Kaspersky experts have brought to light SessionManager, a poorly
detected backdoor that is set up as a malicious module within Internet
Information Services (IIS), the web server developed by Microsoft. Once
deployed, SessionManager enables a wide range of malicious activities, from
collecting emails to taking complete control of the victim's infrastructure.
First used in late March 2021, the newly discovered backdoor has hit
governmental institutions and NGOs in Africa, South Asia, Europe and the
Middle East. Most of the targeted organizations are still compromised to date.
In December 2021, Kaspersky uncovered "Owowa", a
previously unknown IIS module that steals credentials entered by a user when
logging into Outlook Web Access (OWA). Since then, the company's experts have
kept an eye on this avenue for cybercriminal activity. It has become clear
that deploying a backdoor as an IIS module has become a trend among threat
actors who first gained access by exploiting one of the "ProxyLogon-type"
vulnerabilities in Microsoft Exchange servers, whose web-facing services (OWA
among them) run on IIS. In a recent investigation, Kaspersky experts came
across a new malicious IIS module backdoor, dubbed SessionManager.
The SessionManager backdoor enables threat actors to keep
persistent, update-resistant and rather stealthy access to the IT
infrastructure of a targeted organization. Once dropped onto the victim's
system, the cybercriminals behind the backdoor can gain access to company
emails, extend their foothold by installing other types of malware, or
clandestinely manage the compromised servers, which can then be leveraged as
malicious infrastructure.
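The persistence mechanism described above relies on IIS loading whatever native module is registered in %windir%\System32\inetsrv\config\applicationHost.config (under system.webServer/globalModules, where the image attribute names the DLL) and whatever managed module is listed under a system.webServer/modules element. The following Python script is an added example, not Kaspersky's code, and does not reproduce any SessionManager sample: it parses such a file and flags native modules loaded from outside the IIS and .NET system directories, and managed modules whose type is not in a Microsoft namespace. It walks every modules element, including those inside location overrides, since a module can be registered for a single site rather than server-wide. The trusted-directory allow-list is an assumption to be extended for your own servers, and the embedded configuration is constructed, including its two hypothetical "Suspect*" entries.

```python
"""Audit an applicationHost.config for IIS modules that do not look like they were
installed by Microsoft or a known product. Added example; this is a heuristic
review aid, not a signature for SessionManager."""
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: directories from which legitimately installed native modules are
# normally loaded. Extend this allow-list with the install paths of third-party
# modules your servers are known to run.
TRUSTED_NATIVE_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
    "c:\\program files\\iis\\",
)

# Managed modules shipped by Microsoft live in these namespaces.
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.")

# Environment variables IIS commonly uses in image= paths, expanded to their
# default values so the check also works on a copy of the file audited off-host.
ENV_DEFAULTS = {
    "%windir%": "C:\\Windows",
    "%systemroot%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files",
}


def normalize_image(path):
    """Expand %VAR% references and lower-case the path for prefix comparison."""
    expanded = re.sub(
        r"%[^%]+%",
        lambda m: ENV_DEFAULTS.get(m.group(0).lower(), m.group(0)),
        path,
    )
    return expanded.lower()


def audit_modules(xml_text):
    """Return (kind, name, image_or_type) for every module entry failing the allow-lists."""
    root = ET.fromstring(xml_text)
    findings = []
    # Native modules: each <globalModules><add image="..."/> is a DLL IIS loads into w3wp.exe.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            if not normalize_image(image).startswith(TRUSTED_NATIVE_DIRS):
                findings.append(("native", name, image))
    # Managed modules: every <modules> element, server-wide or inside a <location> override.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            type_name = add.get("type")
            if type_name is None:
                continue  # a name-only entry just enables a native module checked above
            if not type_name.startswith(TRUSTED_MANAGED_PREFIXES):
                findings.append(("managed", add.get("name", ""), type_name))
    return findings


# Constructed sample, not a real configuration; the two "Suspect*" entries are hypothetical.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="SuspectNative" image="C:\Windows\Temp\suspect.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="SuspectManaged" type="Example.Suspect.Module, ExampleSuspect" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    # Usage: python audit_iis_modules.py [path\to\applicationHost.config]
    # With no argument the constructed sample is audited instead.
    # applicationHost.config is usually saved with a UTF-8 BOM, hence utf-8-sig.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for kind, name, detail in audit_modules(text):
        print(f"REVIEW {kind} module {name!r}: {detail}")
```

Every flagged entry still needs manual review: confirm the DLL's publisher signature and hash, compare against a known-good server, and cross-check the native list with `Get-WebGlobalModule` from the WebAdministration PowerShell module on the live host, since a path inside a trusted directory does not by itself prove a module is legitimate.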
A distinctive feature of SessionManager is its poor
detection rate. When Kaspersky researchers first discovered it in early 2022,
some of the backdoor samples were still not flagged as malicious by the most
popular online file scanning services. To date, SessionManager is still
deployed in more than 90% of the targeted organizations, according to an
Internet scan carried out by Kaspersky researchers.
Overall, 34 servers of 24 organizations from Europe, the
Middle East, South Asia and Africa were compromised by SessionManager. The
threat actor that operates SessionManager shows a special interest in NGOs and
government entities. Medical organizations, oil companies and transportation
companies are among the other targets.
Because of similar victimology and the use of a common "OwlProxy" variant,
Kaspersky experts believe that the malicious IIS module might have been
leveraged by the GELSEMIUM threat actor as part of its espionage operations.
"The exploitation of Exchange server vulnerabilities has
been a favorite of cybercriminals looking to get into targeted infrastructure
since Q1 2021. Notably, it enabled a series of long unnoticed cyberespionage
campaigns. The recently discovered SessionManager was poorly detected for a
year and is still deployed in the wild. Facing massive and unprecedented
server-side vulnerability exploitation, most cybersecurity actors were busy
investigating and responding to the first identified offences. As a result, it
is still possible to discover related malicious activities months or years
later, and this will probably be the case for a long time," comments Pierre
Delcher, senior security researcher at Kaspersky's Global Research and Analysis
Team.
"Gaining visibility into actual and recent cyberthreats
is paramount for companies to protect their assets. Such attacks may result in
significant financial or reputational losses and may disrupt a target's
operations. Threat intelligence is the only component that can enable
reliable and timely anticipation of such threats. In the case of Exchange
servers, we cannot stress it enough: the past year's vulnerabilities have made
them perfect targets, whatever the malicious intent, so they should be
carefully audited and monitored for hidden implants, if they were not already,"
adds Delcher.
Kaspersky products detect several malicious IIS modules,
including SessionManager.
To learn more about SessionManager's operation style and
targets, visit Securelist.com.