OVERVIEW The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.
SYSTEMS AFFECTED: Microsoft Exchange servers vulnerable to ProxyLogon-type exploits
RISK: The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.
THREAT SUMMARY: SessionManager IIS Backdoor On June 30,2022 Kaspersky researchers discovered backdoor that was set up as a malicious module within IIS. This backdoor is deployed by threat actors who previously exploited of the ProxyLogon-type vulnerabilities in Microsoft Exchange servers. Once dropped into the victim’s system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware.
CyFlare Actions Taken: • Stellar Cyber – BDS: Stellar Cyber’s Machine Learning-IDS engine, as well as built-in threat intelligence is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community. • SentinelOne: We have implemented a custom STAR query to detect currently known indicators of compromise regarding this vulnerability. This vulnerability is also being analyzed by the SentinelOne Analysis team.
If a malicious module is identified, we recommend the following template of actions (merely deleting the malicious module file will not be enough to get rid of it): • Take a volatile memory snapshot on the currently running system where IIS is executed. Request assistance from forensics and incident response experts if required. • Stop the IIS server, and ideally disconnect the underlying system from publicly reachable networks. • Back up all files and logs from your IIS environment, to retain data for further incident response. Check that the backups can be opened or extracted successfully. • Using IIS Manager or the appcmd command tool, remove every reference of the identified module from apps and server configurations. Manually review associated IIS XML configuration files to make sure any reference to the malicious modules have been removed – manually remove the references in XML files otherwise. • Update the IIS server and underlying operating system to make sure no known vulnerabilities remain exposed to attackers. • Restart the IIS server and bring the system online again.
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.