SessionManager malware provides backdoor into Microsoft Exchange servers

Malware targeting Microsoft Exchange servers is proving difficult to detect and can leave systems compromised long after the initial intrusion.

By Claudia Glover

Malware that provides a backdoor into Microsoft Exchange servers has been used in attacks on government and military organisations in Europe, the Middle East, Asia and Africa. The malware is difficult to detect, which makes removing it a problem, security researchers say.

The malware, dubbed SessionManager, is a malicious native-code module for Microsoft's Internet Information Services (IIS), the web server that Exchange relies on to serve Outlook Web Access and its other client-facing services. Because a native IIS module is loaded into the web server's own worker process, it can inspect and tamper with every HTTP request the Exchange server handles.

SessionManager affects Microsoft Exchange servers. (Photo Illustration by Jakub Porzycki/NurPhoto via Getty Images)

What is the Microsoft Exchange SessionManager malware?

Once deployed on a Microsoft Exchange server, SessionManager enables a wide range of malicious activities such as gaining access to emails, taking control of secondary systems and deploying more malware, says a report from security company Kaspersky. The backdoor allows "persistent, update-resistant and stealth access" to the IT infrastructure of a targeted organisation, it adds.

SessionManager appears to be difficult to detect. According to an internet scan carried out by Kaspersky researchers, the malware was still present on the systems of 90% of the organisations that were alerted to its presence after SessionManager was first identified earlier this year.

The attackers using the malware have shown a particular interest in NGOs and government entities, and have compromised 34 servers belonging to 24 organisations across Europe, the Middle East, South Asia and Africa, Kaspersky says.

Microsoft Exchange server vulnerabilities are a big target for attackers

Exchange server vulnerabilities are an increasingly popular target for hackers. Tech Monitor has reported on vulnerabilities including the Hafnium attacks on Exchange, which affected thousands of email servers last year. Problems with Exchange accounted for three of the top ten most exploited security vulnerabilities of 2021, according to a joint advisory from the cybersecurity agencies of the Five Eyes intelligence alliance. Exchange was the only product to feature in the top ten more than once.

Close monitoring of servers is the only way to stay ahead of attackers, Kaspersky says. "In the case of Exchange servers, we cannot stress it enough: the past year's vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already," said Pierre Delcher, senior security researcher in Kaspersky's Global Research and Analysis Team.

Indeed, Delcher notes that the volume of such attacks means removing the malware from networks is going to be a long task. “Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences,” he said. “As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.”

It is thought the malware is being deployed by Gelsemium, a threat actor that has been active since 2014 and has mostly targeted organisations in Asia and the Middle East.

Kaspersky recommends regularly checking the modules loaded by internet-exposed IIS servers, and focusing detection efforts on lateral movement and data exfiltration within the network, paying particular attention to outgoing traffic.
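The check Kaspersky recommends, enumerating the native modules IIS is configured to load and flagging the ones that do not look like they belong, can be scripted. The following PowerShell is an added example written for this article; it is not code from Tech Monitor, Kaspersky or Microsoft. It uses the WebAdministration module that ships with the IIS role, so it runs in an elevated session on the Exchange host itself. The trusted directory roots and the default Exchange installation path are assumptions; adjust them to match the server being audited.

```powershell
# Added example (not from the article, Kaspersky or Microsoft): list the native IIS
# modules registered in applicationHost.config and flag any whose DLL is missing,
# lives outside the directories where IIS and Exchange normally keep their modules,
# or is not carrying a valid Microsoft Authenticode signature.
# Run in an elevated PowerShell session on the IIS/Exchange server.
Import-Module WebAdministration

# Assumption: legitimate native modules live under these roots. Change $exchangeRoot
# if Exchange was installed somewhere other than the default location.
$inetsrv      = Join-Path $env:windir 'System32\inetsrv'
$exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'
$trustedRoots = @($inetsrv, $exchangeRoot, (Join-Path $env:windir 'Microsoft.NET'))

function Expand-ModulePath([string]$image) {
    # applicationHost.config stores images as e.g. %windir%\System32\inetsrv\cachuri.dll
    [Environment]::ExpandEnvironmentVariables($image)
}

function Test-TrustedRoot([string]$path) {
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($m in Get-WebGlobalModule) {
    $path   = Expand-ModulePath $m.Image
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    # A valid signature chained to a Microsoft publisher certificate is the normal case
    # for every module IIS and Exchange install themselves.
    $microsoftSigned = $exists -and
                       $sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*Microsoft*'

    [pscustomobject]@{
        Module          = $m.Name
        Path            = $path
        PreCondition    = $m.PreCondition
        Exists          = $exists
        InTrustedRoot   = (Test-TrustedRoot $path)
        MicrosoftSigned = $microsoftSigned
        Sha256          = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
        Suspicious      = (-not $exists) -or (-not (Test-TrustedRoot $path)) -or (-not $microsoftSigned)
    }
}

# Full inventory first (keep it as a baseline to diff against on the next run),
# then the entries that deserve a closer look.
$findings | Format-Table Module, Exists, InTrustedRoot, MicrosoftSigned, Path -AutoSize
$findings | Where-Object Suspicious | Format-List
```

A hit here is a lead, not a verdict: legitimately installed third-party modules (load-balancer agents, endpoint security hooks) will also fail the Microsoft-signature test, so review the flagged DLLs by hash and publisher before removing anything. Keep the baseline output from a clean run and diff it on each audit, since a newly appearing module is far more telling than a long-standing one. Note also that `Get-WebGlobalModule` only reads the server-level configuration; a module registered at site or application level, or a managed (.NET) module, would need the site-level `<modules>` sections and the `web.config` files of each application to be checked as well.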

“Threat intelligence is the only component that can enable reliable and timely anticipation of such threats,” agrees Delcher. “Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations.”
