Israeli cybersecurity firm Sygnia has reported a new, highly capable and persistent threat actor, dubbed “Praying Mantis” or “TG1021”, that launched advanced memory-resident attacks on Microsoft IIS servers belonging to major high-profile public and private entities in the US. Let’s see who is behind the attacks, whom they targeted, and finally how to prevent advanced memory-resident attacks.
According to the report, the threat actor operates almost entirely in memory. It mostly targeted internet-facing Windows servers in the US, loading a completely volatile, custom malware platform tailored for the Windows IIS environment.
Sygnia named the advanced persistent threat actor “Praying Mantis” or “TG1021”. The tactics, techniques, and procedures (TTPs) used in the attacks resemble those of the nation-state-sponsored actor behind the “Copy-Paste Compromises”; see the advisory released by the Australian Cyber Security Centre (ACSC).
The actor leveraged a variety of exploits against internet-facing Microsoft IIS servers to gain initial access. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications to execute a sophisticated memory-resident malware that acts as a backdoor, known as “NodeIISWeb”. Let’s look at the vulnerabilities identified as being exploited to deploy the NodeIISWeb malware.
A 0-day vulnerability in the insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application. This vulnerability allows attackers to achieve remote code execution (RCE) on the target, resulting in the initial compromise of an IIS server.
“The threat actor also leveraged and exploited the standard VIEWSTATE deserialization process to regain access to compromised machines. VIEWSTATE is a mechanism in .NET used to maintain and preserve web page session data between a client and a server.”
By Sygnia, an Israel-based cybersecurity firm.
Fig #1. Altserialization Insecure Deserialization
ASP.NET allows web applications to store user sessions in a session object for later use. The application saves the serialized .NET session object to an MSSQL database and ties it to a cookie. When the user browses the application again with that cookie, the session state is loaded and deserialized. The vulnerability lets an attacker craft a malicious serialized object and write it to the database, leading to remote code execution on the web application server once the implanted cookie is passed in an HTTP request.
A suite of UI components for web applications (Telerik UI) was found to be vulnerable due to weak encryption, enabling a malicious actor to upload a file and/or run malicious code. TG1021 used this vulnerability to upload a web shell loader to the targets, which is then used to upload additional malware modules in later phases.
Prevention is the best protection. The following points help prevent advanced memory-resident attacks on your IIS servers.
Checkbox Survey removed the vulnerable View State data handling in version 7.0. Use Checkbox Survey 7.0 or later, which does not contain the vulnerability.
Use newer versions of .NET, which enforce encryption and validation of VIEWSTATE data and thereby protect against this kind of exploit.
Always keep the encryption and validation keys safe: if they are stolen, attackers can bypass the integrity check and eventually execute malicious code on the IIS server.
Upgrade Telerik UI to R3 2019 SP1 (v2019.3.1023) or later.
Refer to Telerik’s RadAsyncUpload security guide.
Configure the RadAsyncUpload control according to the recommended security settings.
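The .NET and VIEWSTATE hardening points above can be checked directly in an application’s web.config. The following script is an added example (not Sygnia’s or the author’s code) that audits the target framework, the ViewState MAC and encryption settings, and the machineKey algorithms whose keys an attacker would need in order to forge VIEWSTATE. The two configurations embedded in it are constructed for illustration, and the key values are placeholders, not real keys.

```python
"""Audit an ASP.NET web.config for the ViewState protections recommended above.

Added example, not the page's or Sygnia's code. The sample configs are constructed;
the machineKey values are placeholders.
"""
import xml.etree.ElementTree as ET

# Weak configuration, constructed to trip every check below.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.0" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Hardened configuration: MAC on, encryption always, HMAC-SHA256 validation, AES decryption.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1"}   # legacy validation algorithms
WEAK_DECRYPTION = {"DES", "3DES"}   # legacy ciphers
MIN_FRAMEWORK = (4, 5)              # 4.5.2 and later ignore attempts to disable the ViewState MAC


def _version(text):
    """Turn '4.5.2' into (4, 5, 2); non-numeric parts count as zero."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def audit_web_config(xml_text):
    """Return a list of human-readable findings; an empty list means no weakness was found."""
    root = ET.fromstring(xml_text)
    findings = []

    runtime = root.find("system.web/httpRuntime")
    target = runtime.get("targetFramework") if runtime is not None else None
    if target is None or _version(target) < MIN_FRAMEWORK:
        findings.append(f"httpRuntime targetFramework is {target or 'unset'}; "
                        f"use .NET {MIN_FRAMEWORK[0]}.{MIN_FRAMEWORK[1]} or later")

    pages = root.find("system.web/pages")
    mac = (pages.get("enableViewStateMac", "true") if pages is not None else "true").lower()
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mac == "false":
        findings.append("pages enableViewStateMac=false: ViewState integrity check disabled")
    if mode.lower() != "always":
        findings.append(f"pages viewStateEncryptionMode={mode}: set to Always")

    key = root.find("system.web/machineKey")
    if key is not None:
        validation = key.get("validation", "HMACSHA256").upper()
        decryption = key.get("decryption", "Auto").upper()
        if validation in WEAK_VALIDATION:
            findings.append(f"machineKey validation={validation}: use HMACSHA256 or stronger")
        if decryption in WEAK_DECRYPTION:
            findings.append(f"machineKey decryption={decryption}: use AES")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

Run it against a real web.config by reading the file into `audit_web_config`. A machineKey with explicit `validationKey`/`decryptionKey` attributes is what the key-custody point above is about: the file itself then holds the secrets, so its access permissions and backups deserve the same care as the keys.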
Indicators of Compromise
Files
• Default.aspx (Loader web shell)
  MD5: f69d32157189945fa2bf47a690a8bd62
  SHA-1: 4f10e10050d3da0b369f6636ede18a418ecab3a0
  SHA-256: ea463bf8e502d0ff68736afa3dcbb59c969a6dc5776c0d7d10bb282ec3b62282
• NodeIISWeb.dll
  MD5: de19ea6e9cdf2ac5d22a00d24898532d
  SHA-1: 0786eb857c20dedb578e181cafba81ef0a097205
  SHA-256: 562cfbab3c6c4daf3a7f81412c77d5b70402c48aed3f49066cb758742b068afd
• PSRunner.dll (Memory Resident)
  MD5: c8d12b90e9efd04a2c523efaef3d01d4
  SHA-1: abd78cf430d91d07387e7305be6523249af38caa
  SHA-256: 88cb332eb82f3c086eaa33607a173cf6410bff0b9a21d6692225ffb9bbe877c6
• PotatoEx.dll (Memory Resident)
  MD5: 92fd2e7d4dfced8c635fbcb54bb651b9
  SHA-1: be6648ada0074cb76b5da7854c37cb784c52f989
  SHA-256: 4a41a1b8adf426959ece8ebed0fccdcd5db1124eb0686c2f590b3b93392429e6
• ExtDLL.dll (Memory Resident)
  MD5: 6322a2a4b5dd34ecff3af22c4fac94cf
  SHA-1: 5679ada30e9cdbdfe62a05448d76e7034489945a
  SHA-256: 40b1bc34ecaddc7f08ca6399cb2a07520a7203394aa3accb1bb7d94aa21b35d6
• WebTunnel.dll (Memory Resident)
  MD5: 3a0f85d811916f66371b9a994472667c
  SHA-1: ba251c5f2884e2535a2178509b9065a9be969965
  SHA-256: 0d6dec29075584af62801306913430c1733882955eedcd9e9a4916b2dae4d457
• AssemblyManager.dll (Memory Resident)
  MD5: 0bd1d822710ca4cd8612cfcd78a12155
  SHA-1: 94df55b21bbd7bb82ab269d7840a3188003e5d35
  SHA-256: e1f3763092aa779fd291afe9aa18866658966332b13caa57d34d294120e1f608
• ReflectiveLoadForms.dll
  MD5: 9d705f6333fc8cb3e75dde04e7a71ca4
  SHA-1: cb84313a708723268a0608929887ad16fcf83a26
  SHA-256: 01e33b20366589b19f66ffdd560538e83fe1a63cab7f29e0a6754bcbb49ec7bb
Malicious HTTP Identifiers
• User-agent hard-coded in the tools – “Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko”
• HTTP parameter and cookie – “AESKey”
• HTTP parameter – “__VSTATEGENERATOR”
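The file hashes and HTTP identifiers above are most useful when run against an IIS server’s own W3C logs and web root. The script below is an added example (not Sygnia’s or the author’s code) that parses IIS W3C log lines by their `#Fields:` header, flags requests carrying the published user agent, query parameter or cookie names, and looks up a file’s SHA-256 in the published list. The log lines in it are constructed, not captured from a real server; the indicator values are the ones listed above.

```python
"""Scan IIS W3C logs and file hashes for the TG1021 indicators listed above.

Added example, not the page's or Sygnia's code. The log sample is constructed.
"""
import hashlib

# IIS logs spaces inside the User-Agent as '+', which is why the published string looks this way.
MALICIOUS_USER_AGENT = "Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko"
# Exact names only: the legitimate ASP.NET field is __VIEWSTATEGENERATOR and must not match.
MALICIOUS_PARAMS = {"AESKey", "__VSTATEGENERATOR"}
MALICIOUS_COOKIES = {"AESKey"}

# SHA-256 of each published file, mapped to its name (MD5/SHA-1 from the list can be added the same way).
IOC_SHA256 = {
    "ea463bf8e502d0ff68736afa3dcbb59c969a6dc5776c0d7d10bb282ec3b62282": "Default.aspx (loader web shell)",
    "562cfbab3c6c4daf3a7f81412c77d5b70402c48aed3f49066cb758742b068afd": "NodeIISWeb.dll",
    "88cb332eb82f3c086eaa33607a173cf6410bff0b9a21d6692225ffb9bbe877c6": "PSRunner.dll",
    "4a41a1b8adf426959ece8ebed0fccdcd5db1124eb0686c2f590b3b93392429e6": "PotatoEx.dll",
    "40b1bc34ecaddc7f08ca6399cb2a07520a7203394aa3accb1bb7d94aa21b35d6": "ExtDLL.dll",
    "0d6dec29075584af62801306913430c1733882955eedcd9e9a4916b2dae4d457": "WebTunnel.dll",
    "e1f3763092aa779fd291afe9aa18866658966332b13caa57d34d294120e1f608": "AssemblyManager.dll",
    "01e33b20366589b19f66ffdd560538e83fe1a63cab7f29e0a6754bcbb49ec7bb": "ReflectiveLoadForms.dll",
}

# Constructed sample log: the first two requests carry indicators, the third is normal ASP.NET traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Cookie) sc-status
2021-07-15 10:01:02 10.0.0.5 GET /Default.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200
2021-07-15 10:01:03 10.0.0.5 POST /Default.aspx __VSTATEGENERATOR=0 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 AESKey=Zm9v;+ASP.NET_SessionId=abc123 200
2021-07-15 10:01:04 10.0.0.5 POST /Default.aspx __VIEWSTATEGENERATOR=CA0B0334 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 ASP.NET_SessionId=def456 200
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names from the most recent #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def _names(value, sep):
    """Names from 'a=1&b=2' or 'a=1;+b=2'; IIS logs an empty field as '-'."""
    if value == "-":
        return set()
    return {part.split("=", 1)[0].strip("+ ") for part in value.split(sep) if part.strip("+ ")}


def find_suspicious_requests(lines):
    """Return (client ip, uri, reasons) for each request matching a published HTTP indicator."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = []
        if rec.get("cs(User-Agent)") == MALICIOUS_USER_AGENT:
            reasons.append("hard-coded user agent")
        for name in sorted(_names(rec.get("cs-uri-query", "-"), "&") & MALICIOUS_PARAMS):
            reasons.append(f"query parameter {name}")
        for name in sorted(_names(rec.get("cs(Cookie)", "-"), ";") & MALICIOUS_COOKIES):
            reasons.append(f"cookie {name}")
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


def match_file_hash(data):
    """Return the IoC name whose SHA-256 matches the file contents, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for ip, uri, reasons in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(ip, uri, "; ".join(reasons))
    print(match_file_hash(b"constructed sample bytes"))
```

Two caveats when applying this to real logs: the `cs(Cookie)` field is not logged by default and must be enabled in the site’s W3C logging fields, and IIS never logs POST bodies, so an `AESKey` parameter sent only in a request body will not appear here. The memory-resident modules also rarely touch disk, so the hash lookup is mainly useful for the loader web shell and for any dropped copies recovered during incident response.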
Please download Sygnia’s original report for detailed information. Thanks for reading this post. Please share it and help to save the digital world.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.