Background
Earlier today the Australian Cyber Security Centre (ACSC) released an advisory regarding a cyber campaign targeting Australian networks. The campaign is dubbed ‘Copy-paste compromises’ because of the threat actor’s heavy reliance on publicly available, open-source proof-of-concept exploit code.
What are the issues?
1. Telerik UI Arbitrary code execution vulnerability (CVE-2019-18935)
A vulnerability in Telerik UI for ASP.NET could allow arbitrary code execution. ASP.NET is an open-source, server-side web-application framework used to build dynamic web pages. Successful exploitation of this vulnerability could allow remote code execution in the context of a privileged process. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured with fewer user rights on the system, exploitation would have less impact than if it were configured with administrative rights.
Systems impacted
- Progress Telerik UI for ASP.NET AJAX versions prior to 2020.1.114
Reference: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
2. Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
A remote code execution vulnerability was discovered in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation requires that a user upload a specially crafted SharePoint application package to an affected version of SharePoint.
Systems impacted
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604
3. Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance (CVE-2019-19781)
A vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).
Systems impacted
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Reference: https://support.citrix.com/article/CTX267027
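The Telerik and Citrix issues above are both reached over plain HTTP requests, so web-server access logs are the first place a defender can look for exploitation attempts. The following Python script is an added example, not code from the Zscaler post, ACSC, Telerik or Citrix: it triages a log for requests to the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the component patched for CVE-2019-18935) and for the `/vpns/` path reached through a `/../` traversal (the pattern Citrix's published responder-policy mitigation for CVE-2019-19781 blocks). The log format, every log line, and the exact matching rules are assumptions constructed for illustration.

```python
"""
Added example (not code from the Zscaler post, ACSC, Telerik or Citrix):
triage web-server access logs for request patterns tied to the Telerik UI
RadAsyncUpload handler (CVE-2019-18935) and the Citrix ADC/Gateway path
traversal (CVE-2019-19781). The log format and all lines are constructed;
the matching rules are assumptions based on the vendors' public mitigation
guidance, not indicators taken from this post.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample log in a simplified "client method url status" format.
SAMPLE_LOG = """\
10.0.0.5 GET /Default.aspx 200
10.0.0.9 POST /Telerik.Web.UI.WebResource.axd?type=rau 200
10.0.0.9 POST /Telerik.Web.UI.WebResource.axd?type=rau 500
10.0.0.7 GET /vpn/index.html 200
10.0.0.7 GET /vpn/../vpns/cfg/example.conf 200
10.0.0.7 POST /vpn/%2e%2e/vpns/portal/example.pl 200
10.0.0.3 GET /vpns/portal/index.html 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def decode_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so encoded '..' sequences become visible."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify_request(url: str) -> Optional[str]:
    """Return a triage tag for a request URL, or None if nothing matches."""
    path, _, query = decode_url(url).lower().partition("?")
    # Telerik: requests to the RadAsyncUpload handler (type=rau). Legitimate
    # uploads use it too, so this is a review signal, not proof of exploitation.
    if path.endswith("telerik.web.ui.webresource.axd") and parse_qs(query).get("type") == ["rau"]:
        return "telerik-rau-handler"
    # Citrix: '/vpns/' reached through a '/../' traversal, the pattern the
    # vendor's responder-policy mitigation blocks (session check omitted here).
    if "/vpns/" in path and "/../" in path:
        return "citrix-vpns-traversal"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan log text and return one record per flagged request."""
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        tag = classify_request(m["url"])
        if tag is not None:
            hits.append({"line": str(lineno), "client": m["client"], "tag": tag, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two design points matter in practice. Decoding is repeated a bounded number of times because traversal sequences in real traffic are often percent-encoded, sometimes twice; a single decode would miss them. And the Telerik rule is deliberately a triage signal rather than a verdict: the same handler serves legitimate uploads, so a hit should be weighed against the server's patch level, the request's source, and the response status before calling it an exploitation attempt.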
4. Deserialization vulnerability in Microsoft IIS
A deserialization vulnerability exists in versions of Microsoft’s Internet Information Services (IIS) that use the .NET Framework (.NET). Exploitation abuses the application’s VIEWSTATE parameter to achieve remote code execution as an unauthorized user; a specially crafted VIEWSTATE parameter carrying malicious content is required. On up-to-date installs of .NET on IIS the contents of this parameter are protected by Message Authentication Code (MAC) validation, so an actor must first obtain the IIS server’s Machine Key to exploit this vulnerability.
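Because the protection described above rests on MAC validation and on the secrecy of the machine key, the practical defender check is an audit of each application's web.config. The script below is an added example, not code from the Zscaler post or from Microsoft: it parses a web.config and flags `enableViewStateMac="false"` or `enableEventValidation="false"` on `<pages>` and any static `validationKey`/`decryptionKey` on `<machineKey>`. Both config documents are constructed for illustration; the element and attribute names are the real ASP.NET ones. One caveat: current .NET Framework builds ignore `enableViewStateMac="false"` (which is why the post says up-to-date installs are protected), so on patched servers the static-key finding is the one that maps to the machine-key requirement above.

```python
"""
Added example (not code from the Zscaler post or from Microsoft): audit an
ASP.NET web.config for settings relevant to the VIEWSTATE deserialization
issue above, i.e. MAC validation switched off and static machineKey values
that an actor would need to obtain. Both config documents are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed weak configuration: MAC validation off and hard-coded keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" enableEventValidation="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed hardened configuration: defaults kept, keys auto-generated per app.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" enableEventValidation="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text: str) -> List[str]:
    """Return a list of findings for the given web.config text (empty = nothing flagged)."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)

    # <pages>: both attributes default to true when absent.
    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages/@enableViewStateMac=false: ViewState MAC validation disabled")
        if pages.get("enableEventValidation", "true").lower() == "false":
            findings.append("pages/@enableEventValidation=false: event validation disabled")

    # <machineKey>: absent or 'AutoGenerate' keys are generated by the runtime;
    # an explicit key is shared secret material that must be protected and
    # rotated after any suspected compromise.
    machine_key = root.find("./system.web/machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"machineKey/@{attr} is static: protect it and rotate it if exposed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

A static key is not itself a vulnerability; web farms need a shared key so every node validates the same VIEWSTATE. The finding exists because a key copied into source control, backups or a shared config template is exactly what an actor must obtain before the VIEWSTATE path works, so it should be treated as a secret and rotated after any suspected compromise.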
5. Downloader and Malware Payloads
There are reports of malware downloader payloads, including malicious documents distributed as attachments in spear-phishing campaigns. These attached documents are weaponized with the above exploits, leading to the download of PowerShell Empire, HTTPCore, or HTTPotato payloads for C&C communication.
What can you do to protect yourself?
All the vulnerabilities exploited in this campaign were publicly disclosed previously, and the product developers have provided patches and mitigations for each of them. It is important to keep security software updated and to apply the latest software patches to endpoints. As always, avoid opening suspicious emails containing attachments or links from unknown sources, and disable macros in Office programs; do not enable them unless it is essential to do so.
Zscaler coverage
Zscaler ThreatLabZ is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.
- Advanced Threat Protection Signatures
  - Win32.Exploit.CVE-2019-18935
  - Win32.Exploit.CVE-2019-0604
  - Linux.Exploit.CVE-2019-19781
  - Html.Malurl.Gen
- Malware Protection
  - ASP/Webshell
  - ASP/Twoface.B
  - Win64.Riskware.JuicyPotato
  - Win32.Riskware.LazyCat
  - VBA.Downloader.PowershellEmpire
  - Win32.Downloader.CobaltStrike
- Advanced Cloud Sandbox provides proactive coverage against the payloads involved.
Details related to these threat signatures can be found in the Zscaler Threat Library.
References
ACSC has previously reported on these attacks here:
- https://www.cyber.gov.au/threats/advisory-2020-004-telerik
- https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services