Kaseya has urged customers to beware of a wave of phishing emails that exploit the disruption caused by a recent ransomware attack.
Last Friday, Kaseya – along with its Managed Service Provider (MSP) customer base – was hit by REvil, a ransomware group that managed to exploit vulnerabilities in the company's VSA software.
As a precaution, the company has taken both its on-premises VSA and SaaS servers offline. Even so, around 50 direct customers and up to 1,500 companies further down the chain are affected.
On July 8, the software solutions provider said that fraudsters are taking advantage of the security incident to "send fake email notifications that look like Kaseya updates."
"These are phishing emails that may contain malicious links and/or attachments," the company added.
Examples of the fake emails impersonating Kaseya, as noted by Malwarebytes, ask recipients to download and run an attachment called SecurityUpdates.exe to fix a vulnerability in Kaseya and to protect themselves from ransomware.
However, the attachment, a Windows executable, is actually a Cobalt Strike payload. Cobalt Strike is a legitimate threat emulation tool used by penetration testers, but it is also widely abused by threat actors.
A Cobalt Strike implant connects back to a command-and-control (C2) server. Together with Metasploit, an open source penetration testing toolkit, these two tools accounted for over a quarter of all malware-linked C2 servers observed in 2020.
The email sample also included a direct link to a malicious executable file.
Prior to this, some legitimate emails sent by Kaseya to customers appear to have included links to the Kaseya Helpdesk; however, once customers get used to that format, they may be more likely to click malicious links emailed by threat actors.
Given this potential security risk, which increases the existing burden of recovery efforts, the company says it will no longer send email updates with links or attachments.
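The lure described above (a Kaseya-branded message carrying SecurityUpdates.exe, plus a direct link to an executable) is easy to triage mechanically, and Kaseya's stated policy of sending no links or attachments gives a simple rule: any message claiming to be a Kaseya update that carries either is suspect. The following is an added example, not code from Kaseya, Malwarebytes or ZDNet: a stdlib-only Python filter that parses a raw email, flags executable attachments by extension or by the Windows "MZ" header regardless of name, flags links whose path ends in an executable extension, and returns a verdict. The sample message it builds is constructed for the example; the example.net domain, the addresses and the "MZ" stub attachment are placeholders, not real indicators.

```python
"""Triage emails that impersonate a vendor's security update.

Added example, not Kaseya's or ZDNet's code. Standard library only.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that have no place in a vendor status notification.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".ps1", ".msi", ".dll", ".js", ".vbs", ".hta"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
PE_MAGIC = b"MZ"  # DOS/PE header: a Windows executable whatever it is called


def _claims_vendor(msg: EmailMessage, vendor: str) -> bool:
    """True if the sender or subject invokes the vendor's name."""
    hay = " ".join(str(msg.get(h, "")) for h in ("From", "Reply-To", "Subject"))
    return vendor.lower() in hay.lower()


def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_email(raw: bytes, vendor: str = "kaseya") -> dict:
    """Parse a raw RFC 5322 message and report executable lures."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "claims_vendor": _claims_vendor(msg, vendor),
        "attachment_count": 0,
        "link_count": 0,
        "executable_attachments": [],
        "executable_links": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            findings["attachment_count"] += 1
            data = part.get_payload(decode=True) or b""
            # Check both the name and the bytes: renaming the file does not hide the MZ header.
            if _ext(filename) in EXECUTABLE_EXTENSIONS or data.startswith(PE_MAGIC):
                findings["executable_attachments"].append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                findings["link_count"] += 1
                path = url.split("?", 1)[0].rstrip(".,)").lower()
                if _ext(path) in EXECUTABLE_EXTENSIONS:
                    findings["executable_links"].append(url)
    # The vendor has said its updates carry no links or attachments, so a message
    # claiming to be one and carrying either is quarantined outright.
    if findings["claims_vendor"] and (findings["attachment_count"] or findings["link_count"]):
        findings["verdict"] = "quarantine"
    elif findings["executable_attachments"] or findings["executable_links"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "allow"
    return findings


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure in the article; not a captured email."""
    m = EmailMessage()
    m["From"] = "Kaseya Support <support@example.net>"  # spoofed display name (constructed)
    m["To"] = "admin@example.com"
    m["Subject"] = "Kaseya: critical security update required"
    m.set_content("Run the attached SecurityUpdates.exe, or download it from\n"
                  "http://update.example.net/SecurityUpdates.exe\n"
                  "to protect your VSA server against ransomware.\n")
    # Placeholder bytes with only the MZ header; not an executable and not the real payload.
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="SecurityUpdates.exe")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed control message with no vendor claim, links or attachments."""
    m = EmailMessage()
    m["From"] = "Colleague <colleague@example.com>"
    m["To"] = "admin@example.com"
    m["Subject"] = "Lunch"
    m.set_content("See you at noon.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_benign_sample()):
        print(triage_email(raw))
```

In a mail gateway the same logic would run on every inbound message as a milter or transport rule; the byte-level MZ check matters because a lure can ship the executable under a .pdf or .txt name and rely on the recipient renaming it.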
Kaseya has encountered some issues while attempting to restore service. In an update on July 8, Kaseya CTO Dan Timpson said that the vulnerabilities have been addressed and that additional security measures will be "put in place prior to deployment to improve the overall security of our products."
The company is currently hoping to bring customers back online at 4:00 p.m. EDT on Sunday.