Opportunistic cyber criminals appear to have started exploiting the $70m REvil ransomware attack on Kaseya Managed Service Provider (MSP) customers, which affected over 1,000 victims, as evidence of a new malware spam campaign emerged.
First spotted by researchers at Malwarebytes, the campaign, which has targeted some UK organizations, purports to deliver a Microsoft-made patch for the affected Kaseya VSA product. The message carries an attachment named SecurityUpdates.exe and a link that, when clicked, drops Cobalt Strike, giving the attackers access to the victim's network and systems so they can carry out further attacks of their own, possibly even with other ransomware. Neither Microsoft nor Kaseya distributes VSA patches by e-mail, so any such message should be treated as a lure.
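The lure above has a recognizable shape: a message that claims to be a vendor security update while carrying an executable attachment or a download link hosted somewhere other than the vendor it impersonates. The following triage rule is an added example written for this article, not code from Malwarebytes, Kaseya or the original page; the message format (a dict with subject, body and attachment filenames), the trusted-domain list and the sample messages are constructed for illustration.

```python
"""
Added example (not from the article or from Malwarebytes): a small mail
triage rule for the fake-patch lure. It flags messages that claim to be a
Kaseya/Microsoft security update while carrying an executable attachment
or linking to a host that is not one of the vendors being impersonated.
All message records below are constructed samples, not real captures.
"""
import re
from urllib.parse import urlparse

# Domains the lure impersonates (assumption for this example). Only these
# are treated as legitimate sources of a VSA or Windows update.
TRUSTED_VENDOR_DOMAINS = {"kaseya.com", "microsoft.com"}

# Phrases that mark a message as claiming to be a patch or update.
PATCH_PHRASES = re.compile(r"\b(security\s*update|patch|hotfix|vsa|kaseya)\b", re.I)

# Executable-type attachments that should never arrive as an e-mailed "patch".
EXEC_EXT = (".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _host_is_trusted(url):
    """True if the URL's host is one of the impersonated vendors or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_VENDOR_DOMAINS)


def triage_message(msg):
    """Return the list of indicators that make msg look like the fake-patch lure.

    msg is a dict with 'subject', 'body' and 'attachments' (list of filenames).
    An empty list means nothing matched.
    """
    reasons = []
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    claims_patch = bool(PATCH_PHRASES.search(text))

    for name in msg.get("attachments", []):
        lower = name.lower()
        if lower == "securityupdates.exe":
            reasons.append(f"attachment '{name}' matches the reported lure filename")
        elif lower.endswith(EXEC_EXT):
            reasons.append(f"executable attachment '{name}' delivered by mail")

    # A message that claims to be a vendor patch but links elsewhere is the
    # second half of the lure: the link is what fetched Cobalt Strike.
    for url in URL_RE.findall(text):
        if claims_patch and not _host_is_trusted(url):
            reasons.append(f"patch lure links to untrusted host {urlparse(url).hostname}")

    return reasons


def triage_all(messages):
    """Run triage_message over a batch and return one reason list per message."""
    return [triage_message(m) for m in messages]


# Constructed sample messages; the hostname is a placeholder, not a real IOC.
SAMPLE_MESSAGES = [
    {
        "subject": "Kaseya VSA security update from Microsoft",
        "body": "Install the attached patch or download it from "
                "http://update-portal.example/SecurityUpdates.exe",
        "attachments": ["SecurityUpdates.exe"],
    },
    {
        "subject": "Q3 invoice",
        "body": "Please find the invoice attached. https://www.microsoft.com/",
        "attachments": ["invoice.pdf"],
    },
]

if __name__ == "__main__":
    for m, r in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(m["subject"], "->", r or "clean")
```

The first sample trips two indicators (the reported attachment name and an off-vendor download link), the second trips none. In a real mail gateway the filename match is the weakest signal, since the attackers can rename the file; the executable-attachment and off-vendor-link checks are the ones worth keeping.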
With the Kaseya incident entering its fifth day, the emergence of parallel campaigns from threat actors unlikely to be associated with the REvil gang and its affiliates is no great surprise: the downstream SMB customers of the affected MSPs are significantly less likely to have appropriate security technology or trained personnel to protect themselves, which makes them an easy target in some respects.
Meanwhile, Kaseya began bringing its Software-as-a-Service (SaaS) VSA servers back online late on July 6, configured with an additional layer of security services, but the rollout was halted at 3:00 am BST on July 7 after an undisclosed technical problem was identified. The company had hoped to have a patch deployed to on-premise VSA servers within 24 hours of SaaS operations being fully restored, but that schedule is now clearly slipping.
Some of the new security measures it is adding include: an independent 24/7 security operations center (SOC) for every VSA server; a complimentary content delivery network (CDN) with a web application firewall (WAF) for every VSA server, including for on-premise users who want to opt in; and new IP whitelisting requirements for customers who do so. Kaseya said this would greatly reduce the overall attack surface that VSA is exposed to.
In a newly recorded video, Kaseya CEO Fred Voccola said the company was being “incredibly conservative” about the schedule for restoring services.
He revised the number of affected MSPs again to around 50, around 10 fewer than previously indicated. He said things had gone “very well” thanks to the modular nature of Kaseya’s security architecture, which prevented the attack from spreading beyond VSA, as well as the company’s rapid response team and support from outside law enforcement, the US government and cyber investigators.
Voccola also thanked some of the company’s competitors for their offers of help, and promised that Kaseya employees, who he said had slept about four hours since July 3, would stay at their posts until “everything is as perfect as possible”.
“When something happens, it is how well prepared the organization was, how quickly the organization admitted that something happened and was not trying to hide it, seeking help from people and focusing on and extracting information from customers,” he said.
“We do it the best we can, we do it with the advice of the best people in the world, and we pledge to continue to do so.”
Voccola has previously declined to comment on whether Kaseya has entered into negotiations with REvil, or whether it plans to pay a ransom to the gang, which, as previously reported, is often willing to negotiate significantly lower payments.