Security Advisory - Microsoft Exchange servers worldwide backdoored with new malware
Updated: Dec 28, 2022
Attackers have broken into Microsoft Exchange servers run by military and government institutions in Europe, the Middle East, Asia, and Africa using a recently discovered malicious IIS module.
The malware, named SessionManager, is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software; Kaspersky researchers first identified it in early 2022.
It had been used in the wild without being detected since March 2021, when the large wave of ProxyLogon attacks began.
"The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization," Kaspersky revealed on Thursday.
"Once dropped into the victim's system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure."
SessionManager's capabilities include, among others:
dropping and managing arbitrary files on compromised servers
remote command execution on backdoored devices
connecting to endpoints within the victim's local network and manipulating the network traffic
While still investigating the attacks, Kaspersky found in late April 2022 that most of the malware samples it had identified earlier were still deployed on 34 servers belonging to 24 organizations, and some were still running as late as June 2022.
Furthermore, "a popular online file scanning service" had still not flagged the samples as malicious months after the first discovery.
Once installed, the malicious IIS module runs inside the IIS worker process (w3wp.exe), which lets its operators harvest credentials from system memory, collect information from the victims' networks and infected devices, and deliver additional payloads (such as a PowerSploit-based Mimikatz reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool).
"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021. The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild," added Pierre Delcher, a Senior Security Researcher at Kaspersky's GReAT.
"In the case of Exchange servers, we cannot stress it enough: the past year's vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already."
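One concrete way to audit an Exchange server for a hidden native IIS module is to inspect the server's applicationHost.config, where every native module IIS loads is registered under globalModules with the DLL path it loads from. The script below is an added example, not code from Kaspersky or from this page: it parses a constructed applicationHost.config excerpt (the module names and the path C:\Windows\Temp\example.dll are made up for illustration), expands the %windir% style variables IIS uses, normalizes the path, and flags any module whose image lives outside the directories a stock IIS and Exchange install loads modules from. The allowlist is an assumption to be replaced with a baseline taken from a known-good server.

```python
"""Flag native IIS modules registered in applicationHost.config whose DLL
lives outside the directories a stock IIS/Exchange install uses.

Added example for this advisory; not Kaspersky's tooling. Run it against
%windir%\\System32\\inetsrv\\config\\applicationHost.config copied from the
server (or from a forensic image) and review every finding by hand.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Assumed allowlist of directories native modules are normally loaded from.
# Build your own from a known-good Exchange server of the same version.
EXPECTED_DIR_PREFIXES = (
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net",
    r"c:\program files\microsoft\exchange server",
)

# Environment variables IIS commonly uses in module image paths; values are
# assumed defaults for a standard install.
ENV_MAP = {
    "windir": r"C:\Windows",
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
}

# Constructed sample config: two stock modules, one DLL dropped in a
# world-writable directory, and one that hides the same DLL behind "..".
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="ExampleModule" image="C:\\Windows\\Temp\\example.dll" />
      <add name="TraversalModule"
           image="%windir%\\System32\\inetsrv\\..\\..\\Temp\\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_env(path):
    """Replace %VAR% tokens using ENV_MAP; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV_MAP.get(m.group(1).lower(), m.group(0)),
                  path)


def normalize(path):
    """Expand variables, collapse '..' segments and lowercase for comparison."""
    return ntpath.normpath(expand_env(path)).lower()


def list_global_modules(config_xml):
    """Return (name, image) for every native module registered in globalModules."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name"), entry.get("image")))
    return modules


def find_suspicious_modules(config_xml):
    """Return modules whose (normalized) image path is outside the allowlist."""
    findings = []
    for name, image in list_global_modules(config_xml):
        if image is None:
            continue
        resolved = normalize(image)
        if not resolved.startswith(EXPECTED_DIR_PREFIXES):
            findings.append({
                "name": name,
                "image": image,
                "resolved": resolved,
                "reason": "native module loaded from outside expected directories",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"[!] {finding['name']}: {finding['image']} -> {finding['resolved']}")
```

A clean allowlist hit is not proof of innocence: an implant can be dropped into the inetsrv directory itself, so pair this check with Authenticode verification of every image path and with a comparison of the module list against a known-good server of the same Exchange build.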
Kaspersky found SessionManager while hunting for IIS backdoors similar to Owowa, a malicious IIS module that attackers have used since late 2020 to steal credentials from Microsoft Exchange Outlook Web Access servers.
Gelsemium APT Group Links
Kaspersky's researchers assess that the Gelsemium threat actor used the SessionManager IIS backdoor in these attacks as part of a worldwide espionage operation, based on overlapping victimology and the use of a variant of OwlProxy, an HTTP server-type backdoor.
This hacking group has been active since at least 2014, when G DATA's SecurityLabs found some of its malicious tools while investigating the "Operation TooHash" cyber-espionage campaign. Verint Systems presented new Gelsemium indicators of compromise at the HITCON conference in 2016.
Two years later, in 2018, VenusTech published malware samples connected to Operation TooHash and an unidentified APT group; Slovak security company ESET later identified those samples as early versions of Gelsemium malware.
In 2021, ESET also disclosed that its researchers had linked Gelsemium to Operation NightScout, a supply-chain attack that targeted gamers between September 2020 and January 2021 through the NoxPlayer Android emulator for Windows and macOS, which has more than 150 million users.
Beyond that, the Gelsemium APT group is best known for largely evading detection while targeting governments, electronics manufacturers, and universities in East Asia and the Middle East.