IKEA is dealing with an ongoing cyberattack in which threat actors use stolen reply-chain emails to phish its employees. Internal emails show IKEA warning staff about a reply-chain phishing attack affecting internal mailboxes; the same phishing emails are also arriving from other compromised IKEA organizations and business partners.
IKEA IT teams have warned employees that the reply-chain emails contain URLs ending in seven digits. Employees are instructed not to open the emails, regardless of who sent them, and to report them immediately to the IT department. Recipients are also advised to notify the sender of the email via Microsoft Teams chat.
Because the emails come from compromised systems and appear inside existing email threads, recipients are more inclined to trust that they are harmless. There is also a risk that recipients would release the malicious phishing emails from quarantine, believing the filters had caught them by mistake. As a result, IKEA has disabled employees’ ability to send emails until the incident is resolved.
The URLs in the redacted phishing email can be used to identify the attack against IKEA. Visiting specific URLs redirects the browser to a download named ‘charts.zip’ containing a malicious Excel spreadsheet. To view the attachment ‘properly’, recipients are told to click the ‘Enable Content’ or ‘Enable Editing’ buttons.
Pressing those buttons launches malicious macros that download files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote site and save them to the C:\Datop folder. These OCX files are renamed DLLs and are executed with the regsvr32.exe command to deploy the malware payload.
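As an added example (not code from the original report or from IKEA), the two observable indicators described above can be turned into simple detection logic: email URLs whose path ends in exactly seven digits, and regsvr32.exe being launched on a .ocx file under C:\Datop. The sample URLs and process-creation records below are constructed for illustration and are not real indicators from the incident.

```python
import re
from urllib.parse import urlparse

# Indicator 1 (from the report): the phishing links end in seven digits.
SEVEN_DIGITS_AT_END = re.compile(r"(?<!\d)\d{7}$")

# Indicator 2 (from the report): OCX files dropped in C:\Datop and run via
# regsvr32.exe. Windows paths are case-insensitive, so match lowercased text.
DATOP_OCX = re.compile(r'c:\\datop\\[^\s"]+\.ocx')


def url_is_suspicious(url: str) -> bool:
    """URL path (query string and fragment ignored) ends in exactly seven digits."""
    path = urlparse(url).path.rstrip("/")
    return bool(SEVEN_DIGITS_AT_END.search(path))


def process_event_is_suspicious(image: str, command_line: str) -> bool:
    """regsvr32.exe invoked on a .ocx file located inside C:\\Datop."""
    if not image.lower().endswith("regsvr32.exe"):
        return False
    return bool(DATOP_OCX.search(command_line.lower()))


def triage(urls, process_events):
    """Return the (kind, value) indicators that fired, in the order seen."""
    hits = []
    for url in urls:
        if url_is_suspicious(url):
            hits.append(("url", url))
    for image, cmd in process_events:
        if process_event_is_suspicious(image, cmd):
            hits.append(("process", cmd))
    return hits


# Constructed sample data for a dry run (not indicators from the incident).
SAMPLE_URLS = [
    "https://example.invalid/docs/view/1234567",      # seven-digit suffix: hit
    "https://example.invalid/docs/view/12345678",     # eight digits: no hit
    "https://example.invalid/docs/view/1234567?x=1",  # query ignored: hit
    "https://example.invalid/docs/report-2021",       # no hit
]
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe "C:\Datop\besta.ocx"'),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Datop\bestb.ocx"),
]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_URLS, SAMPLE_PROCESSES):
        print(f"[{kind}] {value}")
```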
Based on a VirusTotal report, campaigns using this technique have been observed installing the Qbot trojan (also known as QakBot and Quakbot) and possibly Emotet. Both Qbot and Emotet infections lead to further network compromise and, eventually, ransomware deployment on the affected network.
IKEA is treating this security incident as a severe breach that could escalate into a considerably more disruptive attack, given the severity of these infections and the suspected compromise of its Microsoft Exchange servers.