Kaspersky said the SessionManager malware is difficult to detect and is still deployed in about 90 percent of targeted organizations.

According to Kaspersky Lab, a new malware has been discovered within Microsoft’s Internet Information Services (IIS), which has been used to access servers belonging to governments and other agencies around the world.

The Russian cybersecurity provider said the malware allows threat actors to maintain persistent, update-resistant and “stealth” access to a target organization’s IT infrastructure.

Kaspersky researchers first discovered the malware, called SessionManager, in early 2022. The company said the malware has a poor detection rate, as some of the back samples were not flagged as malicious by the “most popular” services ” of online file scanning.

Once the backdoor is on a victim’s system, Kaspersky said it can be used to gain access to company emails, install other types of malware or subtly manage compromised servers, which can be used as malicious infrastructure for the cyber attacker.

The cybersecurity provider said 24 organizations using Microsoft IIS from Europe, the Middle East, South Asia and Africa have been compromised by SessionManager. The threat actor behind the malware has shown a “special interest” in NGOs and government entities.

However, Kaspersky said medical organizations, oil companies, shipping companies and other groups have been targeted.

Map of target organizations from SessionManager. Image: Kaspersky Labs

“To date, SessionManager is still deployed in more than 90 percent of targeted organizations according to a web scan conducted by Kaspersky researchers,” the Russian company said in a blog post yesterday (June 30).

Kaspersky shared recommended ways for organizations to protect themselves, such as performing regular checks of loaded ISS modules, using endpoint security services and having a focused defense strategy to detect lateral movements and exfiltration of data.

Pierre Delcher, a senior security researcher at Kaspersky, said exploiting “exchange server vulnerabilities” has become a “favorite” for cybercriminals looking to break into target infrastructure.

“In the case of Exchange servers, we cannot stress enough, last year’s vulnerabilities have made them perfect targets, regardless of malicious intent, so they should be carefully audited and monitored for hidden implants, if not were already,” Delcher. said.

Kaspersky Lab was hit earlier this year when it was designated a national security threat by the US Federal Communications Commission. This provision prevents US businesses from using federal subsidies to purchase products or services from the company.

“This decision is not based on any technical evaluation of Kaspersky’s products – which the company consistently defends – but rather was made on political grounds,” the company said in a statement.

10 things you need to know straight to your inbox every weekday. Register for Daily summarySilicon Republic’s roundup of essential tech news.

Leave a Reply

Your email address will not be published.