phishing emails to unsuspected customers.

This is yet another campaign in which unpatched Exchange Servers are being abused for malicious purposes. In August 2021, attackers were found targeting unpatched Exchange servers with ProxyShell attack – In September 2021, Conti ransomware affiliates were attacking unpatched Exchange Servers with ProxyShell exploits.

In a blog post, Peter Wagner of Certitude disclosed that disclosed in early November 2021, the company received information about phishing emails sent to one of its customers’ email account containing suspicious URLs.

These emails were sent as replies to previously sent messages, due to which these appeared legit. The email headers indicated that these originated from the customers’ Exchange rather than being spoofed from external sources.

Unpatched Microsoft Exchange Servers abused in new phishing campaign

Malicious emails identified by Certitude

Further probe revealed that the on-premise exchange servers that haven’t received any updates for several months and contained multiple vulnerabilities are targeted in this campaign.

The vulnerabilities include ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and ProxyLogon (CVE-2021-26855). However, researchers did not find malware on the Exchange server.

How does The Scheme Works?

As per the IIS logs analyzed by Certitude, the scammers used specially crafted server-side request forgery (SSRF) requests for exploiting CVE-2021-26855 focused at the Exchange Web Services API endpoint. This allowed scammers to conduct unauthorized actions under the guise of legitimate users.

Researchers also noted that the ItemClass of all emails in the Exchange Logs that the attacker created was set to IPM.Blabla. When researchers filtered these emails in Outlook, they realized that it worked for those mailboxes that received the suspicious emails.

However, researchers noted that they didn’t find those emails in the Sent folders of impacted users. Here’s a sample of the URLs that conformed to the regex pattern ([a-z]+.[a-z0-9]+.com/[a-z]+/[a-z]+-[0-9]+) – Sample: [sdf.wwkwe.com/tatamua/uzaro-3381926]

Later it was identified that organizations impacted by similar attacks were the victims of an attack campaign dubbed Squirrelwaffle, a malspam campaign to deliver Qakbot, Cobalt Strike.

Nevertheless, the certitude research team recommends users update all applications in short cycles and patch them timely.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Posted by Charlie