Unknown threat actors are exploiting known security vulnerabilities in Microsoft Exchange Server to deploy keylogging malware in attacks targeting entities across Africa and the Middle East.
Russian cybersecurity firm Positive Technologies has identified over 30 victims, including government agencies, banks, IT companies, and educational institutions. The initial breaches date back to 2021.
“This keylogger collects account credentials into files accessible via the internet,” the company stated in a report released last week.
Countries affected by the attacks include Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
The attack chain begins with exploiting the ProxyShell vulnerabilities patched by Microsoft in May 2021 (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Successfully exploiting these vulnerabilities allows attackers to bypass authentication, escalate privileges, and execute remote code execution without authentication. The vulnerabilities were discovered and disclosed by the DEVCORE research team’s Orange Tsai.
After exploiting the ProxyShell vulnerabilities, threat actors add the keylogger to the server’s homepage “logon.aspx” and inject code to capture credentials into files accessible on the internet upon clicking the login button.
Positive Technologies noted that the attacks cannot currently be attributed to known threat actors or groups.
The company advises organizations to update Microsoft Exchange Server to the latest version and look for potential compromise signs on the Exchange Server homepage, including the insertion of the clkLgn() function for keyloggers.
“If your server has been compromised, identify stolen account data and remove files where hackers store this data,” the company stated. “You can find the path to this file in the logon.aspx file.”