Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks

11 months ago 7

9. July 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Cyberattack actors are trying to monetize off the currently ongoing Kaseya ransomware attack incident by attacking probable victims in a spam campaign attack forcing Cobalt Strike payloads acting as Kaseya VSA security updates. Cobalt Strike is a genuine penetration testing software and threat detection tool which is also used by attackers for post-cyberattack tasks and plant beacons that lets them to gain remote access to hack into compromised systems. The primary goal of such attacks is either stealing data (harvesting)/exfiltrating sensitive information, or deploying second-stage malware payloads. 

Cisco Talos Incident Response (CTIR) team in a September report said that “interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans.” The malware spam campaign discovered by Malwarebytes Threat Intelligence experts use two distinct approaches to plant the Cobalt Strike payloads. Emails sent as a part of this spam campaign comes with an infected attachment and an attached link built to disguised as a Microsoft patch for Kaseya VSA zero-day compromised in the Revil ransomware attack. 

Malwarebytes Threat Intelligence team said that a malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop CobaltStrike. It contains an attachment named ‘SecurityUpdates.exe’ as well as a link pretending to be a security update from Microsoft to patch Kaseya vulnerability, the report said. The hackers gain persistent remote access to attack systems after running malicious attachments/downloads and launching fake Microsoft updates on their devices. 

Content was cut in order to protect the source.Please visit the source for the rest of the article.

Read the original article: Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks

Read Entire Article