Positive Technologies’ PT ESC incident responders discovered a previously unknown keylogger embedded in the main page of a customer’s Microsoft Exchange Server, the Outlook Web Access login page (logon.aspx). The injected code collected account credentials into a file reachable from the internet. The attackers used ProxyShell to plant the stealer; more than 30 victims were identified, mainly government agencies, most of them in Africa and the Middle East, and the earliest known compromise dates back to 2021. Hashtags: #ProxyShell #MicrosoftExchangeServer #Keylogger #logon.aspx #PositiveTechnologies #PTESC #Africa #MiddleEast
Keypoints
- PT ESC detected an unknown keylogger embedded on the main Exchange Server page during incident response.
- The stealer wrote captured credentials to a file reachable from the internet, so the attackers needed no separate exfiltration channel: they could collect the data with ordinary HTTP requests to the Exchange server.
- More than 30 victims were identified, including government agencies, banks, IT firms, and educational institutions.
- Victims span multiple countries: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
- The first known compromise occurred in 2021, indicating a prolonged campaign.
- Mitigation includes checking the Exchange server’s main page (logon.aspx) for injected stealer code, finding the file that the modified logon.aspx writes stolen credentials to and removing it, resetting the passwords of any accounts found in it, and applying the latest Exchange updates (the ProxyShell bugs themselves were fixed by Microsoft’s April and May 2021 security updates).
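The check described in the last point, as an added worked example; this is not code from Positive Technologies or the PT ESC report. It is a PowerShell script run in an elevated session on the Exchange server itself, and it assumes that `$env:ExchangeInstallPath` is set (as on Exchange installations), that `$KnownGoodHash`, when supplied, is the SHA256 of logon.aspx taken from a clean server on the same cumulative update, and that the regular expressions are illustrative heuristics: the stock login page contains server-side code of its own, so every hit is a lead to confirm against a known-good copy, not proof on its own.

```powershell
# Added example (not the report's code): heuristic check of the OWA login page
# for injected credential-stealer code and for the file it writes stolen data to.
# Assumptions: elevated PowerShell on the Exchange server; $env:ExchangeInstallPath
# is set; $KnownGoodHash (optional) comes from a clean server on the same CU;
# the patterns below are illustrative heuristics, not signatures from the report.
param(
    [string]$LogonPage = (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth\logon.aspx'),
    [string]$KnownGoodHash = ''
)

if (-not (Test-Path -Path $LogonPage)) { throw "logon.aspx not found at $LogonPage" }

$item = Get-Item -Path $LogonPage
$hash = (Get-FileHash -Path $LogonPage -Algorithm SHA256).Hash
Write-Host "File     : $LogonPage"
Write-Host "Modified : $($item.LastWriteTimeUtc.ToString('u'))"
Write-Host "SHA256   : $hash"
if ($KnownGoodHash -and $hash -ne $KnownGoodHash.ToUpperInvariant()) {
    Write-Warning 'SHA256 differs from the known-good copy: the page has been altered.'
}

$content = Get-Content -Path $LogonPage -Raw

# The stock login page has no reason to write files on the server, and its
# clkLgn() submit handler should not send the form fields anywhere other than
# the normal form POST. Each hit is something to inspect by hand.
$patterns = [ordered]@{
    'server-side file write'       = '(File\.(Append|Write)AllText|new\s+StreamWriter)\s*\('
    'request data read in C#'      = 'Request\.(Form|QueryString|Params)\s*\['
    'clkLgn() sending credentials' = 'function\s+clkLgn[\s\S]{0,1500}?(XMLHttpRequest|fetch\s*\(|\.send\s*\(|new\s+Image)'
}

$findings = @()
foreach ($name in $patterns.Keys) {
    $hits = [regex]::Matches($content, $patterns[$name])
    if ($hits.Count -gt 0) {
        $snippet = ($hits[0].Value -replace '\s+', ' ')
        if ($snippet.Length -gt 120) { $snippet = $snippet.Substring(0, 120) + '...' }
        $findings += "[$name] $($hits.Count) hit(s), first: $snippet"
    }
}

# Recover where the injected code writes, so the stolen data can be removed and
# the accounts in it reset. Takes the string literal used as the first argument
# of a file-write call, optionally wrapped in Server.MapPath(...). Relative
# paths are resolved against the auth directory as a first guess only.
$outputs = [regex]::Matches($content,
    '(?:File\.(?:Append|Write)AllText|new\s+StreamWriter)\s*\(\s*(?:Server\.MapPath\s*\(\s*)?"([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($p in $outputs) {
    $resolved = if ([System.IO.Path]::IsPathRooted($p)) { $p } else { Join-Path (Split-Path -Path $LogonPage) $p }
    $findings += "[output file] $p -> $resolved (exists: $(Test-Path -Path $resolved))"
}

# Other pages in the same directory changed at an unusual time deserve a look
# too: the write access that altered logon.aspx can also plant a web shell.
Write-Host 'Most recently modified .aspx files in the auth directory:'
Get-ChildItem -Path (Split-Path -Path $LogonPage) -Filter '*.aspx' |
    Sort-Object -Property LastWriteTimeUtc -Descending |
    Select-Object -First 5 -Property Name, LastWriteTimeUtc, Length |
    Format-Table -AutoSize

if ($findings.Count -eq 0) {
    Write-Host 'No heuristic hits. Still compare the hash with a known-good copy; a stealer can be written around these patterns.'
} else {
    Write-Warning "$($findings.Count) finding(s) in $LogonPage"
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

Run it as `.\Check-OwaLogon.ps1 -KnownGoodHash <sha256>` on every Client Access server, not just the one where the incident was noticed; the report counts more than 30 separately compromised servers, and the hash comparison is the only check here that an attacker cannot evade by rephrasing the injected code.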
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attackers exploited ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), a known Microsoft Exchange Server vulnerability chain, to inject the stealer into the main page. Quote: “…exploited ProxyShell, a known Microsoft Exchange Server vulnerability.”
- [T1056.001] Keylogging – The hackers embedded code in the login page’s clkLgn() function, the handler that runs when the user clicks the sign-in button, so the username and password are captured at the moment the form is submitted rather than keystroke by keystroke. Quote: “…into the clkLgn() function”
- [T1567.002] Exfiltration Over Web Service – The logon.aspx file processes the stealer’s results and redirects account credentials to a file accessible from the internet. Note that the server does not push the data out: the credentials are staged in a web-accessible file that the attackers fetch over HTTP, so T1074.001 (Local Data Staging) also applies. Quote: “…redirects account credentials to a file accessible from the internet.”
Indicators of Compromise
- [File] logon.aspx – A legitimate Outlook Web Access file (by default under the Exchange installation path in FrontEnd\HttpProxy\owa\auth\) into which the hackers added code that processes the stealer’s results and writes the account credentials to a file accessible from the internet. The indicator is the modified content, not the file’s presence; compare it with a known-good copy from the same Exchange build.