Unknown threat actors have been observed injecting malicious code into the login pages of publicly exposed Microsoft Exchange servers in order to harvest credentials.
Positive Technologies, in a new analysis published last week, noted that it identified two different types of keylogger code written in JavaScript on the Outlook login page:
- Those that store the collected data in a local file that is accessible over the Internet
- Those that immediately send the collected data to an external server
The Russian cybersecurity vendor said the attacks targeted 65 victims in 26 countries and are a continuation of a campaign the company first documented in May 2024 as targeting Africa and the Middle East.
At the time, the company said it had found at least 30 victims spanning government agencies, banks, IT companies and educational institutions, with evidence that the first compromise dated back to 2021.
The attack chains involve exploiting known flaws in Microsoft Exchange Server (e.g., ProxyShell) to insert the keylogger code into the login page. It is currently not known who is behind these attacks.
Some of the vulnerabilities weaponized in the attacks are listed below:
- CVE-2014-4078 - IIS security feature bypass vulnerability
- CVE-2020-0796 - Windows SMBv3 client/server remote code execution vulnerability
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 - Microsoft Exchange Server remote code execution vulnerabilities (ProxyLogon)
- CVE-2021-31206 - Microsoft Exchange Server remote code execution vulnerability
- CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 - Microsoft Exchange Server security feature bypass vulnerabilities (ProxyShell)
“The JavaScript reads and processes data from the authentication form and then sends it via an XHR request to a specific page on the compromised Exchange server,” said security researchers Klimentiy Galkin and Maxim Suslov.
“The source code of the target page contains a handler function that reads the incoming request and writes the data to a file on the server.”
The file containing the stolen data is accessible from the external network. Select variants of the local keylogger have also been found to collect user cookies, User-Agent strings and a timestamp.
One advantage of this approach is that the chance of detection is minimal, because there is no outgoing traffic carrying the stolen information.
The second variant, detailed by Positive Technologies, instead uses a Telegram bot as the exfiltration point, issuing XHR GET requests in which the encoded username and password are stored in the Apikey and Authtoken headers respectively.
Another method involves the use of Domain Name System (DNS) tunneling combined with HTTPS POST messages to send user credentials out of the organization and bypass its defenses.
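As an added defender-side example (not code from Positive Technologies or the original report), the following Python script triages the inline scripts of a saved OWA logon page for the combination of behaviours described above: reading the login form fields, sending data via XHR, and referencing the exfiltration headers named here. The sample page, the indicator patterns and the two-indicator threshold are constructed assumptions and should be tuned against a known-good baseline of the real logon page.

```python
"""Triage inline scripts on an OWA logon page for credential-harvesting behaviour."""
import re
from html.parser import HTMLParser

# Indicator patterns (assumed, derived from the behaviours described in the article).
FORM_ACCESS = re.compile(
    r"(getElementById|getElementsByName|querySelector)\(\s*['\"](username|password|email)", re.I)
XHR_SEND = re.compile(r"XMLHttpRequest|fetch\(|\.send\(", re.I)
EXFIL_HINTS = re.compile(r"api\.telegram\.org|Authtoken|Apikey", re.I)


class InlineScriptCollector(HTMLParser):
    """Collect (line, src, body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._line = self.getpos()[0]
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._line, self._src, "".join(self._buf)))
            self._in_script = False


def scan_logon_page(html):
    """Return findings for inline scripts that both touch the login form and send data."""
    parser = InlineScriptCollector()
    parser.feed(html)
    findings = []
    for line, src, body in parser.scripts:
        if src:  # external scripts: hash and compare against a baseline instead
            continue
        reasons = []
        if FORM_ACCESS.search(body):
            reasons.append("reads login form fields")
        if XHR_SEND.search(body):
            reasons.append("issues XHR/fetch request")
        if EXFIL_HINTS.search(body):
            reasons.append("references exfiltration channel or headers")
        if len(reasons) >= 2:  # a legitimate focus() helper alone should not alert
            findings.append({"line": line, "reasons": reasons})
    return findings


# Constructed sample page: one benign inline script and one indicator-only snippet.
SAMPLE_PAGE = """<html><body>
<form id="logonForm"><input id="username"><input id="password" type="password"></form>
<script src="/owa/auth/scripts/flogon.js"></script>
<script>/* benign page helper */ document.getElementById('username').focus();</script>
<script>/* indicator-only snippet, not functional */ var u=document.getElementById('username').value;
var x=new XMLHttpRequest(); x.setRequestHeader('Authtoken','...');</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_logon_page(SAMPLE_PAGE):
        print(f"line {f['line']}: " + "; ".join(f["reasons"]))
```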
Twenty-two compromised servers were found in government organizations, followed by infections in IT, industrial and logistics companies. Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands and Turkey are among the top 10 targets.
“A large number of Microsoft Exchange servers accessible from the Internet remain vulnerable to old vulnerabilities,” the researchers said. “Having built the malicious code into legitimate authentication pages, the attackers may go unnoticed for a long period, capturing users’ account credentials in clear text.”