New ‘SessionManager’ Backdoor Targeting Microsoft Exchange Servers Worldwide
Kaspersky security experts have discovered new malware targeting Microsoft Exchange servers belonging to several organizations worldwide.
Dubbed “SessionManager” and first spotted by the company in early 2022, the backdoor enables threat actors to keep “persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.”
According to Kaspersky, once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control over the victim’s infrastructure.
The researchers’ analysis suggests that the threat actors behind SessionManager first started operating in late March 2021.
Kaspersky said the malware would have hit 34 servers of 24 organizations across Africa, South Asia, Europe and the Middle East, with most of them still compromised to date.
“The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organizations, oil companies and transportation companies, among others, have been targeted as well.”
Kaspersky also warned that a distinctive feature of SessionManager is its poor detection rate by antivirus software.
“First discovered by Kaspersky researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services,” the company wrote in an advisory on Thursday.
“To date, SessionManager is still deployed in more than 90% of targeted organizations according to an Internet scan carried out by Kaspersky researchers.”
In terms of attribution, the security experts said they found similarities between SessionManager and ‘Owowa,’ a previously unknown Internet Information Services (IIS) module that stole credentials entered by users when logging into Outlook Web Access (OWA).
“It has become clear that deploying a backdoor within IIS is a trend for threat actors, who previously exploited one of the ‘ProxyLogon-type’ vulnerabilities within Microsoft Exchange servers,” Kaspersky wrote.
Because of these similarities and the shared use of the “OwlProxy” variant, Kaspersky concluded its advisory by assessing that the malicious IIS module might have been leveraged by the Gelsemium threat actor.
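One defensive check that follows from the IIS-module trend described above, added here as an illustration and not taken from Kaspersky’s advisory or the article: audit the `globalModules` section of an IIS applicationHost.config and flag any native module that is not in a known-good baseline or is loaded from outside the directories Microsoft’s own modules live in. The config excerpt, the baseline set and the suspicious `CacheHelperModule` entry are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed excerpt of an IIS applicationHost.config. The last entry is a
# made-up example of a native module loaded from outside the inetsrv directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestMonitorModule" image="%windir%\\System32\\inetsrv\\iisreqs.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" />
      <add name="CacheHelperModule" image="C:\\ProgramData\\helper\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Module names this host is expected to load. In practice, build this from a
# clean reference install of the same IIS version; this set is illustrative.
KNOWN_GOOD_MODULES = {
    "UriCacheModule", "StaticFileModule",
    "RequestMonitorModule", "ManagedEngineV4.0_64bit",
}

# Directories from which Microsoft-shipped native modules are normally loaded.
TRUSTED_DIRS = (r"%windir%\System32\inetsrv", r"%windir%\Microsoft.NET")


def audit_global_modules(config_xml, baseline=KNOWN_GOOD_MODULES):
    """Return (name, image, reasons) for each globalModules entry that is not in
    the baseline or whose image path lies outside the trusted directories."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons = []
            if name not in baseline:
                reasons.append("module name not in baseline")
            path = PureWindowsPath(image)  # case-insensitive Windows path semantics
            if not any(PureWindowsPath(d) in path.parents for d in TRUSTED_DIRS):
                reasons.append("image loaded from outside trusted directories")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"SUSPICIOUS {name}: {image} ({'; '.join(reasons)})")
```

A module that passes both checks can still be malicious if it replaced a legitimate DLL in place, so pair this with file-hash or signature verification of each image.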