November 24, 2021
Severity
Medium
Analysis Summary
Squirrelwaffle is a malspam loader that emerged in September 2021. It spreads through spam campaigns carrying malicious links or Microsoft Office files that trigger an infection chain when opened. ProxyLogon and ProxyShell were the two exploits used in the attacks.
The vulnerabilities CVE-2021-26855 (ProxyLogon), CVE-2021-34473 and CVE-2021-34523 (ProxyShell) were used to compromise the servers. ProxyLogon is a server-side request forgery (SSRF) vulnerability that lets threat actors access an Exchange server by sending a specially crafted web request. ProxyShell, on the other hand, abuses URL normalization of explicit logon URLs to reach the Exchange machines. The third vulnerability, CVE-2021-34523 in the Exchange PowerShell back end, can be used to impersonate a local administrator and run PowerShell commands.
The malicious emails carry Microsoft Excel or Word attachments which download a ZIP file onto the system and execute the malicious DLL it contains.
Impact
- Unauthorized Access
- Data Exfiltration
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- taketuitions[.]com
- stunningmax[.]com
- omoaye[.]com[.]br
- mcdreamconcept[.]ng
- imprimija[.]com[.]br
- iperdesk[.]com
URL
- https[:]//taketuitions[.]com/dTEOdMByori/j[.]html
- https[:]//oel[.]tg/MSOFjh0EXRR8/j[.]html
- https[:]//mcdreamconcept[.]ng/9jFVONntA9x/r[.]html
- https[:]//headlinepost[.]net/3AkrPbRj/x[.]html
- https[:]//dongarza[.]com/gJW5ma382Z/x[.]html
- https[:]//constructorachg[.]cl/eFSLb6eV/j[.]html
- https[:]//agoryum[.]com/lPLd50ViH4X9/r[.]html
- http[:]//stunningmax[.]com/JR3xNs7W7Wm1/y1[.]html
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Download patches for all the CVEs mentioned above at https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
- Use detection and protection services like XDRs, SOARs, and EDRs.
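The two IOC steps above (block the indicators, search for them in your environment) are easier to act on once the defanged list is turned back into real hostnames and URLs. The script below is an added example written for this advisory, not Rewterz's own tooling: it refangs the indicators exactly as listed above, derives a hostname blocklist from both the domain and URL sections (so hosts that only appear inside URLs, such as oel.tg, are covered too), and scans proxy log lines for exact-URL or domain/subdomain hits. The proxy log format, the sample log lines and the internal IP addresses are constructed for the example; adapt the `LOG_LINE` regex to your own proxy or DNS log layout.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the advisory above.
DEFANGED_DOMAINS = [
    "taketuitions[.]com",
    "stunningmax[.]com",
    "omoaye[.]com[.]br",
    "mcdreamconcept[.]ng",
    "imprimija[.]com[.]br",
    "iperdesk[.]com",
]
DEFANGED_URLS = [
    "https[:]//taketuitions[.]com/dTEOdMByori/j[.]html",
    "https[:]//oel[.]tg/MSOFjh0EXRR8/j[.]html",
    "https[:]//mcdreamconcept[.]ng/9jFVONntA9x/r[.]html",
    "https[:]//headlinepost[.]net/3AkrPbRj/x[.]html",
    "https[:]//dongarza[.]com/gJW5ma382Z/x[.]html",
    "https[:]//constructorachg[.]cl/eFSLb6eV/j[.]html",
    "https[:]//agoryum[.]com/lPLd50ViH4X9/r[.]html",
    "http[:]//stunningmax[.]com/JR3xNs7W7Wm1/y1[.]html",
]

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2021-11-24T09:12:01Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2021-11-24T09:12:07Z 10.0.0.15 GET https://taketuitions.com/dTEOdMByori/j.html 200",
    "2021-11-24T09:13:40Z 10.0.0.22 GET https://cdn.stunningmax.com/static/app.js 200",
    "2021-11-24T09:14:02Z 10.0.0.31 GET https://notomoaye.com.br/login 302",
    "this line is malformed and must be skipped",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '[:]', 'hxxp') back into its real form."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def build_blocklist(domains, urls):
    """Return (blocked_hosts, blocked_urls); URL hostnames are folded into the host set."""
    hosts = {refang(d).lower().rstrip(".") for d in domains}
    full_urls = set()
    for u in urls:
        real = refang(u)
        full_urls.add(real)
        hosts.add(urlparse(real).hostname)  # urlparse lower-cases the hostname
    return hosts, full_urls


def host_matches(host: str, blocked_hosts) -> bool:
    """Exact or subdomain match only; 'notomoaye.com.br' must not match 'omoaye.com.br'."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def scan_proxy_log(lines, blocked_hosts, blocked_urls):
    """Return (client, url, reason) for every log line touching a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the sweep
        url = m.group("url")
        host = urlparse(url).hostname
        if host is None:
            continue
        if url in blocked_urls:
            hits.append((m.group("src"), url, "url"))
        elif host_matches(host, blocked_hosts):
            hits.append((m.group("src"), url, "domain"))
    return hits


if __name__ == "__main__":
    blocked_hosts, blocked_urls = build_blocklist(DEFANGED_DOMAINS, DEFANGED_URLS)
    print("hosts to block:", sorted(blocked_hosts))
    for src, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG, blocked_hosts, blocked_urls):
        print(f"HIT [{reason}] {src} -> {url}")
```

The subdomain rule in `host_matches` is deliberate: a proxy or DNS sweep should catch `cdn.stunningmax.com` as well as the bare domain, while a plain substring check would also flag unrelated hosts that merely end in the same letters.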