Sophos has published a new article detailing a recent incident in which the Squirrelwaffle malware loader was used together with the ProxyLogon and ProxyShell exploits to compromise an unpatched Microsoft Exchange server. The attackers then used the server to mass-distribute Squirrelwaffle to both internal and external recipients by inserting malicious replies into employees’ existing email threads.
The researchers discovered that, while the malicious spam campaign was under way, the same vulnerable server was also used for a financial fraud attack: using knowledge extracted from a stolen email thread and a “typo-squatting” domain, the attackers tried to convince an employee to redirect a legitimate customer transaction to them. The fraud almost succeeded: the transfer of funds to the malicious recipient was authorised, but luckily a bank grew suspicious and the transaction was stopped.
Matthew Everts, analyst in Sophos Rapid Response and one of the authors of the research, said: “In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. In the incident investigated by Sophos Rapid Response, however, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server.
“This is a good reminder that patching alone isn’t always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven’t left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”
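As an added, defender-side illustration of the thread hijacking and typo-squatting described above (example code written for this page, not Sophos’s tooling), the following Python checks whether a reply that continues an existing thread comes from a lookalike of a known correspondent’s domain. The sample message, the known-domain list and the substitution table are constructed assumptions.

```python
import email, email.policy
from email.utils import parseaddr
# Constructed sample reply (not from the Sophos report): it continues an existing
# thread but is sent from a lookalike of the real customer's domain (hypothetical).
SAMPLE_REPLY = """\
From: Accounts <accounts@examp1e-customer.com>
Reply-To: accounts@examp1e-customer.com
To: payments@victim.example
Subject: RE: Invoice 4471 payment details
In-Reply-To: <orig-msg-id@example-customer.com>

Please use our updated bank details for this transfer.
"""
KNOWN_DOMAINS = {"example-customer.com", "victim.example"}  # assumed contacts export
_DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter swaps

def normalize(domain):
    # Fold typical typo-squatting substitutions so lookalikes compare equal.
    return domain.lower().translate(_DIGIT_SWAPS).replace("rn", "m")

def levenshtein(a, b):
    # Edit distance (insert/delete/substitute) used as the similarity score.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known, max_dist=2):
    # Return the known domain this one imitates, or None if exact or unrelated.
    if domain in known:
        return None
    for k in known:
        if levenshtein(normalize(domain), normalize(k)) <= max_dist:
            return k
    return None

def analyze_reply(raw, known):
    # Flag a reply that continues an existing thread from a lookalike domain.
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for header in ("From", "Reply-To"):
        domain = parseaddr(str(msg.get(header, "")))[1].rsplit("@", 1)[-1].lower()
        hit = lookalike_of(domain, known)
        if hit:
            findings.append(f"{header} domain {domain} resembles known {hit}")
    if findings and (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("lookalike sender is continuing an existing thread")
    return findings
```

Run over a mailbox export, a non-empty result is a prompt to verify the payment-detail change out of band rather than proof of fraud.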