Microsoft Exchange Servers being exploited to spread Qakbot malware
Amir Hadžipašić, CEO and founder of SOS Intelligence, told IT Pro that a vulnerability in Microsoft Exchange, which had remained unaddressed on affected servers since the last update on 12 October, had been exploited using a method similar to ProxyShell, the recently disclosed chain of Exchange flaws (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that gives an unauthenticated attacker remote code execution on on-premises Exchange servers.
Organisations that had fallen victim to the campaign confirmed Hadžipašić's suspicion that vulnerable Exchange servers were being used to launch the malspam campaign, the report adds.
The campaign is especially concerning for businesses because of how unsuspicious the lure looks. Rather than cold-emailing its targets, the SquirrelWaffle loader sends its malicious emails as replies into existing threads in compromised mailboxes, so the recipient sees a message from a known correspondent continuing a real conversation and is far more likely to trust the link or attachment. Analysis of victims' logs shows the sequence: ProxyShell exploitation of the on-premises Exchange server, followed by export of existing mail through Exchange Web Services (EWS), which hands the attacker the threads, recipients and subject lines needed to reply from inside those chains.
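As an added example of the log review described above (not code from the article or from SOS Intelligence), the Python below parses a constructed IIS W3C log excerpt from an Exchange Client Access server, flags Autodiscover requests with the ProxyShell shape known from public write-ups (an "@host/" segment in the query followed by an internal backend such as /mapi/nspi or /powershell), and then reports any later EWS access from the same client address, which is the point at which mail could be exported. The log lines, IP addresses and hostnames are all constructed; legitimate Autodiscover traffic carries "@" only inside the Email parameter, never followed by a backend path, which is what the matcher relies on.

```python
import re

# Constructed IIS (W3C extended) log excerpt for this example only; not data
# from any real victim. IIS writes '+' for spaces inside the User-Agent field.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-11-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-11-10 09:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.example 203.0.113.9 python-requests/2.26.0 200
2021-11-10 09:12:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?&Email=autodiscover/autodiscover.json%3F@evil.example 203.0.113.9 python-requests/2.26.0 200
2021-11-10 09:13:10 10.0.0.5 POST /EWS/Exchange.asmx - 203.0.113.9 python-requests/2.26.0 200
2021-11-10 09:14:02 10.0.0.5 POST /EWS/Exchange.asmx - 192.0.2.44 Microsoft+Office/16.0 200
2021-11-10 09:15:30 10.0.0.5 GET /autodiscover/autodiscover.json - 192.0.2.44 Microsoft+Office/16.0 401
"""

# Backend reached through the Autodiscover path confusion. Restricting to the
# '@host/backend' shape is an assumption of this example, taken from public
# ProxyShell write-ups rather than from anything in the article.
_BACKEND_RE = re.compile(r"@[^/\s]+/(mapi/nspi|powershell|ews/exchange\.asmx)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # cannot map this line onto the header; skip it
        yield dict(zip(fields, parts))


def analyze(text):
    """Flag ProxyShell-style Autodiscover requests and later EWS use by the same client."""
    proxyshell = []         # (time, client ip, backend reached)
    ews_after_exploit = []  # (time, client ip)
    exploited_ips = set()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        target = f"{stem}?{rec['cs-uri-query']}"
        # Legitimate Autodiscover carries '@' only inside Email=user@domain;
        # the pre-auth bypass needs '@host/' followed by an internal backend.
        if stem == "/autodiscover/autodiscover.json":
            m = _BACKEND_RE.search(target)
            if m:
                proxyshell.append((rec["time"], rec["c-ip"], m.group(1).lower()))
                exploited_ips.add(rec["c-ip"])
        elif stem.startswith("/ews/") and rec["c-ip"] in exploited_ips:
            # Same source later talking to EWS: consistent with the mail export
            # and thread hijacking described in the article.
            ews_after_exploit.append((rec["time"], rec["c-ip"]))
    return {"proxyshell": proxyshell, "ews_after_exploit": ews_after_exploit}


if __name__ == "__main__":
    result = analyze(SAMPLE_IIS_LOG)
    for when, ip, backend in result["proxyshell"]:
        print(f"{when} {ip} ProxyShell-style Autodiscover request -> {backend}")
    for when, ip in result["ews_after_exploit"]:
        print(f"{when} {ip} EWS access after exploitation attempt")
```

On a real server the log lives under the IIS log directory for the Default Web Site and the Exchange Back End site; feed both, since the frontend line shows the Autodiscover request and the backend line shows which internal virtual directory it actually reached. The Outlook client at 192.0.2.44 is deliberately left unflagged: ordinary EWS traffic is noise unless the same address has first shown the exploit pattern.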
“What is interesting about this particular campaign and is an important development is that all of the emails we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyShell,” Hadžipašić said to IT Pro.
“Following an investigation of the sender mail servers, all were confirmed (by http://Shodan.io) to be vulnerable; further discussions with a number of victims – who had confirmed having been compromised by a ProxyShell-type exploit and indeed were a source of these emails – confirm that Exchange servers and email threads were being ‘hijacked’ to deliver this malspam.”
A recent development in the campaign is a change in the URLs used in the malspam emails. Clickable hyperlinks have been abandoned in favour of short, non-hyperlinked URLs that lead to the download of a malicious payload such as Qakbot.
This introduces a point at which the attack can fail, since the victim must manually copy and paste the URL into a browser before the malware is dropped.
Dropping the http:// or https:// prefix means the mail client does not render the string as a hyperlink, and URL-rewrite protections in the mail gateway, which key on that prefix to wrap or scan links, leave it untouched. According to the report this has increased infections, because the link passes through email filters that would otherwise rewrite or block it.
“Both of these factors increase the likelihood of success since they are social engineering a victim, who will receive an email apparently related to a topic discussed not long ago with the sender and secondly the link was sent in such a way as to bypass any URL rewrite protection mechanisms,” said Hadžipašić.
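To show concretely why the scheme-less links matter to a filter, here is an added example in Python (not code from the article or from SOS Intelligence): a rewriter that, like many URL-rewrite protections and mail-client auto-linkers, keys on an explicit http:// or https:// scheme, beside a broader matcher that also catches bare host/path strings of the kind now used in the campaign. The three reply bodies, the rewrite.example host and the short TLD list are constructed for the example.

```python
import re
from urllib.parse import quote

# Constructed sample reply bodies (not taken from any real campaign). All three
# look like replies in an existing thread; they differ only in how the link is written.
MESSAGES = {
    "hyperlinked": (
        "RE: RE: contract renewal\n\nHi Sam, the revised document is here:\n"
        "https://files.example.net/contract-v2.zip\nThanks, Priya"
    ),
    "bare_url": (
        "RE: RE: contract renewal\n\nHi Sam, the revised document is at\n"
        "files.example.net/contract-v2.zip\n(copy and paste into your browser)\nThanks, Priya"
    ),
    "benign": (
        "RE: RE: contract renewal\n\nHi Sam, nothing to sign yet. Reach me at "
        "priya@corp.example.org or on ext. 2.26.\nThanks"
    ),
}

# What a typical gateway URL rewriter (or a mail client's auto-linker) keys on:
# an explicit http:// or https:// scheme.
SCHEME_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Scheme-less host[/path] tokens, which such a rewriter leaves untouched.
# The TLD list is deliberately short (an assumption of this example).
BARE_URL_RE = re.compile(
    r"(?<![@/\w.-])"                   # not inside an e-mail address or a scheme URL
    r"(?:[a-z0-9-]+\.)+"               # one or more DNS labels
    r"(?:com|net|org|info|biz|io|xyz|top|online|site|co\.uk|de|ru)\b"
    r"(?:/[^\s<>\"')]*)?",             # optional path
    re.IGNORECASE,
)

# Hypothetical rewrite service host, chosen for the example.
REWRITE_PREFIX = "https://rewrite.example/?u="


def naive_rewrite(body):
    """Wrap every scheme-prefixed URL the way a URL-rewrite protection would."""
    return SCHEME_URL_RE.sub(lambda m: REWRITE_PREFIX + quote(m.group(0), safe=""), body)


def classify_links(body):
    """Return (URLs a scheme-based rewriter catches, bare URLs it misses)."""
    rewritable = SCHEME_URL_RE.findall(body)
    bare = [m.group(0) for m in BARE_URL_RE.finditer(body)]
    return rewritable, bare


def evades_url_rewrite(body):
    """True when the body carries a link that survives naive_rewrite() unchanged."""
    _, bare = classify_links(body)
    return any(b in naive_rewrite(body) for b in bare)


if __name__ == "__main__":
    for name, body in MESSAGES.items():
        rewritable, bare = classify_links(body)
        print(f"{name:12} rewritten={rewritable} bare={bare} evades={evades_url_rewrite(body)}")
```

The benign message is there to show the cost of the broader matcher: an e-mail address and a dotted extension number must not be flagged, which is what the lookbehind and the TLD list are doing. In a real gateway you would route messages where evades_url_rewrite() is true to a stricter policy (detonation, quarantine or at least a banner) rather than letting them through on the basis that no link was found.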
Businesses are advised to urgently patch their Exchange servers to at least Cumulative Update 22 and, most importantly, to stop exposing EWS directly to the internet.