Breaking Badness

111. Neither Hide nor Malware


Here are a few highlights from each article we discussed:

Does Squirrelwaffle Ring a ProxyShell?

  • The Sophos Rapid Research team recently investigated an incident in which Squirrelwaffle malware was used in conjunction with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server.
  • DomainTools covered Squirrelwaffle several months ago when it was new on the scene. It is a relatively new loader malware that saw more pickup toward the end of 2021. The Sophos team has been battling it recently and wanted to share new behavior and activity.
  • The typical Squirrelwaffle attack involved distributing malicious office documents in spam campaigns.
  • The latest twist is that adversaries began using some of the intelligence they gleaned from email threads to register “typo-squatted” domains — we at DomainTools see typosquat domains all the time.
  • Bad actors were using this technique to attempt to re-route payment information within email threads. It was clever because when they shifted the email thread to the typo-squat domain, they went a step further and also copied the other participants' addresses at the same typo-squat domain, so it appeared to the recipient that they were still on the same thread with the same people as before, and it was difficult to tell they had been duped.
  • Email thread hijacking is when individuals participate in an email thread with a third party and the mail server is then compromised by the adversary. In this instance, the bad actors likely tracked many threads and chose this particular one because it was leaning toward a transaction.
  • In the late stage of the dupe, attackers prodded their victims for payment by insisting that banking information had changed and money needed to go to a new routing number. There was a lot of social engineering in this attack, and the victims did not catch on. It all came to a head when the financial institution flagged potentially fraudulent activity and froze the transaction right there.
  • In order to prevent this type of attack, check if your own domain has been flagged for sending spam. You can also check your domain for typosquatting.
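As an added example (not from the podcast, Sophos, or DomainTools), here is a small defensive check for the thread-hijacking pattern described above: build a watchlist of common lookalike variants of the domains that legitimately appear in a thread, then flag any sender whose domain is one of those variants. All domain names and addresses in the sample are constructed.

```python
# Lookalike-domain check for email threads (added example, constructed data).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
ALT_TLDS = ("com", "co", "net", "org", "cm")


def typosquat_variants(domain):
    """Return a set of common typosquat variants of a legitimate domain:
    single-character omission, transposition, repetition, homoglyph swap,
    and TLD swap. Used as a watchlist, never as a registration list."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                       # omission
        names.add(name[:i + 1] + name[i] + name[i + 1:])         # repetition
        if name[i] in HOMOGLYPHS:                                # homoglyph
            names.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):                               # transposition
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    names.discard(name)
    variants = {n + "." + tld for n in names}
    variants |= {name + "." + t for t in ALT_TLDS if t != tld}
    return variants


def lookalike_of(sender_domain, trusted_domains):
    """Return the trusted domain that sender_domain imitates, or None if the
    sender domain is itself trusted or does not resemble any trusted domain."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if sender_domain in typosquat_variants(trusted):
            return trusted
    return None


def audit_thread(senders, trusted_domains):
    """Return [(address, imitated_domain)] for every sender whose domain is a
    lookalike of a domain that legitimately participates in the thread."""
    findings = []
    for addr in senders:
        hit = lookalike_of(addr.rsplit("@", 1)[-1], trusted_domains)
        if hit:
            findings.append((addr, hit))
    return findings


if __name__ == "__main__":
    # Constructed thread: the last sender has moved the thread to a lookalike.
    trusted = {"examplecorp.com", "vendor-supplies.com"}
    senders = ["ap@examplecorp.com", "sales@vendor-supplies.com",
               "ap@examplecrop.com"]
    print(audit_thread(senders, trusted))  # [('ap@examplecrop.com', 'examplecorp.com')]
```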

CSRB Ahead of the Game

  • The Department of Homeland Security announced earlier this month the creation of the Cyber Safety Review Board (CSRB) as part of President Biden’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.
  • The board was appointed by CISA Director Jen Easterly (and she will continue to appoint new people when needed).
  • The purpose of this board is not just to respond to individual events — it’s more about understanding systemic or underlying issues that lead up to an event.
  • Their first assignment surrounds Log4j and identifies lessons learned to help prevent future vulnerabilities. The goal is to present specifics on what to strengthen based on what they observe across families of events.
  • The response from the InfoSec community to this board seems positive, and that is no surprise: when you look at the composition of the board, they are luminaries.
  • The US Government has taken a number of steps to improve the response to cyber incidents. The EO that was the genesis of the CSRB was released last spring, and it identified specific steps such as enhancing supply chain security through a software bill of materials and stipulating wider adoption of zero trust architectures.
  • One of the big picture items regarding this board is the increasing reliance on public/private partnerships. This board is made up of people from the federal government as well as the private sector. This collaboration means increased information sharing and working to enhance that. We’re confident we’ll see good things come from this as it’s well-intentioned and well thought out.
  • The government is taking a step in the right direction, but the question is now, how big is that step? The coterie assembled has an immense dedication to their mission and there’s no question regarding their commitment to making the Internet a safer place. It will be interesting to see how this board progresses, what their working rhythm will be, and how they define success.

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one of which is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard



This Week’s Hoodie/Goodie Scale

Does Squirrelwaffle Ring a ProxyShell?

[Taylor]: 4.5/10 Hoodies
[Tim]: 5/10 Hoodies

CSRB Ahead of the Game

[Taylor]: 6/10 Hoodies
[Tim]: 7.3862/10 Hoodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!