Exchange Servers Backdoored Globally by SessionManager

Malicious IIS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.


Attackers who once focused on exploiting ProxyLogon vulnerabilities in Microsoft Exchange servers have pivoted to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure.

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (IIS) servers for Windows, such as Exchange servers.

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed IIS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year's vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already," Delcher warned.
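
One way to start the module hunt recommended above, as an added example that is not from Kaspersky or the original article: it inventories the modules registered globally in IIS and lists those whose file is missing or lacks a valid Authenticode signature. It assumes an elevated 64-bit PowerShell 5.1 session on the IIS or Exchange server with the WebAdministration module installed, and treats signature status only as a triage signal, not as a verdict.

```powershell
# Added example: inventory IIS global modules and surface review candidates.
Import-Module WebAdministration -ErrorAction Stop

$report = foreach ($m in Get-WebGlobalModule) {
    # Image paths in applicationHost.config use %windir%-style variables.
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Name       = $m.Name
        Image      = $path
        Exists     = [bool]$file
        SigStatus  = if ($sig) { "$($sig.Status)" } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        CreatedUtc = if ($file) { $file.CreationTimeUtc } else { $null }
        SHA256     = if ($file) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
    }
}

# Review candidates: registered module with no file on disk, or a file
# without a valid signature. Newest files first.
$report |
    Where-Object { -not $_.Exists -or $_.SigStatus -ne 'Valid' } |
    Sort-Object CreatedUtc -Descending |
    Format-Table Name, Image, SigStatus, Signer, CreatedUtc -AutoSize

# Keep the full inventory so the next run can be diffed against it.
# The output file name is a placeholder chosen for this example.
$report | Export-Csv -Path .\iis-global-modules.csv -NoTypeInformation
```

Comparing successive inventories shows newly registered modules, which a single signature check can miss.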

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
