
Microsoft Exchange servers hacked in internal reply-chain attacks


Microsoft Exchange

Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.

When threat actors conduct malicious email campaigns, the hardest part is tricking users into trusting the sender enough that they open the malware-distributing attachments that are linked or included.

TrendMicro researchers have discovered an interesting tactic for distributing malicious email to a company’s internal users via the victim’s compromised Microsoft Exchange servers.

The actors behind this attack are believed to be ‘TR’, a known threat actor who distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads.

As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.

The threat actors then use these compromised Exchange servers to reply to the company’s internal emails in reply-chain attacks containing links to malicious documents that install various malware.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),” explains Trend Micro’s report.

One of SquirrelWaffle’s emails to a target
Source: TrendMicro

As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.

Not only is this effective against the human recipients, but it’s also excellent for not raising any alarms on the email protection systems used in the target firm.

The attachments that come with, or are linked to by, these emails are standard malicious Microsoft Excel templates that tell recipients to ‘Enable Content’ to view a protected file.

Malicious Microsoft Excel document used by SquirrelWaffle

However, once the user enables content, malicious macros are executed to download and install the malware distributed by the attachment, whether that be Qbot, Cobalt Strike, SquirrelWaffle, or another malware.
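The two detection points the article raises, the internal-only mail path that Trend Micro found in the Received headers and the macro-enabled Excel attachment, can be checked together by a mail-flow filter. The following is an added triage example written for this article, not code from Trend Micro or from the reporting; the hostnames, the sample message and the placeholder workbook are constructed. It reads the Received chain oldest-hop-first, notes whether every hop stayed between the assumed internal Exchange hosts, and flags OOXML attachments that carry a vbaProject.bin (the part that makes a workbook macro-enabled) whether or not the path was internal, which is the point: an internal reply is not a reason to skip attachment scanning.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed internal Exchange hosts (constructed names, not from the article).
INTERNAL_HOSTS = ("exch01.corp.example", "exch02.corp.example", "exch03.corp.example")

# "from <host> ... by <host>" is the common shape of a Received header.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def build_macro_workbook() -> bytes:
    """Constructed stand-in for an .xlsm: an OOXML zip containing xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder\x00")
    return buf.getvalue()


def build_sample_message(external: bool = False) -> bytes:
    """Constructed reply-chain email with a macro-enabled attachment.

    Received headers are written newest-first, as a real MTA would leave them.
    With external=True the oldest hop comes from outside the assumed network.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@corp.example"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "RE: Q3 budget"
    first_hop = "mail.outside.example (203.0.113.5)" if external else "exch01.corp.example (10.0.0.11)"
    msg["Received"] = ("from exch02.corp.example (10.0.0.12) by exch03.corp.example "
                       "with Microsoft SMTP Server; Fri, 19 Nov 2021 10:01:00 +0000")
    msg["Received"] = (f"from {first_hop} by exch02.corp.example "
                       "with Microsoft SMTP Server; Fri, 19 Nov 2021 10:00:58 +0000")
    msg.set_content("Please see attached, as discussed.\n\n> Bob wrote:\n> can you send the numbers?")
    msg.add_attachment(build_macro_workbook(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="budget.xlsm")
    return bytes(msg)


def mail_path(msg) -> list:
    """Return (from_host, by_host) hops, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group("from").rstrip(","), m.group("by").rstrip(";")))
    return list(reversed(hops))


def is_internal_only(hops, internal_hosts=INTERNAL_HOSTS) -> bool:
    """True when every hop ran between hosts we consider internal."""
    return bool(hops) and all(f in internal_hosts and b in internal_hosts for f, b in hops)


def has_vba_project(data: bytes) -> bool:
    """Detect a macro-enabled OOXML file by the presence of xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower() == "xl/vbaproject.bin" for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes, internal_hosts=INTERNAL_HOSTS) -> dict:
    """Summarise the path and attachments; macro attachments are flagged regardless of path."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = mail_path(msg)
    macro_files = [part.get_filename() for part in msg.iter_attachments()
                   if has_vba_project(part.get_payload(decode=True) or b"")]
    subject = str(msg["Subject"] or "").lower()
    return {
        "hops": hops,
        "internal_only": is_internal_only(hops, internal_hosts),
        "reply": subject.startswith(("re:", "fw:", "fwd:")),
        "macro_attachments": macro_files,
        "suspicious": bool(macro_files),
    }


if __name__ == "__main__":
    for label, raw in (("internal", build_sample_message()), ("external", build_sample_message(True))):
        print(label, triage(raw))
```

Run stand-alone it prints both variants; the internal one reports `internal_only: True` together with the macro attachment, which is exactly the combination the article says lets these messages pass an externally-focused gateway. In a real deployment the host allow-list would come from the organisation's Exchange topology and the attachment check would feed a quarantine or a macro-blocking policy rather than a print.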

In its report, Trend Micro says it has seen these attacks distribute the SquirrelWaffle loader, which then installs Qbot.

However, Cryptolaemus researcher ‘TheAnalyst’ says that the malicious document used by this threat actor drops both malware families as discrete payloads, rather than SquirrelWaffle distributing Qbot.

Keep your Exchange servers updated

Microsoft fixed the ProxyLogon vulnerabilities in March and the ProxyShell vulnerability in April and May, addressing them as zero-days at the time.

Threat actors have abused both vulnerabilities to deploy ransomware or install webshells for later backdoor access. The ProxyLogon attacks got so bad that the FBI removed web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.

After all this time and the wide media coverage these vulnerabilities have received, not patching Exchange servers is just an open invitation to hackers.