The entire cyber industry was put to the test over the Fourth of July weekend after Kaseya was breached and ransomware was deployed on at least 60 MSPs and at least 1,000 small- or medium-sized businesses that use those MSPs. Now threat actors are taking advantage of the event with a Kaseya phishing campaign, sending fake emails to potentially affected users. The emails recreate security alerts for Kaseya VSA updates that appear to be legitimate.
What should I look for?
The phishing emails contain an attachment called “SecurityUpdates.exe”. According to captured screenshots of the emails, threat actors are also including a link that downloads their malicious payloads. Once they have made their way into your network, they look to exfiltrate critical assets such as your data or to deliver even more malware.
To make the emails look like a real update, threat actors are using genuine logos and graphics. As with ransom payments, the campaign also sets a deadline for the update to pressure users into clicking through.
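The traits described above (an executable attachment such as SecurityUpdates.exe, a download link, and deadline pressure) can be checked mechanically at the mail gateway or in a triage queue. The following script is an added example, not code from the original post or from SpearTip; the extension list, the urgency phrasing, and the sample messages and domains are constructed assumptions.

```python
"""Triage helper that flags the traits of the fake 'Kaseya VSA update' lure."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed set of attachment types to treat as executable content.
EXEC_EXTS = (".exe", ".scr", ".msi", ".bat", ".js", ".vbs")
# Deadline / urgency phrasing of the kind the lure uses to rush the reader.
URGENCY = re.compile(r"\b(deadline|within \d+ (hours?|days?)|immediately|expires?)\b", re.I)


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return the suspicious traits found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"exec_attachments": [], "urgency": False, "download_links": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTS):
            findings["exec_attachments"].append(name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings["urgency"] = bool(URGENCY.search(text))
    findings["download_links"] = re.findall(r"https?://\S+", text)
    # An executable attachment alone is enough; otherwise a link plus deadline pressure.
    findings["suspicious"] = bool(findings["exec_attachments"]) or (
        findings["urgency"] and bool(findings["download_links"]))
    return findings


def build_sample() -> bytes:
    """Constructed lure modelled on the campaign described above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "VSA Security <alerts@vsa-update.example.invalid>"
    msg["To"] = "admin@msp.example.invalid"
    msg["Subject"] = "Kaseya VSA security update - action required"
    msg.set_content("Install the VSA security update before the deadline of 12 July.\n"
                    "Run the attached SecurityUpdates.exe or download it here:\n"
                    "https://vsa-update.example.invalid/SecurityUpdates.exe\n")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="SecurityUpdates.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message with a PDF attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "finance@msp.example.invalid"
    msg["To"] = "admin@msp.example.invalid"
    msg["Subject"] = "Q3 report"
    msg.set_content("The Q3 report is attached for your review.\n")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="q3-report.pdf")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see the lure flagged on all three traits, while `triage(build_benign())` returns no findings.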
It’s important to note that Kaseya failed to deploy its fix as originally planned, which makes targeted victims even more susceptible: the email mimics an update they are already expecting.
The Kaseya phishing campaign shows how threat actors consistently follow whatever is working for other threat groups. Following the Colonial Pipeline attack last month, threat actors used the same method we’re seeing now, sending emails that falsely claimed to help prevent ransomware infections. That campaign also used Cobalt Strike payloads to enter environments and compromise networks. Cobalt Strike is a penetration testing and threat emulation tool that threat actors use to establish beacons for remote access to compromised networks.
Threat actors also keep up with industry developments and news to further their efforts to steal profits and information from organizations.
What can I do?
Train your employees on what to look for in these emails. If you receive an email from an unrecognized sender, do not click anything in it: threat actors can gain a foothold in your environment with just one click.
Engage SpearTip for continuous monitoring of your environment by the engineers in our 24/7 SOC. In addition to constant monitoring and investigation, our ShadowSpear Platform detects and stops malicious threats in their tracks. Ransomware executables such as the attachments in the Kaseya emails, or payloads hidden behind links, are blocked by the ShadowSpear Platform, which alerts our engineers so that the event is responded to within minutes.
Remain vigilant, be proactive, and don’t hesitate to reach out to one of our cyber experts on any issues or concerns you may have.
If you’re looking to keep up with the event itself, you can view our blog with breaking investigation information from our engineers or our updated article on the Kaseya ransomware attack.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.