Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

An ongoing malware campaign exploits Microsoft Exchange Server flaws

A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware. Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed to identify over […]

Microsoft Exchange Server page

A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware.

Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed to identify over 30 victims in multiple countries, most of whom were linked to government agencies. According to the researchers, the malware campaign targeting MS Exchange Server has been active since at least 2021. The researchers can’t attribute this campaign to a specific group, however, they observed that most victims are in Africa and the Middle East.

Some of the countries targeted by this campaign are Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The threat actors exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in Microsoft Exchange Server to inject an info stealer. They added keylogger code to the server’s main page by embedding it into the clkLgn() function.

The attackers also added a code that processes the results of the stealer in the logon.aspx file, then the code redirects account credentials in a file accessible from the internet.

Microsoft Exchange Server page

“You can check for potential compromise by searching for the stealer code on the main page of your Microsoft Exchange server.” concludes the report from Positive Technologies. “If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers. You can find the path to this file in the logon.aspx file. Make sure you are using the latest version of Microsoft Exchange Server, or install pending updates.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, MS Exchange Server)