Hackers have been spotted launching opportunistic phishing attacks against victims of the Kaseya VSA ransomware attack, using e-mails that pose as security updates for VSA, the vulnerable software that was recently exploited in that attack.
The phishing e-mails warn recipients that they need to "install the update from Microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya", according to a blog post by Malwarebytes.
This appears to be a classic example of an opportunistic attack, probably carried out by a different hacking group on the back of a high-profile cyber attack, the researchers say.
"With Kaseya being a big name in the MSP world and the company trying to get their VSA SaaS platform off the ground, post-attack, it is the perfect time and opportunity to also capitalize on businesses who are eagerly waiting for the hotfix that REvil exploited in the first place so they can get back to business as soon as possible," the researchers said.
The e-mail show up to be employing SecurityUpdates.exe and ploader.exe as attachments, both of those of which use the Cobalt Strike payload.
Scientists also pointed out that the site in which the payload is hosted appears to be the exact IP handle used in another malspam campaign that was pushing Dridex, a regarded info stealer. They added that hackers powering Dridex campaigns were also noticed employing Cobalt Strike.
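As an added example that is not part of the article or of Malwarebytes' own tooling, the following Python triages constructed mail-gateway records against the indicators described above: the two payload file names, an executable delivered as a "patch", and the vendor mismatch of a "Microsoft" update that supposedly fixes a Kaseya product. The sender addresses, host names and sample messages are made up; only the file names and the lure wording come from the article.

```python
"""Triage mail records for the Kaseya 'security update' lure.

Added example: only the two payload names and the lure wording come from
the article; every address, host and sample message below is constructed.
"""
import re
from dataclasses import dataclass, field

# File names of the two Cobalt Strike payloads reported in the campaign.
KNOWN_PAYLOAD_NAMES = {"securityupdates.exe", "ploader.exe"}
# Assumption: extensions a mail gateway should never accept as a vendor patch.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|msi|bat|cmd|ps1|js|vbs|hta)$", re.IGNORECASE)
# Phrases of the lure quoted by the researchers.
LURE_TERMS = ("kaseya", "ransomware", "hotfix", "update from microsoft")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)


def delivered_file_names(msg: Message) -> list[str]:
    """Attachment names plus the last path segment of every link, lower-cased."""
    names = [a.lower() for a in msg.attachments]
    names += [u.rstrip("/").rsplit("/", 1)[-1].lower() for u in msg.urls]
    return names


def triage(msg: Message) -> list[str]:
    """Return the reasons to quarantine msg; an empty list means nothing fired."""
    reasons = []
    names = delivered_file_names(msg)
    for name in names:
        if name in KNOWN_PAYLOAD_NAMES:
            reasons.append(f"known campaign payload: {name}")
        elif EXECUTABLE_EXT.search(name):
            # A renamed payload still arrives as an executable "patch".
            reasons.append(f"executable delivered by mail: {name}")

    text = f"{msg.subject} {msg.body}".lower()
    hits = [t for t in LURE_TERMS if t in text]
    # Lure wording is only interesting when a file or link actually arrives with it.
    if hits and names:
        reasons.append("patch lure with delivered file: " + ", ".join(hits))
    # The tell in this campaign: a "Microsoft" update that fixes a Kaseya product.
    if "microsoft" in text and "kaseya" in text and names:
        reasons.append("vendor mismatch: Microsoft update claimed to fix Kaseya")
    return reasons


def quarantine_verdicts(msgs: list[Message]) -> dict[str, list[str]]:
    """Map each subject line to its triage reasons (empty list = deliver)."""
    return {m.subject: triage(m) for m in msgs}


# Constructed sample messages (not real captures).
SAMPLES = [
    Message(
        sender="it-support@patch-notify.example",
        subject="Kaseya VSA ransomware fix",
        body="Please install the update from Microsoft to protect against ransomware "
             "as soon as possible. This is fixing a vulnerability in Kaseya.",
        attachments=["SecurityUpdates.exe"],
    ),
    Message(
        sender="helpdesk@patch-notify.example",
        subject="Hotfix available",
        body="Download the hotfix here.",
        urls=["http://update-host.example/ploader.exe"],
    ),
    Message(
        sender="advisories@vendor.example",
        subject="Kaseya VSA status update",
        body="The patch will be published on the vendor portal; no file is attached.",
    ),
]

if __name__ == "__main__":
    for subject, reasons in quarantine_verdicts(SAMPLES).items():
        print(subject, "->", "QUARANTINE" if reasons else "deliver", reasons)
```

The third sample shows why the lure terms alone are not enough to act on: a genuine vendor advisory will mention Kaseya and a patch too, so the rule only fires when the message also delivers a file or a link to one.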
Cobalt Strike itself is legitimate software sold as "adversary simulation software" for red teams; however, ransomware actors have abused it to target businesses.
Last month, researchers at Proofpoint reported that malicious use of legitimate tools such as Cobalt Strike had increased 161% from 2019 to 2020 and remains a high-volume threat in 2021.
The researchers warned that organizations affected by the Kaseya ransomware attack should only obtain patches directly from the vendor.
"Links and/or attachments sent your way, even from a trusted colleague, should be suspect until you have verified with your vendor the availability of a patch and where or how to get it," they added.
"Opportunists will show no mercy in targeting cyber attack victims multiple times as long as they get something out of it."
The researchers added that by using Cobalt Strike, the attackers intend to gain access to already-compromised systems, potentially for further reconnaissance or to carry out a second, follow-up attack.