Warning: Undefined array key "HTTP_ACCEPT_LANGUAGE" in /home/u596154002/domains/usbusinessreviews.com/public_html/wp-includes/load.php on line 2057

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the rank-math domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u596154002/domains/usbusinessreviews.com/public_html/wp-includes/functions.php on line 6114
Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud - Best Business Review Site 2024

Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud

[ad_1]

The combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers is being used to conduct financial fraud through email hijacking. 

ZDNet Recommends


The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

On Tuesday, researchers from Sophos revealed a recent incident in which a Microsoft Exchange Server, which had not been patched to protect it against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam. 

Microsoft issued emergency patches on March 2, 2021, to resolve zero-day vulnerabilities exploitable to hijack servers. The advanced persistent threat (APT) group Hafnium was actively exploiting the bugs at this time, and other APTs quickly followed suit. 

While the ProxyLogon/ProxyShell vulnerabilities are now well-known, some servers are still unpatched and open to attacks. 

The recent case documented by Sophos combined the Microsoft Exchange Server flaws with Squirrelwaffle, a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content tacked on to phishing emails. 

If an intended victim enables macros in the weaponized documents, Squirrelwaffle then is often used to pull and execute CobaltStrike beacons via a VBS script. 

Also: FritzFrog botnet returns to attack healthcare, education, government sectors

Sophos says that in the recent campaign, the loader was deployed once the Microsoft Exchange Server had been compromised. The server, belonging to an unnamed organization, was used to “mass distribute” Squirrelwaffle to internal and external email addresses by hijacking existing email threads between employees. 

Email hijacking can take many forms. Communication threads can be compromised through social engineering and impersonation — such as by an attacker pretending to be an executive to fool accounting departments into signing off a fraudulent transaction — or by sending email blasts containing links leading to malware payloads. 

In this case, the spam campaign was used to spread Squirrelwaffle, but in addition, attackers extracted an email thread and used the internal knowledge within to conduct financial fraud. 

Customer data was taken, and a victim organization was selected. The attackers registered a domain with a name very close to the victim — a technique known as typo-squatting — and then created email accounts through this domain to reply to the email thread outside of the server.

“To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department,” Sophos explained. “In fact, the additional addresses were also created by the attacker under the typo-squatted domain.” 

Over six days, the attackers tried to direct a legitimate financial transaction to a bank account they owned. The payment was on its way to being processed, and it was only due to a bank involved in the transaction realizing the transfer was likely fraudulent that the victim did not fall prey to the attack. 

“This is a good reminder that patching alone isn’t always enough for protection,” commented Matthew Everts, Sophos researcher. “In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven’t left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”

See also


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


[ad_2]

Source link

slot gacor slot gacor togel macau slot hoki bandar togel slot dana slot mahjong link slot link slot777 slot gampang maxwin slot hoki slot mahjong slot maxwin slot mpo slot777 slot toto slot toto situs toto toto slot situs toto situs toto situs toto situs toto slot88 toto slot slot gacor thailand slot bet receh situs toto situs toto slot toto slot situs toto situs toto situs toto situs togel macau toto slot slot demo slot pulsa slot pragmatic situs toto deposit dana 10k surga slot toto slot link situs toto situs toto slot situs toto situs toto slot777 slot gacor situs toto slot slot pulsa 10k toto togel situs toto slot situs toto slot gacor terpercaya slot dana slot gacor pay4d agen sbobet kedai168 kedai168 deposit pulsa situs toto slot pulsa situs toto slot pulsa situs toto situs toto situs toto slot dana toto slot situs toto slot pulsa toto slot situs toto slot pulsa situs toto situs toto situs toto toto slot toto slot slot toto akun pro maxwin situs toto slot gacor maxwin slot gacor maxwin situs toto slot slot depo 10k toto slot toto slot situs toto situs toto toto slot toto slot toto slot toto togel slot toto togel situs toto situs toto toto slot slot gacor slot gacor slot gacor situs toto situs toto cytotec toto slot situs toto situs toto toto slot situs toto situs toto slot gacor maxwin slot gacor maxwin link slot 10k slot gacor maxwin slot gacor slot pulsa situs slot 10k slot 10k toto slot toto slot situs toto situs toto situs toto bandar togel 4d toto slot