'SAMENA Daily' - News

Kaspersky discovers a new backdoor targeting governments and NGOs across the Middle East, Turkey and Africa

Kaspersky (https://www.kaspersky.co.za/) experts have brought to light a misdetected SessionManager backdoor that was configured as a malicious module within Internet Information Services (IIS), a popular web server by Microsoft. Once deployed, SessionManager enables a wide range of malicious activities, from email harvesting to full control of the victim’s infrastructure. First exploited in late March 2021, the newly discovered backdoor has affected government institutions and NGOs around the world, with victims in eight countries in the Middle East, Turkey and Africa region, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.

In December 2021, Kaspersky discovered “Owowa” (https://bit.ly/3OGqMe4), a previously unknown IIS module that steals credentials entered by a user when logging into Outlook Web Access (OWA). Since then, the company’s experts have been keeping an eye on this new opportunity for cybercriminal activity: it has become clear that implanting a backdoor within IIS is a trend among threat actors who previously exploited one of the “ProxyLogon-type” (https://bit.ly/3yFKeC1) vulnerabilities in Microsoft Exchange servers. In a recent investigation, Kaspersky experts came across a new backdoor module called SessionManager.

The SessionManager backdoor allows threat actors to maintain persistent, update-resistant, and fairly stealthy access to a targeted organization’s IT infrastructure. Once inside a victim’s system, cybercriminals behind the backdoor can gain access to company emails, update malicious access by installing other types of malware, or surreptitiously manage compromised servers, which can be leveraged as malicious infrastructure.

A distinctive feature of SessionManager is its low detection rate. First discovered by Kaspersky researchers in early 2022, some of the backdoor samples have yet to be flagged as malicious by popular online file analysis services. To date, SessionManager is still deployed in more than 90% of selected organizations based on Internet analysis by Kaspersky researchers.

In total, 34 servers at 24 organizations in Europe, the Middle East, South Asia, and Africa were compromised by SessionManager. The threat actor running SessionManager shows a particular interest in NGOs and government entities, but medical organizations, oil companies, shipping companies and others have also been targeted.

Due to similar victimology and the use of the common “OwlProxy” variant (https://bit.ly/3OGnLKH), Kaspersky experts believe that the malicious IIS module could have been deployed by the GELSEMIUM (https://bit.ly/3Ap46dJ) threat actor as part of its espionage operations.

“Exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to break into targeted infrastructure since the first quarter of 2021. In particular, it enabled a series of long-hidden cyber espionage campaigns. The newly discovered SessionManager was misdetected for a year. Facing massive and unprecedented exploitation of server-side vulnerabilities, most cybersecurity actors were busy investigating and responding to the first identified crimes. As a result, it is still possible to discover related malicious activities months or years later, and this is likely to be the case for a long time,” said Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team.

“Gaining visibility into real and recent cyber threats is critical for companies to protect their assets. Such attacks can result in significant financial or reputational loss and can disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we can’t stress it enough: last year’s vulnerabilities have made them prime targets, regardless of malicious intent, so they need to be carefully audited and monitored for hidden implants, if they haven’t been already,” adds Pierre.
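Because SessionManager runs as a native IIS module, one concrete part of the audit the researcher recommends is to review which native modules IIS is actually configured to load. The script below is an added example, not Kaspersky's tooling: it parses the `<globalModules>` section of an `applicationHost.config` and flags modules whose DLL sits outside the directories Microsoft's own modules ship in, so an operator has a short list to hash, signature-check and investigate. The sample configuration and the module names in it are constructed; the "expected" directory prefixes assume a default IIS install.

```python
"""Audit native IIS modules registered in applicationHost.config (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Locations Microsoft-shipped IIS modules normally live in on a default install
# (assumption; extend this tuple if your build legitimately loads other paths).
EXPECTED_PREFIXES = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")


def normalize_image_path(image):
    """Lower-case the path and fold %SystemRoot% / C:\\Windows into %windir%."""
    p = image.strip().lower().replace("/", "\\")
    p = p.replace("%systemroot%", "%windir%")
    return re.sub(r"^[a-z]:\\windows\\", r"%windir%\\", p)


def iter_global_modules(config_xml):
    """Yield (name, image) for each <add> under <system.webServer><globalModules>."""
    root = ET.fromstring(config_xml)
    for section in root:
        if section.tag != "system.webServer":
            continue
        for group in section:
            if group.tag != "globalModules":
                continue
            for add in group:
                if add.tag == "add":
                    yield add.get("name", "?"), add.get("image", "")


def suspicious_modules(config_xml):
    """Return modules whose DLL path is outside the expected IIS locations."""
    found = []
    for name, image in iter_global_modules(config_xml):
        norm = normalize_image_path(image)
        if not any(norm.startswith(prefix) for prefix in EXPECTED_PREFIXES):
            found.append({"name": name, "image": image})
    return found


# Constructed sample; on a real host read %windir%\System32\inetsrv\config\applicationHost.config.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="StaticFileModule" image="C:\Windows\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="ExampleUnknownModule" image="C:\Windows\Temp\example_module.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for m in suspicious_modules(SAMPLE_CONFIG):
        print(f"REVIEW: {m['name']} -> {m['image']}")
```

A path inside the stock directories is not proof of legitimacy, so each flagged DLL (and, ideally, every listed one) should still be hashed and checked for a valid Microsoft signature.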



Source: https://nnn.ng/kaspersky-discovers-new/