A major cyberattack recently struck Swedish retail giant IKEA with malicious actors targeting and phishing for internal mailboxes of employees of the company. According to BleepingComputer who accessed an internal alert email sent by IKEA, the retail giant suffered a reply-chain phishing attack.
The attackers are leveraging stolen reply-chain emails to carry out the phishing attack, aiming to infect target systems with malware. This may be different from the Microsoft Exchange Server attacks observed by Trend Micro. In IKEA’s case, the threat actors are using stolen reply-chain emails to compromise IKEA as opposed to exploiting ProxyShell and ProxyLogon vulnerabilities in exchange servers.
What’s similar about both attacks is that both involve reliance on lending credence from stolen email/hacked servers, to instill trust in targets that the email is indeed coming from a trustworthy source. This is why speculation is rife that the attack on IKEA may very well be a part of the Microsoft Exchange Server hack.
In case you haven’t read about the term before, a reply-chain phishing attack is the one where threat actors subtly take over legitimate email correspondence chains and infect them by inserting malicious payloads. This is usually done by replying to an email conversation that already has a certain degree of established trust, with an email laden with malware.
The attack technique is highly sophisticated because an attacker doesn’t aim to spoof someone their target is corresponding with, nor do they have to hide as a news correspondent. This is because the attacker is communicating with their target through the legitimate email ID of someone their target may know, making the attack all the more dangerous.
The legitimate email in question here can be obtained by an attacker either by exploiting vulnerabilities in servers such as the Microsoft Exchange Server or by taking over an account using credential stuffing and password spraying techniques.
“Since the attacker has access to the whole thread, they can tailor their malspam message to fit the context of an ongoing conversation. This, on top of the fact that the recipient already trusts the sender, massively increases the chance of the victim opening the malicious attachment or clicking a dangerous link,” SentinelOne explained.
BleepingComputer obtained a screenshot of the internal email sent by IKEA to employees. It outlines how the attack has compromised “other IKEA organizations, suppliers and business partners.”
With no public disclosure from IKEA, the scope of the attack remains unknown as of now. However, the retailer is restricting the ability of employees to release emails from quarantine until things cool down given that it is almost impossible to spot the warning signs in a reply-chain phishing attack.
BleepingComputer assessed that this phishing attack is created to deliver and install the Qbot trojan and possibly the Emotet malware, which resurfaced recently. The phishing links in emails are actually downloaded links for a compressed zip file called charts.zip containing an Excel file.
Clicking on ‘Enable Content’ or ‘Enable Editing’ execute macros that in turn download ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx,’ which are later renamed with the .dll extension. These are saved in the C:\Datop folder which then installs malware.
“Our email filters can identify some of the malicious emails and quarantine them. Due to [the fact] that the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine,” IKEA added. “We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.”
A spokesperson from IKEA also told IT Pro that the company has launched a “full-scale investigation” to determine the severity of the attack and to resolve it as soon as possible.
“We are aware of the situation regarding the phishing attack against parts of the Ikea organization. Actions have been taken to prevent damages and a full-scale investigation is ongoing to seal and solve the issue. We take the matter very seriously as safeguarding personal data is a primary concern for Ikea,” the spokesperson said.