Attacks leveraging Microsoft Exchange Server vulnerabilities to facilitate keylogger malware deployment have been launched against more than 30 government, financial, education, and IT organizations in Africa and the Middle East since 2021, reports The Hacker News.
Initial exploitation of the ProxyShell bugs, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, gave the attackers authentication bypass, privilege escalation, and remote code execution. They then installed a keylogger on the Exchange Server's main page, which captured account credentials and wrote them to an internet-exposed file, according to a report from Positive Technologies; the company has not yet attributed the campaign to a specific operation because of insufficient information.
Organizations are advised not only to update their Exchange Server instances but also to examine the Exchange Server's main page for signs of compromise.
"If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers. You can find the path to this file in the logon.aspx file," said researchers.
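The integrity check the researchers recommend can be scripted. The following is an added example, not code from the article or from Positive Technologies: it treats the logon page (logon.aspx) as a text file, compares its SHA-256 against a baseline hash recorded from a known-good copy, and flags any inline script block that references the username or password input fields. The two page fragments embedded below are constructed for the example and are not real Exchange files; the field names and the baseline-hash workflow are assumptions.

```python
"""Integrity check for an Exchange OWA logon page (logon.aspx).

Two defensive checks (added example, not Exchange or vendor code):
  1. Compare the page's SHA-256 against a baseline recorded from a known-good,
     freshly patched copy; any drift warrants a manual review.
  2. Flag inline <script> blocks that reference the credential input fields,
     which a legitimate logon page should not need.
"""
import hashlib
import re

# Constructed stand-in for a clean logon.aspx: a form with the two credential fields.
CLEAN_LOGON = """<html><body>
<form name="logonForm" action="/owa/auth.owa" method="post">
  <input id="username" name="username" type="text">
  <input id="password" name="password" type="password">
  <input type="submit" value="sign in">
</form>
<script src="/owa/auth/logon.js"></script>
</body></html>
"""

# Constructed tampered copy: an inline script hooked onto the form that reads the
# credential fields on submit (placeholder body, no real payload).
TAMPERED_LOGON = CLEAN_LOGON.replace(
    "</body>",
    '<script>document.logonForm.onsubmit=function(){'
    'var u=document.getElementById("username").value;'
    'var p=document.getElementById("password").value;/* ... */};</script></body>',
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# References to the credential inputs from inline JavaScript (assumed field names).
CRED_FIELD_RE = re.compile(
    r"""(getElementById|getElementsByName)\s*\(\s*['"](username|password)['"]\s*\)"""
    r"""|\.(username|password)\.value""",
    re.IGNORECASE,
)


def sha256_hex(text: str) -> str:
    """SHA-256 of the page text; record this once from a known-good copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inline_scripts(html: str) -> list[str]:
    """Bodies of <script> blocks that have no src= attribute, i.e. inline code."""
    return [body for attrs, body in SCRIPT_RE.findall(html) if "src=" not in attrs.lower()]


def suspicious_scripts(html: str) -> list[str]:
    """Inline scripts that touch the username or password fields."""
    return [s for s in inline_scripts(html) if CRED_FIELD_RE.search(s)]


def audit_logon_page(html: str, baseline_sha256: str) -> dict:
    """Run both checks; 'clean' is True only if the hash matches and no inline
    script references the credential fields."""
    hash_mismatch = sha256_hex(html) != baseline_sha256
    findings = suspicious_scripts(html)
    return {
        "hash_mismatch": hash_mismatch,
        "suspicious_inline_scripts": findings,
        "clean": not hash_mismatch and not findings,
    }


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_LOGON)  # in practice, stored from a known-good copy
    for label, page in (("clean", CLEAN_LOGON), ("tampered", TAMPERED_LOGON)):
        result = audit_logon_page(page, baseline)
        print(
            f"{label}: {'ok' if result['clean'] else 'REVIEW'} "
            f"hash_mismatch={result['hash_mismatch']} "
            f"suspicious_inline_scripts={len(result['suspicious_inline_scripts'])}"
        )
```

On a real server, read the deployed logon.aspx into `audit_logon_page` and keep the baseline hash outside the server (it must be re-recorded after every legitimate Exchange update, since patches change the file). A hash mismatch alone is only a prompt for review; the inline-script check narrows down what changed.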