IKEA is suffering an ongoing reply-chain email attack in which threat actors are targeting employees using a stolen legitimate corporate email.
Reply-Chain Email Attacks
A reply-chain email attack is one in which scammers take over a corporate email account and then reply to existing conversations with URLs pointing to malicious files that install malware on the victim’s device.
Because the reply-chain emails are legitimate messages from a company and are usually sent from hijacked email accounts and internal servers, recipients are more likely to trust the sender and open the poisoned documents.
IKEA Dealing With The Active Cyberattack
In the internal emails published by Bleeping Computer, the giant furniture retailer alerts employees to an ongoing reply-chain phishing attack targeting internal mailboxes. The malicious emails come not only from internal servers but also from other compromised organizations and business partners.
“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” explained an internal email sent to IKEA employees.
“This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.”
The company’s IT teams warned staff that the malicious emails contained links with seven digits at the end and shared an example email. In addition, employees are instructed not to open the emails, regardless of who the sender seems to be, and to report them immediately.
Scammers have recently turned their attention to internal Microsoft Exchange servers and compromised them using the ProxyShell and ProxyLogon flaws to carry out phishing attacks.
Once infiltrated, threat actors use the internal Microsoft Exchange servers to conduct reply-chain attacks targeting employees via stolen legitimate corporate emails.
Because the emails are sent from internal servers and inside existing email chains, they appear genuine, and recipients have little reason to suspect that the messages are malicious.
Another concern is that employees might release phishing emails from quarantine, believing the filters caught them by mistake. To address this, the ability to release emails from quarantine has been disabled for all employees until the attack is resolved.
“Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” the retailer communicated to employees.
Phishing Attack Spreading Emotet or Qbot Trojan
When visiting the malicious URLs included in the phishing emails, the browser will download an archive called ‘charts.zip’ containing an infected Excel document. The attachment asks the target to ‘Enable Content’ or ‘Enable Editing’ to view it properly.
By clicking these buttons, the recipient enables malicious macros that will download files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote website and save them to the C:\Datop folder.
These files are then used to install the final malware payload, the Emotet or Qbot trojan.
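The article names two concrete, defender-usable indicators: links whose path ends in seven digits, arriving as replies inside existing threads, and the host-side artifacts ‘charts.zip’ and ‘besta.ocx’/‘bestb.ocx’/‘bestc.ocx’ written to C:\Datop. The script below is an added triage example (not code from the article, from Bleeping Computer or from IKEA) that applies both indicators to constructed sample data. The sample messages, the key=value log format, the host names and the process-image field are all assumptions made for the example; the file names and folder come from the article.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not from the incident). The first is a reply
# inside an existing thread carrying a link whose path ends in seven digits,
# the pattern IKEA's IT team told staff to watch for. The second is benign.
SAMPLE_REPLY = """\
From: supplier.contact@partner.example
To: staff.member@inter-ikea.example
Subject: RE: Q4 supplier forecast
In-Reply-To: <thread-0001@inter-ikea.example>
References: <thread-0001@inter-ikea.example>
Content-Type: text/plain; charset=utf-8

Hi, the updated figures are here: https://files.example.net/view/4831207.
The usual template is still at https://intranet.example/wiki/forecast-template
"""

SAMPLE_BENIGN = """\
From: staff.other@inter-ikea.example
To: staff.member@inter-ikea.example
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at https://intranet.example/cafeteria at noon (ticket 20211126 is closed).
"""

# Constructed endpoint file-creation events in an assumed key=value shape.
# Only the artifact names (charts.zip, C:\Datop\best?.ocx) come from the article.
SAMPLE_FILE_EVENTS = [
    r"ts=2021-11-26T10:01:02Z host=WS-0042 event=FileCreate image=C:\Windows\explorer.exe path=C:\Users\jdoe\Downloads\charts.zip",
    r"ts=2021-11-26T10:01:40Z host=WS-0042 event=FileCreate image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE path=C:\Datop\besta.ocx",
    r"ts=2021-11-26T10:01:41Z host=WS-0042 event=FileCreate image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE path=C:\Datop\bestb.ocx",
    r"ts=2021-11-26T10:02:00Z host=WS-0043 event=FileCreate image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE path=C:\Users\asmith\Documents\report.xlsx",
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# "Seven digits at the end": exactly seven, not the tail of a longer number.
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}/?$")


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage_message(raw: str) -> dict:
    """Return thread context plus every link in the body that ends in seven digits."""
    msg = message_from_string(raw)
    # Being a reply into a live thread is what makes these lures convincing;
    # record it as analyst context, not as a verdict on its own.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(message_text(msg))]
    flagged = [u for u in urls if SEVEN_DIGIT_TAIL.search(u)]
    return {"is_reply": is_reply, "urls": urls, "flagged": flagged}


EVENT_RE = re.compile(r"host=(?P<host>\S+) .*?image=(?P<image>.+?) path=(?P<path>\S+)$")
DATOP_OCX = re.compile(r"^C:\\Datop\\best[a-c]\.ocx$", re.IGNORECASE)
OFFICE_IMAGES = ("excel.exe", "winword.exe", "powerpnt.exe")


def triage_file_events(events: list[str]) -> dict:
    """Per host: a charts.zip download and any C:/Datop/best?.ocx drop written by an Office process."""
    report: dict[str, dict] = {}
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        host, image, path = m.group("host"), m.group("image"), m.group("path")
        entry = report.setdefault(host, {"charts_zip": False, "datop_drops": []})
        if path.lower().endswith("\\charts.zip"):
            entry["charts_zip"] = True
        # The macro runs inside Excel, so the Office process is the one writing the .ocx files.
        if DATOP_OCX.match(path) and image.lower().endswith(OFFICE_IMAGES):
            entry["datop_drops"].append(path)
    return {h: e for h, e in report.items() if e["charts_zip"] or e["datop_drops"]}


if __name__ == "__main__":
    for name, raw in (("reply", SAMPLE_REPLY), ("benign", SAMPLE_BENIGN)):
        print(name, triage_message(raw))
    print(triage_file_events(SAMPLE_FILE_EVENTS))
```

On the constructed data the reply sample yields one flagged link and the benign one none, while the endpoint pass reports a single host that both downloaded charts.zip and had Office write two of the .ocx files to C:\Datop. The seven-digit rule is a weak signal on its own; pairing it with the reply context and the host artifacts is what gives a triage analyst something to act on.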
Considering how severe these infections are and the high probability that its Microsoft Exchange servers have been compromised, IKEA is treating this security breach as a serious incident that could lead to far more damaging attacks.
Source: Bleeping Computer, “IKEA email systems hit by ongoing cyberattack”