[German]IKEA has experienced a cyber attack on its email system, the company said in an internal email alert to employees. Attackers are attempting a reply-chain email attack on IKEA employees' inboxes by replying to legitimate emails from the company but attaching links or attachments with the goal of installing malware on recipients' devices.
Advertising
Bleeping Computer has received the internal warning to IKEA employees and reports on it here. The email to staff states:
There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.
This means that the attack can come via email from someone that you work with, fraom any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask yo to be extra cautious. […]
An attacker has probably managed to carry out a cyber attack on IKEA's internal email system. As a result, employees received malicious mails. Due to the reply chain email attack on IKEA employees' inboxes, other IKEA organizations, suppliers and business partners are also affected by the same attack. All of these entities may be distributing malicious emails to people within Inter IKEA.
Such mails are difficult to identify as an attack because the follow-up email attack may come from someone the recipients work with. This also applies to mails from an external organization or in response to an already ongoing conversation.
At this point, my warning about attacks on vulnerable Exchange servers, which are then used to spread SPAM mail or attacks, immediately comes to mind. See my posts at the end of the article.
IKEA's IT warned employees that reply chain emails contain links with seven digits at the end. Internally, a sample email was forwarded showing such a document. The following excerpt is from the email shown at Bleeping Computer.
IKEA sample email with malicious links, source: Bleeping Computer.
Advertising
Bleeping Computer colleagues seem to have managed to track the attack vector via the above links. If an employee accesses these URLs via browser, they are redirected to a download called "charts.zip". This archive file contains a malicious Excel document that prompts the user to click the "Enable Content" or "Enable Editing" buttons to properly view the document.
Bleeping Computer writes that when the user selects the buttons, the Excel file executes macros that download files named "besta.ocx", "bestb.ocx" and "bestc.ocx" from a remote site and store them in the C:\Datop folder. These OCX files are renamed to DLLs and executed with the regsvr32.exe command to install the malware payload.
Virustotal
These attack scenarios have been observed in malware campaigns that install the Qbot Trojan (also known as QakBot and Quakbot) and possibly Emotet, according to a VirusTotal entry, found by BleepingComputer.
Similar articles:
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks
Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423
CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 2021)
CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet
ProxyShell, Squirrelwaffle and a new PoC Exploit, patch your Exchange Server!
Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand
Cyber attack on Eberspächer Group – workforce on short-time work
Ransomware Attack on electronic retail markets of Media Markt/Saturn
Ransomware attack on German medical service provider medatixx
Advertising
