In recent developments, a previously unidentified threat actor has been leveraging existing security vulnerabilities in Microsoft Exchange Server to deploy keylogger malware, with targets primarily located in Africa and the Middle East. This alarming trend was highlighted by Positive Technologies, a Russian cybersecurity firm, which reports over 30 victims, including various government organizations, banks, IT firms, and educational institutions. These attacks can be traced back to an initial compromise identified as early as 2021.
The cybersecurity firm notes that the keylogger functions by collecting user credentials and saving them to a file that is accessible online, a critical flaw that puts sensitive data at risk. Countries affected by these intrusions include Russia, the United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
The modus operandi of these attacks begins with the exploitation of known ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Microsoft issued patches for these issues in May 2021, but a significant number of organizations appear to have not implemented these critical updates. When successfully exploited, these vulnerabilities can permit attackers to bypass authentication measures, escalate privileges, and initiate unauthorized remote code execution. The exploitation chain was first publicized by researcher Orange Tsai from the DEVCORE Research Team.
Following the initial breach, the threat actors add the keylogger to a critical page within the server’s structure—specifically the “logon.aspx” page. They inject code designed to capture user credentials, saving these to the aforementioned file when users attempt to login.
Despite the confirmed breaches and the detailed report, Positive Technologies is unable to conclusively attribute the attacks to a specific group or actor at this time without further intelligence. This underscores the complexities of tracking and identifying cyber threats in today’s digital landscape.
Organizations running Microsoft Exchange Server are advised to promptly update their systems to the latest version. Additionally, they should meticulously search for signs of compromise on their main server page, particularly in the clkLgn() function where the keylogger may be embedded. If a breach is detected, it is crucial for organizations to determine which account data has been compromised and delete any files containing stolen information, with specific reference to the logon.aspx file where the keylogger is inadvertently recorded.
From a cybersecurity framework perspective, several tactics outlined in the MITRE ATT&CK Matrix are relevant in understanding the techniques employed in these attacks. Initial access is gained through the exploitation of the aforementioned vulnerabilities, while persistence could be established via the keylogger. Privilege escalation and credential access tactics are also apparent, as attackers seek to manipulate and gather sensitive data from compromised systems.
As the cybersecurity landscape continually evolves, staying informed and vigilant is paramount for business owners to protect sensitive information from increasingly sophisticated threats.
