First came the ransomware rampage stemming from the breach of Miami-based software firm Kaseya. Now comes a wave of malicious emails seeking capitalize on the rush to find a fix.
Security vendor MalwareBytes highlighted the malware spam campaign Tuesday, describing how unidentified attackers send “malspam” messages with both a URL and a file that purports to be a Microsoft update of the Kaseya VSA vulnerability. Clicking on the the link, or “SecurityUpdates.exe,” drops Cobalt Strike on a victim. Cybercriminals have increasingly leveraged that security testing tool for attacks, according to recent research.
It’s another example of how cyberattacks can have long tails after their initial infections. The zero-day vulnerability that the ransomware gang REvil apparently used to infiltrate Kaseya systems turned into a way for intruders to access the systems of Kaseya’s managed service provider customers, who provide IT services to a wider range of potential victims.
It has turned into one of the biggest mass ransomware events ever.
It’s not uncommon for hackers to exploit awareness of a major vulnerability for malspam campaigns. Perhaps most prominently, Germany’s BSI issued a warning in 2018 about spammers imitating the cybersecurity agency in emails purporting to link users to patches for chip flaws known as Meltdown and Spectre.
MalwareBytes didn’t provide additional details about the Kaseya malspam campaign.
The VSA malspam comes as Kaseya is still struggling to deploy a VSA update.
“Unfortunately, during the deployment of the VSA update an issue was discovered that has blocked the release,” Kaseya said Wednesday morning. “We have not yet been able to resolve the issue. The R&D and operations teams worked through the night and will continue to work until we have unblocked the release.”
The White House was scheduled to have a meeting on the Kaseya ransomware outbreak Wednesday.