
Targeted attacks on Australian Networks (ACSC Advisory) - Zscaler Coverage

June 2020 by Zscaler

Published on: June 18, 2020

Authored by: Krishna Kona, Jithin Nair

Category: Vulnerability

Background

Earlier today, the Australian Cyber Security Centre (ACSC) released an advisory about a cyber campaign targeting Australian networks. The campaign is dubbed ‘Copy-paste compromises’ because of the threat actor’s heavy use of publicly available, open-source proof-of-concept exploit code.

What are the issues?

1. Telerik UI Arbitrary code execution vulnerability (CVE-2019-18935)

A vulnerability in Telerik UI for ASP.NET could allow for arbitrary code execution. ASP.NET is an open-source server-side web-application framework designed for web development to produce dynamic web pages. Successful exploitation of this vulnerability could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Systems impacted

Progress Telerik UI for ASP.NET AJAX versions prior to 2020.1.114

Reference: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

2. Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)

A remote code execution vulnerability was discovered in Microsoft SharePoint: the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation requires that a user upload a specially crafted SharePoint application package to an affected version of SharePoint.

Systems impacted

Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft SharePoint Server 2019

Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

3. Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance (CVE-2019-19781)

A vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to execute arbitrary code.

The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).

Systems impacted

Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Reference: https://support.citrix.com/article/CTX267027

4. Deserialization vulnerability in Microsoft IIS

A deserialization vulnerability exists in versions of Microsoft’s Internet Information Services (IIS) that use the .NET Framework (.NET). It is exploited through the service’s VIEWSTATE parameter and allows remote code execution by unauthorized users. A specially crafted VIEWSTATE parameter carrying malicious content is required for actors to exploit it successfully. On up-to-date installs of .NET on IIS, the contents of this parameter are protected by Message Authentication Code (MAC) validation, so an actor must first obtain the IIS server Machine Key to exploit this vulnerability.
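The verify-then-deserialize ordering that makes the Machine Key the gatekeeper, as an added illustration that is not Zscaler's or Microsoft's code: a simplified Python model of a MAC-protected ViewState-like token (JSON plus HMAC-SHA256; ASP.NET's real serialization format differs, and the key value is a constructed placeholder). The `enable_mac=False` path models the effect of disabling MAC validation, and the test shows that a tampered token is rejected only while the check is on and the key is secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for an IIS machine key; real keys are long random
# values stored in web.config/machine.config and must never leave the server.
MACHINE_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac_protect(state: dict, key: bytes = MACHINE_KEY) -> str:
    """Serialize page state and append an HMAC-SHA256 tag, then base64-encode.

    The tag covers every byte of the serialized payload, so any change made
    by a client without the key invalidates the token.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def mac_verify_then_load(token: str, key: bytes = MACHINE_KEY,
                         enable_mac: bool = True):
    """Return the decoded state, or None if the token fails MAC validation.

    enable_mac=False models an insecure configuration in which the payload
    is handed to the deserializer without the tag ever being checked.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if enable_mac:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # reject before the deserializer sees any bytes
    return json.loads(payload)  # deserialization only after a passed check


def tamper(token: str, old: bytes, new: bytes) -> str:
    """Client-side edit of the serialized payload, done without the key."""
    raw = base64.b64decode(token)
    return base64.b64encode(raw.replace(old, new)).decode()
```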

5. Downloader and Malware Payloads

There are reports of malware downloader payloads, including malicious documents distributed as attachments in spear-phishing campaigns. These attached documents are weaponized with the exploits above, leading to the download of PowerShell Empire, HTTPCore, or HTTPotato payloads for C&C communication.

What can you do to protect yourself?

All the vulnerabilities exploited in this campaign were publicly disclosed previously, and the product developers have provided corresponding patches and mitigations. It is important to keep security software updated and to apply the latest software patches to endpoints. As always, avoid opening suspicious emails with attachments or links from unknown sources. Disable macros in Office programs, and do not enable them unless it is essential to do so.

Zscaler coverage

Zscaler ThreatLabZ is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.

Advanced Threat Protection Signatures
Win32.Exploit.CVE-2019-18935
Win32.Exploit.CVE-2019-0604
Linux.Exploit.CVE-2019-19781
Html.Malurl.Gen

Malware Protection
ASP/Webshell
ASP/Twoface.B
Win64.Riskware.JuicyPotato
Win32.Riskware.LazyCat
VBA.Downloader.PowershellEmpire
Win32.Downloader.CobaltStrike

Advanced Cloud Sandbox provides proactive coverage against payloads involved.

Details related to these threat signatures can be found in the Zscaler Threat Library.

References

ACSC Advisory: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

ACSC has previously reported on these attacks here:

https://www.cyber.gov.au/threats/advisory-2020-004-telerik
https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services
