Keylogger deployed on Microsoft Exchange Server through known vulnerabilities

According to a recent report by the cybersecurity company Positive Technologies, a threat actor has been exploiting vulnerabilities in Microsoft Exchange Server to compromise servers and plant keylogger-type code. The campaign has hit more than 30 organizations in Africa and the Middle East, ranging from government agencies to financial and educational institutions. The earliest recorded compromise dates back to 2021.

Positive Technologies has detailed how the keylogger works: it collects the account credentials entered on the server's login page and stores them in a file on the server that is reachable from the Internet at a specific path, so the attacker can collect the harvested logins later without maintaining an interactive session. The affected countries include Russia, the United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The initial access relied on the well-known ProxyShell flaws: CVE-2021-34473 (a pre-authentication path confusion that bypasses access controls), CVE-2021-34523 (elevation of privilege in the Exchange PowerShell backend) and CVE-2021-31207 (a post-authentication arbitrary file write). Chained together they give an unauthenticated attacker remote code execution on the server, which is what made it possible to modify the Exchange login page and install the keylogger. Microsoft fixed these flaws in its April and May 2021 security updates, so every server hit by this campaign was missing patches that had been available for months or years.

The attack begins with ProxyShell exploitation, after which the attacker quietly adds code to the server's login page, the "logon.aspx" file of Outlook Web Access. The injected code hooks the handler that runs when the user clicks the login button (clkLgn() in stock OWA), captures the submitted username and password, and writes them to a file that can be fetched over the Internet. Because the capture happens inside the legitimate page served over the server's own HTTPS endpoint, users see nothing unusual and client-side endpoint protection never observes it.

Organizations should bring their Microsoft Exchange Server instances up to the latest cumulative and security updates; a server that is still vulnerable to ProxyShell is trivially re-exploitable. Endpoint protection on the server remains important, but it will not catch a small edit to a legitimate ASPX page, so the login page itself must be monitored: compare "logon.aspx" and the other files in the OWA authentication directory against a known-good copy from an equally patched installation and alert on any change. If a compromise is found, identify and remove the file holding the stolen credentials, but do not stop there: every account that logged in through the server since the injection date must have its password reset, and because ProxyShell gives the attacker code execution on the server, the host should be treated as fully compromised and searched for webshells and other persistence before it is returned to service.
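The following PowerShell script is an added example of the checks described above; it is not code from the Positive Technologies report or from the articles cited below. It assumes a standard Exchange 2013/2016/2019 layout where $env:ExchangeInstallPath is set, a trusted copy of logon.aspx stored at an assumed path (C:\Baseline\logon.aspx), and a heuristic pattern list and extension allow-list that are the author's assumptions and should be adjusted to your own build.

```powershell
# Added example, not code from the report or the cited articles.
# Integrity and indicator check for the OWA login page on an Exchange server.
# Assumptions (hypothetical, adjust for your environment):
#   - $env:ExchangeInstallPath is set, as it is on a standard Exchange server.
#   - $BaselineLogon points to a trusted copy of logon.aspx from a clean install
#     at the same patch level.
#   - The pattern list is a heuristic for server-side code that reads the login
#     form or writes to disk; the stock login page has no reason to do either.
param(
    [string]$ExchangeRoot  = $env:ExchangeInstallPath,
    [string]$BaselineLogon = 'C:\Baseline\logon.aspx',   # assumed location
    [int]$RecentDays       = 30
)

$authDir = Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'
$logon   = Join-Path $authDir 'logon.aspx'
if (-not (Test-Path $logon)) { throw "logon.aspx not found at $logon" }

# 1. Hash comparison against the trusted baseline. A mismatch deserves a manual
#    diff: the keylogger is a small addition to an otherwise normal page.
if (Test-Path $BaselineLogon) {
    $cur  = (Get-FileHash -Path $logon -Algorithm SHA256).Hash
    $base = (Get-FileHash -Path $BaselineLogon -Algorithm SHA256).Hash
    if ($cur -ne $base) {
        Write-Warning "logon.aspx SHA256 $cur does not match baseline $base"
    } else {
        Write-Host "logon.aspx matches baseline"
    }
} else {
    Write-Warning "No baseline at $BaselineLogon; skipping hash comparison"
}

# 2. Heuristic content scan. A hit is a lead to review by hand, not proof, and a
#    determined attacker can obfuscate past any fixed list of strings.
$patterns = @(
    'Request\.Form',            # server-side read of the POSTed form fields
    'File\.(Append|Write)All',  # System.IO.File.AppendAllText / WriteAllText
    'StreamWriter',             # another way to write captured data to disk
    'ToBase64String'            # encoding captured data before storing it
)
$hits = Select-String -Path $logon -Pattern $patterns
foreach ($h in $hits) {
    Write-Warning ("logon.aspx:{0}: {1}" -f $h.LineNumber, $h.Line.Trim())
}

# 3. The harvested credentials were stored in a file reachable over the web.
#    List files in the auth directory that were written recently or whose type
#    is not one expected there (assumed allow-list); preserve evidence before
#    deleting anything you find.
$expectedExt = @('.aspx', '.ascx', '.asax', '.config', '.js', '.css',
                 '.png', '.gif', '.jpg', '.ico', '.svg', '.htm', '.html',
                 '.xml', '.dll')
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -Path $authDir -File -Recurse |
    Where-Object {
        $_.LastWriteTime -gt $cutoff -or
        $expectedExt -notcontains $_.Extension.ToLower()
    } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime, CreationTime |
    Format-Table -AutoSize
```

Run it from an elevated Exchange Management Shell on each Client Access server and keep the output with the incident record. Two caveats: timestamps can be altered by an attacker who already has code execution, so step 3 is a first pass rather than a guarantee, and a baseline taken after the compromise is worthless, so take the trusted copy from a freshly patched, never-exposed installation or from Microsoft's own cumulative update package.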

This campaign is a reminder that an Internet-facing mail server is one of the most valuable targets in an organization, and that the vulnerabilities being exploited here are not new. Applying Exchange security updates promptly, verifying the integrity of the server's web-facing files, and feeding published indicators from threat intelligence into detection and response processes are the practical steps that would have prevented or quickly exposed this keylogger.

Sources: The Hacker News, SC Magazine, and TuxCare.
