Researchers have never before seen SquirrelWaffle attackers use typosquatting to keep sending spam once a targeted Exchange server has been patched for ProxyLogon/ProxyShell.
SquirrelWaffle – the newish malware loader that first showed up in September – once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads.
That part is old news: a SquirrelWaffle campaign hijacks an existing email thread to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, much as the virulent Emotet malware – typically spread via malicious emails or text messages – has operated.
But this time, the operators added a twist: They mined the hijacked thread for details and used them to trick the target into a money transfer.
They almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.
In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that, typically, a SquirrelWaffle attack – which entails the threat actors walking through holes left by the unpatched, notorious, oft-picked-apart ProxyLogon and ProxyShell Exchange server vulnerabilities – ends when those holes finally get patched, removing the attacker’s ability to send emails through the server.
But in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.
“The combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated,” the analysts wrote.
In this case, patching Exchange wouldn’t have clipped SquirrelWaffle’s tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim’s Exchange server.
Besides which, as the analysts noted and as Sophos detailed last March, patching isn’t the be-all and end-all of remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.
The double-up attack on the vulnerable Exchange server started with the attackers registering a typosquat domain. In other words, they registered a domain name that resembled the victim’s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.
“Moving the conversation out of the victim’s email infrastructure gave the attackers operational control over what happened next,” Everts and McNally explained.
What happened next was that the attackers tried to divert the victim’s customer’s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy in more email addresses, to make it look like they were requesting support from an internal department. But these additional email addresses were just as bogus, sent from the same not-quite-right, look-alike typosquat domain.
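As an added example (not code from Sophos or Threatpost), the following Python script shows one way a mail-flow or SOC check could catch the trick described above: it pulls the sender domain from each From: header in a thread, folds common look-alike substitutions, and flags any domain that sits within a couple of edits of the organisation’s real domain but is neither that domain nor one of its subdomains. The trusted domain, the sample headers, the substitution list and the distance threshold are all assumptions constructed for illustration.

```python
"""Flag reply senders whose domain is a near-miss of a trusted domain.

Added example, not Sophos or Threatpost code. The trusted domain, the
sample From: headers and the thresholds are constructed for illustration.
"""
import re
import unicodedata

# Assumption: the organisation's genuine domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Assumption: domains within this many edits of a trusted domain are suspicious.
MAX_DISTANCE = 2

# Common look-alike swaps folded before comparison (illustrative, not exhaustive).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

# Matches 'Name <addr>' or a bare address.
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,]+@[^\s<>,]+)")


def extract_address(header_value: str) -> str:
    """Return the bare, lower-cased address from a From: header value."""
    m = ADDR_RE.search(header_value)
    if not m:
        raise ValueError(f"no address in {header_value!r}")
    return (m.group(1) or m.group(2)).strip().lower()


def normalise_domain(domain: str) -> str:
    """Lower-case, NFKC-fold and apply the look-alike substitutions."""
    d = unicodedata.normalize("NFKC", domain).lower().strip().rstrip(".")
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=MAX_DISTANCE):
    """Return (verdict, closest_trusted_domain, distance).

    verdict is 'trusted' (the real domain or a subdomain of it),
    'lookalike' (a near-miss of a trusted domain) or 'external'.
    """
    domain = domain.lower().rstrip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t, 0)
    norm = normalise_domain(domain)
    best = None
    for t in trusted:
        dist = levenshtein(norm, normalise_domain(t))
        if best is None or dist < best[1]:
            best = (t, dist)
    if best is not None and best[1] <= max_distance:
        return ("lookalike", best[0], best[1])
    return ("external", best[0] if best else None, best[1] if best else None)


def scan_thread(from_headers):
    """Classify every sender in a thread; return the look-alike ones."""
    findings = []
    for hdr in from_headers:
        addr = extract_address(hdr)
        domain = addr.rsplit("@", 1)[1]
        verdict, closest, dist = classify_domain(domain)
        if verdict == "lookalike":
            findings.append((addr, closest, dist))
    return findings


# Constructed From: headers from a hijacked payment thread (not real data).
SAMPLE_THREAD = [
    "Accounts Payable <ap@example-corp.com>",
    "Customer Billing <billing@customer.example.net>",
    "Accounts Payable <ap@example-corp.co>",        # dropped final letter
    "Finance Support <finance@exarnple-corp.com>",  # 'rn' standing in for 'm'
    "Customer Billing <billing@customer.example.net>",
]

if __name__ == "__main__":
    for addr, closest, dist in scan_thread(SAMPLE_THREAD):
        print(f"LOOKALIKE {addr} (resembles {closest}, distance {dist})")
```

The check deliberately compares the whole domain rather than just the second-level label, so a dropped TLD character (`.co` for `.com`) is caught alongside a swapped letter. In a real deployment the trusted set would also include partner domains that regularly appear in payment threads, since those are just as attractive to typosquat.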
Next, they started using “this transaction’s ready to go!” language, as in the screen capture Sophos provided below.
Source: Sophos.
Next came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. “I appreciate how busy you are,” the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, “but wondered if you could give me an update regarding the renewal?”
Source: Sophos.
The attackers’ fake accountant faux-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they’d get them an invoice ASAP.
Source: Sophos.
Sophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang cliché: Namely, patch those servers.
“The single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,” according to the post.
Sophos also provided tips on what to do if your organization has already been attacked. In fact, it’s put together a Squirrelwaffle Incident Guide to help victims investigate, analyze and respond.