UPDATED 23:09 EDT / JULY 07 2021


As fake updates target victims, Kaseya allegedly knew of exploited vulnerability in April

Users of software from Kaseya Ltd. are being targeted with fake updates following the REvil ransomware attack, and it was revealed today that the company was allegedly informed in April of one of the vulnerabilities REvil exploited in that attack earlier this month.

Detected by researchers at Malwarebytes Labs, the campaign targets potential victims with spam that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates.

Cobalt Strike is penetration testing software with legitimate uses, but it can also be used by bad actors to attack a company. As noted in November, when the software’s source code allegedly leaked, in the hands of hackers it can be used to identify security issues that can be exploited.

The “malspam” campaign involves an email asking victims to install an update from Microsoft Corp. to protect against ransomware. Attached to the email is a file called SecurityUpdates.exe, and the email also includes a link purporting to be a Microsoft security update that patches the Kaseya vulnerabilities. Running the attachment installs Cobalt Strike.
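As an added illustration for defenders (not code from the article, Malwarebytes or Kaseya), the following Python script parses a constructed email that mimics the lure described above and extracts the indicators a mail filter would key on: an executable attachment, the vendor and ransomware wording in the subject and body, and a sender whose display name claims Microsoft while the mailbox is under another domain. The sample message, its sender address and the keyword lists are assumptions constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample mirroring the lure described in the article; not a real captured message.
SAMPLE_EML = """\
From: "Microsoft Security" <update@example.net>
Subject: Urgent: Microsoft update to protect Kaseya VSA against ransomware
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached security update from Microsoft to patch the Kaseya vulnerabilities.
--b1
Content-Type: application/octet-stream; name="SecurityUpdates.exe"
Content-Disposition: attachment; filename="SecurityUpdates.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LURE_TERMS = ("security update", "kaseya", "ransomware", "patch")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".msi", ".js", ".vbs")

def analyse_message(raw: str) -> dict:
    """Extract the indicators a mail filter would key on for the fake-update lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower()
    # The display name claims Microsoft but the mailbox is not under microsoft.com.
    spoofed_sender = "microsoft" in display_name.lower() and not (
        domain == "microsoft.com" or domain.endswith(".microsoft.com"))

    executables = [p.get_filename() for p in msg.iter_attachments()
                   if (p.get_filename() or "").lower().endswith(EXECUTABLE_SUFFIXES)]
    lure_hits = [term for term in LURE_TERMS if term in text]
    return {
        "executable_attachments": executables,
        "lure_terms": lure_hits,
        "spoofed_sender": spoofed_sender,
        # An executable "update" plus vendor/ransomware wording is the pattern to quarantine.
        "suspicious": bool(executables) and len(lure_hits) >= 2,
    }
```

The same function can be run over messages read from a mail spool or a quarantine export; any hit on `suspicious` is a candidate for blocking and for a hunt for Cobalt Strike activity on the recipient's host.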

While victims are being targeted with fake security updates, the Dutch Institute for Vulnerability Disclosure has disclosed that it discovered one of the vulnerabilities exploited by REvil in early April and informed Kaseya at the time.

“After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do,” Frank Breedijk from DIVD explained in a blog post. “We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA.”

Breedijk added that Kaseya’s response to the disclosure had been “on point and timely, unlike other vendors,” and that the company released two patches to address the identified vulnerabilities. Clearly, it didn’t address them all, however, with Breedijk adding that “we later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya VSA.”

Kaseya has yet to comment on the claim. If it is true and Kaseya failed to act, whether intentionally or by accident, the company could potentially face legal liability, particularly given the theft of data involved in the attack.

As of its latest updates today, Kaseya is still struggling with the aftermath of the REvil attack. The company has published a runbook of the changes that should be made to the on-premises environment so that customers can prepare for a patch release.

The news comes a day after the White House vowed to take action against Russia if the Kaseya REvil attack was proved to be linked to the country. REvil is a known Russian ransomware gang with a long history, although it’s not known to be directly linked to the Russian government.

Image: Malwarebytes/Kaseya
