Saturday, July 2, 2022

Beware of emails with alleged Kaseya-themed security updates

Cyber crooks never miss a chance to take advantage of a topical event to launch new phishing campaigns in the hopes of tricking victims into clicking on malicious links. The latest example is an email campaign this week that tries to take advantage of ransomware worries in the wake of the attack on Kaseya.

The message, spotted by Malwarebytes, has the subject line “Our Shipping Renewal 2021,” a standard phishing header that the attacker hopes will get serious attention.

However, the message — from someone who appears to be a supplier — says, “Guys please install the update fro= microsoft to protect against ransomware as soon as possible. This is fi=ing a vulnerability in Kaseya.” The attached link seems at first glance to come from Kaseya. There’s also an attachment called “SecurityUpdates.”

Actually, says Malwarebytes, the link drops the Cobalt Strike software favoured by cyberattackers for its ability to deploy an agent or beacon on a victim machine. Beacon is an in-memory (and therefore fileless) application whose capabilities include keylogging, file transfer, SOCKS proxying, privilege escalation, the mimikatz credentials capturing tool, port scanning and lateral movement — in other words almost everything a hacker needs to exploit initial access.

There are clues this particular message is a phishing attack. For one thing, the email address of the sender is a jumble of words. Second, the name of the email sender is different from the name in the body of the message. And third, there are those odd = signs in the message instead of letters.

Still, an anxious and not well-trained employee might click on the link or download the attachment.
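The three clues listed above can also be checked mechanically by a mail filter. The following Python code is an added example, not from Malwarebytes or the article: the sender, sign-off name and URL in the sample are constructed, and the token-overlap test is only a rough proxy for a "jumble of words" address. It assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: subject and body wording are quoted in the article;
# the sender, the sign-off name and the URL are invented placeholders.
SAMPLE = """\
From: "Dana Reyes" <harbor.violet.trumpet@supplier.example>
To: staff@victim.example
Subject: Our Shipping Renewal 2021
Content-Type: text/plain; charset="utf-8"

Guys please install the update fro= microsoft to protect against
ransomware as soon as possible. This is fi=ing a vulnerability in Kaseya.
https://kaseya.example/update?id=1

Regards,
Marcus Hale
"""

def name_tokens(text):
    """Lower-cased alphabetic tokens of 3+ letters."""
    return set(re.findall(r"[a-z]{3,}", text.lower()))

def phishing_clues(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # assumption: single-part text, so a str
    clues = []
    # Clue 1 (rough proxy for a "jumble of words" address): the local part
    # shares no token with the display name.
    local = addr.split("@")[0]
    if display and not name_tokens(display) & name_tokens(local):
        clues.append("sender_address_unrelated_to_name")
    # Clue 2: the sign-off (last non-empty body line) names someone else.
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if display and lines and not name_tokens(display) & name_tokens(lines[-1]):
        clues.append("signoff_name_differs_from_sender")
    # Clue 3: '=' standing in for a letter inside prose; URLs are dropped
    # first so query strings such as ?id=1 do not trigger it.
    prose = re.sub(r"https?://\S+", " ", body)
    stray = re.findall(r"[A-Za-z]+=[A-Za-z]*", prose)
    if stray:
        clues.append("stray_equals_signs:" + ",".join(stray))
    return clues

if __name__ == "__main__":
    print(phishing_clues(SAMPLE))
```

Each clue is weak on its own and produces false positives on legitimate mail, so the output is better used as a score for triage or user warnings than as a block decision.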

As of Tuesday night, Kaseya still hadn’t distributed a patch for on-premise versions of its VSA remote monitoring suite.

The release of that patch is dependent on the company first remediating the software-as-a-service version of the application, and that was behind schedule. It had hoped to be finished by 7 p.m. Eastern on Tuesday. But at 10 p.m. it issued a statement saying a glitch had delayed things. Kaseya said the next update on its progress would be issued on Wednesday morning at 8 a.m.

UPDATE: On Wednesday morning Kaseya said the issue stalling the re-deployment of VSA online still hadn’t been fixed despite staff working through the night. The next report on the status is scheduled for noon Eastern time.

 


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
