Researchers at the Russian security company Kaspersky have discovered a new backdoor that is installed as a malicious module inside Internet Information Services (IIS), the widely used web server published by Microsoft.
The backdoor, called SessionManager, enables a wide range of malicious activity once deployed, from harvesting e-mail to taking full control of the victim's infrastructure.
SessionManager was first used at the end of March 2021 against government agencies and non-profit organizations in several parts of the world, with victims in eight countries across the Middle East, Turkey and Africa, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
In December 2021, Kaspersky described Owowa, a previously unknown piece of malware that is likewise planted in the IIS web server and steals users' Outlook Web Access (OWA) credentials. Since then, the company's researchers have been tracking threat actors who use this technique, because planting malicious modules in IIS appears to have become a trend among attackers who had earlier exploited ProxyLogon-type vulnerabilities in Microsoft Exchange servers.
A SessionManager module gives its operators persistent, update-resistant and stealthy access to the target organization's IT infrastructure. Once dropped onto a victim's server, the attackers can read company e-mail, extend their access by installing further malware, or covertly administer the compromised server, which can then be leveraged as malicious infrastructure against other targets.
SessionManager is poorly detected: in early 2022, Kaspersky researchers found that some samples were not flagged as malicious by a number of popular online file-scanning services, and an internet scan by the researchers showed the backdoor still deployed on servers of more than 90% of the targeted organizations.
In total, SessionManager compromised 34 servers belonging to 24 organizations in Europe, the Middle East, South Asia and Africa. The actor operating it shows a particular interest in non-profit organizations and government agencies, but has also hit medical organizations and companies in the oil, transportation and other sectors.
Kaspersky's experts believe the malicious IIS module may have been used by the GELSEMIUM threat actor as part of its espionage operations, based on overlapping victimology and the use of a common OwlProxy variant.
Pierre Delcher, a senior security researcher in Kaspersky's Global Research and Analysis Team, said that since the first quarter of 2021, attackers seeking a way into target infrastructure have favored exploiting vulnerabilities in e-mail servers.
He added: “This backdoor enabled a long series of unnoticed cyber-espionage campaigns, having remained active and undetected for about a year. Faced with massive and unprecedented exploitation of e-mail server vulnerabilities, most of the cyber-security industry was busy investigating and responding to the first identified incidents. As a result, it will still be possible to discover related malicious activity even months or years later, and this is likely to remain the case for a long time to come.”
Delcher stressed the importance of giving organizations visibility into modern cyber threats in order to protect their assets, noting that such attacks can cause significant financial losses or reputational damage by disrupting operations. He added: “Threat intelligence is the only element that makes it possible to anticipate such threats in a timely manner. The risk is most acute for Exchange servers: the vulnerabilities of recent years have made them ideal targets for all kinds of malicious intent, so they need to be carefully audited and closely monitored for any malicious implants that may be hidden in them.”
Kaspersky experts recommend the following measures to protect businesses from such threats:
• Regularly review the modules loaded on internet-exposed IIS servers (especially Exchange servers), using the tooling that ships with IIS itself, and check for such modules as part of threat-hunting activities whenever a major vulnerability in Microsoft server products is announced.
• Focus the defense strategy on detecting lateral movement and data exfiltration to the Internet, paying particular attention to outbound traffic, in order to spot the attackers' connections from compromised systems.
• Back up data regularly and make sure backups are quickly accessible in an emergency.
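The first recommendation above is the one that actually catches a SessionManager-style implant, because a native IIS module is registered in the server's applicationHost.config before it is loaded into every worker process. The Python script below is an added example, not code from Kaspersky or from this article: it parses the globalModules section of an applicationHost.config collected from a server and flags any registered module whose image does not come from the directories Windows ships IIS and ASP.NET binaries in. The trusted-prefix list, the sample configuration and the HttpSessionModule entry in it are all assumptions constructed for the example; a flagged module is a lead to investigate, not a verdict.

```python
"""Triage native IIS modules registered in applicationHost.config.

Native IIS modules are registered under <system.webServer><globalModules>
and are loaded into every IIS worker process, which is where an implant
such as SessionManager or Owowa lives. Any module whose image is outside
the directories Windows ships IIS binaries from deserves a closer look.
Run offline against a copy of %windir%\System32\inetsrv\config\
applicationHost.config taken from the server under investigation.
"""
import sys
import xml.etree.ElementTree as ET

# Directories legitimate IIS/ASP.NET native modules normally load from.
# Assumption used for triage, not an authoritative allowlist: third-party
# modules (e.g. the ASP.NET Core module) may live elsewhere and must be
# confirmed by Authenticode signature and vendor rather than flagged blindly.
TRUSTED_PREFIXES = (
    r"c:\windows\system32\inetsrv\\"[:-1],
    r"c:\windows\microsoft.net\framework\\"[:-1],
    r"c:\windows\microsoft.net\framework64\\"[:-1],
)

# Environment variables IIS expands in image paths, resolved to the default
# Windows install location for comparison purposes (assumption).
ENV_EXPANSIONS = {
    "%windir%": r"c:\windows",
    "%systemroot%": r"c:\windows",
}


def normalize_image_path(image: str) -> str:
    """Lower-case the path and expand the variables IIS uses in it."""
    path = image.strip().lower().replace("/", "\\")
    for var, value in ENV_EXPANSIONS.items():
        path = path.replace(var, value)
    return path


def find_suspicious_modules(config_xml: str) -> list:
    """Return globalModules entries whose image is not under a trusted prefix.

    Each hit is a dict with the module name, the raw image attribute and the
    reason it was flagged, so the output can go straight into a hunting ticket.
    """
    root = ET.fromstring(config_xml)
    hits = []
    # applicationHost.config may wrap sections in <location>, so walk the
    # whole tree instead of relying on a fixed path.
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            name = entry.get("name", "<unnamed>")
            image = entry.get("image", "")
            if not image:
                hits.append({"name": name, "image": image,
                             "reason": "module registered without an image path"})
                continue
            if not normalize_image_path(image).startswith(TRUSTED_PREFIXES):
                hits.append({"name": name, "image": image,
                             "reason": "image outside trusted IIS/.NET directories"})
    return hits


# Constructed sample config: three stock IIS modules plus one hypothetical
# entry standing in for an implant loaded from a writable directory.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="HttpSessionModule" image="C:\inetpub\temp\httpsession.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8-sig") as fh:
            config_xml = fh.read()
    else:
        print("no config path given; running against the constructed sample")
        config_xml = SAMPLE_CONFIG
    hits = find_suspicious_modules(config_xml)
    for hit in hits:
        print(f"REVIEW  {hit['name']:<24} {hit['image']}  ({hit['reason']})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a live server the same list can be pulled with `appcmd list modules` or the WebAdministration cmdlet `Get-WebGlobalModule`; the offline parser is useful when many servers are triaged from collected config files, and its exit code makes it easy to run in a loop during a hunt. Whatever it flags should then be checked for a valid Authenticode signature and cross-referenced with the file's creation time on disk.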