Nigerian NGOs, Government Institutions Suffer Worldwide Spy Hack
A poorly identified backdoor application called “SessionManager” was set up as a malicious module within the Internet Information Services (IIS), a well-known web server created by Microsoft, according to experts at the Russian antivirus firm Kaspersky.
Once it has spread, SessionManager makes a variety of harmful operations possible, from email collection to total command over the infrastructure of the victim.
According to Kaspersky, the recently discovered backdoor, which was first used in late March 2021, has affected governmental organizations and NGOs all across the world, with victims in eight countries in the Middle East, Turkey, and Africa, including Kuwait, Saudi Arabia, Nigeria, Kenya, and Turkey.
Threat actors can maintain permanent, update-resistant, and somewhat stealthy access to the IT infrastructure of a targeted organization thanks to the SessionManager backdoor.
Once they’ve infiltrated the victim’s system, hackers using backdoors can view business emails, upgrade their malicious access by putting other software on the system, or covertly run compromised servers that can be used as malicious infrastructure.
SessionManager’s low detection rate is one of its distinguishing characteristics. Some of the backdoor samples, which were first uncovered by Kaspersky researchers in early 2022, were still not marked as dangerous in the majority of well-known online file scanning services.
According to a Kaspersky Internet scan, SessionManager is still in use in more than 90% of the targeted organizations as of today.
“Owowa,” a previously undiscovered IIS module that steals login credentials entered by a user while entering into Outlook Web Access, was discovered by Kaspersky in December 2021. (OWA).
Since then, the company’s experts have kept a close eye on the new window of opportunity for cybercriminal activity. It has become evident that threat actors, who previously exploited one of the “ProxyLogon-type” vulnerabilities within Microsoft Exchange servers, are increasingly installing backdoors within IIS.
SessionManager compromised 34 servers across 24 organizations in Europe, the Middle East, South Asia, and Africa. NGOs and government organizations are of particular interest to the threat actor behind SessionManager, while other targets include healthcare organizations, oil firms, and transportation businesses.
According to Kaspersky specialists, the malicious IIS module may have been used by the GELSEMIUM threat actor as part of its espionage activities because to similar victimologies and the use of the popular “OwlProxy” variation.
Since Q1 2021, attackers attempting to access a target infrastructure have preferred to exploit exchange server vulnerabilities. A number of lengthy undetected cyberespionage activities were made possible, particularly, according to Pierre Delcher, Senior Security Researcher with Kaspersky’s Global Research and Analysis team.
“For a year, SessionManager was only marginally noticed. The majority of cybersecurity players were occupied looking into and responding to the initial reported crimes while facing large and unprecedented server-side vulnerability exploitation. As a result, associated harmful behaviors can still be found months or years later, and this is likely to continue for a while, says Delcher.
