Security News > 2022 > March > IcedID trojan delivered via hijacked email threads, compromised MS Exchange servers
A threat actor is exploiting vulnerable on-prem Microsoft Exchange servers and using hijacked email threads to deliver the IcedID trojan without triggering email security solutions.
The threat actor - believed to be an initial access broker - compromises vulnerable on-prem Microsoft Exchange servers and existing email accounts, then hijacks email threads by replying to them.
"The attack-chain starts with a phishing email. The email includes a message about some important document and has a password protected 'zip' archive file attached. The password to the archive is given in the email body," the researchers explained.
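The lure described above has a shape a mail-flow filter can look for: a reply into an existing thread, a password-protected zip attachment, and the archive password spelled out in the message body. The script below is an added example (not code from the article, Intezer or Cryptolaemus) that triages a raw RFC 822 message for exactly those three traits. Everything in it is an assumption of the example: the password-hint regex, the treatment of `In-Reply-To`/`References` as the thread-reply signal, and the constructed sample messages; the encryption test itself relies only on bit 0 of the ZIP general-purpose flag, which the format defines as "entry is encrypted". Python's `zipfile` cannot write encrypted archives, so the sample builder forces that flag on in a plain archive to stand in for a real password-protected attachment.

```python
import email
import email.policy
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Bit 0 of the ZIP general-purpose flag: the entry is encrypted (ZIP appnote 4.4.4).
ZIP_ENCRYPTED_FLAG = 0x1

# Heuristic (assumption of this example): "password is 1234", "Pass: abc", ...
PASSWORD_HINT = re.compile(r"\b(password|passcode|pass)\b\s*(is|:)\s*\S+", re.I)


def zip_is_encrypted(data: bytes) -> bool:
    """True when any entry in the archive carries the encryption flag.

    Only the central directory is read; the entries are never extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def body_text(msg) -> str:
    """Text of the message body, preferring text/plain over text/html."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def is_thread_reply(msg) -> bool:
    """A reply into an existing thread carries In-Reply-To and/or References."""
    return bool(msg["In-Reply-To"] or msg["References"])


def triage(raw: bytes) -> dict:
    """Flag the encrypted-zip-plus-password-in-body pattern in one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {"encrypted_zip": False, "password_in_body": False,
                "thread_reply": is_thread_reply(msg)}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check by extension or by magic, so a renamed archive is still inspected.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            if zip_is_encrypted(payload):
                findings["encrypted_zip"] = True
    findings["password_in_body"] = bool(PASSWORD_HINT.search(body_text(msg)))
    findings["suspicious"] = findings["encrypted_zip"] and findings["password_in_body"]
    return findings


def build_zip(name: str, content: bytes, encrypted: bool) -> bytes:
    """Constructed sample archive. When `encrypted` is set, the encryption flag is
    forced on in the local file header (offset 6) and the central directory entry
    (offset 8), since zipfile itself cannot write encrypted entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ZIP_ENCRYPTED_FLAG)
    return bytes(data)


def build_sample_email(encrypted: bool, hint: bool) -> bytes:
    """Constructed sample message in the shape of the lure (addresses are fake)."""
    msg = EmailMessage()
    msg["From"] = "finance@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "RE: Invoice for March"
    msg["In-Reply-To"] = "<original-thread-id@example.invalid>"
    body = "Please see the attached document."
    if hint:
        body += " Password is 1234."
    msg.set_content(body)
    msg.add_attachment(build_zip("document.doc", b"placeholder content", encrypted),
                       maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email(encrypted=True, hint=True)))
    print(triage(build_sample_email(encrypted=False, hint=True)))
```

In a real deployment `triage()` would be fed from a mail gateway or a mailbox export, and the `suspicious` verdict would be one input to quarantine or alerting rather than a block decision on its own: legitimate senders do occasionally mail encrypted archives with the password in the body, which is exactly why the lure works.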
Security researcher Kevin Beaumont and the Cryptolaemus Team have found that some of the compromised Microsoft Exchange servers sending the emails were popped via ProxyShell or ProxyLogon vulnerabilities.
Have your organizations' on-prem Microsoft Exchange servers been compromised and are they being used to deliver malware? If you haven't patched those vulnerabilities quickly - or at all - there's a chance they are being leveraged by these and other attackers.
"The majority of the originating Exchange servers we have observed appear to also be unpatched and publicly exposed, making the ProxyShell vector a good theory. While the majority of the Exchange servers used to send the phishing emails can be accessed by anyone over the Internet, we have also seen a phishing email sent internally on what appears to be an 'internal' Exchange server," Intezer researchers pointed out.
News URL
https://www.helpnetsecurity.com/2022/03/29/hijacked-email-threads/