What you need to know
- A malicious email campaign is targetting victims of the Kaseya ransomware attack.
- The email claims to have a Windows update that fixes addresses the Kaseya attack.
- Instead of a fix, its attachment includes Cobalt Strike software that can be used to break into people's systems and networks.
A malicious email campaign has been detailed by Malwarebytes' Threat Intelligence Team). It tries to trick people who have fallen victim to the Kaseya-REvil ransomware attack into handing over more control of their PC (via TechRadar). The new campaign pretends to have a fix for the Kaseya attacks in the form of a Windows update when in reality, all it has is an email attachment that breaks into people's computers and networks.
"Guys please install the update from Microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya," the malicious email reads.
A #malspam campaign is taking advantage of Kaseya VSA #ransomware attack to drop #CobaltStrike.
It contains an attachment named "SecurityUpdates.exe" as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability! pic.twitter.com/0nIAOX786iA #malspam campaign is taking advantage of Kaseya VSA #ransomware attack to drop #CobaltStrike.
It contains an attachment named "SecurityUpdates.exe" as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability! pic.twitter.com/0nIAOX786i— Malwarebytes Threat Intelligence (@MBThreatIntel) July 6, 2021July 6, 2021
If someone opens the attachment, it includes the penetration testing software Cobalt Strike. The software can then be used to break into networks or machines. The attachment is named "SecurityUpdates.exe."
As is the case with most security threats, it's important to look at the source of emails and consider what they're asking you to do. Microsoft does not send email attachments with Windows updates, so any email asking you to download such an attachment could put you at risk.
While the Kaseya ransomware attack has been attributed to a gang known as REvil, Malwarebytes hasn't speculated as to the identity of the group behind this new malspam campaign.
The Kaseya ransomware attack reportedly affected thousands of businesses, though that figure is a conservative estimate. This new campaign piggybacks off of that major ransomware attack and attempts to take advantage of people who have already been victimized.
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org (opens in new tab).
I've been getting about 3 of these a day recently. I can't believe how bad Outlook's spam filter is--it is so obviously malware posing as coming from Microsoft yet Outlook keeps putting 90% of them in my inbox while only got put directly in my junk mail.
Today, the org I work at got hit with a major phishing attack. An email came through pretending to be from Microsoft support in regards to Azure Active Directory - saying that users needed to reset their password as the current password was due to expire. None us (in my team) clicked the link in the e mail. But it's alarming never the less that such as obvious phishing email made it through the all the filters put in place.
Thank you for signing up to Windows Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.