Severity
High
Analysis Summary
A cybersecurity firm uncovered a previously unknown keylogger on the main page of a customer's Microsoft Exchange Server. It has been stealing credentials since at least 2021 and has affected more than 30 victims.
The firm's Incident Response team found the unidentified keylogger on the customer's primary Microsoft Exchange Server page while responding to an incident. The keylogger was writing captured login credentials to a file that could be accessed from the internet via a unique path.
Most of the roughly thirty victims identified by the team were connected to government organizations in various countries. The data indicates that the first compromise occurred in 2021. Without more information it is impossible to attribute these attacks to a particular group; however, most of the victims are located in Africa and the Middle East.
The attackers exploited ProxyShell, a known Microsoft Exchange Server vulnerability, to plant the stealer. The keylogger code was placed on the server's home page. In addition, the threat actors added code to the logon.aspx page that processes the stealer's output and writes the captured account credentials to a file reachable from the internet. Through this code execution the attackers obtained the users' credentials.
There are already over thirty known victims, most of whom are government institutions from different nations. Banks, IT firms, and educational establishments are also on the list of victims. These attacks are targeting Russia, the United Arab Emirates, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon. The firm says that the breach has been communicated to all victims.
Administrators can check for a compromise by inspecting the home page of their Microsoft Exchange server for the stealer code. If a server has been compromised, locate the file in which the stolen account information was stored and remove it; the path to this file is contained in the modified logon.aspx. Verify that the server is running the most recent version of Microsoft Exchange Server, or install any updates that are still pending.
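A triage script for the check described above, added here as an example and not part of the advisory or of any vendor tooling. It assumes the standard OWA auth directory under the ExchangeInstallPath environment variable, and the search patterns are generic heuristics for injected server-side code, not a signature of this particular keylogger; every hit needs manual review.

```powershell
# Added example (not from the advisory): flag OWA auth pages that contain
# server-side code touching the file system or posted form fields, or that
# are newer than the installed Exchange binaries. Run elevated on the server.

$authDir = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
if (-not (Test-Path $authDir)) { throw "OWA auth directory not found: $authDir" }

# Assumed heuristics: constructs a stock logon page should not need.
$patterns = @(
    'System\.IO\.',            # file-system access from the page
    'StreamWriter',            # writing a file
    'File\.(Append|Write)',    # writing a file
    'Request\.Form\[',         # reading posted credential fields server-side
    'Server\.MapPath',         # resolving a web-reachable path for that file
    'Response\.Redirect'       # additional redirection logic
)

# Reference time: the newest Exchange assembly. Auth pages modified after the
# last Exchange update are unexpected and worth a closer look.
$refTime = (Get-ChildItem (Join-Path $env:ExchangeInstallPath 'Bin') -Filter '*.dll' |
            Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 1).LastWriteTimeUtc

Get-ChildItem $authDir -Recurse -Include '*.aspx', '*.ashx', '*.asmx' | ForEach-Object {
    $file  = $_
    $hits  = Select-String -Path $file.FullName -Pattern $patterns -AllMatches
    $newer = $file.LastWriteTimeUtc -gt $refTime
    if ($hits -or $newer) {
        # Report only; preserve the file and any referenced drop file as evidence
        # before removing them, so the incident can be scoped.
        [pscustomobject]@{
            File         = $file.FullName
            SHA256       = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
            ModifiedUtc  = $file.LastWriteTimeUtc
            NewerThanBin = $newer
            Matches      = ($hits | ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" }) -join "`n"
        }
    }
}
```

Any matched line that references a file path points at the location where captured credentials may have been written; that file should be preserved for the investigation and then removed, as the advisory recommends.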
Impact
- Credential Theft
- Unauthorized Access
- Code Execution
Remediation
- Prioritize updating and patching Microsoft Exchange servers to the latest supported versions.
- Apply security updates and patches released by Microsoft to address vulnerabilities, especially critical ones.
- Implement available mitigations for known vulnerabilities, even if a full update is not immediately possible.
- Follow Microsoft's guidance on mitigating specific vulnerabilities to reduce the risk of exploitation.
- Conduct a thorough risk assessment to identify and prioritize vulnerable systems within the organization.
- Evaluate the severity of the vulnerabilities and potential impact on business operations.
- Conduct regular security audits to identify and address any weaknesses or outdated systems within the network.
- Implement network segmentation to isolate critical systems, including Exchange servers, from the public internet to reduce exposure to potential threats.
- For servers that have reached end-of-life, consider upgrading to a supported version that receives security updates.
- Provide training and awareness programs for users and IT staff to recognize and report potential security threats.
- Emphasize the importance of staying vigilant against social engineering tactics.