farm thing. Annoying, but not a threat.
Can you confirm the serial number(s)?
I have a couple of these - serial number is: 2UA20511KN for both.