Malspam Campaign Targets Kaseya Victims
Phishing Emails Contain Malicious Link, Attachment
Spammers posing as software vendor Kaseya are waging a malspam campaign to target users of the company's VSA remote IT management software that was hit by a ransomware attack, the security firm Malwarebytes reports.
As Kaseya prepares to patch its SaaS and on-premises versions of VSA by Sunday, cybercriminals are transmitting fraudulent emails - portrayed as updates from Kaseya - that contain a malicious link and attachment purporting to offer a Microsoft security update, Malwarebytes says. The campaign may be designed to conduct reconnaissance or launch isolated, follow-up attacks, researchers say.
This malspam campaign comes a week after the REvil ransomware gang targeted the on-premises version of VSA, affecting about 60 of Kaseya's managed service provider customers and as many as 1,500 of the MSPs' clients (see: List of Victims of Kaseya Ransomware Attack Grows).
Kaseya also warns of "spammers making phone calls claiming to be a Kaseya partner reaching out to help," presumably with service restoration. The company warns users not to acknowledge any such calls.
Don't Click Links, Attachments
In an update to its customers Friday on the malspam campaign, Kaseya confirmed that "spammers are using the news about the [ransomware] incident to send out fake email notifications that appear to be Kaseya updates."
Kaseya warns clients "not to click any links or download any attachments in emails claiming to be a Kaseya advisory. Moving forward, all new Kaseya email updates will not contain any links or attachments."
Malwarebytes reports that the spam messages read: "Guys please install the update from Microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya."
An 'Opportunistic Attack'
Malwarebytes says the campaign is "a classic example of an opportunistic attack conducted by (potentially) another threat actor/group off the back of another … attack. It's the perfect time and opportunity to also capitalize on organizations who are eagerly waiting for the hotfix that REvil exploited in the first place."
The malicious link leads to the download of a file called ploader.exe, while the attachment is named SecurityUpdate.exe. Both are Cobalt Strike payloads, Malwarebytes says.
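A triage check a mail-security team could run on inbound messages that invoke Kaseya, built only from the indicators this article reports: the lure wording, the file names ploader.exe and SecurityUpdate.exe, and Kaseya's statement that its genuine advisories carry no links or attachments. This is an added example, not code from Malwarebytes or Kaseya, and the sender, domain and message text are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators from the article: the lure wording, the two payload file names, and
# Kaseya's statement that its genuine advisories carry no links or attachments.
LURE_PHRASES = ("install the update from microsoft", "fixing a vulnerability in kaseya")
KNOWN_PAYLOAD_NAMES = ("ploader.exe", "securityupdate.exe")
URL_RE = re.compile(r"https?://\S+")

def triage_kaseya_advisory(raw: bytes) -> list:
    """Return the reasons a message invoking Kaseya matches the reported lure ([] = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = f"{msg['from'] or ''} {msg['subject'] or ''}".lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    claims_kaseya = "kaseya" in headers or "kaseya" in body
    reasons = [f"lure text: {p!r}" for p in LURE_PHRASES if p in body]
    for url in URL_RE.findall(body):  # body is lower-cased, so names compare directly
        name = url.rstrip(".,)").rsplit("/", 1)[-1]
        if name in KNOWN_PAYLOAD_NAMES:
            reasons.append(f"link to known payload name: {name}")
        elif claims_kaseya:  # Kaseya says real advisories carry no links at all
            reasons.append("claims to be a Kaseya update but contains a link")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_PAYLOAD_NAMES:
            reasons.append(f"known payload name attached: {name}")
        elif claims_kaseya:  # ...nor attachments
            reasons.append(f"claims to be a Kaseya update but carries attachment: {name}")
    return reasons

def build_sample(with_payload: bool) -> bytes:
    """Constructed message modelled on the reported lure (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "Kaseya Support <updates@example.invalid>"  # constructed sender
    msg["Subject"] = "Kaseya Update: Microsoft security fix"
    if not with_payload:  # link-free, attachment-free advisory for contrast
        msg.set_content("Kaseya advisory: the VSA patch schedule is unchanged.")
        return msg.as_bytes()
    msg.set_content(
        "Guys please install the update from Microsoft to protect against\n"
        "ransomware as soon as possible. This is fixing a vulnerability in Kaseya.\n"
        "Download: http://update.example.invalid/ploader.exe\n"
    )
    msg.add_attachment(b"not a real binary", maintype="application",
                       subtype="octet-stream", filename="SecurityUpdate.exe")
    return msg.as_bytes()
```

Running `triage_kaseya_advisory(build_sample(True))` returns four reasons (both lure phrases, the link to ploader.exe and the attached SecurityUpdate.exe), while the link-free advisory returns an empty list.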
The location of the malspam payload matches the IP address used in a similar campaign spreading Dridex, a malware strain that specializes in stealing bank credentials, Malwarebytes says. The threat actors behind Dridex have also used Cobalt Strike.
Attackers frequently use Cobalt Strike, a legitimate penetration-testing tool, to exfiltrate network data and to set up command-and-control profiles that evade detection. The tool is increasingly being used for initial access rather than only as a second-stage tool.
"Links and/or attachments sent your way, even from a trusted colleague, should be suspect until you have confirmed with your vendor the availability of a patch and where or how to get it," Malwarebytes warns. "Realize that this is not the first time that threat opportunists bank on attacks like Kaseya. … [They] will show no mercy in targeting cyberattack victims multiple times as long as they get something out of it."
Best Practice Guide
In its best practice guide, Kaseya tells users to:
- Leverage endpoint protection and SOC to protect the VSA server: Kaseya is providing FireEye's service to all customers.
- Perform periodic reviews of the VSA product logs: This includes system logs and remote control/live connect logs.
- Patch the underlying Microsoft Operating Systems: Patch MS SQL server and other infrastructure every 30 days or less for critical updates.
- Monitor VSA patch updates: Update to the latest VSA patch version as it is released.