Cobalt Strike

Microsoft

Kaseya

Cobalt Strike Payloads Imitating Microsoft Security Updates Deployed Against Kaseya Victims

Kaseya victims are being targeted with Cobalt Strike spam emails, and a fake security patch deploys malware. Personal information of victims accessed...

08-Jul-2021
4 min read

Cyber attackers are trying to exploit the victims of the Kaseya ransomware attack by deploying Cobalt Strike payloads disguised as the Kaseya VSA security patch. The malware campaign uses two different delivery strategies to gain access to victims' systems: a malicious link posing as a Microsoft update, and an executable attachment (SecurityUpdates.exe) that deploys Cobalt Strike.

Malwarebytes Threat Intelligence shared a tweet with an image of the malicious email, which urges users to download the "Microsoft security patch" as early as possible. The threat actors gain access to the data of any victim who falls for the lure and either launches the fake security patch or clicks on the link.
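The two lures described above (a link dressed up as a Microsoft update, and a SecurityUpdates.exe attachment) are simple to screen for at the mail gateway. The following is an added example, not code from the original article or from Malwarebytes: it parses RFC 822 messages with Python's standard library and flags the two indicators the article names. The attachment name comes from the article; the sample messages, the sender/recipient addresses and the non-Microsoft domain used in the lure are constructed for illustration, and the list of trusted Microsoft domains is an assumption.

```python
"""Triage e-mail for the fake-Microsoft-update lures described in the article.

Added example, not the article's or Malwarebytes' code. The attachment name
SecurityUpdates.exe is from the article; the sample messages, addresses and
the lure's hosting domain below are constructed; TRUSTED_UPDATE_DOMAINS is an
assumption about where a genuine Microsoft update link would point.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment names reported in the campaign (from the article), lower-cased.
SUSPICIOUS_ATTACHMENTS = {"securityupdates.exe"}

# Domains a genuine Microsoft update link would point at (assumption).
TRUSTED_UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_UPDATE_DOMAINS)


def triage(raw: bytes) -> list:
    """Return the indicators found in one raw message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Indicator 1: the executable attachment used by the campaign.
        name = part.get_filename()
        if name and name.lower() in SUSPICIOUS_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        # Indicator 2: a link that claims to be a Microsoft update but points
        # at a host outside the trusted Microsoft domains.
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                claims_microsoft = "microsoft" in (text + href).lower()
                if claims_microsoft and not _domain_is_trusted(urlparse(href).hostname):
                    hits.append(f"link:{href}")
    return hits


def build_samples() -> dict:
    """Two constructed messages: a lure in the campaign's shape and a benign one."""
    lure = EmailMessage()
    lure["Subject"] = "Kaseya VSA: install the Microsoft security patch immediately"
    lure["From"] = "support@update-portal.example"  # constructed sender
    lure["To"] = "admin@victim.example"             # constructed recipient
    lure.set_content("Please install the attached Microsoft security update now.")
    lure.add_alternative(
        '<p>Install the <a href="http://update-portal.example/ms-security-update">'
        "Microsoft security update</a> now.</p>",
        subtype="html",
    )
    lure.add_attachment(b"MZ\x90\x00", maintype="application",
                        subtype="octet-stream", filename="SecurityUpdates.exe")

    benign = EmailMessage()
    benign["Subject"] = "Patch Tuesday summary"
    benign["From"] = "it@victim.example"
    benign["To"] = "admin@victim.example"
    benign.set_content("Details of this month's Microsoft updates are linked below.")
    benign.add_alternative(
        '<p>See the <a href="https://www.microsoft.com/en-us/security/update">'
        "Microsoft update notes</a>.</p>",
        subtype="html",
    )
    return {"lure": lure.as_bytes(), "benign": benign.as_bytes()}


def triage_samples() -> dict:
    """Run triage over the constructed samples; keyed by sample name."""
    return {name: triage(raw) for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

The link check deliberately keys on the lure's claim (the word "Microsoft" in the anchor text or URL) rather than on any one malicious host, since the article notes the payload host had already been reused from an earlier banking-trojan campaign and will not stay fixed.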

Jerome Segura, lead analyst at Malwarebytes Threat Intelligence, reported that this is the first attack to follow on from the Kaseya ransomware incident.

Cobalt Strike is a commercial adversary-simulation and penetration-testing tool used to find weaknesses in a network and simulate an attack, and is predominantly used by security researchers and red teams. Many recent cases have come to light in which threat actors used Cobalt Strike to compromise victims. According to the Cisco Talos Incident Response (CTIR) team, 66 percent of recent malware attacks involved Cobalt Strike.

Threat actors use the tool to gain a foothold in the victim's network and move laterally through it, making the victim an easier target for follow-on attacks and data theft. According to Proofpoint researchers, the use of Cobalt Strike in real-world attacks has increased by 161 percent.

[Image: Fake Kaseya VSA security update backdoors networks with Cobalt Strike]

The Malwarebytes team has not yet identified the source or location of these threat actors, but Segura said that "the Cobalt Strike payloads are hosted on a similar IP address used for pushing another banking trojan, a few months earlier."

Meanwhile, Kaseya announced: "Unfortunately, the deployment of the last VSA update was blocked because of an issue that remains unresolved for now. We will immediately get back with another update."