Microsoft Exchange Server Vulnerabilities Leveraged in Keylogger Attacks

May 22, 2024

An unidentified cyber threat actor has been exploiting known security vulnerabilities in Microsoft Exchange Server to install a keylogger malware. The attacks are primarily targeted at entities in Africa and the Middle East. The cybersecurity firm Positive Technologies, based in Russia, reported that it had identified over 30 victims of these attacks, including government agencies, banks, IT companies, and educational institutions. The earliest known compromise traced back to 2021.

The keylogger deployed in these attacks was designed to collect account credentials and store them in a file that could be accessed via a specific path from the internet. The countries that have been targeted by these intrusions include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The attack chains began with the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that Microsoft originally patched in May 2021. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, elevate their privileges, and execute remote code without authentication. The exploitation chain was originally discovered and published by Orange Tsai from the DEVCORE Research Team.

Following the ProxyShell exploitation, the threat actors added the keylogger to the server's main page ('logon.aspx'), and injected code responsible for capturing the credentials to a file that could be accessed from the internet when the sign-in button was clicked. Positive Technologies stated that it could not attribute the attacks to a known threat actor or group without additional information.

In addition to updating their Microsoft Exchange Server instances to the latest version, organizations are advised to look for potential signs of compromise on the Exchange Server's main page, including in the clkLgn() function where the keylogger is inserted. 'If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers,' the company said. 'You can find the path to this file in the logon.aspx file.'
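One way to perform the logon.aspx check the advisory recommends, as an added example that is not code from the article or from Positive Technologies: it extracts the clkLgn() function from a copy of logon.aspx, compares its SHA-256 digest with a baseline taken from a known-good install, and flags a few assumed credential-capture indicators. The two page samples are constructed stand-ins, not real Exchange source, and the indicator list is a heuristic assumption; the baseline comparison is the reliable part.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for the clkLgn() function in OWA's logon.aspx
# (hypothetical, not the real Exchange page; only the shape matters here).
CLEAN_PAGE = """<script type="text/javascript">
function clkLgn() {
    if (gbid("rdoPrvt").checked) { setPrivateCookie(); }
    return true;
}
</script>"""

TAMPERED_PAGE = """<script type="text/javascript">
function clkLgn() {
    if (gbid("rdoPrvt").checked) { setPrivateCookie(); }
    var c = gbid("password").value;
    new XMLHttpRequest().open("GET", "/owa/auth/REDACTED?d=" + c);
    return true;
}
</script>"""

# Heuristic tokens that do not belong in a stock logon handler (assumed, not from the article).
INDICATORS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image", "password")


def extract_clklgn(page: str) -> Optional[str]:
    """Return the full text of function clkLgn() using brace matching, or None if absent.
    Braces inside string literals are not handled; good enough for a baseline diff."""
    m = re.search(r"function\s+clkLgn\s*\(\s*\)\s*\{", page)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(page) and depth:
        depth += {"{": 1, "}": -1}.get(page[i], 0)
        i += 1
    return page[m.start():i] if depth == 0 else None


def baseline_digest(known_good_page: str) -> str:
    """SHA-256 of clkLgn() taken from a known-good logon.aspx of the same Exchange build."""
    return hashlib.sha256(extract_clklgn(known_good_page).encode()).hexdigest()


def check_clklgn(page: str, baseline_sha256: str) -> dict:
    """Compare clkLgn() against the baseline and list any indicator tokens present."""
    body = extract_clklgn(page)
    if body is None:
        return {"found": False, "matches_baseline": False, "indicators": []}
    digest = hashlib.sha256(body.encode()).hexdigest()
    return {"found": True, "matches_baseline": digest == baseline_sha256,
            "indicators": [t for t in INDICATORS if t in body]}


if __name__ == "__main__":
    base = baseline_digest(CLEAN_PAGE)
    print(check_clklgn(CLEAN_PAGE, base))     # matches baseline, no indicators
    print(check_clklgn(TAMPERED_PAGE, base))  # baseline mismatch, indicators listed
```

On a real server, read the baseline from the same Exchange build's stock logon.aspx and run the check against the deployed copy; any mismatch warrants a manual review of the function body.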
