IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers use SquirrelWaffle malware to hack Exchange servers in new campaign

Researchers discovered malicious emails being sent as replies to existing email chains

Hackers are using ProxyShell and ProxyLogon exploits to break into Microsoft Exchange servers in a new campaign to infect systems with malware, bypassing security measures by replying to pre-existing email chains.

Security researchers at Trend Micro said investigations into several intrusions related to Squirrelwaffle led to a deeper examination into the initial access of these attacks, according to a blog post.

Researchers said that Squirrelwaffle first emerged as a new loader spreading through spam campaigns in September. The malware is known for sending its malicious emails as replies to pre-existing email chains.

The intrusions observed by researchers originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. According to researchers, there was evidence of the exploits on the vulnerabilities CVE-2021-26855CVE-2021-34473, and CVE-2021-34523 in the IIS Logs on three of the Exchange servers that were compromised in different intrusions.

“The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from ProxyShell vulnerabilities,” said researchers.

In one case, all the internal users in the affected network received spam emails sent as legitimate replies to existing email threads.

“All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” they said.

In the same intrusion, researchers analyzed the email headers for the received malicious emails and found that the mail path was internal, indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,” they added.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

Researchers said that the hackers also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers in order to avoid detection. Additionally, no malware was executed on the Exchange servers to avoid triggering alerts before the malicious email could be spread across the environment.

According to researchers, the recent Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files.

“Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,” they warned.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

The IT Pro Podcast: Enabling bilingual business
collaboration

The IT Pro Podcast: Enabling bilingual business

30 Sep 2022
Podcast transcript: Enabling bilingual business
collaboration

Podcast transcript: Enabling bilingual business

30 Sep 2022
Windows 11 Update 2022: The "first major" Windows 11 update brings slew of new business features
Microsoft Windows

Windows 11 Update 2022: The "first major" Windows 11 update brings slew of new business features

21 Sep 2022
Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday
Security

Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday

14 Sep 2022

Most Popular

Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022