Compromised exchange servers are being hijacked and exploited in a particularly sneaky wave of email-based cyberattacks. In an approach similar to the Emotet attacks, the recipient receives purported responses to genuine email conversations which contain links leading to malware. The difference here is that these attack emails are actually sent using the legitimate mail server of the supposed sender.
This makes it a lot more difficult to filter out these messages technically or for the user to identify them as inauthentic. According to an alert issued by Germany’s Federal Office for Information Security (BSI), the links relay users through to various forms of malware, including DanaBot, SquirrelWaffle and the especially menacing Quakbot. “Bleeping Computer” also reported on this.
At present it has neither been discovered is unclear how the attackers gain access to the email traffic or exactly which vulnerability in Microsoft Exchange is being exploited in this new wave of attacks. The BSI presumes that the servers in question had already been taken over some time ago without companies noticing. In the meanwhile, criminals continue to trade the corresponding credentials to the highest bidder on darknet marketplaces. With this highly sophisticated method of duping recipients, this latest rendition of bogus emails threatens to be even more “successful” than Emotet once was (even if the volume of such emails sent thus far remains much lower for the time being).
Should a company suspect that their Exchange server has been compromised, the BSI advises them to reset their Exchange servers and reinstall the necessary data. To combat attacks, outages, and incidents, Retarus offers their Email Continuity service, which is consciously not based on Microsoft products. The service makes ready-to-use, pre-provisioned webmail accounts available to users in emergency situations. The routing of messages can then instantly be redirected to this “active” backup, ensuring that staff can keep communicating without disruption.
Email Continuity is closely tightly integrated with Retarus Email Security, which naturally also provides full protection for these emergency email accounts. Other Retarus Secure Email Platform services, including Email Archive and Email Encryption, are also available for this failover service on request.