
Hackers Target Over 70 Microsoft Exchange Servers Using Keyloggers

A Microsoft Exchange keylogger attack has been discovered targeting over 70 public servers worldwide. The attackers steal user credentials by injecting malicious keyloggers into Microsoft Exchange login pages.

Cybersecurity researchers have identified a major credential-theft campaign in which attackers target publicly exposed Microsoft Exchange servers and inject malicious keylogger code into their login pages.

Credential Theft via Keyloggers

According to a recent analysis by Positive Technologies, attackers are using two types of JavaScript-based keyloggers injected into Outlook login pages:

  • Keyloggers that save stolen credentials locally on the server.

  • Keyloggers that immediately send credentials to an external server.

This campaign has compromised over 70 Microsoft Exchange servers across 26 countries, affecting government agencies, banks, IT companies, and educational institutions.

Exploited Vulnerabilities

The attackers are exploiting known vulnerabilities that remain unpatched on the targeted servers, such as:

  • ProxyLogon Vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

  • ProxyShell Vulnerabilities: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523

  • Older Flaws: CVE-2014-4078 (IIS Security Bypass), CVE-2020-0796 (SMBv3 RCE), CVE-2021-31206 (Exchange RCE)

Advanced Attack Methods

  • The malicious JavaScript reads the submitted login data and silently sends it to an attacker-controlled server.

  • Some variants store the stolen data locally in files on the server that the attackers can retrieve later.

  • Other variants exfiltrate credentials without detection via Telegram bots, or via DNS tunneling combined with HTTPS POST requests.

Targeted Organizations

The key targets include:

  • Government institutions

  • IT and logistics companies

  • Industrial sectors

Top Targeted Countries:

  • Vietnam

  • Russia

  • Taiwan

  • China

  • Pakistan

  • Lebanon

  • Australia

  • Zambia

  • The Netherlands

  • Turkey

Why This Attack is Dangerous

By embedding malicious code directly in the Exchange login page, attackers can stay invisible to traditional security tools while capturing user credentials in plaintext over a long period.

“A large number of Microsoft Exchange servers accessible from the Internet remain vulnerable to older vulnerabilities,” researchers warned.

CCIE Academy Security Tips:

  • Patch Exchange Servers: Always update to the latest security fixes.

  • Monitor Login Pages: Regularly scan for unauthorized code changes.

  • Review Server Logs: Watch for unusual traffic patterns, especially DNS and HTTPS POST activity.

  • Limit Exposure: Avoid exposing Exchange servers directly to the internet wherever possible.
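One way to act on the "Monitor Login Pages" tip is a baseline integrity check: hash the known-good logon page and flag any <script> element that appears in the live page but not in the baseline. This is an added example, not code from the article or from Positive Technologies; the two sample pages are constructed stand-ins, not real OWA markup, and the helper names are hypothetical.

```python
"""Integrity check for an Exchange/OWA logon page: compares the live page
with a known-good baseline and lists any <script> elements that were not
present in the baseline. Hypothetical helper; sample pages are constructed."""
import hashlib
import re

# Matches both inline scripts and external <script src=...> references.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw page bytes, used as the file-level baseline."""
    return hashlib.sha256(data).hexdigest()


def extract_scripts(html: str) -> list:
    """Return every <script ...>...</script> element, whitespace-normalised
    so that reformatting alone does not produce false positives."""
    return [" ".join(m.split()) for m in SCRIPT_RE.findall(html)]


def check_page(baseline_html: str, current_html: str) -> dict:
    """Compare the current logon page with the baseline.
    Reports whether the page changed at all and which script elements
    are new; a new element on a logon page is the signal worth alerting on."""
    baseline_hash = sha256_hex(baseline_html.encode())
    current_hash = sha256_hex(current_html.encode())
    known = set(extract_scripts(baseline_html))
    new_scripts = [s for s in extract_scripts(current_html) if s not in known]
    return {
        "modified": baseline_hash != current_hash,
        "baseline_sha256": baseline_hash,
        "current_sha256": current_hash,
        "new_scripts": new_scripts,
    }


# Constructed sample pages (not real OWA markup).
BASELINE_PAGE = """<html><head><script src="/owa/auth/logon.js"></script></head>
<body><form method="post" action="/owa/auth.owa">
<input name="username"><input name="password" type="password"></form>
</body></html>"""

# Same page with one extra inline block appended, as a tampered page would look.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    "<script>/* constructed placeholder for an unauthorized block */</script>\n</body>",
)

if __name__ == "__main__":
    result = check_page(BASELINE_PAGE, TAMPERED_PAGE)
    print("page modified:", result["modified"])
    for script in result["new_scripts"]:
        print("unexpected script element:", script)
```

In production the baseline hash and script list would be recorded right after patching and the check run on a schedule against the files in the OWA auth directory, with any new element raised as an alert rather than printed.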

