Researchers from Kaspersky have uncovered a backdoor called SessionManager that was set up as a malicious module within the Internet Information Services (IIS), a popular web server edited by Microsoft.
Once propagated, SessionManager enables bad actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organisation.
In addition, the attackers behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure.
First leveraged in late March last year, the backdoor has hit governmental institutions and NGOs across the globe with victims in eight countries from the Middle East, Turkey and Africa region, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
In December last year, researchers uncovered “Owowa”, a previously unknown IIS module that steals credentials entered by a user when logging into Outlook Web Access (OWA).
Researchers have subsequently kept an eye on the new opportunity for cyber criminal activity, as they believe deploying a backdoor within IIS has become a trend for threat actors, who previously exploited one of the “ProxyLogon-type” vulnerabilities within Microsoft Exchange servers.
A distinctive feature of SessionManager is its poor detection rate. Although first discovered by Kaspersky’s researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services. To date, the backdoor is still deployed in more than 90% of targeted organisations according to an Internet scan carried out by the researchers.
In total, 34 servers of 24 organisations from Europe, the Middle East, South Asia and Africa were compromised by the threat. The criminal who operates SessionManager has shown a special interest in NGOs and government entities, but medical organisations, oil companies, transportation companies, among others, have been targeted as well.
Because of a similar victimology and the use of the common “OwlProxy” variant, Kaspersky experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM threat actor, as part of its espionage operations.
Exchange server vulnerabilities
Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis team, says the exploitation of exchange server vulnerabilities is popular with attackers looking to gain access to targeted infrastructure, and has been since Q1 2021.
“It notably enabled a series of long unnoticed cyber espionage campaigns. The recently discovered SessionManager was poorly detected for a year. Facing massive and unprecedented server-side vulnerability exploitation, most cyber security actors were busy investigating and responding to the first identified offences,” he adds.
As a result, Delcher says it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.
He says gaining visibility into cyber threats is critical for companies to protect their assets.
“Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past-year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” he ends.