by Reese Kimmons, MS ISA
Researchers at cybersecurity firm Trend Micro have discovered a new attack vector that allows bad actors to gain access to Microsoft Exchange servers and inject themselves into email message threads.
Hackers are able to reply to emails as if they were parties to the original conversation. Because their messages appear to come from trusted internal sources, those who receive them are far more likely to click on malicious links and infect company systems.
Worse yet, this attack variant does not typically trigger any security alerts in its early stages, and because it is so hard to detect and so likely to succeed, it will probably become very popular among bad actors worldwide.
Anatomy of the Email Attack
To gain access, hackers are leveraging known, unpatched vulnerabilities in Microsoft Exchange servers, including CVE-2021-26855 (ProxyLogon) and CVE-2021-34473 and CVE-2021-34523 (ProxyShell). Once they’re inside, they use PowerShell functionality to access users’ stored messages and send malicious replies to their emails.
In the instances analyzed by Trend Micro, replies sent by the threat actors included links to Excel files that, if downloaded, would install malware known as Squirrelwaffle. This malware adds the systems it infects to a botnet. Access to the botnet is then rented out by the perpetrators of the initial email-based attack.
Why Security Controls Aren’t Stopping Them
In the initial attack, hackers are not installing any malware on the Exchange servers or any other systems, nor are they moving laterally about the network, so no security alerts are typically triggered.
Because the emails they send originate from within, they aren’t blocked or quarantined by email filters. By all appearances, they are authentic replies from authorized email addresses sent from within the domain.
The email headers examined by Trend Micro revealed nothing suspicious and did not indicate that any of the messages were from external senders. All path information provided in the headers was internal.
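Because the messages originate from a legitimate mailbox and carry clean headers, filtering on sender or path information will not catch them. What does stand out is behaviour: a single mailbox suddenly replying to many existing threads, each reply carrying a link or attachment. The following is an added example, not code from the article or from Trend Micro, that runs such a burst heuristic over constructed mail-submission log lines. The log format (timestamp, sender, recipient, quoted subject, attachment flag, URL count) is a simplified assumption and is not the real Exchange message-tracking schema.

```python
"""Burst heuristic for hijacked reply-chain mail (added example, not the article's code).

Flags a sender whose reply messages carrying links or attachments reach many
distinct recipients within a short time window. Log layout is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: one message per line in the simplified
# format "ISO-timestamp sender recipient "subject" attach=0|1 urls=N").
# dave@corp.example shows the pattern: six link-bearing replies in nine seconds.
SAMPLE_LOG = """\
2021-11-15T08:01:10Z alice@corp.example bob@corp.example "RE: Q4 budget" attach=0 urls=0
2021-11-15T08:05:42Z alice@corp.example carol@partner.example "RE: contract draft" attach=1 urls=0
2021-11-15T09:12:03Z bob@corp.example alice@corp.example "Lunch?" attach=0 urls=0
this line is deliberately malformed and must be skipped
2021-11-15T13:00:01Z dave@corp.example v1@vendor.example "RE: invoice 1042" attach=0 urls=1
2021-11-15T13:00:02Z dave@corp.example v2@vendor.example "RE: shipping update" attach=0 urls=1
2021-11-15T13:00:04Z dave@corp.example erin@corp.example "RE: meeting notes" attach=0 urls=1
2021-11-15T13:00:05Z dave@corp.example frank@corp.example "RE: onboarding" attach=0 urls=1
2021-11-15T13:00:07Z dave@corp.example grace@client.example "RE: project kickoff" attach=0 urls=1
2021-11-15T13:00:09Z dave@corp.example heidi@corp.example "RE: timesheets" attach=0 urls=1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sender>\S+) (?P<rcpt>\S+) "(?P<subject>[^"]*)" '
    r'attach=(?P<attach>[01]) urls=(?P<urls>\d+)$'
)
# A reply to an existing thread: subject begins with "RE:" (case-insensitive).
REPLY_RE = re.compile(r'^\s*re\s*:', re.IGNORECASE)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "subject": m["subject"],
            # "payload" = the reply carries something a user might click or open
            "payload": m["attach"] == "1" or int(m["urls"]) > 0,
        })
    return events


def find_suspicious_senders(events, window=timedelta(minutes=10), min_recipients=5):
    """Return {sender: (window_start, distinct_recipients)} for every sender whose
    payload-bearing replies reach >= min_recipients distinct recipients inside
    any sliding window of length `window`. Replies without links/attachments and
    non-reply mail are ignored, so ordinary correspondence does not alert."""
    by_sender = defaultdict(list)
    for e in events:
        if e["payload"] and REPLY_RE.match(e["subject"]):
            by_sender[e["sender"]].append(e)

    hits = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until evs[lo..hi] spans at most `window`.
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            rcpts = {e["rcpt"] for e in evs[lo:hi + 1]}
            if len(rcpts) >= min_recipients:
                hits[sender] = (evs[lo]["ts"], len(rcpts))
                break  # first qualifying window is enough to raise the alert
    return hits


def run_sample():
    """Run the heuristic over the constructed log and return the alerts."""
    return find_suspicious_senders(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for sender, (start, n) in run_sample().items():
        print(f"ALERT {sender}: {n} distinct recipients of link/attachment replies from {start.isoformat()}")
```

The thresholds (ten minutes, five recipients) are assumptions to tune against a mailbox's normal reply volume; the point is that the signal lives in sending behaviour, which the attacker cannot launder the way the headers are laundered. Alice's single attachment reply to a partner does not alert, while the burst from Dave's mailbox does.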
Internal Email Attacks Have the Potential for Explosive Growth
Considering all of its advantages, cybercriminals are likely to quickly adopt this strategy and use it to deliver a wide range of malware packages. They will have a better than average chance of gaining access to the resources they need without being detected.
They need not be concerned about getting their messages, links, and attachments past email filters, nor do they need to expend much effort coming up with a believable scam since their emails already appear to be from known, trusted senders.
When targets receive these malicious messages, the built-in trust that comes from seeing a genuine, familiar email address makes it far more likely that they will download the infected attachment and facilitate the installation of malware.
Mitigating the Threat of Email Breaches
Given that the emails used by these bad actors come from within and don’t typically trigger security alerts, it is up to the recipient to evaluate the message and email address and determine whether they are legitimate.
Be Aware of Anything Suspicious
The user community should be made aware of this threat as part of their ongoing cybersecurity training. Users should be advised to look for anything suspicious in the messages they receive before they click on links or download attachments even if the emails appear to come from trusted internal sources.
Look Out for Unnecessary Links and Attachments
Users should be wary of emails wherein the reply does not appear to directly relate to the original message, or where the inclusion of an attachment or link seems unnecessary. If suspicions arise, users should be trained to call the sender directly and verify the email’s authenticity. Procedures for reporting malicious emails like these should also be included as a component of user training.
Managed Detection and Response Services
With regard to technical controls, patch management protocols should be in place to ensure that security patches for Exchange servers and other systems are installed promptly.
In today’s environment of continually evolving and growing threats, organizations may also wish to consider implementation of a managed detection and response (MDR) service that monitors systems 24/7, detects and analyzes potential threats through the use of artificial intelligence, and can either stop attacks before they occur or mitigate the potential for damage should an attack succeed.
New Email Threat: In Closing
Phishing attacks are on the rise, and more and more advanced email threats are happening in real time and within seemingly secure mail servers. These types of new email threats will unfortunately continue to occur if they are found to be successful, so it’s up to individuals and companies alike to be proactive and stay on the lookout for email scams.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.