CarderPlanet
Cybercriminals exploit a vulnerability in Microsoft Exchange servers to distribute the Qakbot malware.
Global furniture giant IKEA has launched an investigation into an ongoing malware campaign targeting its computer systems. According to company representatives, evidence has been found that points to the compromise of Microsoft Exchange servers.
As reported by Bleeping Computer, which obtained a letter sent to IKEA employees, a "full-scale investigation" of the incident is ongoing and there are currently no signs that customer data has been compromised. Other organizations, suppliers and business partners of IKEA were also affected by the attack.
In the malicious campaign, the criminals sent emails disguised as genuine replies to existing email threads. This reply-chain (thread-hijacking) technique is one of the hallmarks of the current SquirrelWaffle malspam campaign. The cybercriminals exploit the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange servers to distribute the Qakbot malware.
The emails may appear to come from trusted colleagues or from third-party companies the employee has previously corresponded with, which increases the likelihood that the social-engineering attack succeeds.
"Our email filters can identify some of the malicious emails and quarantine them. Because an email can be a response to an ongoing conversation, it's easy to think that the email filter has made a mistake in quarantining the email. Therefore, until further notice, we have disabled all employees' ability to move emails out of quarantine," IKEA told its employees.
IKEA recommends that employees be extra vigilant when checking their inbox for phishing emails, especially ones whose links end in seven digits.
When the user visits a URL from one of the malicious emails, they are redirected to download a file named charts.zip containing a malicious Microsoft Excel document. Recipients are prompted to click the "Enable Content" or "Enable Editing" buttons, ostensibly to display the document correctly. Clicking these buttons launches malicious macros that download the files besta.ocx, bestb.ocx and bestc.ocx from a remote site and save them in the C:\Datop folder. The .ocx files are in fact renamed DLLs, and they are executed with regsvr32.exe to install the payload.
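The delivery chain described in the post (lure link ending in seven digits, macro-enabled Excel file, .ocx files dropped into C:\Datop and loaded by regsvr32.exe) gives a defender several concrete things to look for in process telemetry and in mail links. The following is an added detection sketch; it is not code from the post, from Bleeping Computer or from IKEA. It assumes Sysmon-style process-creation fields (Image, CommandLine, ParentImage), uses constructed JSON-lines events rather than real telemetry, and uses example.invalid URLs; the only page-specific indicators it relies on are the C:\Datop folder and the besta/bestb/bestc.ocx file names from the article.

```python
"""
Detection sketch for the Qakbot delivery chain described above:
thread-hijacked email -> charts.zip -> macro-enabled Excel document ->
besta.ocx / bestb.ocx / bestc.ocx dropped into C:\\Datop -> regsvr32.exe loads them.
All events and URLs below are constructed for the example (not real telemetry).
"""
import json
import re
from typing import Dict, List

# Indicators taken from the article; everything else is generic behaviour.
DROP_DIR = r"c:\datop"
DROPPED_FILES = {"besta.ocx", "bestb.ocx", "bestc.ocx"}
# Office processes that should not normally spawn regsvr32.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample telemetry (JSON lines), modelled on Sysmon Event ID 1 fields.
# Event 1 mirrors the chain in the article; 2 is a benign installer; 3 is a generic
# suspicious .ocx registration; 4 is Excel spawning something that is not regsvr32.
SAMPLE_EVENTS = r"""
{"id": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Datop\\besta.ocx", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"id": 2, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"id": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32 C:\\Users\\alice\\AppData\\Local\\Temp\\update.ocx", "ParentImage": "C:\\Windows\\explorer.exe"}
{"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_findings(event: Dict) -> List[str]:
    """Return the reasons a process-creation event matches the described chain.

    An empty list means the event did not trigger anything. The checks go from
    most specific (the article's IoCs) to most generic (regsvr32 registering an
    .ocx from outside the Windows system directories), so the generic ones keep
    working once the attackers rename their files.
    """
    reasons: List[str] = []
    if _basename(event.get("Image", "")) != "regsvr32.exe":
        return reasons
    cmd = event.get("CommandLine", "").lower()
    parent = _basename(event.get("ParentImage", ""))

    if DROP_DIR in cmd:
        reasons.append("regsvr32 loading a module from the C:\\Datop drop folder")
    if any(name in cmd for name in DROPPED_FILES):
        reasons.append("known dropped file name (besta/bestb/bestc.ocx) on the command line")
    if parent in OFFICE_PARENTS:
        reasons.append(f"regsvr32 spawned by Office process {parent} (macro execution)")
    if ".ocx" in cmd and r"\windows\system32" not in cmd and r"\windows\syswow64" not in cmd:
        reasons.append("regsvr32 registering an .ocx outside the Windows system directories")
    return reasons


def scan(jsonl: str) -> Dict[int, List[str]]:
    """Parse JSON-lines telemetry and return {event id: reasons} for every hit."""
    hits: Dict[int, List[str]] = {}
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = regsvr32_findings(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# IKEA's advice: be wary of links that end in seven digits. Exactly seven, so an
# eight-digit tail does not match; a trailing slash is ignored.
_SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")


def link_ends_in_seven_digits(url: str) -> bool:
    """True if the link ends in exactly seven digits (the lure pattern from the article)."""
    return bool(_SEVEN_DIGIT_TAIL.search(url.rstrip("/")))


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}:")
        for reason in reasons:
            print(f"  - {reason}")
    for link in ("https://example.invalid/share/1234567", "https://example.invalid/docs/report.pdf"):
        print(link, "->", "suspicious" if link_ends_in_seven_digits(link) else "ok")
```

Run as a script it prints the reasons for events 1 and 3 and flags the first sample link. The point of layering the checks is that the C:\Datop path and the best*.ocx names are campaign-specific and will change, while "Office process spawns regsvr32" and "regsvr32 registers an .ocx from a user-writable location" describe the technique itself and stay useful as hunting queries after the indicators rotate.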
