Cyberattack actors are trying to monetize off the currently ongoing Kaseya ransomware attack incident by attacking probable victims in a spam campaign attack forcing Cobalt Strike payloads acting as Kaseya VSA security updates. Cobalt Strike is a genuine penetration testing software and threat detection tool which is also used by attackers for post-cyberattack tasks and plant beacons that lets them to gain remote access to hack into compromised systems. The primary goal of such attacks is either stealing data (harvesting)/exfiltrating sensitive information, or deploying second-stage malware payloads. Cisco Talos Incident Response (CTIR) team in a September report said that "interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans." The malware spam campaign discovered by Malwarebytes Threat Intelligence experts use two distinct approaches to plant the Cobalt Strike payloads. Emails sent as a part of this spam campaign comes with an infected attachment and an attached link built to disguised as a Microsoft patch for Kaseya VSA zero-day compromised in the Revil ransomware attack. Malwarebytes Threat Intelligence team said that a malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop CobaltStrike. It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be a security update from Microsoft to patch Kaseya vulnerability, the report said. The hackers gain persistent remote access to attack systems after running malicious attachments/downloads and launching fake Microsoft updates on their devices. Bleeping Computer reports "just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike pene ..
Support the originator by clicking the read the rest link below.
