Hackers infiltrate Exchange servers and send spam emails to employees through legitimate channels in an attack.

news

An attack has been reported in which hackers compromise Microsoft Exchange mail servers used worldwide, gain access to internal messaging functions, send malicious emails to the company's customers and employees, and infect them with malware.

https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html

Squirrelwaffle has emerged as a new loader spread by spam campaigns, and it is known for sending its malicious emails as replies to existing email chains.

Replying inside an existing thread is a tactic to lower the victim's vigilance, and the campaign is believed to have used a combination of the ProxyLogon and ProxyShell exploits to get into position to do so.

According to a report released by security firm Trend Micro, the attackers specifically target Exchange servers that have not been patched for older vulnerabilities such as ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523).

According to Trend Micro, once the attackers gained access to the server, they used PowerShell functionality to read and manipulate the server's mail storage, and hijacked existing conversations by inserting new replies and sending them to all participants.

According to the researchers, the reply contained a link to a malicious Excel document; if the user allowed its content to run, a macro script in the document installed a version of the Squirrelwaffle malware.

First discovered in September 2021, Squirrelwaffle is a new malware operation built on the model of cybercrime services such as Emotet, Dridex, and TrickBot: it rents out access to its botnet of infected systems to other threat groups.

The incident pointed out by Trend Micro is also a rare example of a spam campaign breaking into a mail server.

Since the attackers did not drop or use any tools for lateral movement after accessing the vulnerable Exchange server, no suspicious network activity was detected.

In addition, no malware that would have raised an alert was running on the Exchange server before the malicious email spread throughout the environment.

Trend Micro also points out that when malicious spam reaches users within an enterprise by this method, it arrives through the organization's own mail server as a reply in a legitimate thread, so recipients cannot filter or quarantine it in the usual way, making it less likely that security tools will detect and stop the attack.

The originality and effectiveness of this technique make it likely that it will be copied by other groups.

Patching against ProxyLogon and ProxyShell closes this particular entry point, but there are many other Exchange bugs that can be exploited as entry points, so we recommend that you always apply security patches to your Exchange server promptly.
