Sophos discovers new attack targeting Exchange Servers

Sophos uncovered a new threat to vulnerable Microsoft Exchange servers that involves financial fraud.

In a report Tuesday, Sophos analysts Matthew Everts and Stephen McNally detailed how a new malware loader, dubbed Squirrelwaffle, was used in conjunction with ProxyLogon and ProxyShell exploits to initiate a fraudulent money transfer. The attack was nearly successful, but was flagged by the target's bank just before the transaction completed. Still, it highlighted the ongoing risks of unpatched Microsoft Exchange Servers and the use of business email compromise (BEC) to trick targets.

The attackers hid Squirrelwaffle in Microsoft Office documents to spread spam campaigns. When recipients open the malicious file and enable macros, Cobalt Strike Beacon is executed and the attacker gains control of the computer, according to the report.

Sophos observed the use of Squirrelwaffle combined with the two Exchange Server flaws "multiple times in the last few months," but the added use of "typo-squatting to maintain the ability to send spam once the Exchange server has been remediated" was a first. Typo-squatting can be successful, as it's almost impossible to differentiate between the altered domains and it depends heavily on the security awareness of the recipient.

The attackers utilized BEC by impersonating the victim's email, along with others in the organization. To make the message requests for payment appear more legitimate, they used information stolen from the thread.

Peter Mackenzie, director of incident response at Sophos, told SearchSecurity that the use of email thread hijacking is quite common among Squirrelwaffle and the Emotet malware attacks. It is considered to be very successful, he said, due to how believable the emails are.

"The attackers set the stage for a legitimate financial transaction to be redirected to a bank account under their control," the report said.

Sophos noted the attackers' persistence over the span of the six days, with repeated follow-up emails sent to the target company designed to pressure the recipient into approving the transaction.

The targeted organization eventually initiated a money transfer, which would have gone directly to the attackers if it had not been flagged as fraudulent. Only one of the financial institutions involved in the transaction caught the potential theft, according to the report.

While patching usually resolves the issue in a typical Squirrelwaffle attack against a vulnerable Exchange Server, this attack utilizes multiple flaws, malware and social engineering, which requires more attention.

"In the incident investigated by Sophos Rapid Response, however, such remediation wouldn't have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim's Exchange Server," the report said.

Still, Everts and McNally said applying the most recent updates from Microsoft was the "single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers."

The Exchange Server flaws that impacted a wide and growing range of victims were disclosed and patched nearly one year ago. Mackenzie said that while many are patched now, there have been multiple vulnerabilities for Exchange recently, and admins may have not added the latest updates.

"It is also important to understand that if Exchange is exploited and the attackers are able to create web shells or mailboxes that they would still have access to these even after Exchange is patched, which is why you need to investigate," he said in an email to SearchSecurity.

Because social engineering played a large role, user awareness when it comes to spotting phishing attempts is also vital. Sophos also recommended using "industry recognized standards for email authentication" to make these types of impersonations and email spoofing more difficult.

Earlier this month, Microsoft announced it disabled macros by default. While McKenzie said the change will certainly help defend against this, Sophos expects to still see malicious macros being used regularly.