
Microsoft Exchange servers worldwide backdoored with new malware
2022-06-30 16:59

Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa.

In late April 2022, while still investigating the attacks, Kaspersky found that most of the malware samples identified earlier were still deployed on 34 servers of 24 organizations.

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021. The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild," added Pierre Delcher, a Senior Security Researcher at Kaspersky's GReAT. "In the case of Exchange servers, we cannot stress it enough: the past year's vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already."

Kaspersky uncovered the SessionManager malware while continuing to hunt for IIS backdoors similar to Owowa, another malicious IIS module deployed by attackers on Microsoft Exchange Outlook Web Access servers since late 2020 to steal Exchange credentials.
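Because both Owowa and SessionManager were deployed as IIS modules, one practical audit step is to enumerate the native modules IIS has loaded and flag any whose DLL sits outside the directories where Microsoft's own modules live or that carries no valid signature. The script below is an added example written for this page, not code from the article or from Kaspersky; it assumes the WebAdministration PowerShell module is available on the IIS host, and the allow-list of directories it checks against is an assumption you should adjust to your own build.

```powershell
# Added defensive check (not from the article): list IIS native modules and flag
# any whose image is outside the expected directories or is not validly signed.
Import-Module WebAdministration

# Assumed allow-list: where legitimate IIS and Exchange module DLLs normally live.
# $env:ExchangeInstallPath is set by Exchange setup; it is skipped if absent.
$expectedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET'),
    $env:ExchangeInstallPath
) | Where-Object { $_ }

$findings = foreach ($m in Get-WebGlobalModule) {
    # Image paths are often stored with %windir%-style variables; expand them first
    $image  = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $image
    $signed = $false
    if ($exists) {
        # Authenticode status 'Valid' means the DLL is signed and the chain verifies
        $signed = (Get-AuthenticodeSignature -LiteralPath $image).Status -eq 'Valid'
    }
    $inExpected = [bool]($expectedRoots | Where-Object { $image -like "$_*" })

    [pscustomobject]@{
        Name     = $m.Name
        Image    = $image
        Exists   = $exists
        Signed   = $signed
        Expected = $inExpected
    }
}

# Anything outside the allow-list, unsigned, or pointing at a missing file
# deserves a manual look; everything else is printed for baseline comparison.
$suspicious = $findings | Where-Object { -not $_.Expected -or -not $_.Signed -or -not $_.Exists }
Write-Host "Loaded native modules: $($findings.Count); flagged: $($suspicious.Count)"
$suspicious | Format-Table Name, Image, Exists, Signed, Expected -AutoSize
```

Run it elevated on the Exchange server itself. A flagged entry is a lead, not a verdict: compare the list against a known-good build of the same Exchange version rather than trusting the allow-list alone, since a directory-based check says nothing about a module that was dropped into an expected path, and cover managed modules in the site and application web.config files separately.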

Based on similar victimology and the use of the OwlProxy malware variant, Kaspersky's security experts believe the SessionManager IIS backdoor was leveraged in these attacks by the Gelsemium threat actor as part of a worldwide espionage operation.

Two years later, in 2018, VenusTech unveiled malware samples linked to Operation TooHash and an unknown APT group, later tagged by Slovak internet security firm ESET as early Gelsemium malware versions.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-worldwide-backdoored-with-new-malware/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 707 786 4578 4624 3635 13623