Sophos, a global leader in next-generation cybersecurity, recently published research detailing an incident when the Squirrelwaffle malware loader was used in conjunction with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server and mass distribute Squirrelwaffle to internal and external recipients by inserting malicious replies onto employees’ existing email threads.
The researchers discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers. The fraud almost succeeded. The transfer of funds to the malicious recipient was authorized, but luckily a bank became suspicious and prevented the transaction from going through.
Matthew Everts, an analyst at Sophos Rapid Response and one of the researchers, said:
“In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. However, in the incident investigated by Sophos Rapid Response, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server. It is a good reminder that patching alone isn’t always enough protection. For example, in the case of vulnerable Exchange servers, you need to check that the attackers haven’t left behind a web shell to maintain access. When it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”
The Squirrelwaffle Incident Guide
Alongside the new research, Sophos has published a Squirrelwaffle Incident Guide that provides step-by-step guidance on investigating, analyzing, and responding to incidents involving this increasingly popular malware loader, which is distributed as a malicious office document in spam campaigns and provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware.
The guide is part of a series of Incident Guides by the Sophos Rapid Response team to help incident responders and security operations teams identify and remediate widely seen threat tools, techniques, and behaviors.
Additional Resources
- Information on attacker behaviors, incident reports, and advice for security operations professionals is available on Sophos News SecOps
- Learn more about Sophos’ Rapid Response Service that contains, neutralizes, and investigates attacks 24/7
- The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
- Further details on the evolving cyberthreat landscape can be found in the Sophos 2022 Threat Report
- Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLabs Uncut, which provides Sophos’ latest threat intelligence
Read the latest security news and views on Sophos’ award-winning news website Naked Security and Sophos News
Liked this post? Follow SwirlingOverCoffee on Facebook, YouTube, and Instagram.