New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild (Security News, July 2022)
A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.
Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), the web server software for Windows systems, and is installed after one of the ProxyLogon flaws in Exchange servers has been exploited.
A total of 34 servers have been compromised by a SessionManager variant to date.
"Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure," Kaspersky researcher Pierre Delcher said.
ProxyLogon, since its disclosure in March 2021, has attracted the repeated attention of several threat actors, and the latest attack chain is no exception: the Gelsemium crew exploited the flaws to drop SessionManager, a backdoor coded in C++ and engineered to process HTTP requests sent to the server.
Said to be a "Lightweight persistent initial access backdoor," SessionManager comes with capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.
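Because a native IIS module is registered in the server's `applicationHost.config` (under `<system.webServer><globalModules>`), a straightforward defensive check is to inventory those entries and flag any module whose DLL does not live in the standard `inetsrv` directory or is absent from a known-good baseline. The script below is an added illustration of that check, not code from the article or from Kaspersky; the configuration excerpt is constructed, and the `ExampleModule` entry is a placeholder rather than a real SessionManager file name or path.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed excerpt of an IIS applicationHost.config. The last entry is a
# placeholder standing in for an unexpected third-party module; it is not a
# real SessionManager path or file name.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />
      <add name="ExampleModule" image="C:\inetpub\wwwroot\bin\example_placeholder.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory that ships Microsoft's own native IIS modules (compared case-insensitively).
TRUSTED_DIRS = ("c:\\windows\\system32\\inetsrv",)


def expand_image_path(image, windir="C:\\Windows"):
    """Expand the %windir% / %SystemRoot% variables IIS uses in module image paths.

    The default Windows directory is an assumption for offline use; on a live
    server it would come from the WINDIR environment variable.
    """
    for var in ("%windir%", "%SystemRoot%"):
        image = image.replace(var, windir)
    return ntpath.normpath(image)


def list_global_modules(config_xml, windir="C:\\Windows"):
    """Return every <globalModules><add> entry as {'name', 'image', 'path'}."""
    root = ET.fromstring(config_xml)
    modules = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = add.get("image", "")
            modules.append({
                "name": add.get("name", ""),
                "image": image,
                "path": expand_image_path(image, windir),
            })
    return modules


def find_untrusted_modules(config_xml, windir="C:\\Windows"):
    """Modules whose DLL lives outside the trusted inetsrv directory."""
    untrusted = []
    for mod in list_global_modules(config_xml, windir):
        lowered = mod["path"].lower()
        if not any(lowered.startswith(d + "\\") for d in TRUSTED_DIRS):
            untrusted.append(mod)
    return untrusted


def find_modules_not_in_baseline(config_xml, baseline_names, windir="C:\\Windows"):
    """Modules whose name is not in a previously recorded known-good baseline."""
    baseline = {n.lower() for n in baseline_names}
    return [m for m in list_global_modules(config_xml, windir)
            if m["name"].lower() not in baseline]


if __name__ == "__main__":
    for mod in find_untrusted_modules(SAMPLE_CONFIG):
        print(f"review: module {mod['name']!r} loads from {mod['path']}")
```

On a live server the same inventory can be pulled with `Get-WebGlobalModule` from the WebAdministration PowerShell module, or read directly from `%windir%\System32\inetsrv\config\applicationHost.config`; the path check is a triage aid and a legitimately installed third-party module will also trip it, so the baseline comparison (recorded from a clean build) is the more reliable signal, and any hit should be followed by checking the DLL's signature and creation time.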
Source: https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html