Malicious code collects credentials and stores them in a file accessible from the Internet.
The Positive Technologies Security Expert Center (PT Expert Security Center) reported identifying a previously unknownkeyloggerthat was embedded in the main page of Microsoft Exchange Server and collected user account data in a file accessible via a special path from the Internet.
Attack detection and analysis
The incident was identified by the Incident Response Positive Technologies team at one of the company's clients. In order to embed the styler, hackers exploited known Exchange server vulnerabilities — ProxyShell. After that, they added the keylogger code to the main page.
Injecting malicious code
clkLgn()Code that hackers embed in the Exchange Server home page, in the function:
Code of the main page of the compromised Exchange server
Hackers also added code to the logon.aspx file that processes the result of the styler's work and redirects the entered account data to a special file that is accessible from the outside.
Code of the compromised logon.aspx file
As a result of executing the code shown in the figure above, attackers gain access to the account data entered by users:
Stolen account Data
Victims of the attack
The Threat Intelligence PT ESC team identified more than 30 victims of this attack. Most of them are government agencies of various countries. In addition, banks, IT companies and educational institutions are among the victims. The countries targeted include Russia, the United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon, and others. All victims were notified of the compromise.
According to the data obtained, the earliest compromise was carried out in 2021.
Security recommendations
To verify the fact of compromise, make sure that there is no styler code on the main page of the Exchange server. If a compromise is detected, you need to determine which accounts were stolen, and delete the file in which hackers stored this data. The path to this file can be found in logon. aspx. It is also important to use the latest version of Microsoft Exchange Server and install all necessary updates.
The Positive Technologies Security Expert Center (PT Expert Security Center) reported identifying a previously unknownkeyloggerthat was embedded in the main page of Microsoft Exchange Server and collected user account data in a file accessible via a special path from the Internet.
Attack detection and analysis
The incident was identified by the Incident Response Positive Technologies team at one of the company's clients. In order to embed the styler, hackers exploited known Exchange server vulnerabilities — ProxyShell. After that, they added the keylogger code to the main page.
Injecting malicious code
clkLgn()Code that hackers embed in the Exchange Server home page, in the function:
Code of the main page of the compromised Exchange server
Hackers also added code to the logon.aspx file that processes the result of the styler's work and redirects the entered account data to a special file that is accessible from the outside.
Code of the compromised logon.aspx file
As a result of executing the code shown in the figure above, attackers gain access to the account data entered by users:
Stolen account Data
Victims of the attack
The Threat Intelligence PT ESC team identified more than 30 victims of this attack. Most of them are government agencies of various countries. In addition, banks, IT companies and educational institutions are among the victims. The countries targeted include Russia, the United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon, and others. All victims were notified of the compromise.
According to the data obtained, the earliest compromise was carried out in 2021.
Security recommendations
To verify the fact of compromise, make sure that there is no styler code on the main page of the Exchange server. If a compromise is detected, you need to determine which accounts were stolen, and delete the file in which hackers stored this data. The path to this file can be found in logon. aspx. It is also important to use the latest version of Microsoft Exchange Server and install all necessary updates.
