IKEA is suffering from a reply-chain attack, where its employees are being targeted with malicious links spread through internal emails.
The furniture maker is thus asking its employees to be extra cautious and to report any such email to the IT team. Reply-chain attacks are hard to detect because they arrive from trusted contacts within the company.
Reply-Chain Attacks on IKEA
IKEA, the popular furniture brand with warehouses and customer outlets all over the world, is now under a reply-chain attack. In a reply-chain attack, the threat actor uses a compromised email account of one of the company's employees to reply to existing email threads with malicious attachments or links.
The attacker may get hold of an internal email account in various ways, such as phishing an employee or compromising the email server and hijacking every account on it. Since hackers have been actively preying on Microsoft Exchange servers lately, we assume this could be the case at IKEA, with a threat actor having gained access that way.
IKEA noticed that several replies containing malicious links were being sent to its employees, which could ultimately lead to a compromise of its infrastructure. It is therefore informing employees about this ongoing campaign and asking them to be extra cautious.
These emails are hard to detect, as they come from peer employees, a manager, or an external client. Because the sender's address looks legitimate, recipients are far more likely to follow the link and perform the actions the attacker wants. So IKEA is asking employees not to open any suspicious emails and to report them to the IT department immediately.
An analysis by BleepingComputer revealed that the URLs shared in these reply-chain emails download ZIP archives containing Excel spreadsheets, which ask the user to "Enable Content" so that macros can run. Once enabled, the macro downloads additional files and saves them in folders on the local system.
These additional files are renamed DLLs, which are then executed via the regsvr32.exe command to install the final malware payload. Past campaigns of this kind have typically dropped trojans such as Qbot or Emotet, which serve as backdoors for ransomware groups.
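The chain described above (Office document with macros enabled, dropped renamed DLL, regsvr32.exe execution) leaves a recognisable trace in endpoint process-creation telemetry. The following detection logic is an added example written for this article, not code from BleepingComputer or IKEA; the event records, paths and file names are constructed samples, and the field names (`parent`, `image`, `cmdline`) are assumed.

```python
"""Flag process-creation events matching the Excel macro -> regsvr32 chain:
an Office process launching regsvr32.exe to register a file that was
dropped into a user-writable folder and/or renamed away from .dll."""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\report.dat"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\driver.dll"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
DLL_EXT = re.compile(r"\.(dll|ocx)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def registered_target(cmdline: str) -> str:
    """Return the file regsvr32 was asked to register (last non-switch token)."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or plain for quoted, plain in tokens][1:]  # drop argv[0]
    files = [a for a in args if not a.startswith(("/", "-"))]
    return files[-1] if files else ""


def is_suspicious(event: Dict[str, str]) -> bool:
    if basename(event["image"]) != "regsvr32.exe":
        return False
    if basename(event["parent"]) not in OFFICE_PROCESSES:
        return False
    target = registered_target(event["cmdline"])
    # Dropped payloads sit in user-writable folders and are often renamed
    # away from .dll; either condition alone is enough to alert.
    return bool(USER_WRITABLE.search(target)) or not DLL_EXT.search(target)


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the regsvr32 target paths of events that match the chain."""
    return [registered_target(e["cmdline"]) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT: Office-spawned regsvr32 registering", hit)
```

Only the first sample event fires: regsvr32 launched by Explorer against a vendor DLL under Program Files is normal software installation, and an Office process spawning cmd.exe is a different detection.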