Posted on February 16, 2022 at 8:28 AM
A series of cyberattacks has been detected affecting Microsoft Exchange Servers. The attacks were launched by combining ProxyLogon, ProxyShell and Squirrelwaffle.
The announcement stated that the servers were being exploited for financial fraud. The exploitation was done on vulnerable systems that failed to enforce strong security measures.
Exploit on Microsoft Exchange Server
One of the ways that users can protect themselves from this vulnerability is by using strong passwords that secure online accounts containing valuable information; enabling two-factor authentication on those accounts adds a further layer of security.
A recent report from Sophos revealed the exploitation of the Microsoft Exchange Server. The research stated that the vulnerabilities on the server had not been patched, which failed to provide the needed protection against bugs that could be detected and exploited by threat actors. The attackers targeted these vulnerabilities to access email threads and send malspam.
Microsoft issued an emergency patch on these vulnerabilities on March 2, 2021. The company issued the patches to sort out the zero-day vulnerabilities that could be used to gain unauthorized access to servers. One of the threat actor groups exploiting the bugs is the advanced persistent threat (APT) group Hafnium. The group exploited the vulnerabilities before the patch was issued, and the action resulted in many other APTs also exploiting the bug.
As in many cases, some organizations have yet to patch the vulnerabilities. One of the well-known bugs is the ProxyLogon/ProxyShell vulnerability, where, despite a patch being issued, some organizations have left their servers unpatched and open to attack.
The recent report from Sophos linked exploitation of the Microsoft Exchange Server vulnerabilities with Squirrelwaffle. Squirrelwaffle is a malware loader whose activity was first revealed last year after being used in a series of malicious campaigns. The malware loader is usually deployed on the victim’s devices through infected Microsoft Office documents or DocuSign. These are usually attached in the form of a phishing email luring unsuspecting users to download the malware on their devices.
When a victim enables macros in the documents that have been compromised, the malware loader will be used to pull and run CobaltStrike beacons using a VBS script. The Sophos report also added that the malware loader was deployed onto the devices after the Microsoft Exchange Server was affected during the latest malicious campaign.
The report added that the server used to “mass distribute” the malware loader belonged to an unnamed organization. The Squirrelwaffle malware loader was distributed to internal and external email addresses by gaining unauthorized access to existing email threads sent between employees.
Attackers gain access to organization data
Email hijacking can be carried out in many ways. One is to exploit existing communication threads through social engineering and impersonation, whereby the threat actor pretends to be a company executive and tricks the accounting department into approving a fraudulent transaction. The attackers can also send emails containing links that direct employees to malware payloads.
The attackers used Squirrelwaffle to spread the malware. They also went a step further, gaining access to an email thread and then using the internal information to conduct financial fraud.
When the attackers gained access to the organization’s servers, they collected customer information. The attackers then registered a domain with a name nearly identical to that of the affected organization. They also created email accounts using this domain and replied to customers from outside the organization’s servers.
Sophos also stated that the attacker made the conversations look more legitimate by copying in additional email addresses, giving the impression that they were working together with other departments. In reality, the attacker had created these additional email addresses to make the email look genuine.
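The lookalike-domain reply pattern described above can be caught at the mail gateway with a simple heuristic. The script below is an added example, not code from Sophos or from the article; the organization domain, sender addresses and thread identifiers are constructed for illustration.

```python
# Added example (not from the Sophos report or the article): a small
# mail-gateway heuristic for the thread-hijacking pattern described above.
# It flags a reply into an existing thread whose sender or Cc addresses use
# a domain that is a near-match (small edit distance) for the organization's
# real domain, which is what the fake "other department" Cc addresses look like.
from dataclasses import dataclass, field
from typing import List, Optional

ORG_DOMAIN = "example-corp.com"   # assumed legitimate domain (constructed)


@dataclass
class Message:
    sender: str
    cc: List[str] = field(default_factory=list)
    in_reply_to: Optional[str] = None   # set when the mail is a reply in a thread


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domains(msg: Message, max_distance: int = 2) -> List[str]:
    """Distinct sender/Cc domains that are close to, but not equal to, ORG_DOMAIN."""
    hits: List[str] = []
    for addr in [msg.sender, *msg.cc]:
        d = domain_of(addr)
        if d != ORG_DOMAIN and edit_distance(d, ORG_DOMAIN) <= max_distance and d not in hits:
            hits.append(d)
    return hits


def is_suspicious_reply(msg: Message) -> bool:
    """Alert on a reply into an existing thread that comes from a lookalike domain."""
    return msg.in_reply_to is not None and bool(lookalike_domains(msg))


# Constructed samples: a genuine internal reply and a hijacked one ('o' swapped for '0').
legit = Message("alice@example-corp.com", ["billing@example-corp.com"], "<thread-1>")
hijack = Message("alice@example-c0rp.com", ["billing@example-c0rp.com"], "<thread-1>")

if __name__ == "__main__":
    for m in (legit, hijack):
        print(m.sender, "->", "SUSPICIOUS" if is_suspicious_reply(m) else "ok")
```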
In one of the cases, the attacker attempted to initiate a financial transaction. However, the bank processing the transaction failed to follow through after suspecting that the recipient could be fraudulent, and the victim did not suffer financial loss from it.
According to Matthew Everts, a researcher with Sophos, detecting this malware showed that patching vulnerabilities was not enough.
“In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven’t left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection,” Everts added.