Microsoft Exchange servers worldwide backdoored with new malware

[itman 1,659]

Quote

Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa.

The malware, dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022, is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software.

It has been used in the wild without being detected since at least March 2021, right after the start of last year's massive wave of ProxyLogon attacks.

"The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization," Kaspersky revealed on Thursday.

"Once dropped into the victim's system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure."

SessionManager's capabilities include, among other features:

• dropping and managing arbitrary files on compromised servers
• remote command execution on backdoored devices
• connecting to endpoints within the victim's local network and manipulating the network traffic

In late April 2022, while still investigating the attacks, Kaspersky found that most of the malware samples identified earlier were still deployed on 34 servers of 24 organizations (still running as late as June 2022).

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-worldwide-backdoored-with-new-malware/