Microsoft Under Attack By A Hacking Group
A new series of targeted cyber intrusion attacks by a highly capable hacking group has hit major high-profile public and private organizations in the U.S. that run Windows Internet Information Services (IIS) servers.
The adversary, tracked as “Praying Mantis” or “TG1021,” was identified by Sygnia, an Israeli cyber-security firm, which describes it as advanced and stealthy.
How It Targets:
A custom malware framework, built around an IIS-specific core, makes TG1021 virtually invisible on infected computers.
“The toolkit is completely volatile, loaded into memory through reflection and leaves very little trace on infected machines,” the researchers wrote. As well as the stealthy backdoor, the threat actor might also use a few post-exploitation modules to manage network reconnaissance and move laterally across networks.
Beyond the stealth inherent in those capabilities, the malware actively interferes with logging mechanisms and evades commercial endpoint detection and response (EDR) systems.
To gain an initial foothold, the threat actor exploits deserialization vulnerabilities in Internet-facing ASP.NET web applications. The compromised servers are then backdoored with “NodeIISWeb,” a custom native IIS module that loads further custom DLLs and intercepts and handles HTTP requests on the actor’s behalf.
Vulnerabilities Exploited By The Actors:
The actor has been observed exploiting the following vulnerabilities in ASP.NET applications:
- Remote code execution in Checkbox Survey (CVE-2021-27852)
- Insecure deserialization of the ASP.NET VIEWSTATE parameter
- Insecure deserialization via the ASP.NET Altserialization session-state mechanism
- Two Telerik UI deserialization flaws (CVE-2019-18935 and CVE-2017-11317)
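The two things a defender can check quickly on an IIS host, given the behaviour described above, are whether an unexpected native module has been registered (the hook point a NodeIISWeb-style backdoor needs to see every HTTP request) and whether ASP.NET ViewState is configured so that VIEWSTATE deserialization is exploitable (MAC validation disabled, or a static machineKey that may have leaked). The script below is an added example written for this article; it is not Sygnia’s detection tooling nor code from the report. It assumes it runs in an elevated PowerShell session on the IIS server with the WebAdministration module available, and the “signed by Microsoft” heuristic is an assumption that will also flag legitimate third-party modules, which then need manual review.

```powershell
# Added example for this article (not from the Sygnia report): triage an IIS host
# for an unexpected native module and for weak ASP.NET ViewState configuration.
# Assumes an elevated session on the IIS server with the WebAdministration module.
Import-Module WebAdministration

function Get-SuspiciousIisModule {
    # Native global modules run inside w3wp.exe and see every request, which is
    # exactly what the article describes NodeIISWeb doing. Report any module whose
    # DLL is missing, unsigned, or not signed by Microsoft (heuristic: review hits by hand).
    foreach ($m in Get-WebGlobalModule) {
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Module = $m.Name; Image = $path; Reason = 'image missing on disk' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Module = $m.Name; Image = $path; Reason = "signature $($sig.Status), signer $signer" }
        }
    }
}

function Get-WeakViewStateConfig {
    # Walk each site's content root for web.config files and report settings that
    # make VIEWSTATE deserialization attacks possible: MAC validation switched off,
    # or a hard-coded machineKey validationKey (if that key ever leaked, rotate it).
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $configs = Get-ChildItem -LiteralPath $root -Recurse -Filter web.config -File -ErrorAction SilentlyContinue
        foreach ($cfg in $configs) {
            try { $xml = [xml](Get-Content -LiteralPath $cfg.FullName -Raw) } catch { continue }
            $pages = $xml.SelectSingleNode('/configuration/system.web/pages')
            $key   = $xml.SelectSingleNode('/configuration/system.web/machineKey')
            if ($pages -and $pages.GetAttribute('enableViewStateMac') -eq 'false') {
                [pscustomobject]@{ Site = $site.Name; File = $cfg.FullName; Finding = 'enableViewStateMac="false"' }
            }
            if ($key -and $key.GetAttribute('validationKey') -and
                $key.GetAttribute('validationKey') -ne 'AutoGenerate,IsolateApps') {
                [pscustomobject]@{ Site = $site.Name; File = $cfg.FullName; Finding = 'static machineKey validationKey' }
            }
        }
    }
}

Get-SuspiciousIisModule | Format-Table -AutoSize
Get-WeakViewStateConfig | Format-Table -AutoSize
```

Two caveats worth keeping in mind: a payload that is loaded reflectively and lives only in memory, as the researchers describe for this toolkit, will not necessarily appear as a registered module, so an empty first table is not a clean bill of health; and on .NET Framework 4.5.2 and later the runtime enforces ViewState MAC regardless of `enableViewStateMac`, so on those servers the static machineKey finding is the one that matters for the VIEWSTATE exploitation path.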
TG1021 has been found to use tactics, techniques, and procedures (TTPs) with “major similarities” to those described in the “Copy-Paste Compromises” advisory from the Australian Cyber Security Centre (ACSC), which attributed that campaign to a sophisticated state-sponsored actor.
In that June 2020 advisory, the ACSC reported that unpatched Telerik UI flaws and deserialization weaknesses in IIS servers were used in attacks on public-facing infrastructure.
As of yet, attribution has not been formalized.
Techniques of Cyber Criminals:
Cyber criminals are using sophisticated, nation-state attack methods to target commercial organizations, according to researchers who observed Praying Mantis targeting high-profile entities in two major Western markets.
Ongoing forensic activity and prompt incident response are crucial to identifying this threat actor and defending networks against it.