Nigerian Organizations Are Among Those Targeted By Worldwide Spy Hack


Researchers at Russian cybersecurity firm Kaspersky have discovered a previously undetected backdoor called “SessionManager”, deployed as a malicious module inside Internet Information Services (IIS), Microsoft’s widely used web server.


Once deployed, SessionManager enables a wide range of malicious activity, from harvesting corporate email to taking complete control of the victim’s infrastructure.

First used in late March 2021, according to Kaspersky, the newly discovered backdoor has hit government and NGO organizations around the world, with victims in eight countries including China, Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.


The SessionManager backdoor gives threat actors persistent, update-resistant and fairly stealthy access to a targeted organization’s IT infrastructure. After infiltrating the victim’s systems, the attackers behind the backdoor can read corporate email, expand their foothold by installing other types of malware, or covertly manage the compromised servers, which can then be used as malicious infrastructure.

A distinguishing feature of SessionManager is its low detection rate. Although Kaspersky researchers first identified it in early 2022, some backdoor samples are still not flagged as malicious by popular online file-scanning services.
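Because signature-based scanners did not catch these samples, a practical check is to inventory the native modules IIS is configured to load and flag anything that does not match a known baseline. The script below is an added example, not code from Kaspersky or from the original article: it parses the globalModules section of an IIS applicationHost.config (a constructed sample is embedded) and reports modules whose DLL lives outside the stock inetsrv directory or whose name is not on an allow-list. The baseline names, the trusted directory and the suspicious entry are assumptions for illustration, not indicators from the report.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of the <globalModules> section of an IIS
# applicationHost.config. The last entry (a DLL loaded from C:\Windows\Temp)
# is invented to show what a rogue native module looks like; it is not an
# indicator from Kaspersky's SessionManager report.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="CoreModule" image="C:\\Windows\\Temp\\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumed baseline: where Microsoft-shipped native modules live, and a few
# well-known stock module names. In practice, build the name list from a
# golden image of the same IIS version rather than from this short set.
TRUSTED_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")
BASELINE_NAMES = {"HttpLoggingModule", "StaticFileModule", "RequestFilteringModule"}


def expand_windir(image: str) -> PureWindowsPath:
    """Resolve the %windir% placeholder IIS uses in module image paths."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))


def audit_global_modules(config_xml: str):
    """Return [(name, image, reasons)] for every native module that looks off.

    A module is reported if its DLL is outside the inetsrv directory, or if
    its name is not in the baseline. Either condition alone is enough, since
    a backdoor may reuse a legitimate-looking name or a legitimate directory.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            try:
                expand_windir(image).relative_to(TRUSTED_DIR)
            except ValueError:
                reasons.append("image outside inetsrv")
            if name not in BASELINE_NAMES:
                reasons.append("name not in baseline")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"SUSPICIOUS {name}: {image} ({', '.join(reasons)})")
```

On a real server, feed the script the live file at %windir%\System32\inetsrv\config\applicationHost.config and follow up on each finding by checking the DLL’s Authenticode signature and hash; a module is also worth a second look when its name matches a stock module but its image path does not.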


According to an internet scan conducted by Kaspersky researchers, SessionManager is still deployed in more than 90% of the targeted organizations. In December 2021, Kaspersky disclosed “Owowa”, a previously unknown IIS module that stole the credentials users entered when logging in to Outlook Web Access (OWA). Since then, the company’s experts have been monitoring for further activity of this kind: deploying backdoors as IIS modules appears to be a growing trend among threat actors, who typically gain their initial foothold by exploiting one of the “ProxyLogon”-type vulnerabilities in Microsoft Exchange Server.


In total, 34 servers belonging to 24 organizations in Europe, the Middle East, South Asia and Africa were compromised by SessionManager. The threat actor operating SessionManager shows a particular interest in NGOs and government organizations, but healthcare organizations, oil companies and transportation companies, among others, have also been targeted.

Based on the overlap in victims and the use of a common “OwlProxy” variant, Kaspersky experts believe the malicious IIS module may have been used by the GELSEMIUM threat actor as part of its espionage activities.


Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team, said: “The newly discovered SessionManager has been falsely detected for a year. Faced with unprecedented and massive exploits of server-side vulnerabilities, most cybersecurity organizations are busy investigating and responding to the first breaches identified. As a result, it is always possible to detect relevant malicious activity months or years later, and it may be a long time to come.”

Source: IT News Africa
