Cybercriminals are trying to capitalize on the widely covered ransomware attack conducted by REvil that hit Kaseya and over 1,500 businesses.
Kaseya warns about an ongoing phishing campaign that is designed to trick users into clicking on suspicious links and attachments presented as VSA security updates.
Yesterday, the company warned that scammers are using the news about the incident to send out fraudulent email notifications with the goal of breaching corporate networks.
“Spammers are using the news about the Kaseya incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments,” the company said in an alert issued on Thursday evening.
Kaseya warned that customers should not engage with these emails:
“Do not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments.”
The company did not provide any details about the attacks, but the phishing campaign is similar to another campaign we reported yesterday that is targeting customers with the Cobalt Strike payload. This series of phishing attacks was detected by security researchers at Malwarebytes and is designed to take advantage of the ongoing ransomware crisis at Kaseya and steal sensitive information from targeted organizations.
“A malspam campaign is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike,” Malwarebytes researchers said. “It contains an attachment named ‘SecurityUpdates.exe’ as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!”
Once the fake Microsoft update has been executed, the attackers can gain remote access to the targeted systems.
The same happened after the Colonial Pipeline attack in June, when threat actors distributed fake system updates that claimed to block ransomware.
These campaigns highlight the lengths cybercriminals go to in order to create successful phishing attacks.
Since Kaseya has yet to fix the VSA zero-day, some of its customers might fall for this campaign’s tricks.
Following the Kaseya attack, the FBI and the CIA shared their guidance with victims.
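Kaseya's statement that its email updates will contain no links or attachments can be applied directly as a mail-filter rule: any message presenting itself as Kaseya that carries either one is suspect. The following Python check is an added example, not code from Kaseya or Malwarebytes; the sample messages, the `.example` domains, the reason labels and the extension list are constructed assumptions, and only the attachment name `SecurityUpdates.exe` comes from the report above.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk")  # assumed blocklist

def findings(raw):
    """Return the reasons a raw RFC 5322 message should be quarantined."""
    msg = message_from_string(raw, policy=policy.default)
    claims = "kaseya" in f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content()) if body else []
    reasons = []
    if claims and urls:          # Kaseya said its updates carry no links
        reasons.append("kaseya-mail-with-link")
    if claims and attachments:   # ...and no attachments
        reasons.append("kaseya-mail-with-attachment")
    for name in attachments:     # executables are suspect from any sender
        if name.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"executable-attachment:{name}")
    return reasons

def build_sample(sender, subject, body, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "admin@example.org", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed inputs: a lure shaped like the one described, and two benign mails.
LURE = build_sample("Kaseya Support <support@kaseya-update.example>",
                    "Kaseya VSA security update",
                    "Install the patch: http://updates.example/patch",
                    attachment="SecurityUpdates.exe")
NOTICE = build_sample("Kaseya <notices@kaseya.example>", "VSA status update",
                      "Service restoration is in progress.")
OTHER = build_sample("Vendor <news@vendor.example>", "Newsletter",
                     "Read more at https://vendor.example/news")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("notice", NOTICE), ("other", OTHER)):
        print(label, findings(raw))
```

The sender check here is a plain substring match on the display name, address and subject, so it complements SPF, DKIM and DMARC validation and does not replace it.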