Rewterz Threat Alert – Squirrelwaffle Attacking Vulnerable Microsoft Exchange Server – Active IOCs

Severity

High

Analysis Summary

Squirrelwaffle debuted in September 2021 as a malspam loader. It has made its way into the wild, giving supporting actors a mechanism to deliver malware onto compromised computers and networks. It spreads via spam campaigns and uses malicious URLs or Microsoft Office files to start an infection chain when they are opened. Two vulnerability chains were employed in the attacks: ProxyLogon and ProxyShell. The servers were exploited using CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell). ProxyLogon is a server-side request forgery vulnerability that allows cybercriminals to gain access to an Exchange server by delivering a carefully crafted web request.

ProxyShell, on the other hand, gained access to the Exchange machines by abusing the URL normalization of explicit Login URLs. The remaining vulnerability in the chain allows PowerShell commands to be executed as a local administrator.

In this new attack method, the attackers exported an email thread about customer payments from the victim's Exchange server. Using the details obtained from the thread, they registered a similar-looking domain and replied to the exported thread from it, redirecting the victim's payments to themselves.


The attack was multi-layered: the attackers also copied additional email addresses to give the impression that they were requesting support from an internal department.
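To illustrate how the reply-thread hijack described above can be caught on the receiving side, here is an added detection example (not code from Rewterz or Sophos): it flags a reply whose sender, Reply-To or Cc addresses sit on a look-alike of a trusted domain. The trusted domains and the sample reply are constructed for this example.

```python
"""Flag replies to an existing mail thread that arrive from a look-alike
domain, the pattern used in the Squirrelwaffle payment-fraud attack."""
import re

# Common character substitutions seen in look-alike domains (assumed list)
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def domain_of(addr):
    """Return the lower-cased domain part of an address such as 'Bob <bob@x.com>'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def fold(domain):
    """Collapse homoglyph substitutions so 'c0rp' compares equal to 'corp'."""
    for bad, good in HOMOGLYPHS:
        domain = domain.replace(bad, good)
    return domain

def edit_distance(a, b):
    """Levenshtein distance via a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted):
    """True if domain is not trusted but within 2 edits of a trusted one after folding."""
    if domain in trusted:
        return False
    return any(edit_distance(fold(domain), fold(t)) <= 2 for t in trusted)

def flag_thread_hijack(msg, trusted):
    """Return findings for one reply in a thread; an empty list means nothing suspicious."""
    findings = []
    sender = domain_of(msg.get("From", ""))
    if is_lookalike(sender, trusted):
        findings.append(f"sender domain {sender} looks like a trusted domain")
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    for cc in re.split(r"[,;]\s*", msg.get("Cc", "")):
        d = domain_of(cc)
        if d and is_lookalike(d, trusted):
            findings.append(f"Cc address at look-alike domain {d}")
    return findings

# Constructed sample: a reply to the exported thread from a look-alike domain,
# with "internal" Cc addresses on the same fake domain and a third-party Reply-To.
TRUSTED = {"example-corp.com", "customer-ltd.com"}
SAMPLE_REPLY = {
    "From": "accounts@example-c0rp.com",
    "Reply-To": "payments@examp1e-corp.net",
    "Cc": "finance@example-c0rp.com, support@example-c0rp.com",
}
```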


From Sophos

Impact

  • Unauthorized Access
  • Data Exfiltration
  • Exposure of Sensitive Data

Indicators of Compromise

MD5

SHA-256

SHA-1

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Download patches for all the CVEs mentioned above from https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/ and apply them.