Positive Technologies detects a series of attacks via Microsoft Exchange Server


While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers.

This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 victims, most of whom were linked to government agencies across various countries. According to the researchers’ data, the first compromise occurred in 2021. Without additional data, they were not able to attribute these attacks to a specific group; however, most victims are located in Africa and the Middle East.

Read more…
Source: Positive Technologies


Sign up for our Newsletter


Related:

  • Kremlin critics targeted with spyware inside European Union

    June 5, 2024

    At least seven critics of the Kremlin, including journalists were targeted inside the European Union (EU) by a state using Pegasus, a report by digital civil rights NGO Access Now said on Thursday (May 30). In its report, Access Now said on Thursday an investigation by the NGO revealed that the use of Pegasus (a hacking ...

  • Sapphire Werewolf polishes Amethyst stealer to attack over 300 companies

    June 5, 2024

    Since March 2024, the BI.ZONE Threat Intelligence team has been tracking the cluster of activity dubbed Sapphire Werewolf. The threat actor targets Russia’s industries, such as education, manufacturing, IT, defense, and aerospace engineering. Over 300 attacks were carried out using Amethyst, an offshoot of the popular open‑source SapphireStealer. The attackers disguise the malware as an enforcement ...

  • Pakistani hackers target ‘Make in India’ defence programs

    May 28, 2024

    As per a report, three public sector defence equipment manufacturers as well as India’s security forces have been on the target of an espionage campaign run by a notorious Pakistani hacking group with suspected links to its military. Transparent Tribe, known as Advanced Persistent Threat (APT) 36 among cybersecurity professionals, has been targeting employees in defence ...

  • Spying, hacking and intimidation: Israel’s nine-year ‘war’ on the ICC exposed

    May 28, 2024

    When the chief prosecutor of the International criminal court (ICC) announced he was seeking arrest warrants against Israeli and Hamas leaders, he issued a cryptic warning: “I insist that all attempts to impede, intimidate or improperly influence the officials of this court must cease immediately.” Now, an investigation by the Guardian and the Israeli-based magazines +972 ...

  • Positive Technologies detects a series of attacks via Microsoft Exchange Server

    May 17, 2024

    While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers. This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 ...

  • Springtail: New Linux Backdoor Added to Toolkit

    May 16, 2024

    Symantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky) that is linked to malware used in a recent campaign against organizations in South Korea. The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign ...