It is believed that, on July 2, the managed service provider (MSP) customers of Kaseya were impacted in a ransomware attack.
Leveraging the Kaseya Virtual System Administrator (VSA) platform, cybercriminals were able to push ransomware to customers; Kaspersky Lab believes there were approximately 5,000 infection attempts in roughly 22 countries. These attempts are believed to have taken place during the first three days after the initial breach. While it is not yet known how many of the attempts succeeded, Kaseya estimates that 1,500 of its direct customers and downstream businesses were impacted during the attack.
The attack took advantage of VSA platform vulnerabilities reported in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Following this disclosure, Kaseya released patches addressing four of the seven reported vulnerabilities during April and May and was working on patches for the remaining three. However, the REvil ransomware gang exploited a credential-leaking flaw, tracked as CVE-2021-30116, before its patch was made available.
Once Kaseya spotted the breach, it put mitigations in place to limit the potential reach of the attacks. These mitigations stopped all further attempts to infiltrate the system, but Kaseya users remain at risk from phishing attacks that use the Kaseya name.
Hackers have now created phishing attacks aimed at Kaseya customers that push Cobalt Strike under the guise of spoofed Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool; unfortunately, attackers are known to use it to obtain remote access to corporate databases.
The Malwarebytes Threat Intelligence team was the first to discover the attacks, which use emails carrying a file named SecurityUpdates.exe. The emails also contain a URL that claims to host a Microsoft update addressing the Kaseya vulnerability targeted by the ransomware group.
Users are directed to open the attached file or browse to an update page where they can download a Kaseya VSA update that will supposedly keep them safe from ransomware campaigns. Unfortunately, doing so only results in Cobalt Strike beacons being delivered, giving the hackers access to protected databases.
This is quite a clever attack, as users will be expecting a security update to address the known flaw in Kaseya VSA. Because of this, Kaseya has broadcast a warning to all users advising them not to open any attachments or click any links in emails that appear to carry updates for the Kaseya VSA. Kaseya said that any email it sends on this subject will never include hyperlinks or attachments.
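As an added example (not code from the article, Malwarebytes or Kaseya), the following Python check applies Kaseya's stated rule to inbound mail: any message that claims to carry a Kaseya VSA update and also contains a hyperlink or an attachment is flagged, as is any executable attachment such as the SecurityUpdates.exe file described above. The sample messages, sender addresses and domains are constructed placeholders, not real indicators.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Kaseya's stated rule: a genuine update notice never carries hyperlinks or attachments,
# so any "Kaseya VSA update" email that has either is treated as a lure.
KASEYA_RE = re.compile(r"\b(kaseya|vsa)\b", re.I)
UPDATE_RE = re.compile(r"\b(update|patch|hotfix)s?\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
EXEC_EXT = (".exe", ".msi", ".scr", ".js", ".vbs", ".bat", ".ps1", ".zip")

def _body_text(msg: Message) -> str:
    """Concatenate the inline text/plain parts (attachments excluded)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_email: str) -> dict:
    """Return the lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    claims_update = bool(KASEYA_RE.search(text) and UPDATE_RE.search(text))
    links = URL_RE.findall(text)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    reasons = []
    if claims_update and links:
        reasons.append("update lure contains hyperlink(s)")
    if claims_update and attachments:
        reasons.append("update lure contains attachment(s)")
    reasons += ["executable attachment: " + a for a in attachments if a.lower().endswith(EXEC_EXT)]
    return {"suspicious": bool(reasons), "reasons": reasons, "links": links, "attachments": attachments}

def _build(subject: str, body: str, attachment: str = "") -> str:
    """Constructed sample message; sender and domains are placeholders, not real indicators."""
    m = EmailMessage()
    m["From"] = "support@kaseya-updates.invalid"
    m["To"] = "admin@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLE_ATTACHMENT = _build("Kaseya VSA security update", "Run the attached update to protect your VSA server.", "SecurityUpdates.exe")
SAMPLE_LINK = _build("Microsoft update for the Kaseya VSA vulnerability", "Download the patch here: http://vsa-update.example.invalid/SecurityUpdates.exe")
SAMPLE_BENIGN = _build("Kaseya VSA update available", "A new VSA update is available. Log in to the official portal to obtain it.")
```

Call `assess()` on each sample (or on real messages read from a mailbox) to see which indicators fire; the benign notice, which has neither links nor attachments, is not flagged.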
Always treat inbound emails that claim to carry security updates or related files as potential ransomware attacks. Never click a link in such an email or download its attachments. If you need an update, go to the official company website to check whether any security updates are available.