Researchers at Sophos have released details of a financially motivated attack on an unnamed organization. The threat actors exploited the ProxyLogon and ProxyShell vulnerabilities in on-premises Microsoft Exchange servers; Microsoft shipped out-of-band patches for ProxyLogon in March 2021 and fixed the ProxyShell flaws in its April and May 2021 security updates. These vulnerabilities are now well known in the security community, yet some organizations still have not patched them. In this case the attackers used the unpatched servers to distribute the Squirrelwaffle malware loader through malicious emails carrying Microsoft Office documents or content posing as DocuSign. If a victim enabled macros, a VBS script fetched and ran Squirrelwaffle, which in turn pulled down and executed Cobalt Strike beacons. The threat actors also hijacked existing email threads and used them to try to initiate fraudulent financial transactions against the organization.
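The macro-to-VBS-to-loader chain described above is visible in endpoint process-creation telemetry. The following is an added example, not code from Sophos or from the original article, that flags an Office application spawning a script host, and a script host that was itself launched by Office spawning a DLL loader such as rundll32.exe. The event shape (pid, ppid, image, command line) mirrors Sysmon Event ID 1 fields, and the sample events are constructed for illustration; the process names in the allowlists are assumptions a detection engineer would tune to their environment.

```python
"""Flag Office -> script host -> DLL loader process chains (added example).

Records are assumed to carry the fields a Sysmon Event ID 1 log provides:
ProcessId, ParentProcessId, Image and CommandLine. The sample events below
are constructed, not taken from any real incident.
"""
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Assumed lists; tune to what is normal on your own fleet.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()


def find_office_script_chains(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one alert per suspicious parent/child pair.

    Rule 1: an Office application directly spawns a script host (macro -> VBS).
    Rule 2: a script host that was itself spawned by Office launches a DLL loader
            (VBS -> loader DLL). The grandparent check keeps ordinary logon
            scripts started from explorer.exe from firing the second rule.
    """
    by_pid = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par = basename(e.image), basename(parent.image)
        if par in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawns_script_host", "pid": e.pid,
                           "parent": par, "child": child, "cmd": e.command_line})
        elif par in SCRIPT_HOSTS and child in DLL_LOADERS:
            grand = by_pid.get(parent.ppid)
            if grand is not None and basename(grand.image) in OFFICE_APPS:
                alerts.append({"rule": "script_host_from_office_loads_dll", "pid": e.pid,
                               "parent": par, "child": child, "cmd": e.command_line})
    return alerts


# Constructed sample telemetry: one malicious chain plus two benign processes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.doc'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\AppData\Local\Temp\doc1.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,ldr"),
    # Benign: a second Word instance that never spawns anything.
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n C:\Users\alice\Documents\notes.docx'),
    # Benign: a logon script run directly from explorer, not from Office.
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe \\fileserver\netlogon\map_drives.vbs"),
]


if __name__ == "__main__":
    for alert in find_office_script_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample it reports two alerts, one for WINWORD.EXE launching wscript.exe and one for that wscript.exe launching rundll32.exe, while the explorer-launched logon script is ignored. In production the same two rules map directly onto a SIEM or EDR query over process-creation events, and the second rule is the one worth keeping strict, since a script host spawned by Office is rare in most fleets.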
Neither the exploitation of unpatched vulnerabilities nor the use of a malware loader is unusual. Organizations should apply security patches as soon as they can, and for internet-facing systems such as Exchange that means treating out-of-band releases as urgent. Email thread hijacking is also common, which is why any request for a large payment or a change of bank details that arrives by email should be verified out of band, in person or by phone, using contact details that did not come from the email itself.