An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East.

Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021.

“This keylogger was collecting account credentials into a file accessible via a special path from the internet,” the company said in a report published last week.

Countries targeted by the intrusion set include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The attack chains commence with the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that were originally patched by Microsoft in May 2021.

Successful exploitation of the vulnerabilities could allow an attacker to bypass authentication, elevate their privileges, and carry out unauthenticated, remote code execution. The exploitation chain was discovered and published by Orange Tsai from the DEVCORE Research Team.

The ProxyShell exploitation is followed by the threat actors adding the keylogger to the server main page (“logon.aspx”), in addition to injecting code responsible for capturing the credentials to a file accessible from the internet upon clicking the sign in button.

Positive Technologies said it cannot attribute the attacks to a known threat actor or group at this stage without additional information.

Besides updating their Microsoft Exchange Server instances to the latest version, organizations are urged to look for potential signs of compromise in the Exchange Server’s main page, including the clkLgn() function where the keylogger is inserted.

“If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers,” the company said. “You can find the path to this file in the logon.aspx file.”