Cyber crooks never miss a chance to take advantage of a topical event to launch new phishing campaigns in the hope of tricking victims into clicking on malicious links. The latest example is an email campaign this week that tries to take advantage of ransomware worries in the wake of the attack on Kaseya.
The message, spotted by Malwarebytes, has the subject line “Our Shipping Renewal 2021,” a standard phishing header that the attacker hopes will get serious attention.
However, the message — from someone who appears to be a supplier — says, “Guys please install the update fro= microsoft to protect against ransomware as soon as possible. This is fi=ing a vulnerability in Kaseya.” The attached link seems at first glance to come from Kaseya. There’s also an attachment called “SecurityUpdates.”
Actually, says Malwarebytes, the link drops the Cobalt Strike software favoured by cyberattackers for its ability to deploy an agent or beacon on a victim machine. Beacon is an in-memory (and therefore fileless) application whose capabilities include keylogging, file transfer, SOCKS proxying, privilege escalation, the mimikatz credentials capturing tool, port scanning and lateral movement — in other words almost everything a hacker needs to exploit initial access.
There are clues this particular message is a phishing attack. For one thing, the email address of the sender is a jumble of words. Second, the name of the email sender is different from the name in the body of the message. And third, there are those odd = signs in the message instead of letters.
Still, an anxious and not well-trained employee might click on the link or download the attachment.
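The three clues above can be turned into a simple triage check. This is an added example, not code from the original article or from Malwarebytes; the message it parses is a constructed imitation of the described lure, and the sender address, names and heuristic thresholds are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample that imitates the described lure (not the real email).
RAW_MESSAGE = b"""From: "Acme Supplies" <qx7zebra.lantern.fog@example.invalid>
To: staff@example.invalid
Subject: Our Shipping Renewal 2021
Content-Type: text/plain; charset="utf-8"

Guys please install the update fro= microsoft to protect against
ransomware as soon as possible. This is fi=ing a vulnerability in Kaseya.

Regards,
Dave Miller
"""

def stray_equals(text: str) -> int:
    """Count '=' signs that are neither a quoted-printable hex escape (=XX)
    nor a soft line break (= at end of line): the 'odd = signs' clue."""
    return len(re.findall(r"=(?![0-9A-Fa-f]{2}|\r?\n)", text))

def looks_jumbled(local_part: str) -> bool:
    """Crude heuristic: 3+ unrelated tokens or a very long token before '@'."""
    tokens = [t for t in re.split(r"[._\-+\d]+", local_part) if t]
    return len(tokens) >= 3 or any(len(t) > 12 for t in tokens)

def name_mismatch(display_name: str, body: str) -> bool:
    """True when no word of the From display name appears anywhere in the body."""
    words = [w for w in re.findall(r"[A-Za-z]+", display_name.lower()) if len(w) > 2]
    return bool(words) and not any(w in body.lower() for w in words)

def triage(raw: bytes) -> dict:
    """Apply the three clues to a raw RFC 5322 message and return the flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    flags = {
        "jumbled_sender": looks_jumbled(addr.split("@")[0]),
        "name_mismatch": name_mismatch(display, body),
        "stray_equals": stray_equals(body),
    }
    flags["score"] = sum(1 for v in flags.values() if v)  # number of clues hit
    return flags

if __name__ == "__main__":
    print(triage(RAW_MESSAGE))
```

A real mail gateway would combine such clues with sender authentication results (SPF/DKIM/DMARC) rather than act on text heuristics alone.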
As of Tuesday night, Kaseya still hadn’t distributed a patch for on-premise versions of its VSA remote monitoring suite.
The release of that patch is dependent on the company first remediating the software-as-a-service version of the application, and that was behind schedule. It had hoped to be finished by 7 p.m. Eastern on Tuesday. But at 10 p.m. it issued a statement saying a glitch had delayed things. Kaseya said the next update on its progress would be issued on Wednesday morning at 8 a.m.
UPDATE: On Wednesday morning Kaseya said the issue stalling the re-deployment of VSA online still hadn’t been fixed despite staff working through the night. The next report on the status is scheduled for noon Eastern time.