A newly discovered backdoor dubbed ‘SessionManager’, targeting governmental institutions and non-governmental organisations (NGOs) across the globe and claiming victims in eight countries across the Middle East, Turkey and Africa, has been brought to light by cybersecurity firm Kaspersky.
The SessionManager backdoor, first leveraged in late March 2021, was set up as a malicious module within Internet Information Services (IIS), a popular web server published by Microsoft.
Kaspersky says that once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control over the victim’s infrastructure.
The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organisation.
Once dropped into the victim’s system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure, Kaspersky says.
The cybersecurity firm discovered SessionManager in 2022 and says a distinctive feature of the backdoor is its poor detection rate. To date, SessionManager is still deployed in more than 90% of targeted organisations, according to an Internet scan carried out by Kaspersky researchers.
Pierre Delcher, Senior Security Researcher at Kaspersky, said, “The exploitation of Exchange server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns. The recently discovered SessionManager was poorly detected for a year. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.”
Overall, Kaspersky says 34 servers of 24 organisations from Europe, the Middle East, South Asia and Africa were compromised by SessionManager.
The company observed that the threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organisations, oil companies, transportation companies, among others, have been targeted as well.
“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” concludes Delcher.