CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 2021)

Security researchers, the German Federal Office for Information Security (BSI) and CERT-Bund have issued a warning: they are currently (Nov. 2021) observing a significant increase in e-mail attacks. BSI and CERT-Bund assume that these e-mails are sent from compromised Exchange servers and are used to distribute malware (Qakbot and others).


Two tweets with corresponding warnings have come to my attention this morning. The BSI has packaged its warning in this tweet. From the German CERT-Bund there is this tweet, which refers to the following tweet from early November 2021.


The facts: Malicious emails from legitimate servers

The German Federal Office for Information Security (BSI) is currently observing a significant increase in attacks via e-mail. As in the past with Emotet, the attackers are using supposed responses to actual e-mail conversations of the affected parties to distribute malware links.

What is new, however, is that the fake e-mails are sent via the legitimate mail servers of the senders themselves, making technical detection and recognition by the reader much more difficult. It can therefore be assumed that the attackers have access to the mail server, which then "properly" acts as the sender itself. The links refer to different malware variants, such as:

  • Qakbot (aka Pinkslipbot, QBot)
  • DanaBot
  • SquirrelWaffle

An infection with QakBot, for example, usually leads to the compromise of the entire network and eventually to a ransomware incident for the affected party. An infection with DanaBot or SquirrelWaffle can also end in a ransomware incident. How the perpetrators gain access to the mail traffic is still unclear at this point, the BSI writes.
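The attack pattern described above (a reply to a genuine conversation, sent through the sender's own legitimate mail server, carrying a link to malware) defeats the usual sender-authentication checks. The following triage heuristic is an added example, not code from the original post or from the BSI; it inspects the reply context instead of the authentication result. The sample message, the domains in it and the "known thread domains" input are constructed.

```python
"""Triage for reply-chain (thread-hijack) lures sent through a legitimate mail
server, as in the BSI/CERT-Bund warning. Added example, not from the post.
Sample message and domains are constructed; headers are standard RFC 5322/8601."""
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_domains(text):
    hosts = (urlparse(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}

def triage(raw, known_thread_domains=()):
    """Return reasons the message looks like a hijacked-thread lure.
    known_thread_domains: hostnames already seen in the genuine thread
    (assumed to come from the mailbox's own history)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Reply-chain lure: a reply that introduces links to domains the
    # conversation has never referenced (sender's own domain excluded).
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    frm = msg["From"]
    sender_domain = frm.addresses[0].domain.lower() if frm and frm.addresses else ""
    new_domains = link_domains(text) - set(known_thread_domains) - {sender_domain}
    reasons = []
    if is_reply and new_domains:
        reasons.append("reply introduces links to unseen domains: " + ", ".join(sorted(new_domains)))
    # Mail really leaves the sender's own server, so passing SPF/DKIM is
    # expected here and must not be treated as exonerating.
    auth = str(msg["Authentication-Results"] or "").lower()
    if reasons and "spf=pass" in auth and "dkim=pass" in auth:
        reasons.append("SPF/DKIM pass is consistent with sending via the compromised legitimate server")
    return reasons

SAMPLE = """\
From: Anna Example <anna@example-corp.test>
To: bob@partner.test
Subject: RE: Invoice 2021-11
In-Reply-To: <orig-1@partner.test>
References: <orig-1@partner.test>
Authentication-Results: mx.partner.test; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

Hi Bob, the updated document is here: https://files-download.invalid/doc.zip

> Please send the invoice via https://portal.partner.test/invoices
"""
```

Calling `triage(SAMPLE, ["portal.partner.test"])` flags the new download domain and notes that the passing SPF/DKIM result is expected for this attack, not a reason to release the mail.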


Compromised Microsoft Exchange servers?

In the above tweet and the BSI report, however, it is suspected that the attackers have compromised Microsoft Exchange servers and are now abusing them to send mail. The report states (translated):

The BSI assumes that compromised Exchange servers have been used for the attacks for some time. The reason for this assessment is the repeated successful attacks over the course of the year via critical vulnerabilities in these systems. The Federal Office had already warned of these attacks at the time (including in March and October).

However, it is unclear which vulnerability in Exchange Server is actually being used for these current attacks. Even a current patch level on an Exchange server is no reliable indicator that a compromise can be ruled out, because an applied patch does not undo a compromise that has already taken place. And in the past there was often an acute risk of Exchange installations being compromised very quickly, i.e. before an update had even been applied.

In addition, access credentials for such infected systems are currently being traded on underground marketplaces on the Internet (access brokers / Access-as-a-Service).

BSI recommendations in case of compromise

If the Exchange server is suspected of being compromised, the BSI recommends rebooting the server and restoring the necessary data. An infection with Qakbot often results in a complete compromise of the entire network; because the infection is usually that far-reaching, the entire network typically has to be rebuilt! According to the BSI, incidents as massive as those seen with QakBot compromises have also been observed with the DanaBot malware, independently of the campaign now being observed.

SquirrelWaffle is a relatively new malware that acts as a loader for other malware and can therefore also be an entry point for ransomware attackers. QakBot has already been observed being loaded via SquirrelWaffle [TAL2021]; all of these network compromises are usually the basis for a subsequent ransomware deployment.

From the BSI's point of view, it must be assumed in principle that these fake emails with their extended pretexting methodology could be more successful than Emotet was back then. However, the number of emails sent / harvested is still much lower, which currently puts the acute damage potential into perspective.

