Kaseya Ransomware Attack Used to Fuel Malspam Campaign

Kaseya REvil victims targeted

• In a series of tweets from Malwarebytes, researchers have disclosed that a malspam campaign is taking advantage of the Kaseya ransomware attack to drop Cobalt Strike. This can enable threat actors to conduct further attacks, possibly even drop other malware.
• The campaign is carried out via phishing email that contains an attachment named ‘SecurityUpdates.exe’, as well as a link pretending to be a security update for the Kaseya vulnerability.
• To make it look convincing, the email claims that the security update is from Microsoft.

What do we know about the Kaseya attack?

• The Kaseya ransomware attack that unfolded on July 2, is one of the destructive ransomware attacks this year, following the attacks against Colonial Pipeline and JBS Foods.
• The REvil ransomware gang infiltrated the firm by exploiting a yet to be patched zero-day vulnerability in VSA servers.
• Following the attack, the attackers had managed to steal troves of data and later demanded $70 million in ransom to release a universal decryption key.
• Some of the affected organizations include supermarkets in Sweden and schools in New Zealand. While hundreds of companies are directly hit by the supply-chain attack on Kaseya’s VSA software, at least 36,000 companies are impacted indirectly.

Noteworthy point

• Threat actors have always aimed for a lucrative opportunity to ripen their fortune and leveraging the Kaseya ransomware attack is one such case.
• Earlier, the outage at Colonial Pipeline had sparked a ‘Help Desk’ phishing attack that targeted Microsoft 365 customers. The ultimate goal of the campaign was to drop the Cobalt Strike tool on victims’ systems.

Conclusion