Keylogging malware is a particularly dangerous as it is often designed to steal login passwords or other sensitive information from victims. When you add a compromised Exchange server to the mix, it makes things significantly worse for any organisation.
Positive Technologies researchers recently published a new report on a keylogger-based campaign that targets organisations worldwide. The effort, which is identical to an attack uncovered in 2024, targets compromised Microsoft Exchange Server installations belonging to 65 victims in 26 nations.
The attackers infiltrated Exchange servers by exploiting well-known security flaws or using completely novel techniques. After getting access, the hackers installed JavaScript keyloggers to intercept login credentials from the organization's Outlook on the Web page.
OWA is the web version of Microsoft Outlook and is integrated into both the Exchange Server platform and the Exchange Online service within Microsoft 365. According to the report, the JavaScript keyloggers gave the attackers persistence on the compromised servers and went unnoticed for months.
The researchers uncovered various keyloggers and classified them into two types: those meant to save captured inputs to a file on a local server that could be accessed from the internet later, and those that transferred stolen credentials across the global network using DNS tunnels or Telegram bots. The files containing the logged data were properly labelled to help attackers identify the compromised organisation.
PT researchers explained that most of the affected Exchange systems were owned by government agencies. A number of other victims worked in industries like logistics, industry, and IT. The majority of infections were found in Taiwan, Vietnam, and Russia; nine infected companies were found in Russia alone.
The researchers emphasised that a huge number of Exchange servers remain vulnerable to well-known security issues. The PT experts encouraged companies to regard security flaws as major issues and implement adequate vulnerability management strategies.
Furthermore, organisations that use the Microsoft platform should implement up-to-date web applications and security measures to detect malicious network activities. It is also a good idea to analyse user authentication files on a regular basis for potentially malicious code.
