
Hackers have been attacking Microsoft Exchange servers since 2021

Security researchers have discovered that unknown attackers have been targeting Microsoft Exchange servers at government and military institutions with new malware since early 2021. Many of the affected networks are believed to have been infiltrated without anyone noticing. The main reason is that, despite the Exchange vulnerabilities that became public in 2021, many Exchange servers have still not been patched and therefore remain exposed.

This is according to a report by Kaspersky security researchers. Not much is known about the attackers, probably largely because they have been able to operate undetected for so long. They use malware that Kaspersky has named SessionManager: a malicious native-code module for Internet Information Services (IIS), the Microsoft web server that Exchange relies on for Outlook Web Access and related services. Because such a module is loaded by IIS itself, it runs inside the web server process, survives reboots, and is not removed by Exchange updates.
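A malicious native IIS module has to be registered with IIS to be loaded, so one cheap triage step is to list the native modules registered on the server and check where each one lives and who signed it. The PowerShell below is an added example, not code from the article or from Kaspersky: it parses applicationHost.config directly (no IIS PowerShell module needed) and flags modules that are missing, unsigned, not signed by Microsoft, or stored outside the stock IIS and .NET directories. The default paths and the "Microsoft" signer check are assumptions about a standard install, not indicators taken from the report.

```powershell
# Added example (not from the article or Kaspersky): enumerate the native IIS
# modules registered in applicationHost.config and flag any that do not look
# like stock Microsoft components. Run as Administrator on the IIS/Exchange host.
# Paths and signer names are assumptions about a default install.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $configPath -Raw

$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'
$dotnetDir  = Join-Path $env:windir 'Microsoft.NET'

$findings = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    # Image paths in the config use %windir%-style variables; expand them first.
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $signer = $null
    $status = 'MissingFile'
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    # Stock IIS modules live under inetsrv; ASP.NET native pieces under Microsoft.NET.
    $inStockDir = $image.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase) -or
                  $image.StartsWith($dotnetDir,  [StringComparison]::OrdinalIgnoreCase)
    $suspicious = (-not $exists) -or ($status -ne 'Valid') -or
                  ($signer -notlike '*Microsoft*') -or (-not $inStockDir)

    [pscustomobject]@{
        Name       = $m.name
        Image      = $image
        Signature  = $status
        Signer     = $signer
        StockPath  = $inStockDir
        Suspicious = $suspicious
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Review native IIS module '{0}' at {1} (signature: {2})" -f `
        $_.Name, $_.Image, $_.Signature)
}
```

Expect some noise on an Exchange host: Exchange registers its own native modules under its installation directory, which this script flags on the path check even though they are Microsoft-signed, so compare the list against a known-good server of the same build rather than treating every flag as a compromise. A module that is unsigned, signed by an unexpected party, or whose DLL sits in a writable location such as a temp or web-content directory deserves immediate attention. The same list can be obtained with `%windir%\System32\inetsrv\appcmd.exe list modules`, and site-level `<modules>` entries in the individual web.config files should be reviewed as well, since a module can also be enabled there.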

Unobtrusive entrances

“The SessionManager backdoor provides attackers with persistent, update-resistant, and rather unobtrusive access to a target company’s IT infrastructure,” explains Kaspersky in a blog published today. “Once inside the victim’s system, cybercriminals can gain backdoor access to corporate email, update further malicious access by installing other types of malware, or covertly manage compromised servers that can be used as malicious infrastructure.” The victims identified so far are mainly in Europe, Asia, Africa, and the Middle East.

Once the malware is installed, credentials and other information from the victim’s network and the infected devices are collected and sent to the attackers. “Exploiting vulnerabilities in Exchange servers has been a popular target for cybercriminals to gain access to targeted infrastructure since Q1 2021. The newly discovered SessionManager was barely detected in a year and is still being used in the wild,” explains Pierre Delcher, a senior security researcher at Kaspersky.

Connections to the Gelsemium hacking group

Because the victimology matches earlier campaigns, Kaspersky’s researchers believe the new attacks were launched by a group called Gelsemium as part of a global espionage operation. This group has been active since at least 2014.