{"id":42609,"date":"2021-11-23T15:59:36","date_gmt":"2021-11-23T15:59:36","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=3e6f42443e365162963535fecd846a1c"},"modified":"2021-11-23T15:59:36","modified_gmt":"2021-11-23T15:59:36","slug":"hackers-use-squirrelwaffle-malware-to-hack-exchange-servers-in-new-campaign","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/hackers-use-squirrelwaffle-malware-to-hack-exchange-servers-in-new-campaign\/","title":{"rendered":"Hackers use SquirrelWaffle malware to hack Exchange servers in new campaign"},"content":{"rendered":"


\n Rene Millman<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
23 Nov, 2021<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Hackers are using ProxyShell<\/span> and ProxyLogon<\/span> exploits to break into Microsoft Exchange servers\u00a0in a new campaign to infect systems with malware, bypassing security measures by replying to pre-existing email chains.<\/p>\n

Security<\/a> researchers at Trend Micro said investigations into several intrusions related to Squirrelwaffle<\/span> led to a deeper examination into the initial access of these attacks, according to a blog post<\/a>.<\/p>\n

Researchers said that Squirrelwaffle first emerged<\/a>\u00a0as a new loader spreading through spam campaigns in September. The malware<\/a> is known for sending its malicious emails as replies to pre-existing email chains.<\/p>\n

The intrusions observed by researchers originated\u00a0from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon<\/span> and ProxyShell<\/span>.\u00a0According to researchers, there was evidence of the exploits on the vulnerabilities\u00a0CVE-2021-26855<\/a>,\u00a0CVE-2021-34473<\/a>, and\u00a0CVE-2021-34523<\/a>\u00a0in the IIS<\/span> Logs on three of the Exchange servers that were compromised in different intrusions.<\/p>\n

\u201cThe same CVEs<\/span> were used in ProxyLogon<\/span> (CVE<\/span>-2021-26855) and ProxyShell<\/span> (CVE<\/span>-2021-34473 and CVE<\/span>-2021-34523) intrusions. Microsoft\u00a0released a patch for\u00a0ProxyLogon<\/span>\u00a0in\u00a0March<\/a>; those who have applied the\u00a0May or July<\/a>\u00a0updates are protected from\u00a0ProxyShell<\/span>\u00a0vulnerabilities,\u201d said researchers.<\/p>\n

In one case, all the internal users in the affected network received spam emails\u00a0sent as legitimate replies to existing email threads.<\/p>\n

\u201cAll of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim\u2019s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,\u201d they said.<\/p>\n

In the same intrusion, researchers analyzed<\/span> the email headers for the received malicious emails and found that the mail path was internal, indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA<\/span>).<\/p>\n

\u201cDelivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,\u201d they added.<\/p>\n

Researchers said that the hackers also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers in order to avoid detection. Additionally, no malware was executed on the Exchange servers to avoid triggering alerts before the malicious email could be spread across the environment.<\/p>\n

According to researchers, the recent Squirrelwaffle<\/span> campaigns should make users wary of the different tactics used to mask malicious emails and files.<\/p>\n

\u201cEmails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,\u201d they warned. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Rene Millman<\/p>\n

23 Nov, 2021 <\/p>\n

Hackers are using ProxyShell and ProxyLogon exploits to break into Microsoft Exchange servers\u00a0in a new campaign to infect systems with malware, bypassing security measures by replying to pre-exi…<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-42609","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=42609"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42609\/revisions"}],"predecessor-version":[{"id":42610,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42609\/revisions\/42610"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=42609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=42609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=42609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}