Experts from Russian cybersecurity firm Kaspersky have discovered an undetected backdoor program called “SessionManager” set up as a malicious module in Internet Information Services (IIS), a popular Microsoft-published web server.
Once propagated, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control of the victim’s infrastructure.
Kaspersky says the backdoor was first used in late March 2021 and that it has hit government and NGO organizations around the world, with victims in 8 countries including China, Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
The SessionManager backdoor allows threat actors to maintain persistent, update-resistant, and fairly stealthy access to a targeted organization’s IT infrastructure. After infiltrating the victim’s system, the cybercriminals behind the backdoor can gain access to corporate email, extend their foothold by installing other types of malware, or secretly manage the compromised servers, which can then be used as malicious infrastructure.
A distinguishing feature of SessionManager is its low detection rate. First discovered by Kaspersky researchers in early 2022, some backdoor samples are still not flagged as malicious in popular online file scanning services.
To date, SessionManager is still deployed in more than 90% of the organizations identified as targets in an Internet scan conducted by Kaspersky researchers. In December 2021, Kaspersky discovered “Owowa”, a previously unknown IIS module that stole credentials entered by users when logging into Outlook Web Access (OWA). Since then, the company’s experts have been watching for similar activity; planting backdoors as IIS modules appears to be a trend among threat actors who had previously exploited one of the “ProxyLogon”-type vulnerabilities in Microsoft Exchange Server.
A total of 34 servers from 24 organizations in Europe, the Middle East, South Asia and Africa were compromised by SessionManager. The threat actor running SessionManager shows particular interest in NGOs and government organizations, but healthcare organizations, oil companies, and transportation companies, among others, have also been targeted.
Because of the overlapping victims and the use of the popular “OwlProxy” variant, Kaspersky experts believe that the malicious IIS module may have been used by the GELSEMIUM threat actor as part of espionage activities.
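Because SessionManager and Owowa are both loaded as IIS modules, the practical defender's check is an inventory of the native (global) modules IIS has registered, compared against a known-good baseline and the Authenticode signature of each DLL. The script below is an added example written for this article; it is not code from Kaspersky or from the article, and it assumes it runs as an administrator on the IIS host with the WebAdministration module that ships with IIS. The `$Baseline` list is a constructed placeholder that each environment must replace with its own reviewed inventory.

```powershell
# Added example (not from the article or Kaspersky): list IIS native (global)
# modules and flag any that are not on a reviewed baseline, are not signed by
# Microsoft, or live outside the usual %windir%\System32\inetsrv directory.
# Assumptions: run elevated on the IIS host; WebAdministration is installed
# with IIS; the baseline below is a constructed placeholder, not a real inventory.
Import-Module WebAdministration

# Constructed baseline: module names an administrator has previously reviewed.
# Anything not listed here is reported so it can be triaged and, if legitimate, added.
$Baseline = @('DefaultDocumentModule', 'StaticFileModule', 'RequestFilteringModule')

function Get-SuspiciousIisModule {
    $findings = @()
    foreach ($module in Get-WebGlobalModule) {
        # Image paths are stored with environment variables, e.g. %windir%\...
        $path   = [Environment]::ExpandEnvironmentVariables($module.Image)
        $status = 'MissingFile'
        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }

        $reasons = @()
        if ($Baseline -notcontains $module.Name) { $reasons += 'not in baseline' }
        if ("$status" -ne 'Valid') {
            $reasons += "signature $status"
        } elseif ($signer -notmatch 'O=Microsoft Corporation') {
            $reasons += 'non-Microsoft signer'
        }
        # A native module registered from outside inetsrv deserves a second look.
        if ($path -notlike "$env:windir\System32\inetsrv\*") { $reasons += 'outside inetsrv' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Name   = $module.Name
                Image  = $path
                Signer = $signer
                Reason = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousIisModule | Format-Table -AutoSize
```

Run it on a schedule and ship the output to your SIEM so a newly registered module raises an alert rather than waiting for a scanner signature, which is exactly what the low detection rate described above defeats. A clean result here does not prove the host is clean: a legitimately named module whose DLL was replaced would only show up through the signature check, so keep file hashes of the inetsrv directory in the baseline as well, and review managed modules registered per site in each web.config separately.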
Pierre Delcher, Senior Security Researcher at Kaspersky Global Research and Analytics, said: “The newly discovered SessionManager has been falsely detected for a year. Faced with unprecedented and massive exploits of server-side vulnerabilities, most cybersecurity organizations are busy investigating and responding to the first breaches identified. As a result, it is always possible to detect relevant malicious activity months or years later, and it may be a long time to come,” concludes Delcher.
Source: IT News Africa