IKEA is dealing with an ongoing cyberattack in which threat actors use stolen reply-chain emails to phish employees. In a reply-chain email attack, threat actors take over legitimate corporate email accounts and reply to existing conversations with links to documents that install malware on recipients' devices. Because these replies arrive from genuine company accounts and internal servers, inside threads the recipient is already part of, recipients are likely to trust them and open the documents.
Corporate leadership warned employees about the ongoing reply-chain phishing attack targeting IKEA's email systems and internal mailboxes. The malicious emails are being sent from compromised mailboxes at other IKEA companies and business partners. In an internal email, employees were told that Inter IKEA mailboxes, other IKEA companies, suppliers, and business partners have been compromised and are spreading the malicious emails to Inter IKEA users. In other words, the lure can arrive from a trusted co-worker or from any partner company, as a reply to a conversation already in progress.
IKEA is asking employees to be extra cautious because this type of cyberattack is difficult to detect. IKEA IT teams are warning employees the reply-chain emails contain links with seven digits at the end and to avoid opening these emails. The IT teams strongly encourage employees to report senders of malicious emails through a Microsoft Teams chat to the IT department.
Earlier this year, threat actors compromised internal Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities in order to run phishing campaigns. Once a server is under their control, they can send reply-chain emails to employees from inside the organization, using stolen corporate email threads. Messages sent this way carry a higher level of trust: they originate from an internal server and continue an existing conversation, so recipients are far less likely to treat them as malicious.
Another concern is that recipients are releasing or sharing malicious emails from quarantine in the belief that the filters caught them by mistake. Because of this, IKEA is disabling employees' ability to release quarantined emails until the attack is resolved. IKEA told employees that its email filters can automatically identify and quarantine these malicious emails, but because some are formatted as replies to an ongoing conversation, employees may assume the filter was wrong and release them.
According to BleepingComputer, the attack unfolds as follows: clicking the URL redirects the browser to a "charts.zip" download containing a malicious Excel document. The document instructs the recipient to click "Enable Content" or "Enable Editing" to view it. Once a button is clicked, the malicious macros download the files "besta.ocx", "bestb.ocx", and "bestc.ocx" from a remote site and save them to the C:\Datop folder. According to a VirusTotal submission found by BleepingComputer, campaigns using this method have installed the Qbot trojan (aka QakBot and Quakbot) and Emotet. Both Qbot and Emotet infections commonly lead to full network compromise and ransomware deployment. Given the severity of these infections and the compromise of its Microsoft Exchange servers, IKEA is treating the incident as a major cyberattack that could lead to a more disruptive follow-on attack.
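The detection points the article gives (a reply in an existing thread, links ending in seven digits, a charts.zip lure, and .ocx files dropped into C:\Datop) can be turned into a simple triage script. The following is an added example written for this page, not SpearTip's, IKEA's or BleepingComputer's tooling. The sample messages, sender addresses, host names and file events are constructed, and the (host, process, path) event shape is an assumed normalization of whatever EDR or Sysmon file-creation telemetry you actually have.

```python
"""Triage helpers for the reply-chain phishing chain described above.

Added example, not SpearTip's, IKEA's or BleepingComputer's tooling. The
sample messages and host events are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html import unescape

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# The lure links end in seven digits: require them to be the final path
# segment so a longer numeric ID in an ordinary link does not match.
SEVEN_DIGIT_TAIL = re.compile(r'/\d{7}/?$')
# Drop folder and DLL names reported for the Excel macro stage.
DROP_DIR = 'c:\\datop'
DROPPED_NAMES = {'besta.ocx', 'bestb.ocx', 'bestc.ocx'}
LURE_ARCHIVE = 'charts.zip'

# Constructed sample: a reply in a real thread carrying a seven-digit link.
SAMPLE_REPLY = """\
From: colleague@partner.example
To: staff@corp.example
Subject: RE: Q4 invoice schedule
In-Reply-To: <orig-1@corp.example>
Content-Type: text/plain; charset="utf-8"

Hi, the updated charts are here: https://files.example.invalid/share/4820196
Thanks
"""

# Constructed sample: a harmless reply in the same thread.
SAMPLE_BENIGN = """\
From: colleague@partner.example
To: staff@corp.example
Subject: RE: Q4 invoice schedule
In-Reply-To: <orig-1@corp.example>
Content-Type: text/plain; charset="utf-8"

Thanks, the agenda is at https://intranet.corp.example/meetings/2021-11.
"""

# Constructed (host, process, path) file-creation events, not real telemetry.
SAMPLE_FILE_EVENTS = [
    ('ws-017', 'EXCEL.EXE', 'C:\\Datop\\besta.ocx'),
    ('ws-017', 'EXCEL.EXE', 'C:\\Datop\\bestb.ocx'),
    ('ws-042', 'msedge.exe', 'C:\\Users\\j.doe\\Downloads\\charts.zip'),
    ('ws-099', 'svchost.exe', 'C:\\Windows\\System32\\drivers\\etc\\hosts'),
]


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect URLs from every text part, trimming sentence punctuation."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ('text/plain', 'text/html'):
            for url in URL_RE.findall(unescape(part.get_content())):
                urls.append(url.rstrip('.,;)'))
    return urls


def is_reply(msg: EmailMessage) -> bool:
    """True when the message continues an existing thread."""
    subject = (msg['Subject'] or '').strip().lower()
    return bool(msg['In-Reply-To'] or msg['References']) or subject.startswith('re:')


def triage_message(raw: str) -> dict:
    """Score one raw RFC 5322 message; 'hold' means keep it in quarantine."""
    msg = message_from_string(raw, policy=policy.default)
    urls = extract_urls(msg)
    seven_digit = [u for u in urls if SEVEN_DIGIT_TAIL.search(u)]
    zip_links = [u for u in urls if u.lower().endswith('.zip')]
    indicators = []
    if seven_digit:
        indicators.append('seven_digit_link')
    if zip_links:
        indicators.append('zip_link')
    # A reply in a known thread is the lure itself, not a reason to trust the
    # link, so thread context raises the score instead of lowering it.
    if is_reply(msg) and indicators:
        indicators.append('reply_chain_lure')
    return {'sender': str(msg['From']), 'is_reply': is_reply(msg), 'urls': urls,
            'indicators': indicators, 'hold': bool(seven_digit or zip_links)}


def flag_host_events(events: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (host, reason) for file writes matching the drop or lure stage."""
    hits = []
    for host, process, path in events:
        folder, _, name = path.lower().rpartition('\\')
        if (folder == DROP_DIR and name.endswith('.ocx')) or name in DROPPED_NAMES:
            hits.append((host, f'{process} wrote {path}'))
        elif name == LURE_ARCHIVE:
            hits.append((host, f'{process} saved {path}'))
    return hits


if __name__ == '__main__':
    for sample in (SAMPLE_REPLY, SAMPLE_BENIGN):
        print(triage_message(sample))
    for host, reason in flag_host_events(SAMPLE_FILE_EVENTS):
        print(host, reason)
```

Two design points follow from the article: the quarantine decision in `triage_message` is driven by the link indicators alone, so a "RE:" subject or an In-Reply-To header never lowers the score; and `flag_host_events` keys on the drop folder rather than only on the three file names, so a renamed payload written to C:\Datop is still caught.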
With threat actors continuously targeting company email systems with reply-chain attacks, it is crucial for companies to stay alert to the latest threat landscape, warn employees not to open suspicious emails even when they appear to continue a known conversation, and encourage immediate reporting. At SpearTip, certified engineers at our Security Operations Centers monitor your networks 24/7 for potential cyberattacks. Our ShadowSpear platform, which immediately enhances a company's security posture and optimizes network visibility, engages in constant threat hunting to prevent cyberattacks against your environment.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.