Threat actors are installing a backdoor in Microsoft Internet Information Services (IIS) web servers running on Windows that goes undetected by some online file scanning services, according to Kaspersky researchers.
They also warn that IIS servers must undergo “a thorough and dedicated investigation process” for possible compromises.
Dubbed SessionManager, the backdoor is a malicious native-code IIS module that processes the legitimate HTTP requests continuously sent to the server.
According to the report, hackers are exploiting a ProxyLogon vulnerability to insert the module. ProxyLogon is the name of CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the administrator.
“Removing an IIS module as a backdoor allows attackers to maintain persistent, update-resistant, and relatively stealthy access to a targeted organization’s IT infrastructure; whether to collect emails, update other malicious access, or clandestinely manage compromised servers that can be exploited as malicious infrastructure,” Kaspersky researchers said in the report released today.
SessionManager has been used against non-governmental organizations (NGOs), government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, since at least March 2021.
This is just the latest of a number of malicious IIS modules that researchers have seen. In December, Kaspersky reported one it dubbed Owowa, which steals credentials and allows remote command execution through what used to be called Outlook Web App (OWA) and is now known as Outlook on the web.
Malicious modules process threat actors’ seemingly legitimate but specifically crafted HTTP requests, trigger actions based on any hidden operator instructions they carry, and then transparently pass the request on to the server to be handled as it would any other query. These modules are therefore not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, they receive commands via HTTP requests to a server that is deliberately exposed to such traffic, and their files are often placed in overlooked locations that contain lots of other legitimate files.
SessionManager offers three features that, when combined, make it a lightweight, persistent initial-access backdoor, the report says:
- read, write and delete arbitrary files on the compromised server;
- execute arbitrary binaries from the compromised server, also known as “remote command execution”;
- establish connections to arbitrary network endpoints reachable from the compromised server, and read from and write to those connections.
“We can’t stress enough that IIS servers must undergo a thorough and dedicated investigation process after the massive opportunity that ProxyLogon-type vulnerabilities have exposed,” Kaspersky says.
The report says that to find all loaded IIS modules, use the IIS Manager GUI or the appcmd command-line tool. If a malicious module is found, removing it is not enough. Kaspersky recommends that investigators:
- take a snapshot of volatile memory on the running system hosting IIS, seeking assistance from forensic and incident response experts as needed;
- shut down the IIS server and, ideally, disconnect the underlying system from publicly accessible networks;
- back up all IIS environment files and logs to preserve the data for future incident response, and verify that the backups can be opened or retrieved successfully;
- using the IIS Manager or the appcmd tool, remove all references to the identified module from application and server configurations, then manually review the associated IIS XML configuration files to confirm that every reference to the malicious module is gone, removing any that remain by hand;
- update the IIS server and underlying operating system so that no known vulnerabilities remain exposed to attackers;
- restart the IIS server and bring the system back online.
After that, the malicious module, memory snapshot and backups should be analyzed to understand how the identified malicious tools were exploited.
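The enumeration step and the configuration review step above, as an added example (not Kaspersky's tooling or anything from the report): a Python script that parses an exported applicationHost.config, flags native modules whose DLL is loaded from outside the inetsrv directory, and lists every section and `<location>` scope that still references a given module name. The config fragment, the module name ExampleSuspectModule and its DLL path are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Directory from which Microsoft's own native IIS modules are loaded.
INETSRV = r"\system32\inetsrv"

# Constructed config fragment; ExampleSuspectModule and its DLL path are invented placeholders.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ExampleSuspectModule" image="C:\Windows\Temp\suspect.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="ExampleSuspectModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules><add name="ExampleSuspectModule" /></modules>
    </system.webServer>
  </location>
</configuration>"""

def native_modules(config_xml):
    """Map each <globalModules> entry (a native-code module) to its DLL path."""
    root = ET.fromstring(config_xml)
    return {add.get("name"): add.get("image", "")
            for section in root.iter("globalModules") for add in section.findall("add")}

def suspicious_modules(config_xml):
    """Native modules whose DLL does not live under the standard inetsrv folder."""
    return sorted(name for name, image in native_modules(config_xml).items()
                  if INETSRV not in image.lower().replace("/", "\\"))

def module_references(config_xml, module_name):
    """(location scope, section) pairs still naming module_name; scope is ''
    at server level, else the <location path> the reference is scoped to."""
    root = ET.fromstring(config_xml)
    parent = {child: node for node in root.iter() for child in node}
    refs = []
    for add in root.iter("add"):
        if add.get("name") == module_name:
            node = parent[add]
            while node is not None and node.tag != "location":
                node = parent.get(node)
            scope = node.get("path", "") if node is not None else ""
            refs.append((scope, parent[add].tag))
    return refs
```

A DLL outside inetsrv is a triage lead, not proof of compromise, since legitimate third-party modules also live elsewhere; confirm with file hashes and signatures before removal. Any `<location>`-scoped reference the script reports would survive a server-level removal alone, which is why Kaspersky asks for the manual XML review.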