This month’s Kaseya VSA ransomware attack took a turn for the worse on Wednesday with word that miscreants have launched a phishing campaign to ensnare victims with a remote-control tool disguised as a VSA update.
Since late last week, instances of VSA – Kaseya’s monitoring and management software for fleets of PCs and other IT gear – have been exploited to distribute REvil ransomware, prompting the biz to shut down its Kaseya Cloud service and to tell customers to turn off their on-prem Kaseya VSA servers while it worked on a patch for whatever vulnerability is being abused.
The malware outbreak, which has yet to be resolved, is said to have affected as many as 1,500 businesses through compromised VSA systems, and has been compounded by Kaseya’s decision to delay patch deployment on Wednesday. The company is currently hoping to restore its Cloud Service on the evening of Thursday, July 8.
The software maker told its on-prem customers, “we will be publishing a runbook of the changes to make to your on-premises environment by 3PM US EDT today so customers can prepare for the patch release.”
The gap in patch deployment has provided attackers with an opportunity to fill the void. Security companies have warned that miscreants have undertaken a malware spam campaign to distribute payloads of Cobalt Strike, a post-exploitation penetration and security testing tool used for both legitimate and malicious purposes.
In what may or may not be a coincidence, the REvil crew, which is behind the malware that made its way through VSA’s user base, also injects Cobalt Strike’s Beacon into compromised networks. It might just be that the tool is popular among miscreants.
According to MalwareBytes, the phishing emails contain “an attachment named ‘SecurityUpdates.exe’ as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability.” Installing this will actually put Cobalt Strike code on your system, allowing it to be commandeered from afar.
The compromise of Kaseya VSA instances was done using vulnerabilities that were confidentially disclosed to the company by the Dutch Institute for Vulnerability Disclosure. In a blog post on Wednesday, the DIVD’s CSIRT group said the attack used “a vulnerability which we confidentially disclosed to Kaseya [in April], together with six other vulnerabilities.”
It’s not clear how the attackers learned of the vulnerabilities, but supply chain attacks have been the focus of cybercrime groups for the past several months. ®