Squirrelwaffle, ProxyShell, and ProxyLogon have been combined against Microsoft Exchange Servers to commit financial fraud through email hijacking. Sophos researchers revealed on Tuesday that a Microsoft Exchange Server that had not been patched against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate spam.
On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be used to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was aggressively exploiting the flaws, and other APTs swiftly followed suit. Even though the ProxyLogon/ProxyShell flaws are now well known, some servers remain unpatched and vulnerable to attack.
Sophos has described an incident that coupled the Microsoft Exchange Server weaknesses with Squirrelwaffle, a malware loader first discovered in malicious spam operations last year. The loader is frequently spread through malicious Microsoft Office documents or DocuSign-themed attachments on phishing emails. If the intended victim enables macros in the infected document, Squirrelwaffle is commonly used to fetch and run Cobalt Strike beacons through a VBS script.
According to Sophos, in the latest campaign the loader was deployed after the Microsoft Exchange Server had been compromised. By hijacking existing email conversations between employees, the server of an undisclosed firm was used to "bulk distribute" Squirrelwaffle to internal and external email accounts. Email hijacking can take various forms: social engineering and impersonation, such as an attacker posing as an executive to dupe an accounting department into approving a fraudulent transaction, or email blasts carrying links to malware payloads, can each compromise a trusted communication channel.
In this case the spam campaign was intended to disseminate Squirrelwaffle, but the attackers also retrieved an email thread and exploited the inside knowledge it contained to commit financial fraud. Customer information was gathered and a victim organization was chosen. The attackers then registered a domain with a name close to the victim's, a technique known as typo-squatting, and created email accounts on that domain to continue replying to the email thread from outside the compromised server.
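One defensive check this reply-chain hijack suggests is to compare the sender domain of each later reply in a thread against the domains of the original participants and flag look-alikes. The following is an added example, not code from Sophos or from the article; the thread, addresses and domains are constructed, and the homoglyph table and similarity threshold are assumptions to tune for a real mail pipeline.

```python
from difflib import SequenceMatcher

# Constructed sample thread (all addresses made up): the first two messages
# are the genuine exchange, the third is a reply from a look-alike domain.
THREAD = [
    {"from": "accounts@example-corp.com", "to": "buyer@client-co.com", "subject": "Invoice 4471"},
    {"from": "buyer@client-co.com", "to": "accounts@example-corp.com", "subject": "RE: Invoice 4471"},
    {"from": "accounts@examp1e-corp.com", "to": "buyer@client-co.com", "subject": "RE: Invoice 4471 - new bank details"},
]

# Characters commonly swapped in typo-squatted domains; mapping them to a
# canonical form makes "examp1e-corp" compare equal to "example-corp".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Lower-case and collapse common single- and double-character substitutions."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(candidate: str, trusted: set, threshold: float = 0.85) -> bool:
    """True when candidate is not a trusted domain but closely resembles one.
    Exact match after normalization catches homoglyph swaps; the similarity
    ratio catches added/dropped characters and TLD swaps (example-corp.co)."""
    if candidate in trusted:
        return False
    cand = normalize(candidate)
    for t in trusted:
        tn = normalize(t)
        if cand == tn or SequenceMatcher(None, cand, tn).ratio() >= threshold:
            return True
    return False


def flag_hijacked_replies(thread: list) -> list:
    """Trust the domains seen in the first message of the thread; report the
    index and sender domain of any later reply coming from a look-alike."""
    first = thread[0]
    trusted = {domain_of(first["from"]), domain_of(first["to"])}
    flagged = []
    for idx, msg in enumerate(thread[1:], start=1):
        sender = domain_of(msg["from"])
        if is_lookalike(sender, trusted):
            flagged.append((idx, sender))
    return flagged


if __name__ == "__main__":
    print(flag_hijacked_replies(THREAD))  # [(2, 'examp1e-corp.com')]
```

In production the trusted set would come from the thread's full participant list and the organization's own domains, and a flagged reply would be quarantined or tagged for review rather than simply printed.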
The attackers spent six days trying to divert a genuine financial transaction to a bank account they controlled. The payment was about to be executed, and the victim was spared only because a bank involved in the transaction realized the transfer was most likely fraudulent.