IKEA is fighting a hack in which threat actors are utilising stolen reply-chain emails to target employees in internal phishing assaults.
Threat actors steal authentic corporate email and then reply with links to malicious documents that install malware on recipients’ devices in a reply-chain email assault.
Because the reply-chain emails appear to be authentic company emails and are frequently sent from hacked email accounts and internal servers, users are more likely to trust the email and open the infected documents.
IKEA is currently under attack.
IKEA is notifying staff in internal emails acquired by BleepingComputer about an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. Other compromised IKEA companies and business partners are also sending these emails.
“Inter IKEA mailboxes are currently the subject of a cyber-attack. The same attack has infiltrated other IKEA organisations, suppliers, and business partners, who are circulating malicious emails to Inter IKEA employees “According to an internal email seen by BleepingComputer, it was sent to IKEA staff.
“This means that the attack could come in the form of an email from a coworker, an external organisation, or a response to an existing dialogue. As a result, it is difficult to identify, therefore please exercise extra caution.”
IKEA IT teams have issued a warning to employees that the reply-chain emails contain links with seven numbers at the conclusion, as illustrated below. Employees are also instructed not to open the emails, regardless of who sent them, and to immediately report them to the IT department.
Recipients are also instructed to report the emails to the sender using Microsoft Teams chat.
Threat actors have recently started utilising the ProxyShell and ProxyLogin vulnerabilities to infiltrate internal Microsoft Exchange servers in order to launch phishing attacks.
They exploit internal Microsoft Exchange servers to launch reply-chain attacks against employees using stolen company emails after they acquire access to a server.
There is a higher level of trust that the emails are not harmful because they are sent from within hacked systems and existing email chains.
There’s also a risk that recipients will unintentionally release the dangerous phishing emails from quarantine, believing they were caught in filters by accident. As a result, they’ve disabled employees’ capacity to send emails until the incident is rectified.
“Some of the malicious emails are detected and quarantined by our email filters. As a result of the possibility that the email is a reply to an ongoing conversation, it’s simple to assume that the email filter made a mistake and released the email from quarantine. As a result, we’ve disabled the ability for anyone to release emails from quarantine until future notice “Employees were informed by IKEA.
While IKEA has not reacted to our queries regarding the incident and has not told staff whether internal servers have been hacked, it looks that they are under attack as well.
The Emotet or Qbot trojan was disseminated using this attack.
BleepingComputer was able to identify the assault targeting IKEA based on the URLs supplied in the redacted phishing email above.
A browser will be sent to a download called ‘charts.zip’ that contains a malicious Excel sheet when visiting certain URLs. To properly read this attachment, recipients must select the ‘Enable Content’ or ‘Enable Editing’ buttons, as indicated below.
When those buttons are pressed, malicious macros are launched, downloading files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote site and saving them to the C:Datop folder.
To install the malware payload, these OCX files are renamed DLLs and run with the regsvr32.exe command.
According to a VirusTotal submission received by BleepingComputer, campaigns using this strategy have been spotted installing the Qbot trojan (also known as QakBot and Quakbot) and perhaps Emotet.
Both the Qbot and Emotet trojans lead to additional network infiltration and, eventually, ransomware deployment on a compromised network.
IKEA is addressing this security problem as a severe hack that might potentially escalate to a considerably more disruptive attack due to the severity of these infections and the suspected penetration of their Microsoft Exchange servers.