TG1021 (Praying Mantis): The new threat actor group that could be targeting your IIS servers!

Posted by Luke Osborne on Jul 7, 2021 04:38:00 PM

Recently, a threat actor group tracked as TG1021, or Praying Mantis, has been observed targeting Microsoft IIS servers by exploiting vulnerabilities in the web applications they host. In this blog, we take a look at the report from Sygnia's Incident Response Team on the group's activity: what they do, how they do it and, more importantly, how you can protect yourself.

 

TG1021 uses an in-house framework, together with exploits for publicly known vulnerabilities (CVEs), to compromise victims' systems and exfiltrate data from them. According to Sygnia's report titled ‘Praying Mantis (TG1021): An Advanced Memory-Resident Attack’, the Incident Response Team found that “the operators behind the activity targeted Windows internet-facing servers, using mostly deserialisation attacks, to load a completely volatile, custom malware platform tailored for the Windows IIS environment.”

What is a deserialisation attack? 

Before we dive into deserialisation attacks, it first helps to understand what data serialisation is, and the below explanation from Acunetix is the perfect place to start: 

 “Serialisation refers to a process of converting an object into a format which can be persisted to disk (for example saved to a file or a datastore), sent through streams (for example stdout), or sent over a network.” 

We can then apply this knowledge to a deserialisation attack: the attacker submits crafted serialised data that, when the application reconstructs it, abuses the logic of the application or system. Depending on which classes the deserialiser is able to instantiate, the result can be a Denial of Service (DoS) or the execution of arbitrary code at the moment the data is deserialised. In the case of TG1021, the attacks abuse ASP.NET ViewState deserialisation. ViewState is the serialised page state that an ASP.NET Web Forms application sends to the browser in the hidden __VIEWSTATE field and deserialises again when the form is posted back. It is meant to be protected by a MAC computed with the server's machineKey, so if that key is disclosed, or MAC validation is switched off, an attacker can post back a crafted ViewState that carries a gadget chain and runs code on the server. You can find more information on this here.

With this level of damage at an attacker's disposal, it is easy to see why insecure deserialisation ranks at number 8 (A8:2017) in the OWASP Top 10 list of the most critical security risks to web applications.


How does TG1021 get away with it? 

According to the Sygnia report, “the malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.” What this means for defenders is that you cannot rely on a persistent artefact turning up on disk or on outbound beaconing showing up in network logs: you must proactively look for the vulnerabilities the group exploits and make sure patch management is in place.

The full report also shows that TG1021 exploited vulnerabilities in Telerik software. Telerik is known for numerous products that add functionality to web application development; one of them, Telerik UI for ASP.NET AJAX, is an extensively used suite of UI components for web applications. Older versions of this product use weak encryption to protect the requests handled by some of its components, which lets an attacker who recovers the key upload files to the server and, from there, run malicious code.

TG1021 took advantage of these vulnerabilities to upload a web shell loader to internet-facing IIS servers. The web shell was then used to upload additional modules and was deleted after a short period. After that initial use, the web shell was uploaded again at the start of every subsequent wave of activity.

 

So, how do I know if I am vulnerable?  

Now that we know how TG1021 exploits vulnerabilities, it's time to learn how to protect yourself from such an attack.

Whilst there are multiple entry points for a deserialisation attack, in the case of TG1021 one of them was a ViewState vulnerability in the Checkbox Survey software. Fortunately, according to the Software Engineering Institute at Carnegie Mellon University, “starting with Checkbox Survey 7.0, View State data is not used. Therefore, Checkbox Survey versions 7.0 and later do not contain this vulnerability.”

What this means for you is that upgrading to Checkbox Survey 7.0 or later, and making sure that no copy of a version below 7.0 remains installed anywhere on the system, removes that particular vulnerability. Note that the upgrade closes only this one door: a server that was exposed should still be checked for the other vulnerabilities described above.

 

For other methods of attack, we also want to share the general defences against insecure deserialisation listed by HDIV Security, which mirror the OWASP Top 10 prevention advice:

 

  • Implement integrity checks such as digital signatures on any serialised objects to prevent hostile object creation or data tampering.
  • Enforce strict type constraints during deserialisation before object creation as the code typically expects a definable set of classes. Bypasses to this technique have been demonstrated, so reliance solely on this is not advisable.
  • Isolate and run code that deserialises in low privilege environments when possible.
  • Log deserialisation exceptions and failures, such as where the incoming type is not the expected type, or the deserialisation throws exceptions.
  • Restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialise.
  • Monitor deserialisation, alerting if a user deserialises constantly.
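The ViewState mechanism described earlier and the first four defences in the list above fit together into one small model, shown here as an added example in Python (it is not code from the Sygnia report, from FluidOne or from ASP.NET). pickle stands in for the .NET serialiser; the envelope layout, the constructed SERVER_KEY, the ALLOWED_GLOBALS set, the harmless Gadget class and all function names are this example's own assumptions.

```python
"""Added example (not code from the Sygnia report or from FluidOne): a Python
model of the trust boundary behind a ViewState-style round trip, i.e. a
serialised object the server hands to the client and later reads back.
pickle stands in for the .NET serialiser; the envelope layout, SERVER_KEY,
ALLOWED_GLOBALS and every function name are this example's own assumptions."""
import hashlib
import hmac
import io
import logging
import os
import pickle

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
LOG = logging.getLogger("deserialisation")

# Assumed server-side secret, playing the role of the ASP.NET machineKey
# validationKey. Must be unique per site and must never reach the client.
SERVER_KEY = b"constructed-validation-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size

# Strict type constraint: the only named global a legitimate state blob may
# reference. Plain dict/list/str/int values need no global lookup at all.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any class or function the state format does not need, and log
    the refusal so that a burst of unexpected types becomes visible."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        LOG.warning("refused deserialisation of unexpected type %s.%s", module, name)
        raise pickle.UnpicklingError(f"type {module}.{name} is not allowed")


class Gadget:
    """Constructed stand-in for a deserialisation gadget chain. On load the
    unpickler calls os.getpid() instead of rebuilding an object; a real chain
    would reach something like os.system. Harmless on purpose."""

    def __reduce__(self):
        return (os.getpid, ())


def sign_state(blob, key=SERVER_KEY):
    """Integrity check: append HMAC-SHA256 over the serialised bytes, the role
    the ViewState MAC plays in ASP.NET."""
    return blob + hmac.new(key, blob, hashlib.sha256).digest()


def load_state(envelope, key=SERVER_KEY, mac_enabled=True, strict=True):
    """Server-side consumer. mac_enabled=False models a server that skips MAC
    validation; strict=False models deserialising without a type constraint.
    Returns the object, or raises ValueError / pickle.UnpicklingError."""
    if mac_enabled:
        blob, mac = envelope[:-MAC_LEN], envelope[-MAC_LEN:]
        expected = hmac.new(key, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            LOG.warning("integrity check failed on %d-byte state; not deserialised", len(blob))
            raise ValueError("state failed integrity check")
    else:
        blob = envelope
    try:
        if strict:
            return RestrictedUnpickler(io.BytesIO(blob)).load()
        return pickle.loads(blob)  # no type constraint at all
    except pickle.UnpicklingError as exc:
        LOG.warning("deserialisation failed: %s", exc)
        raise


def legitimate_round_trip():
    state = {"page": "survey", "answers": [1, 2, 3]}
    return load_state(sign_state(pickle.dumps(state, protocol=4)))


def attack_mac_disabled():
    """No MAC check and no type constraint: the gadget's callable runs during
    deserialisation and the 'state' is whatever it returned (here, a PID)."""
    return load_state(pickle.dumps(Gadget(), protocol=4), mac_enabled=False, strict=False)


def attack_key_unknown():
    """Attacker cannot sign: the envelope is rejected before deserialisation."""
    forged = sign_state(pickle.dumps(Gadget(), protocol=4), key=b"attacker-guess")
    try:
        load_state(forged)
    except ValueError:
        return "rejected_by_mac"
    return "accepted"


def attack_key_disclosed():
    """Key leaked (the ViewState case): the MAC passes, so the type constraint
    is the only control left between the gadget and code execution."""
    forged = sign_state(pickle.dumps(Gadget(), protocol=4))
    try:
        load_state(forged)
    except pickle.UnpicklingError:
        return "rejected_by_type_constraint"
    return "accepted"


if __name__ == "__main__":
    for scenario in (legitimate_round_trip, attack_mac_disabled,
                     attack_key_unknown, attack_key_disclosed):
        print(scenario.__name__, "->", scenario())
```

Mapped back to ASP.NET: ViewState MAC validation must stay enabled, the machineKey must be unique and secret, and a SerializationBinder or an equivalent type allowlist plays the part of RestrictedUnpickler. The key-disclosed scenario is the one that matters in the TG1021 case: once the attacker has the validation key the MAC no longer helps, and only the type constraint, the logging of refused types and the network monitoring from the list above remain.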

 

At the time of writing, further research into TG1021 has not uncovered other companies or bodies that have been targeted. That may change now that the group's activity has been brought to light, and there are two likely effects to be aware of: some users will become more proactive in patching their IIS servers, but the publicity could also draw other threat actors to the same techniques and give the TG1021 group itself the opportunity to refine its tradecraft.

 

What does FluidOne think of this? 

At FluidOne, we believe that events such as this are a key reason to ensure that patch management is in place and enforced. By patching known CVEs promptly, you make adversaries work much harder to compromise your data. If your role includes managing an IIS server, we recommend keeping on top of the latest threats and vulnerabilities to your systems, such as the one discussed here.

 

You can start by reading the full report by Sygnia here, and book your appointment with one of our cyber experts over at CSA to see how they can help. 

Contact us


About the author

Luke Osborne, Principal SOC Analyst at CSA