Researchers have discovered new malware that provides a backdoor into Microsoft Exchange servers and has been used to attack government servers and NGOs in Kenya and other countries across Europe, the Middle East, Asia and Africa.
The malware, dubbed SessionManager, was set up as a malicious module within Internet Information Services (IIS), the popular web server developed by Microsoft. Once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control of the victim’s infrastructure.
First leveraged in late March 2021, the newly discovered backdoor has hit governmental institutions, military organizations, and NGOs across the globe with victims in eight countries from the Middle East, Turkey and Africa region, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
The SessionManager malware enables threat actors to keep persistent, update-resistant and stealthy access to a targeted organisation’s IT infrastructure, which makes removing it a problem, security researchers say.
Once dropped into the victim’s system, the cybercriminals behind the backdoor can access company emails, expand their foothold by installing other types of malware, or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure.
A distinctive feature of SessionManager is its poor detection rate. Although it was first discovered in early 2022, some of the backdoor samples were still not flagged as malicious by most popular online file-scanning services.
To date, SessionManager is still deployed in more than 90 percent of targeted organisations, according to an Internet scan carried out by Kaspersky researchers.
The newly discovered malware has compromised 34 servers of 24 organisations from Europe, the Middle East, South Asia and Africa. It has been used increasingly to target NGOs and government entities. However, medical organisations, oil companies, and transportation companies, among others, have been targeted as well.
Because of similar victimology and the use of the common “OwlProxy” variant, experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM threat actor as part of its espionage operations.
The exploitation of Exchange server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long-unnoticed cyberespionage campaigns. The recently discovered SessionManager went poorly detected for a year.
“Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time,” said Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team.
Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats.
“In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants if they were not already,” added Pierre.
As a recommendation, governments, businesses, and NGOs should regularly check the loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging the existing tools in the IIS server suite.
It is also vital for organizations to check for such modules as part of their threat hunting activities every time a major vulnerability is announced on Microsoft server products.
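As an added example (not from Kaspersky or Microsoft), the following PowerShell script, which assumes the WebAdministration module is available on the IIS host, enumerates the native global modules IIS has loaded and flags any whose image file is missing, lives outside the IIS and .NET system directories, or does not carry a valid Microsoft Authenticode signature:

```powershell
# Added example: inventory native IIS global modules and flag anomalies.
# Assumes the WebAdministration PowerShell module that ships with IIS.
Import-Module WebAdministration -ErrorAction Stop

# Directories where legitimate native IIS modules normally live.
$trustedRoots = @("$env:windir\System32\inetsrv", "$env:windir\Microsoft.NET")

function Test-IisModuleInventory {
    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config usually contain %windir%; expand it.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $reasons = @()

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file missing'
        } else {
            $inTrustedRoot = $trustedRoots |
                Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inTrustedRoot) {
                $reasons += 'image outside IIS/.NET system directories'
            }

            # A module dropped by an attacker is unlikely to be Microsoft-signed.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signature $($sig.Status), signer not Microsoft"
            }
        }

        [pscustomobject]@{
            Name       = $m.Name
            Image      = $path
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Suspicious entries sort to the top; review each one by hand.
Test-IisModuleInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it alongside a review of managed modules (`Get-WebManagedModule`) or `appcmd list modules`, and compare the output against a baseline captured from a known-clean server, since a validly signed module in the expected directory is not on its own proof of legitimacy.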
Experts also stress the importance of focusing your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly, and ensure you can quickly access it in an emergency.