An unidentified group of hackers is exploiting known vulnerabilities in Microsoft Exchange Server to deploy keylogger malware in attacks targeting governmental and non-governmental organizations in Africa and the Middle East.
What is known about this keylogger malware
The Russian cybersecurity company Positive Technologies said it has identified more than 30 victims among government agencies, banks, IT companies and educational institutions. The first compromise dates back to 2021.
“This [malware] keylogger collected account credentials in a file accessible via a special path from the internet“, the company said in a report released last week.
Which countries have been targeted by this keylogger malware
The countries targeted by this keylogger malware intrusion include Russia, United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan and Lebanon.
Attack chains begin with exploitation of the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which Microsoft patched in May 2021.
Successful exploitation could allow an attacker to bypass authentication, elevate privileges, and execute code remotely without authentication; the attack chain using these flaws was discovered and published by Orange Tsai of the DEVCORE Research Team.
Cyber security experts have the last word
After exploiting ProxyShell, the threat actors add the keylogger to the server’s main page (“logon.aspx”), injecting malicious code that captures credentials into a file accessible from the internet when the login button is clicked.
Positive Technologies stated that it cannot attribute the attacks to a known bad actor or group at this stage without further information.
In addition to updating Microsoft Exchange Server instances to the latest version, organizations are encouraged to look for potential signs of compromise on the Exchange Server home page, including the clkLgn() function where the keylogger malware is inserted.
“If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by the hackers“, the company said. “You can find the path to this file in the logon.aspx file“.
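The check described above, as an added example that is not part of the original article or of Positive Technologies’ report: it extracts the clkLgn() function from a logon.aspx page and compares a whitespace-normalised hash of it against a baseline taken from a clean install. Both page samples below are constructed for the demo (the clean one is a simplified stand-in, not Microsoft’s file), and captureForm is a placeholder name, not real malicious code.

```python
import hashlib
import re
from typing import Optional

# Constructed, simplified stand-in for the clkLgn() function in a clean logon.aspx.
CLEAN_LOGON = """
<script type="text/javascript">
function clkLgn() {
    if (gbid("rdoPrvt").checked) {
        document.cookie = "PrivateComputer=true";
    }
    gbid("lgnDiv").submit();
}
</script>
"""

# Constructed tampered copy: one extra statement inserted before the form submit.
# captureForm is a placeholder identifier used only to make the hash differ.
TAMPERED_LOGON = CLEAN_LOGON.replace(
    '    gbid("lgnDiv").submit();',
    '    captureForm(gbid("username").value, gbid("password").value);\n'
    '    gbid("lgnDiv").submit();',
)

def extract_function(source: str, name: str) -> Optional[str]:
    """Return the full text of `function <name>(...) {...}` via brace matching."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.start():i] if depth == 0 else None

def function_digest(source: str, name: str = "clkLgn") -> Optional[str]:
    """SHA-256 of the function with whitespace collapsed, so reformatting alone is not flagged."""
    body = extract_function(source, name)
    if body is None:
        return None
    return hashlib.sha256(re.sub(r"\s+", " ", body).strip().encode()).hexdigest()

def check_logon_page(source: str, baseline_digest: str) -> dict:
    """Report whether clkLgn() is present and whether it differs from the clean baseline."""
    digest = function_digest(source)
    return {"found": digest is not None,
            "modified": digest is not None and digest != baseline_digest,
            "digest": digest}

if __name__ == "__main__":
    baseline = function_digest(CLEAN_LOGON)  # in practice: taken from a known-clean install
    for label, page in (("clean", CLEAN_LOGON), ("tampered", TAMPERED_LOGON)):
        print(label, check_logon_page(page, baseline))
```

A hash mismatch is only a prompt to diff the function against the clean copy; a missing clkLgn() also deserves a look, since the page may have been replaced outright.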
Some similar cases occurred in the past
In the past, similar cases of vulnerability exploitation have been reported in Microsoft Exchange Server to distribute malware.
The case of the Hafnium hacker group
In March 2021, for example, the hacker group known as Hafnium, with alleged links to the Chinese government, exploited multiple security flaws in Exchange Server to compromise tens of thousands of servers around the world.
These attacks led to the insertion of malicious web shells, allowing attackers to maintain access to compromised servers, exfiltrate data, and install additional malware.
The case of the Stuxnet worm
Another significant case occurred in 2010, when the Stuxnet worm exploited zero-day vulnerabilities in Windows systems to damage Iranian nuclear centrifuges, demonstrating the critical importance of cybersecurity in critical infrastructure systems.
These incidents highlight the ongoing need to update and protect information systems against emerging threats.
Conclusions
In conclusion, recent attacks that exploit vulnerabilities in Microsoft Exchange Server to distribute keylogger malware pose a significant threat to various entities in Africa and the Middle East.
The history of similar attacks, such as those perpetrated by the Hafnium group and the Stuxnet worm, highlights the importance of keeping systems up to date and constantly monitoring for signs of compromise.
Organizations must take proactive measures to protect their systems and sensitive data, regularly updating software and implementing robust security controls to prevent future attacks.