Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

November 23, 2021

Researchers identified evidence of exploits targeting the vulnerabilities CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 within IIS logs on three compromised Exchange servers during separate intrusions. These CVEs were previously associated with the ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) attack chains.

Analysis of the IIS logs revealed that the threat actor used a publicly available exploit, which gave them access to user SIDs and mailboxes and let them search for and download targeted emails.

Exploitation via ProxyShell

The ProxyShell vulnerability abuses the URL normalization applied to the Explicit Logon URL: if the URL's suffix is autodiscover/autodiscover.json, the logon email is stripped from the URL, so arbitrary backend URLs are reached with the access level of the Exchange machine account (NT AUTHORITY\SYSTEM).

Though NT AUTHORITY\SYSTEM lacks a mailbox, Exchange’s PowerShell remoting feature can be accessed directly through this vulnerability. By using the X-Rps-CAT query string parameter, attackers can deserialize and restore a user’s identity, enabling them to impersonate a local administrator and execute PowerShell commands.
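The IIS log review described above can be reduced to a few string checks over each request. The following script is an added example, not code from the article or from the researchers: it parses a constructed IIS W3C log excerpt (server names, client IPs and the X-Rps-CAT token value are made up) and flags requests whose path or query carries the autodiscover.json suffix used to strip the Explicit Logon address, or the X-Rps-CAT query parameter aimed at the PowerShell endpoint. The field names come from the log's own #Fields header, so the parser works with whatever column order a server is configured to log.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for illustration; server names, IPs and the
# X-Rps-CAT token value are made up and are not indicators from the article.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-01 09:12:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2021-11-01 09:12:07 10.0.0.5 GET /autodiscover/autodiscover.json@example.test/mapi/nspi/ &Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.9 python-requests/2.25 200
2021-11-01 09:12:09 10.0.0.5 POST /autodiscover/autodiscover.json@example.test/powershell/ X-Rps-CAT=CONSTRUCTED_TOKEN 443 - 203.0.113.9 python-requests/2.25 200
2021-11-01 09:13:44 10.0.0.5 GET /ecp/ - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        record = dict(zip(fields, values))
        record["_line"] = lineno
        yield record


# Each rule maps a name to a predicate over one parsed record. The first two
# rules catch the autodiscover.json suffix (in the Explicit Logon path and in
# the Email query parameter); the third catches the X-Rps-CAT query parameter.
RULES = {
    "explicit_logon_autodiscover_json": lambda r: "autodiscover/autodiscover.json@" in r["cs-uri-stem"].lower(),
    "email_param_autodiscover_json": lambda r: "email=autodiscover/autodiscover.json" in unquote(r["cs-uri-query"]).lower(),
    "x_rps_cat_query_parameter": lambda r: "x-rps-cat=" in r["cs-uri-query"].lower(),
}


def find_suspicious_requests(text):
    """Return [(line number, client IP, [matched rule names])] for matching requests."""
    hits = []
    for rec in parse_iis_w3c(text):
        matched = [name for name, test in RULES.items() if test(rec)]
        if matched:
            hits.append((rec["_line"], rec["c-ip"], matched))
    return hits


def client_ips(hits):
    """Distinct client IPs across all hits, useful for pivoting into other log sources."""
    return sorted({ip for _, ip, _ in hits})


if __name__ == "__main__":
    for line, ip, rules in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(f"line {line}: {ip} matched {', '.join(rules)}")
```

Matching on the decoded query (unquote) matters because the "?" that terminates the injected suffix is typically logged percent-encoded; a rule that only looks at the raw string misses it. The client IPs returned by client_ips are the natural pivot into firewall and proxy logs for the same window.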

Malicious Email Campaign Observations

Spam Email Delivery

In one observed intrusion, attackers hijacked legitimate email chains to send malicious spam as replies. All internal users on the affected network received emails written in English, though different regions saw other languages used. True account names from the victim’s domain were used as sender and recipient, increasing the likelihood that recipients would trust the messages and click on the malicious links.

Email Path Analysis

Analysis of email headers revealed that the spam emails were transmitted internally between the three Exchange servers. This internal routing bypassed external message transfer agents (MTAs), open mail relays, and mail gateways, reducing the chances of detection or quarantine.
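The two observations above (same-domain sender and recipient on a reply, and Received hops that never leave the organization's Exchange servers) can be checked mechanically from message headers. The script below is an added example, not code from the article: it walks the Received chain of two constructed messages (hostnames, addresses and IPs are made up), classifies each hop against an assumed list of internal address ranges (RFC 1918 here; a real deployment would substitute its own ranges), and combines that with the reply and same-domain checks into one indicator.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message headers for illustration; hostnames, addresses and IPs are made up.
INTERNAL_ONLY = """\
Received: from EXCH02.corp.example (10.0.0.6) by EXCH01.corp.example (10.0.0.5) with Microsoft SMTP Server (TLS); Mon, 1 Nov 2021 09:20:11 +0000
Received: from EXCH03.corp.example (10.0.0.7) by EXCH02.corp.example (10.0.0.6) with Microsoft SMTP Server (TLS); Mon, 1 Nov 2021 09:20:10 +0000
From: Alice Example <alice@corp.example>
To: Bob Example <bob@corp.example>
Subject: RE: Q4 invoice
In-Reply-To: <original@corp.example>
Message-ID: <reply@corp.example>

Please see the attached document.
"""

VIA_GATEWAY = """\
Received: from mx.corp.example (10.0.0.2) by EXCH01.corp.example (10.0.0.5) with Microsoft SMTP Server (TLS); Mon, 1 Nov 2021 09:20:11 +0000
Received: from mail.partner.example (203.0.113.50) by mx.corp.example (10.0.0.2) with ESMTP; Mon, 1 Nov 2021 09:20:09 +0000
From: Carol Partner <carol@partner.example>
To: Bob Example <bob@corp.example>
Subject: Q4 invoice
Message-ID: <new@partner.example>

Hello.
"""

# Assumed definition of "internal": RFC 1918 space. Replace with the ranges
# actually used by your Exchange servers and mail gateways.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 addresses in parentheses, as Exchange writes them in Received headers.
IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def hop_ips(received_header):
    """All IPv4 addresses named in one Received header (the 'from' and 'by' hosts)."""
    return IPV4.findall(received_header)


def analyze_path(raw_message):
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    ips = [ip for header in received for ip in hop_ips(header)]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    return {
        "hop_count": len(received),
        # Empty chains are not treated as internal: no evidence either way.
        "all_hops_internal": bool(ips) and all(is_internal(ip) for ip in ips),
        "same_domain": sender_domain == recipient_domain,
        "looks_like_reply": msg.get("In-Reply-To") is not None or subject.lower().startswith("re:"),
    }


def hijacked_thread_indicator(result):
    """True when a reply between two same-domain accounts never crossed a gateway."""
    return result["all_hops_internal"] and result["same_domain"] and result["looks_like_reply"]


if __name__ == "__main__":
    for name, raw in (("internal-only", INTERNAL_ONLY), ("via-gateway", VIA_GATEWAY)):
        result = analyze_path(raw)
        print(name, result, "-> flag" if hijacked_thread_indicator(result) else "-> ok")
```

Internal replies between colleagues are of course normal, so this indicator is a triage filter rather than an alert on its own: it is most useful when joined with the Exchange server's own message tracking logs, where a burst of replies submitted directly on the server, rather than from user mail clients, stands out.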

Techniques to Evade Detection

The attacker avoided using tools for lateral movement or executing malware on the Exchange servers. This minimized suspicious network activity and avoided triggering alerts prior to the malicious email campaign’s launch.

The spam emails contained links leading to the following URLs:

  • aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787
  • aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787

Clicking these links dropped a ZIP file onto the victim’s machine.

Malicious Payloads

The ZIP file contained a malicious Microsoft Excel sheet embedded with Excel 4.0 macros designed to download and execute a malicious DLL associated with Qbot malware.

Delivery Method

The macros ran as soon as the Excel file was opened, downloading and executing the DLL; the infection therefore required no lateral movement or additional malware execution on the Exchange servers.

Threat Actor Objectives and Impact

Exploitation for Spam Campaigns

The attackers exploited Exchange servers to deliver internal emails, ensuring the spam campaign remained within the organization’s network. By avoiding external mail paths, the attack bypassed traditional filtering mechanisms, making it more likely for users to interact with the malicious files.

User Manipulation

The carefully crafted spam campaign aimed to catch users off-guard, exploiting trust in internal emails. This increased the likelihood of victims clicking the links and opening the malicious Excel or Word files, initiating the infection process.

Conclusion

This attack underscores the sophistication of exploiting Exchange vulnerabilities for malicious campaigns. By leveraging ProxyShell vulnerabilities and internal email delivery, the attackers minimized detection opportunities and maximized impact.

Organizations should prioritize patching known vulnerabilities like CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523. Additionally, implementing advanced monitoring and security solutions is essential to detect abnormal activities, even within internal email communications.