Connect with us

Hi, what are you looking for?

HEADLINES

Sophos uncovers Squirrelwaffle malware, financial fraud attacks using the same vulnerable Exchange server

The researchers discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers.

Sophos, a global leader in next-generation cybersecurity, published research detailing an incident when the Squirrelwaffle malware loader was used in conjunction with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server and mass distribute Squirrelwaffle to internal and external recipients by inserting malicious replies onto employees’ existing email threads.

The researchers discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers.

The fraud almost succeeded. The transfer of funds to the malicious recipient was authorized, but luckily a bank became suspicious and prevented the transaction from going through. 

Matthew Everts, an analyst at Sophos Rapid Response and one of the researchers, said: “In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. However, in the incident investigated by Sophos Rapid Response, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server.

Advertisement. Scroll to continue reading.

“It is a good reminder that patching alone isn’t always enough protection. For example, in the case of vulnerable Exchange servers, you need to check that the attackers haven’t left behind a web shell to maintain access. When it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”

The Squirrelwaffle Incident Guide 

Alongside the new research, Sophos has published a Squirrelwaffle Incident Guide that provides step-by-step guidance on investigating, analyzing, and responding to incidents involving this increasingly popular malware loader, which is distributed as a malicious office document in spam campaigns and provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware.

Advertisement. Scroll to continue reading.
Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Kaspersky has been at the forefront of raising awareness about cybercrimes and empowering individuals and organizations to protect themselves.

HEADLINES

“We remind our customers to carefully inspect URLs before opening them. Criminals often use spellings very close to legitimate domains to deceive customers into...

HEADLINES

For the Philippines, PH-CERT and NADPOP estimate that the country needs 180,000 trained and validated cybersecurity professionals to proactively and effectively protect the country’s...

White Papers

46% of geo-distributed companies encountered network problems between one and three times per month, while 13% stated they experienced network challenges every week. The...

HEADLINES

“Data is the new oil. Cyber criminals steal personal information to defraud you or use your identity to victimize people close to you. Guard...

White Papers

According to the report, among organizations surveyed, 97% of those hit by ransomware over the past year engaged with law enforcement and/or official government...

HEADLINES

This development marks a major step forward in Globe's long-standing #PlayItRight advocacy to help promote and protect the country’s ₱1.6-trillion creative industry from the...

HEADLINES

Spoofing is a technique where fraudsters impersonate SMS channels to deceive recipients. The practice has seen a marked rise, especially in Metro Manila, with...

Advertisement