IKEA, under cyber attack as email system hijacked


IKEA has told staff that it is fighting an ongoing cyber attack in which attackers use stolen reply-chain emails to run internal phishing campaigns against its employees.

In a reply-chain email attack, the attacker first gains access to a company's legitimate email (typically by compromising a mailbox or mail server), then replies to an existing conversation with a link to a malicious document; opening that document installs malware on the recipient's device.

Because these replies continue genuine conversations and are sent from compromised accounts or internal servers, recipients are far more likely to trust them and open the malicious document.

IKEA warns employees of the ongoing attack

According to an internal email, IKEA has alerted employees to an ongoing reply-chain phishing campaign targeting internal mailboxes.

The emails appear to come from other IKEA organizations and from business partners whose systems have been compromised.

Cyber attacks continue to target IKEA mailboxes. Other IKEA organizations, suppliers and business partners have been hit by the same attacks, and it appears that more malicious emails are being spread to IKEA stakeholders.

This means that the attacks can come from people you work with, from outside organizations, or even as a reply to a conversation already in progress. This makes it difficult to detect and requires extreme caution.

The IKEA IT team warns employees that the reply-chain emails contain links ending in a seven-digit number, and circulated an example email. Employees are told not to open such emails, regardless of who sent them, and to report them to the IT department immediately.

Recipients are also told to notify the sender of the email via Microsoft Teams chat.

The attackers appear to be exploiting the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to compromise internal mail servers and then use them to conduct the phishing attacks.

Once they control a server, they use the internal Microsoft Exchange server itself to launch reply-chain attacks against employees, replying to stolen corporate email threads.

Because the mails are sent from compromised internal servers and continue existing mail threads, recipients are more inclined to believe they are not malicious.

IKEA is also concerned that recipients may release the malicious phishing emails from quarantine, believing the filter caught them by mistake. It has therefore disabled employees' ability to release quarantined emails until the attack is resolved.

Our email filter identifies and quarantines some of the malicious emails. Because these emails can be replies to ongoing conversations, it is easy to think the filter has made a mistake and release them from quarantine. We are therefore disabling everyone's ability to release emails from quarantine until further notice.

IKEA has not responded to inquiries about the attack and has not disclosed to employees whether its own internal servers have been compromised, but it is likely that the same technique was used against it.

Attacks used to spread Emotet or Qbot Trojans

From the URLs shared in the phishing emails, we were able to identify the attack targeting IKEA.

When one of these URLs is visited, the browser is redirected to download a file named "charts.zip", which contains a malicious Excel document. The document instructs the recipient to click "Enable Content" or "Enable Editing" to view it properly, as shown below.

When either button is clicked, a malicious macro runs and downloads files named "besta.ocx", "bestb.ocx", and "bestc.ocx" from a remote site, saving them in the "C:\Datop" folder.

The OCX files are then renamed to DLLs and executed with the regsvr32.exe command to install the malware payload.
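The delivery chain above (macro writes .ocx files to C:\Datop, renames them, loads them with regsvr32.exe) and the IT team's link indicator earlier on the page translate directly into detection rules. The following is an added example, not code from the article or from IKEA: it runs three endpoint rules over constructed telemetry records (a simplified process-create and file-create shape loosely modelled on Sysmon fields; the user name, document name and event sequence are invented) and applies the seven-digit-suffix link check to constructed URLs. The link check is a campaign-specific indicator that IKEA gave its staff, not a general phishing rule; the process rules generalize beyond this campaign because legitimate Office sessions almost never spawn regsvr32.exe or write COM modules to disk.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed telemetry (not real logs). "type" is "process" (image, parent,
# cmdline) or "file" (image that wrote the file, path). The Excel document
# name and user name are assumptions for the example only.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": EXCEL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" C:\Users\jdoe\Downloads\charts\charts.xls'},
    {"type": "file", "image": EXCEL, "path": r"C:\Datop\besta.ocx"},
    {"type": "file", "image": EXCEL, "path": r"C:\Datop\bestb.ocx"},
    {"type": "file", "image": EXCEL, "path": r"C:\Datop\bestc.ocx"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "parent": EXCEL,
     "cmdline": r"regsvr32 /s C:\Datop\besta.dll"},
    # benign: a service registering a Windows-shipped DLL
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Module paths under these roots need admin rights to write; anything else
# (C:\Datop, %TEMP%, Downloads) is user-writable and therefore suspicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MODULE_ARG = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:dll|ocx)', re.IGNORECASE)
SEVEN_DIGITS = re.compile(r"^\d{7}$")

Finding = Tuple[str, str, str]  # (severity, rule, evidence)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_ROOTS)


def evaluate(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three endpoint rules derived from the described macro chain."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) == "regsvr32.exe":
            if basename(ev["parent"]) in OFFICE_APPS:
                findings.append(("high", "Office application spawned regsvr32.exe", ev["cmdline"]))
            for module in MODULE_ARG.findall(ev["cmdline"]):
                if is_user_writable(module):
                    findings.append(("medium", "regsvr32.exe loading a module from a user-writable path", module))
        elif ev["type"] == "file" and basename(ev["image"]) in OFFICE_APPS:
            if ev["path"].lower().endswith((".ocx", ".dll")):
                findings.append(("medium", "Office application wrote a COM/DLL module to disk", ev["path"]))
    return findings


def has_seven_digit_suffix(url: str) -> bool:
    """IKEA's campaign indicator: the link's last path segment is a 7-digit number
    (query string and a trailing slash are ignored)."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return bool(segments) and SEVEN_DIGITS.match(segments[-1]) is not None


if __name__ == "__main__":
    for severity, rule, evidence in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {evidence}")
    # constructed URLs, not indicators from the campaign
    for u in ("https://example.invalid/wp-content/1234567", "https://example.invalid/docs/report.pdf"):
        print(u, has_seven_digit_suffix(u))
```

In production the "high" rule (Office parent of regsvr32.exe) is the one worth paging on by itself; the two "medium" rules are better as correlation context on the same host within a few minutes, which is exactly how the three fire in the sample sequence above.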

Attacks using this technique have been confirmed to install the Qbot Trojan (also known as QakBot and Quakbot) and, according to submissions on VirusTotal, possibly Emotet as well.

VirusTotal (screenshot)

Both Qbot and Emotet are used to expand the intrusion across the network and commonly hand off access to ransomware operators, so an infection often ends in ransomware deployment.

Given the severity of these infections and the high likelihood that Microsoft Exchange servers have been compromised, IKEA is treating the incident as a serious cyber attack that could lead to a far more destructive one.
