Attackers typically leverage vulnerable Exchange servers to mass distribute Squirrelwaffle malware loader. This time, threat actors exploited the server for a financial fraud attack that nearly succeeded.
Cybersecurity teams are familiar with a typical Squirrelwaffle attack where threat actors leverage vulnerable servers to mass distribute the malware by inserting malicious replies into employees’ existing email threads ((known as email thread hijacking.) It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware.
It is an increasingly popular malware loader, typically used in conjunction with the ProxyLogon and ProxyShell exploits to target unpatched Microsoft Exchange servers.
This type of attack usually ends when defenders detect and remediate the breach by patching the vulnerabilities and removing the attacker’s ability to send emails through the server.
The Sophos Rapid Response team recently observed the Squirrelwaffle used for a financial fraud attack. While the malicious spam campaign was being implemented, the same vulnerable server was also used to carry out a financial offense using knowledge extracted from a stolen email thread.
The attackers registered a typo-squatted domain (one that appears to be the victim’s domain but with a minor typo) that they used to reply to the email thread and attempted to redirect the victim’s customers payments to themselves. They sent over new banking details and created a sense of urgency for the transaction to be made.
The attackers very nearly achieved their goal. The victim organization initiated a transfer of money to the attackers. However, one of the financial institutions involved in the transaction flagged the transaction as fraudulent, and so the transfer did not complete,Sophos said.
Matthew Everts, an analyst in Sophos Rapid Response and one of the research authors, highlighted that patching a vulnerable server is insufficient. In this recent incident, patching wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server.
“This is a good reminder that patching alone isn’t always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven’t left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it, is critical for detection,” he said.
To protect against malicious email attacks, it is crucial to patch servers with the most recent updates and conduct extensive employee phishing training. Sophos encouraged defenders to help companies better determine the legitimacy of the emails by implementing industry-recognized standards for email authentication.
“As attackers become increasingly skilled at social engineering, creating sophisticated phishing lures and impersonation messages, and more, it may be time to start using email security products that integrate artificial intelligence,” Sophos concluded.
More from CyberNews:
Subscribe to our newsletter