Microsoft Exchange Server vulnerabilities targeted to conduct financial fraud
By MYBRANDBOOK
On Tuesday, Sophos researchers revealed a recent incident in which a Microsoft Exchange Server, which had not been patched to protect it against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam. The incident documented by Sophos also used the combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers to conduct financial fraud through email hijacking.
Squirrelwaffle is a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content tacked on to phishing emails. If an intended victim enables macros in the weaponized documents, Squirrelwaffle then is often used to pull and execute CobaltStrike beacons via a VBS script.
The advanced persistent threat (APT) group Hafnium was actively exploiting the bugs at this time, and other APTs quickly followed suit. While the ProxyLogon/ProxyShell vulnerabilities are now well-known, some servers are still unpatched and open to attacks.
Sophos says that in the recent campaign, the loader was deployed once the Microsoft Exchange Server had been compromised. The server, belonging to an unnamed organization, was used to "mass distribute" Squirrelwaffle to internal and external email addresses by hijacking existing email threads between employees.
The spam campaign was used to spread Squirrelwaffle, but in addition, attackers extracted an email thread and used the internal knowledge within to conduct financial fraud.
Customer data was taken, while a victim organization was also selected. The attackers registered a domain with a name very close to the victim -- a technique known as typo-squatting -- and then created email accounts through this domain to reply to the email thread outside of the server.
"To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department," Sophos explained. "In fact, the additional addresses were also created by the attacker under the typo-squatted domain."
Over six days, the attackers tried to direct a legitimate financial transaction to a bank account they owned. The payment was on its way to being processed, and it was only due to a bank involved in the transaction realizing the transfer was likely fraudulent that the victim did not fall prey to the attack.
SAP launches cloud services to help Indian scaleups innovate m
SAP at SAP unveils now "GROW with SAP for Scaleups," a new cloud service d...
Denodo and Sonata form alliance to unlock data-to-value creati
Denodo and Sonata Information Technology India Limited (SITL) have annou...
Google Play Store will now let users download two apps simulta
Google Play Store now lets users download two apps simultaneously. While a...
Google Pay has added "Open Wallet" shortcut
With the introduction of the "Open Wallet" shortcut, Google Pay has impro...
LUMINOUS POWER TECHNOLOGIES PVT. LTD.
SAMSUNG INDIA ELECTRONICS PVT. LTD.
WIPRO LTD.
RAMCO SYSTEMS Ltd.
Technology Icons Of India 2023: Vijay Shekhar Sharma
Vijay Shekhar Sharma is an Indian technology entrepreneur and billiona...
Technology Icons Of India 2023: Anant Maheshwari
As President of Microsoft India, he is responsible for Microsoft’s o...
Technology Icons Of India 2023: Nikhil Rathi
Nikhil Rathi, Co-founder & CEO of Web Werks, a global leader in Data C...
GeM maintains transparency in online procurement of goods & services
Created in a record time of five months, Government eMarketplace is a ...
NIC bridging the digital divide and supporting government in eGovernance
The National Informatics Centre (NIC) is an Indian government departme...
DRDO is India's largest and most diverse research organisation
DRDO is the R&D wing of Ministry of Defence, Govt of India, with a vis...
RAH INFOTECH
RAH Infotech is India’s fastest growing technology value added dist...
INGRAM MICRO INDIA PVT. LTD.
Ingram Micro India, a large national distributor offers a comprehensiv...
TECHNOBIND SOLUTIONS PVT. LTD.
TechnoBind’s business model is focused on identifying and partnering...