The massive Kaseya ransomware attack that is claimed to have affected around 1,000 organizations, is now being leveraged to fuel other attack campaigns. One such attack campaign has come to the notice of Malwarebytes researchers.

Kaseya REvil victims targeted

  • In a series of tweets from Malwarebytes, researchers have disclosed that a malspam campaign is taking advantage of the Kaseya ransomware attack to drop Cobalt Strike. This can enable threat actors to conduct further attacks, possibly even drop other malware.
  • The campaign is carried out via phishing email that contains an attachment named ‘SecurityUpdates.exe’, as well as a link pretending to be a security update for the Kaseya vulnerability.
  • To make it look convincing, the email claims that the security update is from Microsoft.

What do we know about the Kaseya attack?

  • The Kaseya ransomware attack that unfolded on July 2, is one of the destructive ransomware attacks this year, following the attacks against Colonial Pipeline and JBS Foods.
  • The REvil ransomware gang infiltrated the firm by exploiting a yet to be patched zero-day vulnerability in VSA servers.
  • Following the attack, the attackers had managed to steal troves of data and later demanded $70 million in ransom to release a universal decryption key.
  • Some of the affected organizations include supermarkets in Sweden and schools in New Zealand. While hundreds of companies are directly hit by the supply-chain attack on Kaseya’s VSA software, at least 36,000 companies are impacted indirectly.

Noteworthy point

  • Threat actors have always aimed for a lucrative opportunity to ripen their fortune and leveraging the Kaseya ransomware attack is one such case.
  • Earlier, the outage at Colonial Pipeline had sparked a ‘Help Desk’ phishing attack that targeted Microsoft 365 customers. The ultimate goal of the campaign was to drop the Cobalt Strike tool on victims’ systems.

Conclusion

As the ongoing Kaseya attack continues to give a tough time to organizations, the emergence of parallel campaigns by threat actors, probably not associated with the REvil gang, will surely add more headaches. Being careful when receiving unsolicited emails can help one stay safe from such attacks. Meanwhile, Kaseya has begun the work to address the vulnerability affecting its VSA servers.

Cyware Publisher

Publisher

Cyware