Microsoft Exchange
Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
When threat actors conduct malicious email campaigns, the hardest part is tricking users into trusting the sender enough to open the malware-distributing attachments that are included in, or linked from, the email.
Trend Micro researchers have discovered an interesting tactic for distributing malicious email to a company’s internal users: sending it through the victim’s own compromised Microsoft Exchange servers.
The actors behind this attack are believed to be ‘TR’, a known threat actor who distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads.
As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities.
The threat actors then use these compromised Exchange servers to reply to the company’s internal emails in reply-chain attacks, with the replies containing links to malicious documents that install various malware.
“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA),” explains Trend Micro’s report.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
Not only is this effective against the human recipients, but it’s also excellent for not raising any alarms on the email protection systems used in the target firm.
The attachments included in or linked from these emails are standard malicious Microsoft Excel templates that tell recipients to ‘Enable Content’ to view a protected file.
However, once the user enables content, malicious macros are executed to download and install the malware distributed by the attachment, whether that be Qbot, Cobalt Strike, SquirrelWaffle, or another malware.
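The two indicators the article describes, a mail path consisting only of internal Exchange hops and a reply that carries an external Office-document link or attachment, can be checked on the mail gateway or in a SOC triage script. The following is an added example and is not Trend Micro’s or BleepingComputer’s code; it assumes placeholder internal address ranges (`INTERNAL_NETS`), an internal domain (`corp.example`), and two constructed `.eml` samples embedded inline.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Placeholders for the defender's own environment (assumptions, not from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_DOMAIN = "corp.example"
# Lure file types: Office documents that prompt the user to "Enable Content".
MACRO_DOC_EXTS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")

# "from HOST (IP)" or "from HOST (NAME [IP])" as written in SMTP Received headers.
RECEIVED_FROM_RE = re.compile(
    r"from\s+(\S+)\s+\((?:[^()\s]+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s\"'<>]*)?", re.I)

# Constructed sample: a reply whose only hops are internal Exchange servers and
# whose body links to an off-domain spreadsheet.
INTERNAL_REPLY_EML = b"""\
Received: from EXCH02.corp.example (10.0.0.22) by EXCH01.corp.example (10.0.0.21)
 with Microsoft SMTP Server; Fri, 19 Nov 2021 10:15:02 +0000
Received: from EXCH03.corp.example (10.0.0.23) by EXCH02.corp.example (10.0.0.22)
 with Microsoft SMTP Server; Fri, 19 Nov 2021 10:15:01 +0000
From: Alice Example <alice@corp.example>
To: Bob Example <bob@corp.example>
Subject: RE: Q4 budget review
In-Reply-To: <original@corp.example>
References: <original@corp.example>
Message-ID: <reply@corp.example>
Content-Type: text/plain; charset="us-ascii"

Hi Bob, the updated sheet is here: http://files.example.invalid/budget.xls
You may need to click Enable Content to view it.
"""

# Constructed counterexample: same lure, but the message entered from an outside MTA.
EXTERNAL_REPLY_EML = INTERNAL_REPLY_EML.replace(
    b"from EXCH03.corp.example (10.0.0.23)", b"from mail.partner.example (198.51.100.5)")


def received_hops(msg):
    """Return (host, ip) for each Received header, outermost (latest) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def is_internal_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def is_reply(msg):
    """Reply-chain messages reference an earlier message or carry a RE:/FW: subject."""
    subject = (msg.get("Subject") or "").strip().lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) or \
        subject.startswith(("re:", "fw:", "fwd:"))


def external_doc_links(msg):
    """URLs in the text body that point off-domain at macro-capable Office files."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    found = []
    for host, path in URL_RE.findall(text):
        host = host.lower().split(":")[0]
        path = (path or "").lower()
        if not host.endswith(INTERNAL_DOMAIN) and path.endswith(MACRO_DOC_EXTS):
            found.append(host + path)
    return found


def attached_docs(msg):
    """Filenames of attached Office documents that can carry macros."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(MACRO_DOC_EXTS)]


def triage(raw):
    """Score one raw RFC 5322 message against the internal reply-chain pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = received_hops(msg)
    internal_only = bool(hops) and all(is_internal_ip(ip) for _, ip in hops)
    links = external_doc_links(msg)
    docs = attached_docs(msg)
    result = {
        "hops": hops,
        "internal_path_only": internal_only,
        "is_reply": is_reply(msg),
        "external_doc_links": links,
        "office_attachments": docs,
    }
    # The article's pattern: a reply that never left the internal Exchange path
    # but still carries an external Office-document link or attachment.
    result["matches_reply_chain_pattern"] = internal_only and result["is_reply"] and bool(links or docs)
    return result


if __name__ == "__main__":
    for name, raw in (("internal reply", INTERNAL_REPLY_EML),
                      ("external reply", EXTERNAL_REPLY_EML)):
        print(name, "->", triage(raw))
```

A hit from `triage` is a reason to quarantine and pull the sending mailbox’s server for ProxyShell/ProxyLogon web shell review, not proof of compromise on its own; genuine internal replies with links to an external file share will also match, so tune `INTERNAL_DOMAIN` and the extension list to the environment.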
According to Trend Micro’s report, the researchers have seen these attacks distribute the SquirrelWaffle loader, which then installs Qbot.
However, Cryptolaemus researcher ‘TheAnalyst’ says that the malicious document used by this threat actor drops both malware families as separate payloads, rather than SquirrelWaffle distributing Qbot.
Some of this name confusion might come from initial phrases like “SquirrelWaffle drops QakBot”, however as far as I know this has never happened. The maldoc has dropped both DLLs, but the timing is that the qbot traffic starts later than SqWa, so it just looks that way in pcaps.
Microsoft fixed the ProxyLogon vulnerabilities in March and the ProxyShell vulnerabilities in April and May, addressing them as zero-days at the time.
Threat actors have abused both vulnerabilities to deploy ransomware or install webshells for later backdoor access. The ProxyLogon attacks got so bad that the FBI removed web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.
After all this time and the wide media coverage these vulnerabilities have received, not patching Exchange servers is simply an open invitation to hackers.
Why don’t the FBI & Microsoft share their knowledge on how to remove these webshells so that affected businesses can eradicate these threats without having to resort to nuclear options like rebuilding their servers?
Cb31, patching an on-prem exchange server with the latest CU is roughly a 1-1.5 hr task for any experienced exadmin.