Scammers exploiting Kaseya ransomware attack to deploy malware


A new phishing campaign claims to offer a security update for Kaseya's VSA software but actually tries to install malware, says Malwarebytes.


Image: danijelala, Getty Images/iStockPhoto

Cybercriminals are already taking advantage of the ransomware attack against IT firm Kaseya to deploy spam designed to infect computers with Cobalt Strike-delivered malware. In a July 6 update to an ongoing blog post and a tweet about the Kaseya incident, security firm Malwarebytes said that its Threat Intelligence team has detected a malicious spam campaign exploiting the Kaseya VSA attack.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

The phishing email sent out in this campaign claims to offer a fix for the Kaseya security flaw, telling the recipient: "Please install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya."

The email carries a file attachment named SecurityUpdates.exe. But anyone who attempts to run the attached file will instead be treated to a dose of malware courtesy of the penetration testing tool Cobalt Strike.
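As an added illustration (not part of the original article or of Malwarebytes' own tooling), the following Python screening routine flags messages with the traits the campaign above shows: an executable attachment (the reported SecurityUpdates.exe name is used in the sample) combined with urgent patch-lure wording that invokes vendors the sender address does not match. The sample messages, sender addresses and phrase list are constructed for this example; the lure text is the one quoted above.

```python
"""Mail-gateway style triage for lure e-mails carrying executable "security updates".

Added example: everything below (sender addresses, phrase list, sample
messages) is constructed for illustration and is not data from the article.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment types that almost never belong in a genuine vendor update mail.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi")

# Urgency-driven patch-lure wording; the Kaseya lure quoted above uses the
# first four. Matching is case-insensitive against the plain-text body.
LURE_PHRASES = ("install the update", "protect against ransomware",
                "as soon as possible", "fixing a vulnerability", "security update")

# Vendors a lure tends to invoke; a real notice would come from their domain.
VENDORS = ("microsoft", "kaseya")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filename of every attachment part in the message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def screen_message(raw: str) -> dict:
    """Score a raw RFC 5322 message; returns {"verdict": ..., "reasons": [...]}.

    verdict is "block" when an executable attachment rides alongside at least
    one other lure indicator, "review" when only weaker indicators fire, and
    "pass" otherwise.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""

    for name in attachment_names(msg):
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")

    hits = [phrase for phrase in LURE_PHRASES if phrase in body]
    if hits:
        reasons.append("patch-lure wording: " + ", ".join(hits))

    # The lure names Microsoft and Kaseya but is sent from neither domain.
    sender = msg.get("From", "").lower()
    for vendor in VENDORS:
        if vendor in body and vendor not in sender:
            reasons.append(f"body names {vendor} but sender address does not")

    has_executable = any(r.startswith("executable attachment") for r in reasons)
    if has_executable and len(reasons) > 1:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(lure: bool) -> str:
    """Construct a sample message (lure or benign) and return it as raw text."""
    msg = EmailMessage()
    msg["To"] = "helpdesk@example.invalid"          # constructed recipient
    if lure:
        msg["From"] = "it-support@example.invalid"  # constructed sender
        msg["Subject"] = "Urgent: install security update"
        msg.set_content("Please install the update from microsoft to protect "
                        "against ransomware as soon as possible. This is fixing "
                        "a vulnerability in Kaseya.")
        # Placeholder bytes standing in for the attached executable.
        msg.add_attachment(b"MZ\x90\x00placeholder-not-a-real-binary",
                           maintype="application", subtype="octet-stream",
                           filename="SecurityUpdates.exe")
    else:
        msg["From"] = "billing@vendor.example"      # constructed sender
        msg["Subject"] = "June invoice"
        msg.set_content("Your invoice for June is attached.")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for is_lure in (True, False):
        result = screen_message(build_sample(lure=is_lure))
        print(result["verdict"], result["reasons"])
```

The verdict deliberately requires two independent signals before blocking, so a legitimate vendor that does ship an installer by mail lands in "review" rather than being dropped silently; in a real gateway the phrase list and vendor table would be maintained as data, not literals.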


Image: Malwarebytes

Designed and intended as a legitimate security program, Cobalt Strike is used by organizations to test their internal security and look for weak spots. But the tool has increasingly been co-opted by cybercriminals to deploy malicious payloads onto victimized computers. The program has been popular among large cybercrime groups and advanced persistent threat groups but has recently gained greater traction among broader commodity criminals.

Typically, attackers download Cobalt Strike as a second stage after the initial compromise. But lately there has been an increase in campaigns pushing Cobalt Strike as a first payload to set the stage for the attack.

This Kaseya fake update is hosted on the same IP address used for a past campaign pushing the Dridex banking trojan, according to Jerome Segura, lead malware intelligence analyst for Malwarebytes. Segura said Malwarebytes has seen the same threat actor behind Dridex using Cobalt Strike but couldn't confirm the group behind this new campaign.

On July 3, Kaseya revealed that its VSA product had been the victim of a ransomware attack. Used by Managed Service Providers, the software allows users to remotely monitor and administer IT services for their customers. The ransomware exploits a zero-day vulnerability in the VSA software, delivering the malicious payload through a fake VSA update.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

The attack directly infected fewer than 60 Kaseya customers, all of whom were running the VSA on-premises product. However, a ripple effect throughout the Kaseya supply chain meant that those infected systems then infected the systems of about 1,500 customers, according to Kaseya.

Proudly taking credit for the attack was ransomware group REvil. In its own "Happy Blog," the group claimed that more than 1 million systems were infected, according to security firm Sophos. REvil also devised a tempting offer for all victims of the attack. In exchange for $70 million worth of bitcoin, the group would post a universal decryptor that would allow all affected companies to recover their files.

Kaseya has been working on a patch to fix the vulnerability in its VSA software. But the company has seemingly run into glitches. Late Tuesday, Kaseya revealed that an issue was discovered that blocked the launch of the patch during deployment, pushing back the timeline for its release. In an update to its blog, the company said it would announce the new planned availability of the patch by 5 p.m. Eastern time on Wednesday.

"Cybercriminals routinely capitalize on panic stemming from newsworthy events," said Chris Clements, VP of solutions architecture for Cerberus Sentinel. "We saw it with COVID stimulus checks, vaccine availability and now with the Kaseya supply chain attack."

To help organizations protect themselves against these types of scams, Clements said that it's important for users to vet any sources of information to make sure they're correct before they open attachments or share sensitive information. Phishing emails are a numbers game before one bypasses a security filter and arrives in a user's mailbox, Clements added.

"Even the best anti-malware solutions can be deceived by clever binary obfuscation techniques," Clements said. "As such, it's critical to have layers of controls that expect failures of other controls. This is where continuous monitoring and proactive threat hunting really shine by providing the capability to identify potentially suspicious activities that manage to evade primary defenses."
