Malware that provides a backdoor into Microsoft Exchange Servers has been used in attacks on government servers and military organisations in Europe, the Middle East, Asia and Africa. The malware is difficult to track, which makes removing it a problem, security researchers say.

The malware, dubbed SessionManager, is a malicious code module for Microsoft’s Internet Information Services (IIS) web server software, which forms part of Exchange systems.

Session manager affects Microsoft Outlook Exchange servers. (Photo Illustration by Jakub Porzycki/NurPhoto via Getty Images)

What is the Microsoft Exchange SessionManager malware?

Once deployed on a Microsoft Exchange server, SessionManager enables a wide range of malicious activities such as gaining access to emails, taking control of secondary systems and deploying more malware, says a report from security company Kaspersky. The backdoor will allow for “persistent, update-resistant and stealth access” to the IT infrastructure of an IT organisation, it adds. 

Session Manager appears to be difficult to detect. According to a scan carried out by Kaspersky researchers, the malware is still present in the systems of 90% of companies which were alerted to its presence when Session Manager was first discovered earlier this year.

The criminals who use the malware have shown a particular interest in NGOs and government entities and have compromised 34 servers of 24 organisations from Europe, the Middle East, South Asia and Africa overall, Kaspersky says.

Microsoft Exchange server vulnerabilities are a big target for criminals

Exchange server vulnerabilities are an increasingly popular target for hackers. Tech Monitor has reported on vulnerabilities including the Hafnium breach which affected thousands of email servers last year. Problems with Exchange accounted for three of the top ten most exploited security vulnerabilities of 2021, according to the Five Eyes security alliance. Exchange was the only system to feature in the top ten more than once.

Close monitoring of servers is the only way to stay ahead of cybercriminals, Kaspersky says. “In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” said Pierre Delcher, senior security researcher at Kaspersky global research and analysis team.

Indeed, Delcher notes that the volume of such attacks means removing the malware from networks is going to be a long task. “Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences,” he said. “As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.”

It is thought the malware is being deployed by Gelsemium, a hacking gang which has been active since 2014 and has mostly targeted organisations in Asia and the Middle East.

The Kaspersky Team recommends regularly checking loaded ISS modules on exposed ISS servers and focusing on detecting lateral movements and data exfiltration within the system, paying particular attention to outgoing traffic. 

“Threat intelligence is the only component that can enable reliable and timely anticipation of such threats,” agrees Delcher. “Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations.”

Read more: Microsoft patches Follina Office 365 vulnerability