View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

SessionManager malware provides backdoor into Microsoft Exchange servers

Malware targeting Microsoft Exchange servers is proving difficult to detect and can leave systems compromised.

By Claudia Glover

Malware that provides a backdoor into Microsoft Exchange Servers has been used in attacks on government servers and military organisations in Europe, the Middle East, Asia and Africa. The malware is difficult to track, which makes removing it a problem, security researchers say.

The malware, dubbed SessionManager, is a malicious code module for Microsoft’s Internet Information Services (IIS) web server software, which forms part of Exchange systems.

Session manager affects Microsoft Outlook Exchange servers. (Photo Illustration by Jakub Porzycki/NurPhoto via Getty Images)

What is the Microsoft Exchange SessionManager malware?

Once deployed on a Microsoft Exchange server, SessionManager enables a wide range of malicious activities such as gaining access to emails, taking control of secondary systems and deploying more malware, says a report from security company Kaspersky. The backdoor will allow for “persistent, update-resistant and stealth access” to the IT infrastructure of an IT organisation, it adds. 

Session Manager appears to be difficult to detect. According to a scan carried out by Kaspersky researchers, the malware is still present in the systems of 90% of companies which were alerted to its presence when Session Manager was first discovered earlier this year.

The criminals who use the malware have shown a particular interest in NGOs and government entities and have compromised 34 servers of 24 organisations from Europe, the Middle East, South Asia and Africa overall, Kaspersky says.

Microsoft Exchange server vulnerabilities are a big target for criminals

Exchange server vulnerabilities are an increasingly popular target for hackers. Tech Monitor has reported on vulnerabilities including the Hafnium breach which affected thousands of email servers last year. Problems with Exchange accounted for three of the top ten most exploited security vulnerabilities of 2021, according to the Five Eyes security alliance. Exchange was the only system to feature in the top ten more than once.

Close monitoring of servers is the only way to stay ahead of cybercriminals, Kaspersky says. “In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” said Pierre Delcher, senior security researcher at Kaspersky global research and analysis team.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Indeed, Delcher notes that the volume of such attacks means removing the malware from networks is going to be a long task. “Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences,” he said. “As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.”

It is thought the malware is being deployed by Gelsemium, a hacking gang which has been active since 2014 and has mostly targeted organisations in Asia and the Middle East.

The Kaspersky Team recommends regularly checking loaded ISS modules on exposed ISS servers and focusing on detecting lateral movements and data exfiltration within the system, paying particular attention to outgoing traffic. 

“Threat intelligence is the only component that can enable reliable and timely anticipation of such threats,” agrees Delcher. “Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations.”

Read more: Microsoft patches Follina Office 365 vulnerability

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.