Scammers distribute fake patches for Kaseya VSA

fake patches for Kaseya VSA
Written by Emma Davis

The scammers are trying to capitalize on a massive ransomware attack and are distributing fake patches for the Kaseya VSA.

Attackers are sending spam disguised as updates for Kaseya, but in reality they are Cobalt Strike payloads.

Cobalt Strike is a legitimate commercial tool created for pentesters and red teams and is focused on exploitation and post-exploitation. It has long been loved by hackers, from government APT groups to ransomware operators.

Although it is not available to ordinary users and the full version is priced at about $3,500 per install, attackers still find ways to use it (for example, relying on old, pirated, jailbroken and unregistered versions).

For example, we talked about the fact that ransomware operators also use Cobalt Strike in about 66% of cases.

Typically, the ultimate goal of such attacks is the collection and theft of confidential data, as well as the delivery of second-level malware.

The malicious spam associated with the recent attack on Kaseya was spotted by analysts at Malwarebytes. They warn that such messages contain a link that looks like a Microsoft patch to fix a vulnerability in the Kaseya VSA.

A malspam campaign is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike. It contains an attachment named “SecurityUpdates.exe” as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!Malwarebytes Threat Intelligence Tweeter said.

fake patches for Kaseya VSA
If a user falls for a scammer and installs an “update”, after launching a malicious attachment or downloading and running a fake patch, the attackers gain permanent remote access to the victim’s systems.

Let me remind you that about 1,500 businesses really suffered from the REvil ransomware attack, and hackers exploited the CVE-2021-30116 vulnerability for this.

Attackers were able to exploit a zero-day vulnerability in a VSA product to bypass authentication and trigger arbitrary command execution. This allowed them to use standard VSA product features to deploy ransomware at endpoints. There is no evidence that the VSA Kaseya codebase has changed. the company said.

However, there is no patch for this problem yet, and the Kaseya developers are asking all customers to temporarily keep VSA off.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.