Ongoing Malware Campaign Exploits Vulnerabilities in Microsoft Exchange Server

A threat actor is targeting organizations in Africa and the Middle East by exploiting flaws in Microsoft Exchange Server to deliver malware. Positive Technologies researchers, responding to a customer incident, detected an unknown keylogger embedded in the home page of the Microsoft Exchange server. This keylogger was used to collect account credentials. Upon further investigation, more than 30 victims were identified in several countries, most linked to government agencies. According to researchers, the malware campaign targeting Microsoft Exchange Server has been active since at least 2021. Although they cannot attribute this campaign to a specific group, they noted that the majority of victims are located in Africa and the Middle East.

 

AFFECTED COUNTRIES

Some of the countries affected by this campaign are Russia, United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan and Lebanon. Threat actors exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in Microsoft Exchange Server to inject an info-stealer. Added keylogger code to the server home page by embedding it in the clkLgn() function.

 

ATTACK MECHANISM

The attackers also added code that processes the stealer results in the logon.aspx file, then the code redirects the account credentials to a file accessible from the internet.

MICROSOFT EXCHANGE SERVER PAGE

“You can verify a possible breach by looking for the stealer code on the home page of your Microsoft Exchange server,” concludes the Positive Technologies report. “If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by the hackers. You can find the path to this file in the logon.aspx file. Make sure you are using the latest version of Microsoft Exchange Server, or install any pending updates.”

 

RECOMMENDATIONS FOR COMPANIES

Regular Audit: Perform regular audits on your Microsoft Exchange servers to detect potential compromises.

Constant Update: Keep your software updated to protect against known vulnerabilities.

Activity Monitoring: Implement monitoring systems to detect suspicious activity on your servers.

Staff Training: Train your staff in cybersecurity so they can recognize and respond appropriately to potential attacks.

Data Backup: Ensure regular backups of your data are made to minimize the impact of a potential attack.

 

Staying informed about the latest threats and vulnerabilities is crucial to protecting your company’s digital assets. Cybersecurity must be a constant priority in an ever-evolving digital environment.

Related Posts
Clear Filters

La Agencia de Seguridad de Infraestructura y Ciberseguridad de Estados Unidos (CISA) ha añadido una vulnerabilidad de alta severidad en…

Devel Group
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.