A security firm has detected a breach of Microsoft Exchange email servers. A threat actor has infiltrated Exchange servers in several parts of the world in order to abuse their messaging capabilities. The end goal of this email server breach is to access the hacked victim company’s email communication and use Exchange’s messaging facility to spread further malware. The malware involved is a new family, which the cyber security world has named Squirrelwaffle.
How is the email server breach being exploited?
The security firm which caught the incident reported that the threat actor specifically targeted Exchange email servers which had not yet applied the security patches for the known vulnerabilities ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523).
After a successful email server breach, the hackers use PowerShell to trawl the machine’s email store for existing email conversations. They then reply to these threads, spreading the malware further through an infected Excel file attached to the reply.
On interacting with the Excel file, the malware triggers a macro code, which installs the Squirrelwaffle onto the system.
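Because the delivery vector described above is a macro-carrying Excel attachment riding on a trusted thread, a mail gateway check that flags macro-bearing Office attachments regardless of how legitimate the thread looks is a practical mitigation. The following is an added example written for this article, not code from the security firm or the article; the sample workbooks are constructed in memory and the function names are my own.

```python
import io
import zipfile

# Magic bytes of an OLE compound file (legacy .xls/.doc): macros cannot be
# ruled out from the container alone, so these are routed to deeper inspection.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Zip parts that hold VBA code in OOXML Excel, Word and PowerPoint files.
MACRO_PARTS = ("xl/vbaproject.bin", "word/vbaproject.bin", "ppt/vbaproject.bin")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-binary', 'clean' or 'not-office' for one attachment."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "not-office"
    return "macro" if any(p in names for p in MACRO_PARTS) else "clean"


def quarantine_decisions(attachments: dict) -> dict:
    """Map attachment name -> action. Macro-bearing files are quarantined even when
    the message is a reply to a genuine thread, since that is exactly the abuse here."""
    actions = {}
    for name, data in attachments.items():
        verdict = classify_attachment(data)
        if verdict == "macro":
            actions[name] = "quarantine"
        elif verdict == "legacy-binary":
            actions[name] = "inspect"
        else:
            actions[name] = "deliver"
    return actions


def build_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML workbook, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-vba-stream")
    return buf.getvalue()
```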
A brief on the Squirrelwaffle malware
SquirrelWaffle is a new malware family modelled on notorious predecessors such as Emotet, TrickBot, and Dridex. It has capabilities that allow other threat actors from the Squirrelwaffle ‘gang’ to access an infected system, which they do through shared access to the botnet active on that system.
Squirrelwaffle has become highly active since September 2021, announcing itself with a large spam campaign. Some believed it was a replacement for the Emotet malware, but Emotet itself has since reappeared.
The uniqueness of this email server breach
The security firm looking into this Squirrelwaffle attack notes that this was a very rare case of an email server being broken into purely to piggyback on its existing messaging capabilities. Attackers rarely bother to trawl an entire server for email threads, since phishing achieves much the same effect with far less effort. This is an indicator that attackers are advancing their skills to exploit technical gaps in servers. Once spotted, such techniques are likely to be copied by other threat actors.
“The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activities will be detected,” the security team explained. “Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.”