
Email Systems

Chris Swagler | November 29th, 2021


IKEA is dealing with a cyberattack targeting employees’ email systems, in which stolen reply-chain emails are used to carry out phishing attacks. A reply-chain email attack occurs when threat actors infiltrate legitimate corporate email accounts and reply to existing conversations with links to documents that install malware on recipients’ devices. Because these replies arrive from compromised email accounts and internal servers and look like legitimate company email, recipients are likely to trust them and open the documents.

Email Systems Targeted

Corporate leadership issued a warning to employees about the ongoing reply-chain phishing cyberattack targeting email systems and internal mailboxes. The emails are being sent from other compromised IKEA companies and business partners. IKEA employees received an internal email saying the Inter IKEA mailboxes, other IKEA companies, suppliers, and business partners are compromised by the ongoing cyberattack and spreading the malicious emails to people using Inter IKEA. In other words, the attack can come through an email from a trusted co-worker, or any partner company, and as a reply to an ongoing conversation.

IKEA is asking employees to be extra cautious because this type of cyberattack is difficult to detect. IKEA IT teams are warning employees the reply-chain emails contain links with seven digits at the end and to avoid opening these emails. The IT teams strongly encourage employees to report senders of malicious emails through a Microsoft Teams chat to the IT department.

Earlier this year, threat actors compromised internal Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities to carry out phishing attacks. After gaining access to a server, threat actors can use the internal Microsoft Exchange servers to launch reply-chain attacks against employees via stolen corporate emails. The emails gain a higher level of trust because they are not labeled as malicious, are sent from internally compromised servers, and appear inside existing email chains.

Another concern is that recipients are releasing or sharing malicious phishing emails from quarantine, believing the filters caught them by mistake. Because of this, IKEA is disabling employees’ ability to release emails until the attack is resolved. IKEA issued a statement to employees that email filters can automatically identify and quarantine these malicious emails. However, because some emails are formatted as a reply to an ongoing conversation, employees may think the filter made a mistake and release the email from quarantine.

According to BleepingComputer, the attack unfolds when the recipient clicks a URL that redirects the browser to a “charts.zip” download containing a malicious Excel document. The document instructs recipients to click the “Enable Content” or “Enable Editing” button to view it. Once a button is clicked, the malicious macros download the files “besta.ocx”, “bestb.ocx”, and “bestc.ocx” from a remote site and save them to the C:\Datop folder. According to a VirusTotal submission found by BleepingComputer, campaigns using this method installed the Qbot trojan (aka QakBot and Quakbot) and Emotet. Both Qbot and Emotet infections commonly lead to full network compromise and ransomware deployment. Given the severity of these infections and the compromise of its Microsoft Exchange servers, IKEA is treating the security incident as a major cyberattack that could lead to a more disruptive attack.
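The indicators the article reports (links ending in seven digits, the charts.zip download, and .ocx files dropped into C:\Datop) can be turned into simple triage checks. The following is an added example written for this post, not code from IKEA, BleepingComputer or SpearTip; the email record schema and the sample email and file-event records are constructed, and flagging any .ocx written to C:\Datop (rather than only the three named files) is an assumption.

```python
import re

# Indicators described in the article (constructed detection logic, not an
# official signature set): lure links end in seven digits, the link serves
# charts.zip holding a macro-enabled Excel file, and the macro drops
# besta.ocx / bestb.ocx / bestc.ocx into C:\Datop.
SEVEN_DIGIT_LINK = re.compile(r"(?<!\d)\d{7}/?$")
DROP_DIR = r"c:\datop"

def link_is_suspicious(url: str) -> bool:
    """True when the URL's final path element is exactly seven digits."""
    return bool(SEVEN_DIGIT_LINK.search(url.strip().rstrip(".,;)")))

def score_email(msg: dict) -> list:
    """Reasons an email record resembles the campaign; [] if none.
    msg uses a constructed schema: subject, sender, links."""
    reasons = []
    if any(link_is_suspicious(u) for u in msg["links"]):
        reasons.append("link ends in seven digits")
        # Reply-chain lures arrive as replies inside an existing thread.
        if msg["subject"].lower().startswith("re:"):
            reasons.append("arrives as a reply inside an existing thread")
    return reasons

def file_event_is_suspicious(path: str) -> bool:
    """True for a file write matching the download or macro drop stage."""
    folder, _, name = path.lower().rpartition("\\")
    if name == "charts.zip":
        return True
    # Assumption: any .ocx landing in C:\Datop is flagged, not only the
    # three file names the article lists.
    return folder == DROP_DIR and name.endswith(".ocx")

SAMPLE_EMAILS = [  # constructed records
    {"subject": "RE: invoice for October", "sender": "partner@supplier.example",
     "links": ["https://files.example/download/4812930"]},
    {"subject": "Team lunch", "sender": "colleague@corp.example",
     "links": ["https://intranet.corp.example/news/2021"]},
]
SAMPLE_FILE_EVENTS = [  # constructed file-create paths
    r"C:\Users\alice\Downloads\charts.zip",
    r"C:\Datop\besta.ocx",
    r"C:\Windows\System32\comctl32.ocx",
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["subject"], "->", score_email(m) or "clean")
    for p in SAMPLE_FILE_EVENTS:
        print(p, "->", file_event_is_suspicious(p))
```

The seven-digit check is deliberately narrow (exactly seven trailing digits, so eight-digit IDs do not match); a real deployment would pair it with the sender-domain and thread context the article describes.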

With threat actors continuously targeting and exploiting company email systems through reply-chain email attacks, it’s crucial for companies to stay alert to the latest threat landscape, warn employees to avoid opening suspicious emails, and encourage immediate reporting of malicious emails. At SpearTip, certified engineers at our Security Operations Centers continuously monitor your networks 24/7 for potential cyberattacks from threat actors. Our ShadowSpear platform, an unparalleled resource that immediately enhances a company’s security posture and optimizes network visibility, engages in constant threat hunting to prevent cyberattacks against your environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
