
Global Credential Harvesting Campaign Hits Microsoft Exchange Servers

Attacks exploited ProxyShell and ProxyLogon vulnerabilities.

Internet-exposed Microsoft Exchange servers belonging to 65 organisations have been compromised with two different types of keyloggers enabling credential exfiltration.

According to a report from Positive Technologies, covered by The Hacker News, the attacks exploited the ProxyShell and ProxyLogon vulnerabilities and facilitated the injection of a keylogger that also pilfered user cookies and User-Agent strings.

Other keyloggers were found to have used a Telegram bot, as well as a DNS tunnel and HTTP POST request, for data exfiltration.

Most impacted by the intrusions were government organisations, while Vietnam, Russia, Taiwan, China, and Pakistan were the most targeted countries. "By embedding malicious code into legitimate authentication pages, attackers are able to stay undetected for long periods while capturing user credentials in plaintext," said researchers.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
