Researchers have found that hackers have been attacking Microsoft Exchange servers in government and military institutions with new malware, starting in 2021. Many networks have been infiltrated, according to current reports. This is due to the fact that many Exchange servers, despite being vulnerable in 2021, are not up-to-date and thus secured.
According to Kaspersky security researchers, this is the truth. The attackers are not well-known. They have been operating undetected for so many years. Kaspersky calls it SessionManager malware. This malicious module is part of the Internet Information Services (IIS), which are used for Exchange Server.
In a blog post, Kaspersky explains that the SessionManager backdoor gives attackers persistent, update-resistant and relatively unobtrusive entry to target companies’ IT infrastructure. Cybercriminals can access the victim’s email system to gain backdoor access, modify malicious access with other malware, or covertly manage compromised server that can be used for malicious infrastructure. We have mostly read about victims in Europe, Asia and Africa.
Once the malware has been installed, credentials as well as other information about the victims’ network are collected and sent to hackers. Since Q1 2021, cybercriminals have been targeting Exchange servers to exploit vulnerabilities. Pierre explains that the newly discovered SessionManager was only detected after a year, and is still being used by cybercriminals in the wild.” Kaspersky senior security researcher Delcher.
Connections to the Gelsemium hacking team
Kaspersky security researchers believe that Gelsemium launched the attacks due to similar victimology. This hacker group is active since at most 2014.