fbpx
Founder Institute Lagos Founder Institute Lagos Founder Institute Lagos
  • Home
  • About
  • Partners
  • Advertise
  • Contact
  • Signup to receive updates
Innovation | Startups | Funding | Tech Blog in Africa
Advertisement
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain
No Result
View All Result
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain
No Result
View All Result
Innovation | Startups | Funding | Tech Blog in Africa
No Result
View All Result
Home General

New Backdoor targets Governments, NGOs across Africa, Turkey and the Middle East – Kaspersky

First leveraged in late March 2021, the newly discovered backdoor has hit governmental institutions and NGOs across the globe with victims in eight countries from the Middle East, Turkey and Africa region, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey

by Editor
2022/07/04
in General
Backdoor - techbuild

Credits: Bleeping Computer

Share on FacebookShare on Twitter
Tweet
Share
Share

Kaspersky experts have brought to light a poorly detected SessionManager backdoor that was set up as a malicious module within the Internet Information Services (IIS), a popular web server edited by Microsoft.

Once propagated, SessionManager enables a wide range of malicious activities, starting from collecting emails to complete control over the victim’s infrastructure.

First leveraged in late March 2021, the newly discovered backdoor has hit governmental institutions and NGOs across the globe with victims in eight countries from the Middle East, Turkey and Africa region, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.

In December 2021, Kaspersky uncovered “Owowa”, a previously unknown IIS module that steals credentials entered by a user when logging into Outlook Web Access (OWA).

RelatedPosts

CBN, Partners Host Second International Financial Inclusion Conference (IFIC) October 2023

Infobip, Spryker partner to support Businesses deliver Personal Shopping Experiences

The Importance of Partnerships to drive Local Retail Success

From SaaS Company to Full-stack Tech Platform, Zoho offers an All-in-One Solution to Businesses

Since then, the company’s experts have kept an eye on the new opportunity for cybercriminal activity – it has become clear that deploying a backdoor within IIS is a trend for threat actors, who previously exploited one of the “ProxyLogon-type” vulnerabilities within Microsoft Exchange servers. In a recent investigation, Kaspersky experts came across a new unwanted module backdoor, dubbed SessionManager.

The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.

Once dropped into the victim’s system, cybercriminals behind the backdoor can gain access to company emails, and update further malicious access by installing other types of malware or clandestinely managing compromised servers, which can be leveraged as malicious infrastructure.

A distinctive feature of SessionManager is its poor detection rate. First discovered by Kaspersky researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services.

To date, SessionManager is still deployed in more than 90% of targeted organizations according to an Internet scan carried out by Kaspersky researchers.

Overall, 34 servers of 24 organizations from Europe, the Middle East, South Asia and Africa were compromised by SessionManager. The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organizations, oil companies, and transportation companies, among others, have been targeted as well.

Because of similar victimology and the use of the common “OwlProxy” variant, Kaspersky experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM threat actor, as part of its espionage operations.

“The exploitation of exchange server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns.

The recently discovered SessionManager was poorly detected for a year. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences.

As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time,” comments Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team.

“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations.

Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past-year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” adds Pierre.

Kaspersky products detect several malicious IIS modules, including SessionManager.

To learn more about SessionManager’s operation style and targets, visit here.

To protect your businesses from such threats, Kaspersky experts also recommend that you:

  • Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite. Check for such modules as part of your threat hunting activities every time a major vulnerability is announced on Microsoft server products.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency.
  • Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop the attack in the early stages, before the attackers achieve their goals.
  • Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB), that is powered by exploit prevention, behaviour detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.

Don’t miss important articles during the week. Subscribe to techbuild.africa weekly digest for updates

Join @techbuildafrica on Telegram
Tweet
Share
Share
ShareTweetShareSendShare

Subscribe us

Recent Posts

  • CBN, Partners Host Second International Financial Inclusion Conference (IFIC) October 2023
  • Infobip, Spryker partner to support Businesses deliver Personal Shopping Experiences
  • The Importance of Partnerships to drive Local Retail Success
  • NCC Extends Hackathon Application for Talent Hunt Research (Sep 30)
  • From SaaS Company to Full-stack Tech Platform, Zoho offers an All-in-One Solution to Businesses
  • LG takes CSR Project to Federal Medical Centre Abuja, donates Products, Mosquito Nets & Baby Care Kits
  • YouTube launches New Generative AI Products, redefines a New Era for Creators
  • Techeconomy to Hold Special Session at #StartupSouth8
  • Without Robust Infrastructure, the Potential of AI will remain untapped – NCC Boss
  • Digital Wallets as an Enabler for Financial Services in Africa
Innovation | Startups | Funding | Tech Blog in Africa

© 2013-2021 techbuild.africa. All Rights Reserved.

Navigate Site

  • About
  • Contact
  • WE-Forum
  • Privacy
  • Sitemap
  • Terms
  • Blockchain
  • CleanTech

Follow Us

No Result
View All Result
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain

© 2013-2021 techbuild.africa. All Rights Reserved.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In