Kaseya victims face Cobalt Strike spam emails, and a malicious "security patch" deploys malware. Personal information of victims accessed...
Cyber attackers are trying to exploit the victims of the Kaseya ransomware attack by distributing Cobalt Strike disguised as a VSA security patch. The malware campaign uses two different lures to gain access to victims' systems: a malicious link posing as a Microsoft update, and an executable attachment (SecurityUpdates.exe) that deploys Cobalt Strike.
Malwarebytes Threat Intelligence tweeted an image of the malicious email, which urges recipients to download the "security patch" from Microsoft as soon as possible. The threat actors gain access to the data of any victim who launches the fake patch or clicks the link.
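The lure described above lends itself to a simple mail-triage check. The following Python script is an added example, not code from Malwarebytes, Kaseya or the article: it parses a raw email message with the standard library, flags an executable attachment whose name suggests a security update, and flags any link in a message that presents itself as a Microsoft update but points outside Microsoft's domains. The domain list, the filename pattern and the two sample messages are assumptions constructed for illustration, not indicators taken from the report.

```python
"""Triage check for the fake "security patch" lure described above.

Added example; it is not code from Malwarebytes, Kaseya or the article.
It parses raw RFC 822 messages with the standard library and flags two
traits of the lure: an executable attachment presented as a security
update, and a "Microsoft update" link whose host is not a Microsoft
domain. The domain list, filename pattern and sample messages are
assumptions constructed for illustration, not indicators from the report.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: a genuine Microsoft update link lands on one of these domains.
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")

# Assumption: lure filenames look like the SecurityUpdates.exe in the report.
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|ps1|js|vbs|msi)$", re.I)
UPDATE_WORDS = re.compile(r"security|update|patch|hotfix", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
UPDATE_HINT = re.compile(r"(microsoft|windows).{0,40}(update|patch)", re.I | re.S)


def host_in_domains(host, domains=MICROSOFT_DOMAINS):
    """True if host is one of the domains or a subdomain of one.

    Suffix matching on a dot boundary, so microsoft.com.evil.test or
    notmicrosoft.com do not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_message(raw):
    """Parse one raw message and return the lure indicators found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"exe_attachments": [], "suspicious_links": []}
    text_parts = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and EXEC_EXT.search(fname) and UPDATE_WORDS.search(fname):
            findings["exe_attachments"].append(fname)
        elif part.get_content_type() in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
    body = "\n".join(text_parts)
    # Only judge links when the text sells itself as a Microsoft/Windows update.
    if UPDATE_HINT.search(body):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not host_in_domains(host):
                findings["suspicious_links"].append(url)
    suspect = findings["exe_attachments"] or findings["suspicious_links"]
    findings["verdict"] = "suspect" if suspect else "clean"
    return findings


def build_sample(lure):
    """Build a constructed sample message (not a captured email)."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Urgent: Microsoft security update"
    if lure:
        msg.set_content(
            "Please install the Microsoft update for the Kaseya VSA issue:\n"
            "http://updates.example.test/SecurityUpdates.exe\n"
        )
        msg.add_attachment(
            b"MZ\x90\x00", maintype="application", subtype="octet-stream",
            filename="SecurityUpdates.exe",
        )
    else:
        msg.set_content(
            "Review the Microsoft update guidance at\n"
            "https://www.microsoft.com/en-us/security\n"
        )
    return bytes(msg)


if __name__ == "__main__":
    for lure in (True, False):
        print(triage_message(build_sample(lure)))
```

Running the script prints a "suspect" verdict for the constructed lure (executable attachment plus an off-domain "update" link) and "clean" for the constructed legitimate message. To use it on real mail, pass the raw bytes of an .eml file to `triage_message`. The domain check matches on a dot boundary deliberately, so lookalike hosts such as `microsoft.com.evil.test` are still flagged.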
Jerome Segura, lead analyst at Malwarebytes Threat Intelligence, reported that this is the first attack seen piggybacking on the Kaseya ransomware incident.
Cobalt Strike is a commercial adversary-simulation and post-exploitation tool, built for penetration testers and red teams to emulate attacker behaviour inside a network. Pirated and leaked copies are now routinely used by real threat actors against victims. According to the Cisco Talos Incident Response (CTIR) team, 66 percent of recent malware attacks involved Cobalt Strike.
Threat actors use the tool to gain a foothold in the victim's network and move laterally through it, which paves the way for further attacks and data theft. According to Proofpoint researchers, use of Cobalt Strike in real-world attacks has increased by 161 percent.
The Malwarebytes team has not yet identified the source or location of these threat actors, but Segura said that "the Cobalt Strike payloads are hosted on a similar IP address used for pushing another banking trojan a few months earlier."
Meanwhile, Kaseya announced: "Unfortunately, the deployment of the last VSA update was blocked because of an issue that remains unresolved for now. We will immediately get back with another update."