Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud

The combination of Squirrelwaffle, ProxyLogon and ProxyShell against Microsoft Exchange servers is used to conduct financial fraud through email hijacking.

On Tuesday, Sophos researchers revealed a recent incident in which a Microsoft Exchange server, which had not been patched against a set of critical vulnerabilities disclosed last year, was targeted in order to hijack email threads and spread malspam.

Microsoft released emergency patches on March 2, 2021 to address zero-day vulnerabilities that were being exploited to hijack servers. The Advanced Persistent Threat (APT) group Hafnium was actively exploiting the bugs at the time, and other APTs soon followed suit.

While the ProxyLogon/ProxyShell vulnerabilities are now well known, some servers are still unpatched and open to attack.

The recent case documented by Sophos combined flaws in Microsoft Exchange Server with Squirrelwaffle, a malware loader first documented in malicious spam campaigns last year. The loader is often distributed via malicious Microsoft Office documents or DocuSign content added to phishing emails.

If an intended victim enables macros in a weaponized document, Squirrelwaffle is often used to retrieve and execute Cobalt Strike beacons via a VBS script.

Sophos says that in the recent campaign, the loader was deployed after the Microsoft Exchange server was compromised. The server, owned by an anonymous organization, was used to “mass distribute” Squirrelwaffle to internal and external email addresses by hijacking existing threads between employees.

Email hacking can take many forms. Communication threads can be compromised through social engineering and spoofing – such as an attacker impersonating an executive to trick an accounting department into signing off on a fraudulent transaction – or by sending emails containing links that lead to malware payloads.

In this case, the spam campaign was used to spread Squirrelwaffle, but in addition, the attackers extracted an email thread and used the inside knowledge it contained to conduct financial fraud.

Customer data was collected and a victim organization was selected. The attackers registered a domain with a name very similar to the victim's – a technique known as typo-squatting – and then created email accounts under that domain to reply to the thread from outside the compromised server.

“To bolster the legitimacy of the conversation, the attackers copied additional email addresses to make it look like they were requesting support from an internal service,” Sophos explained. “In fact, the additional addresses were also created by the attacker under the typo-squatted domain.”

For six days, the attackers attempted to direct a legitimate financial transaction to a bank account they owned. The payment was about to be processed, and only because a bank involved in the transaction realized the transfer was likely fraudulent did the victim not fall prey to the attack.
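The detection angle on the technique described above, as an added example that is not from the Sophos write-up or ZDNet: a mail-gateway style check that flags a reply to an existing thread when the sender's domain is a near-match of the organisation's own domain, and notes CC addresses padded with that same lookalike domain. The organisation domain and the sample message are constructed placeholders.

```python
# Added example (not from the Sophos write-up): flag thread replies whose
# sender domain is a lookalike of our own, and CC lists padded with it.
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # assumed legitimate domain (placeholder)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is typical of a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Extract the lowercased domain from a display-name style address."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def is_lookalike(domain: str, org: str = ORG_DOMAIN, max_dist: int = 2) -> bool:
    """True for a domain that is not ours but within max_dist edits of it."""
    return domain != org and 0 < edit_distance(domain, org) <= max_dist


@dataclass
class Message:
    sender: str
    cc: list = field(default_factory=list)
    in_reply_to: str = ""  # non-empty means a reply inside an existing thread


def assess(msg: Message) -> dict:
    """Return findings for one message; 'suspicious' drives the gateway action."""
    sender_dom = domain_of(msg.sender)
    cc_doms = {domain_of(c) for c in msg.cc}
    findings = {
        "thread_reply": bool(msg.in_reply_to),
        "lookalike_sender": is_lookalike(sender_dom),
        # CC addresses on the lookalike domain mimic "internal" colleagues
        "lookalike_cc": sorted(d for d in cc_doms if is_lookalike(d)),
    }
    findings["suspicious"] = findings["thread_reply"] and findings["lookalike_sender"]
    return findings


# Constructed sample: a reply to a genuine thread sent from a typo-squatted domain
HIJACKED_REPLY = Message(
    sender="Finance <finance@example-c0rp.com>",
    cc=["support@example-c0rp.com", "ceo@example-c0rp.com"],
    in_reply_to="<thread-123@example-corp.com>",
)
```

In production the edit-distance check would be one signal alongside DMARC results and the sending domain's registration age.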

“It’s a good reminder that patches alone aren’t always enough for protection,” commented Sophos researcher Matthew Everts. “In the case of vulnerable Exchange servers, for example, you should also verify that attackers have not left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in the hijacking of email threads, educating employees on what to watch out for and how to report it is critical for detection.”
