APT group hits IIS web servers with deserialization flaws and memory-resident malware

A sophisticated, likely government-sponsored threat actor has been compromising major public and private organizations over the past year by exploiting deserialization flaws in public-facing ASP.NET applications to deploy fileless malware. Dubbed Praying Mantis, or TG1021, by researchers from incident response firm Sygnia, the hacker group puts a strong focus on detection evasion by using a volatile and custom malware toolset built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC (operations security),” the Sygnia researchers said in a detailed report. “The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.”

Old and new deserialization exploits

In programming, serialization is the process of converting data into a stream of bytes, usually to transmit it over the wire. Deserialization is the reversal of that process and, as with most data-parsing operations in software, it can be a source of vulnerabilities when users control the input. Unsafe deserialization flaws have plagued Java applications for years, but Java is not the only programming language where deserialization is common.

The vulnerabilities exploited by Praying Mantis target deserialization implementations in ASP.NET, an open-source framework for developing web apps that are hosted on Windows IIS web servers. ASP.NET has a mechanism called VIEWSTATE that’s used by the framework to store the state and controls of a web page when sent to a client during a POST request. It is stored as a hidden input field called _VIEWSTATE. When the client performs the POST action and sends the page back to the server, the VIEWSTATE is deserialized and validated. ASP.NET provides some security and integrity checking mechanisms to ensure the serialized data is valid, but their correct usage comes down to developer implementation.

Praying Mantis was seen exploiting a remote code execution (RCE) vulnerability resulting from unsafe deserialization in an ASP.NET application called Checkbox that allows website owners to implement user surveys. At the time of the group’s attacks, this flaw had zero-day status and affected versions 6 and earlier of Checkbox that used a custom implementation of VIEWSTATE functionality. Even though Checkbox version 7 has been available since 2019 and is not affected, official support for Checkbox version 6 did not end until July 1st.

“Prior to version 7.0, Checkbox Survey implements its own VIEWSTATE functionality by accepting a _VSTATE argument, which it then deserializes using LosFormatter,” analysts from CERT/CC said in an advisory in May. “Because this data is manually handled by the Checkbox Survey code, the ASP.NET VIEWSTATE Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.”
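The two points above, that ASP.NET protects VIEWSTATE with a Message Authentication Code and that Checkbox's custom _VSTATE handling skipped that check, are easiest to see side by side. The following is an added illustration written for this article in Python, not code from Checkbox, from ASP.NET, or from Sygnia's or CERT/CC's analysis: it models a hidden state field the way the framework's MAC is meant to work (serialize, tag with HMAC, verify the tag before deserializing) next to an unchecked decoder that ignores the tag. The field format, the key, the state values and the helper names are all constructed for the example; the data-only JSON parser stands in for a formatter that, unlike LosFormatter, cannot reconstruct arbitrary types.

```python
"""Added illustration: why a MAC must be verified before hidden page state is deserialized."""
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In ASP.NET this role is played by the machineKey; it must stay
# server-side, because anyone who knows it can mint valid tags.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class InvalidViewState(Exception):
    """Raised when the hidden field fails its integrity check."""


def _canonical(state: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly one byte sequence per state.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def encode_view_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Server -> client: serialize page state and append an HMAC-SHA256 tag.

    Field format (constructed for this example): base64(payload) + "." + hex(tag).
    """
    payload = _canonical(state)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + tag


def decode_view_state(field: str, key: bytes = SERVER_KEY) -> dict:
    """Client -> server: verify the tag FIRST, then deserialize with a data-only parser."""
    if field.count(".") != 1:
        raise InvalidViewState("field is missing its authentication tag")
    payload_b64, tag_hex = field.split(".")
    try:
        payload = base64.b64decode(payload_b64, validate=True)
        tag = bytes.fromhex(tag_hex)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidViewState(f"malformed field: {exc}") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak tag bytes through timing.
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise InvalidViewState("MAC mismatch: state was altered or not issued by this server")
    state = json.loads(payload)
    if not isinstance(state, dict):
        raise InvalidViewState("unexpected state shape")
    return state


def is_valid_view_state(field: str, key: bytes = SERVER_KEY) -> bool:
    """Convenience wrapper: True only if decode_view_state accepts the field."""
    try:
        decode_view_state(field, key)
        return True
    except InvalidViewState:
        return False


def decode_view_state_unchecked(field: str) -> dict:
    """The anti-pattern CERT/CC describes: the MAC is ignored and the field is deserialized as-is.

    With a data-only format this lets a client rewrite the page state; with a
    type-reconstructing formatter such as LosFormatter the same gap becomes code execution.
    """
    payload_b64 = field.split(".")[0]
    return json.loads(base64.b64decode(payload_b64))


def altered_field(field: str, **changes) -> str:
    """Test fixture: a client-side edit of the serialized state that keeps the original tag."""
    payload_b64, tag_hex = field.split(".")
    state = json.loads(base64.b64decode(payload_b64))
    state.update(changes)
    return base64.b64encode(_canonical(state)).decode() + "." + tag_hex


if __name__ == "__main__":
    issued = encode_view_state({"page": "survey", "role": "respondent"})
    edited = altered_field(issued, role="admin")
    print("unchecked decoder accepts the edit:", decode_view_state_unchecked(edited)["role"])
    print("checked decoder accepts the edit:", is_valid_view_state(edited))
```

The checked decoder also refuses a field that carries no tag at all and a field tagged under a different key, which is the property the framework's MAC setting provides when the application actually lets the framework enforce it. The detection lesson from the Checkbox case is that this guarantee is only as good as the code path: a server setting that enables MAC validation protects nothing if the application reads the serialized data out of its own parameter and hands it to a formatter directly.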

Copyright © 2021 IDG Communications, Inc.