IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers use SquirrelWaffle malware to hack Exchange servers in new campaign

Researchers discovered malicious emails being sent as replies to existing email chains

Hackers are using ProxyShell and ProxyLogon exploits to break into Microsoft Exchange servers in a new campaign to infect systems with malware, bypassing security measures by replying to pre-existing email chains.

Security researchers at Trend Micro said investigations into several intrusions related to Squirrelwaffle led to a deeper examination into the initial access of these attacks, according to a blog post.

Researchers said that Squirrelwaffle first emerged as a new loader spreading through spam campaigns in September. The malware is known for sending its malicious emails as replies to pre-existing email chains.

The intrusions observed by researchers originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. According to researchers, there was evidence of the exploits on the vulnerabilities CVE-2021-26855CVE-2021-34473, and CVE-2021-34523 in the IIS Logs on three of the Exchange servers that were compromised in different intrusions.

“The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from ProxyShell vulnerabilities,” said researchers.

In one case, all the internal users in the affected network received spam emails sent as legitimate replies to existing email threads.

“All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” they said.

In the same intrusion, researchers analyzed the email headers for the received malicious emails and found that the mail path was internal, indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,” they added.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

Researchers said that the hackers also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers in order to avoid detection. Additionally, no malware was executed on the Exchange servers to avoid triggering alerts before the malicious email could be spread across the environment.

According to researchers, the recent Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files.

“Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,” they warned.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022
Microsoft warns of new botnet variant targeting Windows and Linux systems
Security

Microsoft warns of new botnet variant targeting Windows and Linux systems

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Actively exploited Windows vulnerability reaches peak severity when paired with popular attack
Security

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

11 May 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022