Researchers at Sophos have released information about a financial attack on an unnamed organization. In the attack, the threat actors leveraged the ProxyLogon/ProxyShell vulnerabilities in Microsoft Exchange servers, for which an emergency patch was released in March 2021. These vulnerabilities are now well known within the security community, but there are still organizations that have not patched them. In this case, the attackers took advantage of the unpatched servers and combined them with the Squirrelwaffle malware loader, which was being distributed through malicious emails containing Microsoft Office documents or DocuSign content. If the victim enabled macros, Squirrelwaffle was used to pull and execute Cobalt Strike beacons via a VBS script. The threat actors used the attack to hijack email communications and then used those hijacked threads to initiate fraudulent financial transactions within the organization.