Threat actors are planting a backdoor in Microsoft Internet Information Services (IIS) web servers on Windows that some online file-scanning services fail to flag, Kaspersky researchers say.
They also warn that IIS servers must undergo “a complete and dedicated investigation process” for possible compromises.
Dubbed SessionManager, the backdoor is a malicious native-code IIS module that hooks into the server’s request-processing pipeline and inspects the HTTP requests the server continuously receives, acting on the ones crafted by its operators.
According to the report, the module is installed after exploitation of a ProxyLogon-type vulnerability. ProxyLogon is the name given to CVE-2021-26855, a server-side request forgery flaw in Microsoft Exchange Server that lets an unauthenticated attacker bypass authentication and act as the Exchange server. Because Exchange’s web front end runs on IIS, a foothold gained that way is all that is needed to register a module.
“Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure,” Kaspersky researchers said in the report issued today.
SessionManager has been used against non-governmental organizations (NGOs) and government, military and industrial organizations in Africa, South America, Asia, Europe, Russia, and the Middle East, starting from at least March 2021.
It is the latest in a series of malicious IIS modules researchers have documented. In December, Kaspersky reported on one it called Owowa, which steals credentials and allows remote command execution through what was then called Outlook Web App (OWA) and is now known as Outlook on the web.
Malicious modules watch for seemingly legitimate but specially crafted HTTP requests from their operators, carry out whatever hidden instructions those requests contain, and then hand the request on to the server to be processed like any other. That design makes them hard to spot with usual monitoring practices: they need not initiate outbound connections to attacker infrastructure, since commands arrive in ordinary inbound HTTP requests to a server that is meant to be publicly exposed, and their files sit in directories full of other legitimate DLLs, where one more binary is easily overlooked.
SessionManager offers three capabilities that, when combined, make it a lightweight persistent initial access backdoor, says the report:
- reading, writing to, and deleting arbitrary files on the compromised server;
- executing arbitrary binaries from the compromised server, also known as “remote command execution”;
- establishing connections to arbitrary network endpoints reachable from the compromised server, and reading from and writing to those connections.
“We cannot stress enough that IIS servers must undergo a complete and dedicated investigation process after the gigantic opportunity that ProxyLogon-style vulnerabilities exposed,” says Kaspersky.
To list every module IIS has loaded, the report says, use the IIS Manager GUI or the appcmd command-line tool (for example, appcmd list modules). If a malicious module is found, deleting the file is not enough. Kaspersky recommends that investigators:
- take a volatile memory snapshot of the running system on which IIS executes, requesting assistance from forensics and incident response experts if required;
- stop the IIS server, and ideally disconnect the underlying system from publicly reachable networks;
- back up all files and logs from the IIS environment to retain data for further incident response, and check that the backups can be opened or extracted successfully;
- using IIS Manager or the appcmd tool, remove every reference to the identified module from application and server configurations. Manually review the associated IIS XML configuration files (applicationHost.config and the sites’ web.config files) to make sure no reference to the malicious module remains, and remove any leftover references by hand;
- update the IIS server and underlying operating system to make sure no known vulnerabilities remain exposed to attackers;
- restart the IIS server and bring the system online again.
After that, the malicious module, memory snapshot, and backups should be analyzed to understand how the identified malicious tools have been leveraged.
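The manual review of the XML configuration in the steps above can be scripted for an analyst working from the backed-up applicationHost.config rather than on the live host. What follows is an added example written for this page, not code from Kaspersky or from the report. It parses a constructed applicationHost.config fragment, compares the registered native modules against a baseline of names taken from a clean server of the same IIS version (a hypothetical subset here), flags any whose image lives outside %windir%\System32\inetsrv, lists where each suspect is enabled (server-wide or under a site’s location element), and writes back a configuration with every reference to the suspects stripped. The module names ExampleHelperModule and UriCacheModule2 and their paths are invented for the sample.

```python
"""Offline triage of an IIS applicationHost.config copy for unknown native modules."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config (trimmed applicationHost.config). The two modules
# ExampleHelperModule and UriCacheModule2 and their paths are invented for the
# example; the others are real IIS module names and images.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="ExampleHelperModule" image="C:\Windows\Temp\examplehelper.dll" />
      <add name="UriCacheModule2" image="%windir%\System32\inetsrv\cachuri2.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="HttpCacheModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="RequestFilteringModule" lockItem="true" />
      <add name="ExampleHelperModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="UriCacheModule2" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Hypothetical subset of the <globalModules> names on a clean reference install
# of the same IIS version. Build the real list from a known-good server, never
# from the suspect host.
BASELINE_MODULES = frozenset({
    "UriCacheModule", "FileCacheModule", "TokenCacheModule", "HttpCacheModule",
    "StaticFileModule", "DefaultDocumentModule", "AnonymousAuthenticationModule",
    "RequestFilteringModule", "CustomErrorModule", "HttpLoggingModule",
})
INETSRV_DIR = r"c:\windows\system32\inetsrv"  # where stock native modules live


def expand_env(path, env):
    """Expand %VAR% tokens from a fixed map so the check runs off the host."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def inspect_global_modules(xml_text, baseline=BASELINE_MODULES, env=None):
    """One dict per registered native module, with the reasons it looks off."""
    env = env or {"windir": r"C:\Windows"}
    root = ET.fromstring(xml_text)
    results = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = expand_env(add.get("image", ""), env)
            reasons = []
            if name not in baseline:
                reasons.append("name not in baseline")
            if not image.replace("/", "\\").lower().startswith(INETSRV_DIR + "\\"):
                reasons.append("image outside inetsrv")
            results.append({"name": name, "image": image, "reasons": reasons})
    return results


def module_references(xml_text, names):
    """Where (server-wide or per <location>) each suspect module is enabled."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    refs = []
    for mods in root.iter("modules"):
        scope, node = "server-wide", mods
        while node in parents:  # walk up to an enclosing <location>, if any
            node = parents[node]
            if node.tag == "location":
                scope = node.get("path", "")
                break
        refs.extend((scope, a.get("name")) for a in mods.findall("add") if a.get("name") in names)
    return refs


def remove_modules(xml_text, names):
    """Drop the registration and every enabling reference; return (xml, count)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for section in list(root.iter("globalModules")) + list(root.iter("modules")):
        for add in list(section.findall("add")):
            if add.get("name") in names:
                section.remove(add)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def triage(xml_text, baseline=BASELINE_MODULES):
    """Flag suspect native modules and list where each one is wired in."""
    findings = [m for m in inspect_global_modules(xml_text, baseline) if m["reasons"]]
    return {"findings": findings,
            "references": module_references(xml_text, {m["name"] for m in findings})}


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG)
    for m in report["findings"]:
        print(f"SUSPECT {m['name']}: {m['image']} ({'; '.join(m['reasons'])})")
    for scope, name in report["references"]:
        print(f"  enabled at {scope}: {name}")
    cleaned, n = remove_modules(SAMPLE_CONFIG, {m["name"] for m in report["findings"]})
    print(f"removed {n} references; re-run triage on the cleaned XML to confirm")
```

The name-based baseline is the part that matters: a module dropped inside inetsrv under a plausible name passes the path check, which is why the sample includes one. Generate the baseline from a known-good install, and apply the cleaned configuration only after the memory capture and backups described above are done; on the server itself, appcmd or the WebAdministration cmdlets perform the same removal, and the list of loaded modules should be re-checked after IIS restarts.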