July 5 — Newly discovered malware has been used to infiltrate Microsoft Exchange servers belonging to government and military organizations in Europe, the Middle East, Asia and Africa.
The malware, dubbed SessionManager, is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server, the platform that Exchange's web-facing components run on. It has been in use in the wild since at least March 2021.
Once loaded into IIS, the backdoor gives attackers persistent, update-resistant and fairly stealthy access to the IT infrastructure of a targeted organization.
After installation on a victim's system, cyber criminals can read corporate email, expand their foothold by deploying other malware, or clandestinely manage compromised servers. Documented capabilities include:
- Remote command execution on backdoored devices
- Dropping and managing arbitrary files on compromised servers
- Connecting to endpoints within a victim’s local network
- Manipulation of network traffic
In addition to the aforementioned capabilities, the malware can also collect information from victims’ networks, and harvest credentials from system memory.
By April 2022, while the investigation was still under way, the majority of the identified samples were still deployed on 34 servers belonging to 24 distinct organizations, and the malware was still running as of late June 2022. Popular online file scanning services had not flagged the samples at all.
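Because file scanners missed the samples, the practical check on an Exchange host is to audit what IIS is actually configured to load rather than to rely on a signature. The script below is an added example, not code from the article or from the researchers who analysed SessionManager: it parses the `<globalModules>` section of an IIS `applicationHost.config` and flags native modules whose DLL lives outside the directories where Microsoft and Exchange normally register them. The sample config, the module names and DLL paths in it, and the trusted-root allowlist are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of the <globalModules> section of an IIS applicationHost.config
# (normally %windir%\System32\inetsrv\config\applicationHost.config). Module names
# and DLL paths are illustrative; the last entry is a stand-in for a rogue native
# module and is not a path taken from any real incident.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="kerbauth" image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\kerbauth.dll" />
      <add name="SessionManager" image="C:\\Windows\\Temp\\sessionmanager.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory roots under which native IIS modules are expected on a typical Exchange host.
# This allowlist is an assumption of the example: tune it to the host being audited.
TRUSTED_ROOTS = (
    r"%windir%\System32\inetsrv",
    r"C:\Windows\System32\inetsrv",
    r"%windir%\Microsoft.NET",
    r"C:\Windows\Microsoft.NET",
    r"C:\Program Files\Microsoft\Exchange Server",
)


def _under_root(image, root):
    """True if the DLL path lies at or below the given directory (case-insensitive)."""
    img = PureWindowsPath(image.lower())
    base = PureWindowsPath(root.lower())
    return base == img or base in img.parents


def list_native_modules(config_xml):
    """Return (name, image) for every native module registered in <globalModules>.

    Managed modules are registered by .NET type elsewhere in the config; only entries
    with an image= attribute load a native DLL into the IIS worker process.
    """
    root = ET.fromstring(config_xml)
    found = []
    for gm in root.iter("globalModules"):
        for entry in gm.findall("add"):
            image = entry.get("image", "")
            if image:
                found.append((entry.get("name", ""), image))
    return found


def suspicious_native_modules(config_xml, trusted_roots=TRUSTED_ROOTS):
    """Native modules whose DLL lives outside every trusted root: candidates for review,
    not proof of compromise. Confirm by checking the DLL's signature, hash and timestamps."""
    return [
        (name, image)
        for name, image in list_native_modules(config_xml)
        if not any(_under_root(image, r) for r in trusted_roots)
    ]


if __name__ == "__main__":
    for name, image in suspicious_native_modules(SAMPLE_CONFIG):
        print(f"REVIEW: native module {name!r} loads from {image}")
```

On a live server, feed the real `applicationHost.config` to `suspicious_native_modules` instead of the constructed sample; `Get-WebGlobalModule` from the WebAdministration PowerShell module lists the same entries if you prefer to work interactively. A hit is a lead, not a verdict: Exchange legitimately registers its own native modules outside `inetsrv`, which is why the allowlist includes the Exchange install root, and an attacker could equally drop a DLL into a trusted directory, so pair this with signature and hash checks on every listed image.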
Researchers attribute the SessionManager IIS backdoor attacks to the hacking group known as Gelsemium, and assess that the campaign may be part of a worldwide espionage operation.
The Gelsemium Advanced Persistent Threat (APT) group is largely known for targeting governments, electronics manufacturers and universities from East Asia and the Middle East. It largely flies under the radar.
For more information about recent Microsoft Exchange hacks, see CyberTalk.org's past coverage.