Recent Reply-Chain Email Attack Delivering Qakbot
Description
FortiGuard Labs is aware of a report that a reply-chain email attack is using compromised Microsoft Exchange servers to target employees within the affected company. Often referred to as a "hijacked email reply-chain attack" or a "thread hijacking attack", a reply-chain email attack is an attack vector in which the attacker replies to legitimate emails that were previously stolen, inserting a malicious link or attachment into the reply. Because the reply appears to come from a trusted sender inside an existing conversation, the recipient is more likely to open the link or the attachment. In the latest report, Qakbot was reportedly delivered to the victim as a result.
Why is this Significant?
This is significant because the affected Microsoft Exchange servers were reportedly compromised using ProxyShell and ProxyLogon. The attacker then harvests legitimate corporate emails from the compromised email servers and sends emails to potential victims within the affected organization as replies to those threads. Those fake "replied" emails typically contain a malicious link or malicious attachment that delivers malicious documents. Because the malicious emails are replies to legitimate emails and were sent from legitimate but compromised email servers, the recipients are more likely to open the link or the attachment, resulting in malware infection.
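The following is an added triage example, not part of the FortiGuard Threat Signal, that turns the reply-chain pattern described above into a simple mail-gateway or SOC check. It assumes (an assumption, not something the report states) that a message which looks like a reply (In-Reply-To or References header present) but carries an attachment of a type commonly used for malicious documents, or a link to a host outside the sender's domain, deserves a second look. The extension list, the sample messages and the domain names are all constructed for the example.

```python
"""Flag replies that carry unexpected attachments or off-domain links.

Added example (not code from the report). Heuristics and samples are
constructed assumptions; tune them for a real environment.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list: attachment types often used to deliver malicious documents.
RISKY_EXTENSIONS = {".zip", ".doc", ".docm", ".xls", ".xlsm", ".iso", ".lnk", ".js"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _attachment_names(msg: Message):
    """Yield filenames of every MIME part that declares one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def _link_hosts(msg: Message):
    """Yield hostnames of every http(s) URL found in text bodies."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            for url in URL_RE.findall(payload.decode("utf-8", "replace")):
                yield (urlparse(url).hostname or "").lower()


def triage_reply(raw: str) -> dict:
    """Return why a raw RFC 822 message looks like a hijacked reply, if it does."""
    msg = message_from_string(raw)
    reasons = []
    # A reply-chain lure references an existing thread; plain new mail does not.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    if not is_reply:
        return {"is_reply": False, "suspicious": False, "reasons": reasons}
    sender_domain = _sender_domain(msg)
    for name in _attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"reply carries risky attachment: {name}")
    for host in _link_hosts(msg):
        if host and sender_domain and not host.endswith(sender_domain):
            reasons.append(f"reply links to external host: {host}")
    return {"is_reply": True, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a reply to a real thread that adds an archive and an
# off-domain download link, the shape of lure described in the report.
SAMPLE_HIJACKED_REPLY = """\
From: Alice Example <alice@example-corp.test>
To: Bob Example <bob@example-corp.test>
Subject: RE: Q3 invoice
In-Reply-To: <original-thread-id@example-corp.test>
References: <original-thread-id@example-corp.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please see the updated document: http://files.invoice-update.test/q3.zip

--XYZ
Content-Type: application/zip; name="q3_invoice.zip"
Content-Disposition: attachment; filename="q3_invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed sample: an ordinary in-thread reply with an internal link only.
SAMPLE_BENIGN_REPLY = """\
From: Alice Example <alice@example-corp.test>
To: Bob Example <bob@example-corp.test>
Subject: RE: Q3 invoice
In-Reply-To: <original-thread-id@example-corp.test>
Content-Type: text/plain; charset="utf-8"

Thanks Bob, the figures are on https://intranet.example-corp.test/q3
"""

if __name__ == "__main__":
    for label, raw in (("hijacked", SAMPLE_HIJACKED_REPLY), ("benign", SAMPLE_BENIGN_REPLY)):
        print(label, triage_reply(raw))
```

The check deliberately does not try to decide whether a message is malicious; it only surfaces replies that combine thread context with the two lure ingredients the report names, so an analyst or a sandbox can look at the attachment or link before the recipient does.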
What is ProxyShell?
ProxyShell is an exploit attack chain involving three Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. When used in a chain against a vulnerable Microsoft Exchange server, the attack allows the attacker to remotely run malicious code on the targeted system.
FortiGuard Labs previously released two Threat Signals associated with ProxyShell. See the Appendix for links to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell", "Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam" and "New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware".
Relevant patches were released by Microsoft in April and May 2021.
What is ProxyLogon?
ProxyLogon refers to CVE-2021-26855. It is a pre-authentication proxy vulnerability in Microsoft Exchange servers that allows a remote actor to bypass authentication and obtain admin server privileges. CVE-2021-26855 is typically chained with other exploits for remote code execution. Most notably, the HAFNIUM APT group used CVE-2021-26855 with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 as a 0-day in targeted attacks, which prompted Microsoft to release out-of-cycle patches in March 2021.
FortiGuard Labs previously released two Threat Signals associated with ProxyLogon. See the Appendix for a link to "Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server".
What Malware is Delivered in the recent Reply-chain Email Attack?
Qakbot appears to be delivered in the recent attack. However, the reply-chain email attack is not new and is known to deliver other malware such as Emotet, SquirrelWaffle and IcedID.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against files used in the attack:
XF/CoinMiner.Z!tr
All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.
FortiGuard Labs provides the following IPS signatures against ProxyShell:
MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution
MS.Exchange.MailboxExportRequest.Arbitrary.File.Write
MS.Exchange.Server.Common.Access.Token.Privilege.Elevation
FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.
FortiGuard Labs provides the following IPS signature against ProxyLogon:
MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution
Any Other Suggested Mitigation?
To protect against attacks leveraging ProxyShell and ProxyLogon, it is recommended to restrict untrusted connections to Exchange servers. An alternate recommendation is to set up a VPN to separate the Exchange server from external access. Using either of these mitigation recommendations will only protect against the initial portion of the attack. Other portions of the chain can still be triggered if an attacker already has access or can convince an administrator via social engineering methods to open a malicious file. It is therefore recommended to prioritize installing the available patches on Exchange Servers immediately.
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.
Also, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
Appendix
Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell (Fortinet)
New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware (Fortinet)
Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam (Fortinet)
Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server (Fortinet)
Tweet by Frost (@fr0s7_)
IKEA email systems hit by ongoing cyberattack (BleepingComputer)