Kaspersky security researchers have identified new malware targeting the Microsoft Exchange servers used by enterprises worldwide. Most of the targeted servers are operated by military and governmental organisations in Asia, the Middle East, Africa, and Europe.
Government agencies and NGOs are of particular interest to the threat actor; however, a number of other entities have also been targeted, including healthcare organisations, energy companies, and transport organisations.
Recently, Kaspersky disclosed:
Threat actors may maintain permanent, update-resistant, and mostly covert access to the IT infrastructure of a targeted business thanks to the SessionManager backdoor. Once inserted on the victim's system, cybercriminals using the backdoor can read corporate emails and extend their malicious access by adding other kinds of malware.
Once deployed, SessionManager enables a variety of harmful actions, from email collection to complete control over the victim's infrastructure.
While still investigating the attacks in late April 2022, Kaspersky found that most of the previously identified samples were still deployed on servers belonging to 24 different organisations, and that a well-known online file-scanning service had still not classified them as malicious months after the first discovery.
The malicious IIS module for Microsoft Exchange servers enables its operators to collect information from the victim's network and infected devices, harvest credentials from system memory, and deploy further payloads. The researchers also noted similarities in attribution between SessionManager and Owowa, a previously unidentified Internet Information Services (IIS) module that stole the credentials users submitted to Outlook Web Access (OWA).
Since Q1 2021, exploiting Microsoft Exchange server vulnerabilities has been a favoured way for attackers to gain initial access to a target infrastructure. SessionManager went undetected for over a year and is still in use today.
Further written by Kaspersky:
We cannot highlight enough how vulnerable Exchange servers have become as a result of last year's security flaws, whatever the malicious intent behind the attacks. If they have not been already, they should be properly audited and checked for hidden implants.
Deployment of Malware
SessionManager is a malicious native-code module for Microsoft Exchange servers, loaded by IIS, and was first identified by Kaspersky researchers in early 2022. It has been used in the wild without being detected since the large wave of ProxyLogon attacks that began in March 2021. According to an Internet scan by Kaspersky researchers, more than 90% of the targeted organisations were still running SessionManager at the time of the report.
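As an added illustration of the audit Kaspersky recommends (example code written for this page, not Kaspersky's or Phishing Tackle's tooling), the PowerShell below enumerates the native IIS modules registered on an Exchange server, which is the layer a native-code module such as SessionManager is registered in, and flags any module whose image is unsigned, missing, or located outside the directories you trust. The trusted-directory list, the `Suspicious` heuristic, and the baseline file path are assumptions to adapt to your own server build.

```powershell
# Added example (not Kaspersky's or Phishing Tackle's code): audit the native
# IIS modules registered on an Exchange server, the layer SessionManager lives in.
# Run in an elevated PowerShell session on the Exchange/IIS host.
Import-Module WebAdministration

function Get-IISGlobalModuleReport {
    param(
        # Directories where legitimate native modules normally live. Assumption:
        # ExchangeInstallPath is set by Exchange setup; add any other path you trust.
        [string[]] $TrustedDirs = @(
            "$env:SystemRoot\System32\inetsrv",
            "$env:SystemRoot\Microsoft.NET",
            $env:ExchangeInstallPath
        ) | Where-Object { $_ }
    )

    # Global (native) modules are declared in applicationHost.config under
    # system.webServer/globalModules; this cmdlet reads that section.
    foreach ($m in Get-WebGlobalModule) {
        $image  = [Environment]::ExpandEnvironmentVariables($m.Image)
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }

        $inTrusted = $false
        foreach ($d in $TrustedDirs) {
            $prefix = $d.TrimEnd('\') + '\'
            if ($image.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }

        $sigStatus = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name         = $m.Name
            Image        = $image
            PreCondition = $m.PreCondition
            InTrustedDir = $inTrusted
            Signature    = $sigStatus
            Signer       = $signer
            # Heuristic (assumption): anything unsigned, missing on disk, or outside
            # the trusted directories deserves a manual look. On a stock server the
            # native modules are Microsoft-signed and live under inetsrv or the
            # Exchange install path.
            Suspicious   = (-not $inTrusted) -or ($sigStatus -ne 'Valid')
        }
    }
}

function Compare-IISModuleBaseline {
    # Diff the live module list against one exported from a known-good host with:
    #   Get-IISGlobalModuleReport | Select-Object Name, Image | ConvertTo-Json | Set-Content baseline.json
    param([Parameter(Mandatory)] [string] $BaselinePath)
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-IISGlobalModuleReport
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Image |
        Where-Object SideIndicator -eq '=>'   # registered now but absent from the baseline
}

# Usage: list every module, then only the ones worth investigating.
Get-IISGlobalModuleReport | Format-Table Name, Signature, InTrustedDir, Image -AutoSize
Get-IISGlobalModuleReport | Where-Object Suspicious
# Compare-IISModuleBaseline -BaselinePath 'C:\audit\baseline.json'   # hypothetical path
```

Two caveats for anyone running this. First, the script only covers the global native modules; per-site and per-application registrations under `system.webServer/modules` should be reviewed as well (for example with `Get-WebManagedModule` or `appcmd.exe list modules`), and the on-disk `applicationHost.config` is worth comparing against an offline known-good copy in case the management tooling itself has been tampered with. Second, a valid signature only tells you the file has not been altered since signing; check that the signer is actually Microsoft (or your own vendor) rather than an arbitrary certificate.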
Additional details (SessionManager)
Experts believe that SessionManager is the work of the Gelsemium hacker group and could be part of a global surveillance operation. The Gelsemium advanced persistent threat (APT) group mainly targets governments, electronics manufacturers, and universities in East Asia and the Middle East, and most of the time it remains hidden.
Some of the group's malicious tools were first discovered in 2014, when G DATA's SecurityLabs was investigating the "Operation TooHash" cyber-espionage campaign, and the group has remained active since. New Gelsemium indicators of compromise were presented by Verint Systems at the HITCON conference in 2016.
Last year, ESET also disclosed that its researchers had linked Operation NightScout to Gelsemium: a supply-chain attack carried out between September 2020 and January 2021 that compromised the update mechanism of the NoxPlayer Android emulator for Windows and macOS in an attempt to infect gamers' computers.