MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks

Share:

An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East.

Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021.

“This keylogger was collecting account credentials into a file accessible via a special path from the internet,” the company said in a report published last week.

Countries targeted by the intrusion set include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The attack chains commence with the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that were originally patched by Microsoft in May 2021.

Successful exploitation of the vulnerabilities could allow an attacker to bypass authentication, elevate their privileges, and carry out unauthenticated, remote code execution. The exploitation chain was discovered and published by Orange Tsai from the DEVCORE Research Team.

MS Exchange Server Flaws

The ProxyShell exploitation is followed by the threat actors adding the keylogger to the server main page (“logon.aspx”), in addition to injecting code responsible for capturing the credentials to a file accessible from the internet upon clicking the sign in button.

Positive Technologies said it cannot attribute the attacks to a known threat actor or group at this stage without additional information.

Besides updating their Microsoft Exchange Server instances to the latest version, organizations are urged to look for potential signs of compromise in the Exchange Server’s main page, including the clkLgn() function where the keylogger is inserted.

“If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers,” the company said. “You can find the path to this file in the logon.aspx file.”

Ravie Lakshmanan

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
12:04 am, Jan 31, 2025
weather icon 3°C
L: 1° | H: 4°
broken clouds
Humidity: 87 %
Pressure: 1025 mb
Wind: 6 mph SW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 72%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 7:40 am
Sunset: 4:47 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
1° | 4°°C 1 mm 100% 8 mph 92 % 1028 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
4° | 7°°C 0 mm 0% 7 mph 83 % 1030 mb 0 mm/h
Sun Feb 02 9:00 pm
weather icon
2° | 8°°C 0 mm 0% 6 mph 78 % 1026 mb 0 mm/h
Mon Feb 03 9:00 pm
weather icon
2° | 9°°C 0 mm 0% 8 mph 86 % 1027 mb 0 mm/h
Tue Feb 04 9:00 pm
weather icon
6° | 10°°C 0 mm 0% 12 mph 94 % 1028 mb 0 mm/h
Today 3:00 am
weather icon
3° | 4°°C 0 mm 0% 5 mph 84 % 1025 mb 0 mm/h
Today 6:00 am
weather icon
4° | 4°°C 1 mm 100% 7 mph 91 % 1024 mb 0 mm/h
Today 9:00 am
weather icon
6° | 6°°C 1 mm 100% 8 mph 91 % 1022 mb 0 mm/h
Today 12:00 pm
weather icon
7° | 7°°C 0.8 mm 80% 5 mph 88 % 1023 mb 0 mm/h
Today 3:00 pm
weather icon
8° | 8°°C 0 mm 0% 5 mph 80 % 1024 mb 0 mm/h
Today 6:00 pm
weather icon
6° | 6°°C 0 mm 0% 4 mph 92 % 1026 mb 0 mm/h
Today 9:00 pm
weather icon
6° | 6°°C 0 mm 0% 5 mph 92 % 1028 mb 0 mm/h
Tomorrow 12:00 am
weather icon
6° | 6°°C 0 mm 0% 5 mph 83 % 1029 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€100,869.78
1.07%
Ethereum(ETH)
€3,127.18
4.35%
XRP(XRP)
€3.01
2.11%
Tether(USDT)
€0.96
0.01%
Solana(SOL)
€230.19
4.64%
USDC(USDC)
€0.96
0.02%
Dogecoin(DOGE)
€0.318867
2.14%
Shiba Inu(SHIB)
€0.000018
2.14%
Pepe(PEPE)
€0.000013
4.09%
Scroll to Top