Is Gelsemium APT Behind a Targeted Attack in Southeast Asian Government?

Cyber Security Threat Summary:
Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

SessionManager was utilized in attacks against a wide range of organizations, including NGOs, government agencies, military entities, and industrial organizations across regions like Africa, South America, Asia, Europe, Russia, and the Middle East. The researchers attribute these attacks to the GELSEMIUM threat actor due to shared victims and the use of a common OwlProxy variant.

The backdoor, written in C++, functions as a malicious native-code IIS module. It processes legitimate HTTP requests sent to the server and executes hidden instructions within specially crafted HTTP requests from threat actors. These malicious modules are difficult to detect using standard monitoring methods.”

Security Officer Comments:
SessionManager offers various capabilities, including:

  • Reading, writing, and deleting arbitrary files on the compromised server.
  • Executing arbitrary binaries from the compromised server (remote command execution).
  • Establishing connections to arbitrary network endpoints reachable by the compromised server, as well as reading and writing in such connections.
Additionally, the backdoor can serve as a post-deployment tool for operators, enabling reconnaissance within the targeted environment, collecting in-memory passwords, and deploying further malicious payloads.

Suggested Correction(s):
Strong cybersecurity is vital for protecting organizations against ever-evolving threats. It involves multiple strategies like firewalls, multi-factor authentication, and regular software updates. By segmenting networks, protecting endpoints, and using encryption, organizations reduce risks. Having an incident response plan and regular security checks ensures readiness to handle incidents efficiently. These measures collectively provide robust defense against cyber threats, safeguarding data and systems.