A hot potato: If anyone needed more indication that Microsoft Exchange server security still resembles Swiss cheese, a threat actor known as Gelsemium has some. Security researchers at Kaspersky believe the group has been using covert malware called SessionManager for more than a year to attack the server infrastructure of public organizations around the world.
On Thursday, Kaspersky researchers published a disturbing report of a new, elusive backdoor targeting Exchange servers used by government and medical institutions, military organizations and NGOs in multiple countries. The malware, called SessionManager, was first spotted in early 2022.
At the time, some of the malware samples observed by analysts were not flagged by many popular online file scanning services. In addition, the SessionManager infection persists in more than 90 percent of targeted organizations.
The threat actors behind SessionManager have been using it for the past 15 months. Kaspersky suspects that a hacking group called Gelsemium is responsible for the attacks because the hacking patterns match the group’s methods. However, analysts cannot confirm that Gelsemium is the culprit.
The malware uses powerful malicious native code modules written for Microsoft’s Internet Information Services (IIS) web server software. Once installed, they respond to special HTTP requests to collect sensitive information. Attackers can also take full control of the servers, deploy additional hacking tools and use them for other malicious purposes.
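Because the backdoor is registered as an IIS native module, one defensive check is to inventory the modules IIS actually loads and flag anything that does not match a clean baseline. The script below is an added example written for this article; it is not code from TechSpot or Kaspersky and it does not reproduce anything specific to SessionManager. It parses the `<globalModules>` section of an IIS `applicationHost.config`, expands the `%windir%`-style variables IIS uses in image paths, and reports modules whose DLL sits outside the stock `inetsrv` directory or whose name is absent from a baseline. The sample configuration, the `ExampleModule` entry, the environment map and the baseline set are all constructed for the example; on a real server you would read `%windir%\System32\inetsrv\config\applicationHost.config` and build the baseline from a known-good install.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The first two entries mimic stock IIS modules; "ExampleModule" is a hypothetical
# entry of the kind an unexpected native module would add (not a real SessionManager IoC).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleModule" image="C:\Windows\Temp\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed environment map; on a live host use os.environ from the server itself.
ENV = {"windir": r"C:\Windows", "SystemRoot": r"C:\Windows"}

# Directory from which stock IIS native modules are loaded.
TRUSTED_DIRS = [r"C:\Windows\System32\inetsrv"]

# Constructed baseline of expected module names (take this from a clean reference server).
BASELINE = {"UriCacheModule", "StaticFileModule"}


def expand_env(path, env=ENV):
    """Expand %VAR% references the way IIS does when it resolves a module image path."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_global_modules(config_text):
    """Return [(name, expanded_image_path), ...] for every <add> under <globalModules>."""
    root = ET.fromstring(config_text)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name"), expand_env(add.get("image", ""))))
    return modules


def is_trusted_location(image, trusted_dirs=TRUSTED_DIRS):
    """True if the DLL lives in (or below) one of the trusted directories; case-insensitive."""
    parts = [p.lower() for p in PureWindowsPath(image).parent.parts]
    for d in trusted_dirs:
        dparts = [p.lower() for p in PureWindowsPath(d).parts]
        if parts[: len(dparts)] == dparts:
            return True
    return False


def find_unexpected_modules(config_text, baseline=BASELINE):
    """Flag modules that are outside the trusted directory or missing from the baseline."""
    findings = []
    for name, image in parse_global_modules(config_text):
        reasons = []
        if not is_trusted_location(image):
            reasons.append("image outside trusted IIS directory")
        if name not in baseline:
            reasons.append("module name not in baseline")
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, image, reason in find_unexpected_modules(SAMPLE_CONFIG):
        print(f"UNEXPECTED: {name} -> {image} ({reason})")
```

A module that passes both checks can still be malicious (a trusted path can be written to by an attacker with local admin rights), so this is a triage filter to narrow what gets hashed, signature-checked and compared against Kaspersky's published indicators, not a verdict on its own.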
Interestingly, the SessionManager installation process relies on exploiting a set of vulnerabilities collectively called ProxyLogon (CVE-2021-26855). Last year, Microsoft said more than 90 percent of Exchange servers had been patched or mitigated, but that still put many already compromised servers at risk.
The disinfection process is quite complicated, but Kaspersky's researchers have also shared a few tips to protect your organization from threats like SessionManager. You can also consult Securelist for more relevant information on how SessionManager operates and indicators of compromise.