Hot potato: If anyone needed more indication that Microsoft Exchange server security still looks like Swiss cheese, the threat actor known as Gelsemium has provided it. Security researchers at Kaspersky Lab believe that the group has been using hidden malware called SessionManager to attack the server infrastructure of government organizations around the world for more than a year.


On Thursday, Kaspersky researchers published a disturbing report of a new, hard-to-find backdoor targeting Exchange servers used by government, medical, military, and non-governmental organizations in many countries. The malware, dubbed SessionManager, was first detected in early 2022.


At the time, some of the malware samples found by analysts were not flagged by many popular online file scanning services. In addition, the SessionManager infection persists in more than 90 percent of targeted organizations.


Map of organizations targeted by the SessionManager campaign

The attackers behind SessionManager have been using it for the past 15 months. Kaspersky Lab suspects that a hacker group called Gelsemium is behind the attacks, as the hacking schemes match the group's MO. However, analysts cannot confirm that Gelsemium is the culprit.

SessionManager is built from custom malicious modules written for Microsoft's Internet Information Services (IIS) web server. Once installed, the modules respond to specially crafted HTTP requests to collect sensitive information. Attackers can also use them to take full control of the server, deploy additional hacking tools, and abuse the machine for other malicious purposes.
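Because SessionManager runs as a native IIS module, one cheap defensive check is to inventory the modules IIS actually loads and flag any whose DLL lives outside the stock IIS and .NET directories. The script below is an added example, not code from the article or from Kaspersky's report: it parses the `<globalModules>` section of an IIS `applicationHost.config` (normally found under `%windir%\System32\inetsrv\config\`) and reports modules stored in unexpected locations. The trusted directory list and the sample configuration are assumptions constructed for the example; `ExampleHelperModule` and its path are made up.

```python
"""Audit native IIS modules listed in applicationHost.config.

Added example (not from the article or Kaspersky): backdoors of the
SessionManager kind are registered as native IIS modules, so listing the
<globalModules> entries and checking where each DLL lives is a first-pass
detection step. Pair it with hash or signature checks of the DLLs themselves,
since an attacker can also drop a DLL into a trusted directory.
"""
import xml.etree.ElementTree as ET

# Directories where stock IIS / ASP.NET native modules normally live.
# Assumption: a default install on C:\Windows; adjust to your own baseline.
TRUSTED_PREFIXES = (
    r"c:\windows\system32\inetsrv",
    r"c:\windows\syswow64\inetsrv",
    r"c:\windows\microsoft.net",
)

# Constructed sample of the relevant part of an applicationHost.config.
# The first three entries mirror stock IIS modules; the last one is invented
# to represent an unexpected third-party module.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="ExampleHelperModule" image="C:\\inetpub\\temp\\example_helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand(image: str, windir: str = r"C:\Windows") -> str:
    """Expand the %windir% / %SystemRoot% variables the way IIS does and
    lower-case the result so prefix comparison is case-insensitive."""
    return (image.replace("%windir%", windir)
                 .replace("%SystemRoot%", windir)
                 .lower())


def suspicious_modules(config_xml: str) -> list[dict]:
    """Return the <globalModules> entries whose DLL is outside TRUSTED_PREFIXES."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() by tag avoids path parsing on the dotted <system.webServer> name.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            path = expand(image)
            if not any(path.startswith(prefix) for prefix in TRUSTED_PREFIXES):
                findings.append({
                    "name": name,
                    "image": image,
                    "reason": "module DLL outside trusted IIS directories",
                })
    return findings


def main() -> None:
    # On a real server read the file instead of the embedded sample, e.g.
    # open(r"C:\Windows\System32\inetsrv\config\applicationHost.config").read()
    for finding in suspicious_modules(SAMPLE_CONFIG):
        print(f"[!] {finding['name']}: {finding['image']} ({finding['reason']})")


if __name__ == "__main__":
    main()
```

Run it against the sample and only the invented `ExampleHelperModule` entry is reported; the three stock modules resolve under `C:\Windows` and pass. A hit is a lead, not a verdict: legitimate third-party modules (URL rewriters, application firewalls) also live outside `inetsrv`, so compare findings against your change records before acting.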

Notably, SessionManager's installation relies on the set of vulnerabilities collectively known as ProxyLogon (CVE-2021-26855). Microsoft said last year that over 90 percent of Exchange servers had been patched or mitigated, but that still leaves many already compromised servers at risk, because patching closes the entry point without removing a backdoor that is already in place.

Cleanup is fairly involved, but Kaspersky Lab researchers offered some tips on protecting your organization from threats like SessionManager. Securelist also has more detailed and up-to-date information on how SessionManager works and on its indicators of compromise.