IKEA email systems have been under constant cyber attack

IKEA is combating an ongoing cyber attack in which threat actors target employees with internal phishing emails built from stolen reply-chain messages.

In an email reply-chain attack, attackers steal legitimate corporate email threads and then reply to them with links to malicious documents that install malware on the recipients' machines.

Because reply-chain emails are genuine corporate messages, usually sent from compromised email accounts and internal servers, recipients trust them and are more likely to open the malicious documents.

IKEA is dealing with a constant attack

In internal emails viewed by BleepingComputer, IKEA warns employees of an ongoing phishing chain-reaction cyber attack targeting internal mailboxes. These emails are also being sent from other IKEA organizations and business partners that have been compromised.

An internal email sent to IKEA staff, and seen by BleepingComputer, explained: “There is an ongoing cyber attack targeting Inter IKEA mailboxes. Other organizations, suppliers and business partners at IKEA are being hacked by the same attack and are spreading malicious emails to people at Inter IKEA.”

“This means that the attack can come via email from someone you’re working with, from any external organization, and in response to conversations already in progress. So it’s hard to detect, which we ask you to be extra careful about.”

An internal email has been sent to IKEA staff

IKEA's IT teams warn employees that the reply-chain emails contain links ending in seven digits and share an example email, shown below. Employees are also instructed not to open the emails, regardless of who sent them, and to report them to the IT department immediately.

Recipients are also asked to tell the sender, via Microsoft Teams chat, to report the email.

An example of a phishing email sent to IKEA employees

Threat actors have recently begun compromising internal Microsoft Exchange servers through the ProxyShell and ProxyLogon vulnerabilities in order to carry out phishing attacks.

Once they have breached a server, they use the internal Microsoft Exchange server to carry out reply-chain attacks against employees using the stolen corporate emails.

Because the emails are sent from compromised internal servers and appear within existing email threads, recipients place a higher level of trust in them and assume they are not malicious.

There are also concerns that recipients may release malicious emails from quarantine, assuming the filters caught them by mistake. As a result, IKEA has disabled employees' ability to release emails from quarantine until the attack is resolved.

“Email filters can identify and quarantine some malicious emails. Since an email can be in response to an ongoing conversation, it is easy to think that an email filter made a mistake and release the email from quarantine. So, until further notice, we are disabling the ability for everyone to release quarantined emails,” IKEA informed employees.

IKEA did not respond to our emails about the attack and has not disclosed to staff whether its internal servers were compromised, but it appears to be experiencing a similar attack.

An attack used to spread the Emotet or Qbot trojan

From the URLs shared in the above redacted phishing email, BleepingComputer was able to identify the attack targeting IKEA.

Visiting these URLs redirects the browser to a download called “charts.zip”, which contains a malicious Excel document. The document tells recipients to click the Enable Content or Enable Editing button to view it properly, as shown below.

Excel attachment used in phishing campaign

Once those buttons are clicked, malicious macros execute, download files named “besta.ocx”, “bestb.ocx” and “bestc.ocx” from a remote location, and save them to the C:\Datop folder.

These OCX files are actually renamed DLLs, and they are executed with the regsvr32.exe command to install the malware payload.
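Detection logic for the two indicators the article describes, the Office-to-regsvr32 loader chain with .ocx files under C:\Datop and the reply-chain links ending in seven digits, as an added Python example that is not part of the original article or IKEA's own tooling; the event field names and the sample events are constructed and would need adapting to a real Sysmon or EDR schema.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style.
# These are sample records, not real telemetry; field names are an assumption.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe C:\Datop\besta.ocx"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# Drop location and file extension from the report: *.ocx files under C:\Datop
SUSPICIOUS_ARG = re.compile(r"(?:\bC:\\Datop\\|\.ocx\b)", re.IGNORECASE)
# IKEA's warning: phishing links end in exactly seven digits (optional trailing slash)
SEVEN_DIGIT_LINK = re.compile(r"https?://\S*?(?<!\d)\d{7}/?$")


def basename(path):
    """Lower-case file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons a process-creation event matches the
    Office -> regsvr32 -> .ocx chain; an empty list means no match."""
    reasons = []
    if basename(event["image"]) != "regsvr32.exe":
        return reasons
    if basename(event["parent_image"]) in OFFICE_APPS:
        reasons.append("regsvr32 spawned by an Office application")
    if SUSPICIOUS_ARG.search(event["command_line"]):
        reasons.append("regsvr32 loading an .ocx or a file under C:\\Datop")
    return reasons


def find_suspicious(events):
    """Pair each matching event's command line with its match reasons."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["command_line"], reasons))
    return hits


def is_seven_digit_link(url):
    """True when a URL ends in a run of exactly seven digits."""
    return bool(SEVEN_DIGIT_LINK.match(url.strip()))
```

Only the first sample event matches, on both the parent process and the command-line argument; a vendor DLL registered from Explorer is left alone.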

Campaigns using this method have been seen installing the Qbot trojan (also known as QakBot and Quakbot) and possibly Emotet, based on a VirusTotal submission found by BleepingComputer.

Both the Qbot and Emotet trojans lead to further network compromise and, eventually, the deployment of ransomware across the compromised network.

Given the seriousness of these infections and the potential compromise of its Microsoft Exchange servers, IKEA is treating this security incident as a major cyber attack that could lead to a far more disruptive one.
