An investigation into the recent SquirrelWaffle malware campaign by cybersecurity experts has revealed the use of compromised Microsoft Exchange servers that were attacked using a chain of both ProxyLogon and ProxyShell exploits.
The tactic was discovered by researchers at TrendMicro who found that the attackers lent legitimacy to their malicious messages by breaking into on-premise Microsoft Exchange servers using its two popular vulnerabilities.
The threat actors then used these compromised Exchange servers to reply to the company's internal emails in the classic reply-all email chain attack, stuffing malicious links in legitimate email chains to install malware.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),” notes TrendMicro.
In addition to appearing to be a continuation of an ongoing discussion, the malicious email now originated from within an organization’s email servers, lending a far greater legitimacy to the spammy email.
Furthermore, the researchers said that delivering malicious content using the compromised internal email servers also helps eradicate the issue of having to deal with network-level protections since they won’t block internal communication.
“More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” observe the researchers.
These fake reply-all emails drop malicious Microsoft Word or Excel files that will then trick the recipient into enabling the execution of macros that will pull and install the SquirrelWaffle malware.