Internal emails published by Bleeping Computer reveal that leading furniture retailer IKEA is battling an ongoing campaign of phishing attacks, fueled by internal and vendor accounts that have already been compromised.
The emails advise employees to expect phishing attack attempts from “other IKEA organisations, suppliers and business partners” that have fallen victim. The campaign appears to be particularly tenacious as it is exploiting reply chains in the compromised accounts, stepping into the middle of ongoing conversations and directing victims to malicious Excel files. IKEA has reportedly disabled employees' ability to release automatically quarantined emails from its email system.
Endemic IKEA phishing attack shows some signs of being a ransomware attempt
The reply-chain email phishing attacks tend to work well for hackers as the attempt is not only coming from an email account the victims recognize, but is inserted into the middle of an existing email exchange. If these phishing emails don’t stand out too much in terms of language used or odd filenames/URLs, the recipient has little reason to believe it isn’t a trusted party following up with legitimate documents.
In the case of the IKEA phishing attack, the leaked email screenshots indicate that neither the language nor the malicious URLs used were exactly flawless in execution. Nevertheless, they seem to have compromised multiple parties in the company that clicked without carefully looking at the email contents.
There are indications that the phishing attack is making use of a known vulnerability in Microsoft Exchange email servers, one related to the series of zero-days in January used to compromise thousands of businesses. The attack uses ProxyShell and ProxyLogon to intercept and jump into the middle of ongoing email conversations without having direct access to a target’s inbox. Microsoft patched these vulnerabilities in March and May, but admins need to install the patches manually and clearly some still have not.
A previously unknown threat actor being called “TR” has compromised other businesses in recent weeks with this approach, using similar malware payload types. They also use an Excel document with malicious macros that tells the recipient to enable the “content” and “editing” modes, at which point the document downloads the malware (often Qbot, Emotet and SquirrelWaffle). The attacker’s ultimate goal appears to be to move laterally to an account that will allow it to compromise the entire network with ransomware, an approach that has already been used on other targets.
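As an added, defender-side illustration that is not code from the article or from IKEA: a Python triage check modelled on the behaviour described above, holding a message for review when it sits inside an existing thread (a reply) and carries or links to an Excel file. Sender addresses, the thread id and the attachment bytes are constructed placeholders.

```python
import re
from email.message import EmailMessage

# File types the campaign above delivers: Excel documents that ask the reader to
# "enable content"/"enable editing" so an embedded macro can fetch the loader.
EXCEL_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".xlam")
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

def is_reply(msg: EmailMessage) -> bool:
    """A hijacked reply-chain message always sits inside an existing thread."""
    if msg.get("In-Reply-To") or msg.get("References"):
        return True
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(("re:", "fw:", "fwd:"))

def excel_attachments(msg: EmailMessage) -> list:
    """Names of attached files with an Excel extension (case-insensitive)."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(EXCEL_EXTENSIONS)]

def excel_links(msg: EmailMessage) -> list:
    """URLs in the body that point straight at an Excel file or an archive."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    targets = EXCEL_EXTENSIONS + (".zip",)
    return [u for u in URL_RE.findall(text) if u.lower().rstrip(".,);").endswith(targets)]

def assess(msg: EmailMessage) -> dict:
    """Hold a message for review when a reply carries or links to an Excel lure."""
    reasons = []
    if is_reply(msg):
        files = excel_attachments(msg)
        links = excel_links(msg)
        if files:
            reasons.append("reply carries Excel attachment(s): " + ", ".join(files))
        if links:
            reasons.append("reply links to Excel/archive download: " + ", ".join(links))
    return {"quarantine": bool(reasons), "reasons": reasons}

def build_sample(subject: str, body: str, attachment: str = None) -> EmailMessage:
    """Constructed test message; addresses and thread id are placeholders."""
    msg = EmailMessage()
    msg["From"] = "partner@supplier.example"
    msg["To"] = "buyer@retailer.example"
    msg["Subject"] = subject
    msg["In-Reply-To"] = "<thread-placeholder@retailer.example>"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg
```

A real deployment would feed `assess` from the mail gateway and route flagged messages to a quarantine that, as IKEA did, end users cannot release themselves.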
IKEA battling to contain phishing attack campaign
Since the Exchange vulnerability has been known for some time, email filters are often able to automatically recognize and catch messages that exploit it. IKEA’s internal emails indicate that they are having at least some success in automatically quarantining the phishing attacks. However, since the attack targets ongoing legitimate email exchanges, recipients often release emails from quarantine; IKEA’s admins appear to have disabled this ability because it was leading to further compromise.
Though the purpose of the phishing attack appears to be data exfiltration and possibly the installation of ransomware, a spokesperson for IKEA said that they had yet to see any evidence of customer or business partner data being stolen from their internal network. Of course, that does not preclude the possibility of internal documents being taken or of vendors experiencing their own follow-on compromise.
IKEA has also said that it is in the midst of a full investigation of the phishing attack and that it has taken action to prevent damages, and that employees have received training on identifying phishing emails.
Danny Lopez, CEO of Glasswall, notes that this incident is an indictment of phishing training: “This is a perfect example of why employees should not be your only line of defence against cyberattacks. Instead, organisations should take a proactive, zero-trust approach to cybersecurity and have the measures in place to prevent attacks from penetrating your systems. A simple, proactive solution like Content Disarm and Reconstruction (CDR) technology is so valuable because it helps to create a digital environment where a threat cannot exist. This means that users can trust every email attachment that enters or leaves an organisation, as these can also contain bad links and malicious content. It’s also far more efficient and cost-effective than relying solely on your employees.”
Brent Johnson, CISO at Bluefin, has not given up on phishing training but stresses that it must be more rigorous and targeted: “In a post-coronavirus world, CISOs can further training efforts and maintain employee vigilance by implementing targeted phishing campaigns on end-users, sending periodic security best practice reminders, and providing relevant security training programs based on the business and employee role … CISOs with a remote workforce should consider evolving cloud-based security platforms to assist with endpoint security to ensure hardened and monitored systems are used for work purposes even while not connected to a corporate network/VPN. These are effective first steps in controlling potential vulnerabilities that accompany new remote work setups.”
The SquirrelWaffle ransomware associated with this attack has become something of a trend in cyber attacker circles since at least October, with an approach reminiscent of (and sometimes even incorporating) the notorious Emotet malware. Reply-chain attackers seem to be primarily targeting English-language organizations, but have also been seen targeting organizations in France, Germany, the Netherlands and Poland, sending messages in those countries' native languages.
The phishing attacks may end up being attributable to multiple parties, but the approach is always fundamentally the same as was seen in this IKEA attack: jumping into the middle of a Microsoft Exchange-hosted email conversation with the “Reply All” feature, and attempting to get the target(s) to click on a malicious Excel file and enable editing features to run a script that fetches the malware. SquirrelWaffle is generally used as a loader to install Qakbot or a cracked version of the popular penetration testing tool Cobalt Strike.
Garret Grajek, CEO of YouAttest, sees this sort of thing as the “new normal”: “Another example of the constant scanning and probing of our enterprises. Every vulnerability will be explored and exploited … Constant vigilance on both user and admin accounts is required especially when an enterprise is securing customer, financial and health care data.”