Microsoft Exchange backdoors abused to spy on NGOs worldwide

By Scott Marlette Last updated Jul 1, 2022

Cybersecurity researchers from Kaspersky recently discovered a brand new IIS module, designed to steal credentials that victims type in when logging into their Outlook Web Access (OWA) accounts.

They dubbed the new module backdoor SessionManager, and claim it’s persistent, resistant to updates and stealthy. By leveraging SessionManager, Kaspersky further claims, threat actors can get access to company emails, can drop other malicious payloads (such as ransomware, for example) onto the target network, and manage compromised servers in utter secrecy.

What makes SessionManager stand out from other similar modules is its poor detection rate. It wasn’t until early 2022 that the module was discovered, and still some of the more popular antivirus programs (opens in new tab) do not flag it as malicious.

Gelsemium

According to the report, SessionManager is today deployed in more than 90% of targeted organizations.

The malicious module managed to compromise 34 servers, belonging to 24 organizations located in Europe, the Middle East, South Asia, and Africa. Most of the victims are non-government organizations (NGO), Kaspersky said, but added that there are medical organizations, oil companies, as well as transportation companies, among the victims as well.

While it’s hard to say with absolute certainty who the threat actor is, Kaspersky believes it’s a group known as GELSEMIUM. This is an old threat actor, dating back from 2014, which is known for targeting governments and religious organizations in the Middle East, as well as East Asia.

Kaspersky believes GELSEMIUM is behind this attack due to the similar profile of victim, and the use of the common “OwlProxy” variant.

Businesses wary of IIS module attacks are advised to check loaded IIS modules on exposed IIS servers regularly, as part of their threat hunting activities, every time a new vulnerability gets announced on Microsoft server products.

They should also focus their defensive strategies on detecting lateral movements and data exfiltration.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.