Positive Technologies’ Expert Security Centre (PT ESC) has discovered a sophisticated keylogger embedded in the main page of Microsoft Exchange Servers. This breach, which affects a wide range of organizations globally, has been active since 2021. During an incident response operation, the PT ESC team identified the keylogger in the clkLgn() function of the server’s primary page. The keylogger captures user credentials, such as usernames and passwords, and stores them in an accessible file via a specific internet path.
The attackers exploited the ProxyShell vulnerability, allowing them to inject the keylogger code into the server. The altered logon.aspx file processes and redirects the obtained credentials, enabling undetected exfiltration of sensitive information. Over 30 victims have been identified, primarily government agencies, with educational institutions, corporations, and IT companies also affected. Countries impacted include Russia, the UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
Positive Technologies has notified affected organizations and recommended immediate actions: searching for the stealer code, patching vulnerabilities, monitoring server logs, and enhancing security measures with multi-factor authentication. This incident highlights the necessity of robust cybersecurity defenses and proactive measures to protect sensitive information against evolving threats.
Reference:
