Last Friday, Kaseya – which serves managed service providers (MSPs) among its client base – was hit by REvil, a ransomware group that managed to exploit vulnerabilities in the firm’s VSA software. As a precaution, the company pulled both VSA and SaaS servers offline. However, roughly 50 direct clients and up to 1,500 businesses further down the chain have been impacted.

On July 8, the software solutions provider said that scam artists are leveraging the security incident to “send out fake email notifications that appear to be Kaseya updates.”

“These are phishing emails that may contain malicious links and/or attachments,” the company added.

Samples of fake, emailed Kaseya advisories, as noted by Malwarebytes, urge recipients to download and execute an attachment called “SecurityUpdates.exe” to resolve a vulnerability in Kaseya and to protect themselves against ransomware. However, the attachment, a Windows executable, is actually a Cobalt Strike package.

The legitimate threat emulation tool is used by penetration testers, but unfortunately, is also widely abused by threat actors. Cobalt Strike may be used to set up a connection with a command-and-control (C2) server. Together with Metasploit, an open source penetration testing toolkit, these tools were used to host over a quarter of all malware-linked C2s in 2020.

The email sample also contained a direct link to a malicious executable. Previously, some legitimate emails sent to customers appear to have included links to the Kaseya helpdesk; however, if customers are used to this sort of format then they may be more susceptible to clicking on malicious links sent via email by threat actors.

In light of this potential security risk adding to the existing burden of restoration efforts, the company says it will no longer send email updates containing any links or attachments.

Kaseya has encountered some issues during recovery attempts.
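The lure described above (a vendor-branded "security update" email carrying an executable attachment and a direct link to an executable) is the kind of message a mail gateway can flag mechanically. The following is an added example written for this article, not code from Kaseya or Malwarebytes: it builds a constructed sample message modelled on the reported lure (only the attachment name “SecurityUpdates.exe” comes from the article; the sender address, domains, link and attachment bytes are placeholders), then scans it for executable attachments and links to executables. The extension list is an assumption about what an organisation would treat as executable content.

```python
"""Flag vendor-update emails that carry executable attachments or links to
executables, the phishing pattern reported after the Kaseya incident.
Added example; sample message and addresses are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed list of attachment / URL extensions to treat as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed sample modelled on the lure described in the article.
    Sender, recipient, domain and link are placeholders; the attachment body
    is a few placeholder bytes, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "Kaseya Security <updates@kaseya-update.example>"
    msg["To"] = "admin@victim.example"
    msg["Subject"] = "Kaseya VSA security update - action required"
    msg.set_content(
        "Please run the attached SecurityUpdates.exe to patch your VSA server,\n"
        "or download it from http://update.example/SecurityUpdates.exe\n"
    )
    msg.add_attachment(
        b"MZ\x90\x00PLACEHOLDER",  # constructed stand-in for a PE file
        maintype="application",
        subtype="octet-stream",
        filename="SecurityUpdates.exe",
    )
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed plain-text advisory with no links or attachments, matching
    the policy the article says Kaseya adopted for its own updates."""
    msg = EmailMessage()
    msg["From"] = "Kaseya Security <updates@kaseya.example>"
    msg["To"] = "admin@victim.example"
    msg["Subject"] = "VSA restoration status"
    msg.set_content("Status updates are posted on the helpdesk portal. No action required.\n")
    return msg.as_bytes()


def analyze_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Executable attachments, judged by the declared filename.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment: {name}")

    # 2. Direct links to executables in the message body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        if url.lower().rstrip(".,);") .endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"link to executable: {url}")

    return {
        "subject": str(msg["Subject"]),
        "findings": findings,
        "quarantine": bool(findings),
    }


if __name__ == "__main__":
    for raw in (build_sample_message(), build_benign_message()):
        print(analyze_message(raw))
```

The check is deliberately narrow: it keys on the two concrete traits the article reports (an executable attachment and a link that points straight at an executable) rather than on sender names, which a phisher controls. A gateway rule of this shape also has a low false-positive cost once a vendor has committed, as Kaseya did, to sending no links or attachments at all.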
In a July 8 update, Kaseya CTO Dan Timpson said the vulnerabilities have been fixed and additional security measures “are being created prior to deployment to improve the overall security posture of our products.” At present, the company hopes to bring customers back online this Sunday at 4 PM EDT.