Kaspersky announced that during a recent investigation its security researchers found a new backdoor, named SessionManager, built as a malicious module for Internet Information Services (IIS), Microsoft’s widely used web server. The module enables a range of malicious activities, from collecting emails to gaining unauthorized control over the infrastructure. Kaspersky also stated that it was first used in March 2021 and that most of the victims remain compromised to date.
Poor detection rate
The SessionManager backdoor gives attackers persistent, update-resistant and rather stealthy access to the victim’s infrastructure. Once dropped onto a system, it provides access to company emails and extends that malicious access further by installing other types of malware or clandestinely managing the compromised servers.
The backdoor, discovered by the Kaspersky team in early 2022, is hard to detect, and most victims are unaware of it. Some of its samples are still not flagged as malicious by most popular online file-scanning services. According to an Internet scan, it is deployed in more than 90% of the targeted organizations. Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team, said:
"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns. The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offenses. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.
Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already."
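One concrete way to act on that last recommendation, given that SessionManager is a native IIS module, is to audit the modules registered in IIS’s applicationHost.config. The following is an added example, not code from Kaspersky’s report: it parses a constructed globalModules section and flags any module that is missing from a hypothetical known-good baseline or whose DLL is loaded from outside the inetsrv directory; the suspicious entry in the sample is a constructed placeholder, not a real indicator.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed excerpt of an IIS applicationHost.config <globalModules> section.
# Native modules registered here are loaded by IIS worker processes, which is
# why a malicious DLL listed here survives reboots and patching. The last entry
# is a constructed (hypothetical) example of an unexpected module, not a real IoC.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CacheHelperModule" image="C:\\Windows\\Temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Hypothetical baseline: module names expected on this server, taken from a
# known-good install with the same IIS role set.
BASELINE = {"HttpLoggingModule", "StaticFileModule"}
INETSRV = PureWindowsPath("C:/Windows/System32/inetsrv")


def expand(image: str) -> PureWindowsPath:
    """Expand %windir% the way IIS would so that paths compare consistently."""
    return PureWindowsPath(image.replace("%windir%", "C:\\Windows"))


def find_suspect_modules(config_xml: str):
    """Return (module name, reasons) for every globalModules entry that deviates
    from the baseline or is loaded from outside the IIS binaries directory."""
    root = ET.fromstring(config_xml)
    suspects = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name"), add.get("image")
            if name is None or image is None:
                continue
            path = expand(image)
            reasons = []
            if name not in BASELINE:
                reasons.append("module name not in baseline")
            # Windows paths are case-insensitive, so compare lower-cased.
            if str(path.parent).lower() != str(INETSRV).lower():
                reasons.append(f"DLL loaded from outside inetsrv: {path}")
            if reasons:
                suspects.append((name, reasons))
    return suspects
```

On a real server the same check is run against the live applicationHost.config and a baseline captured before exposure, and any flagged DLL is preserved for analysis rather than simply deleted.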