The eSentire Threat Response Unit (TRU) revealed that threat actors are actively exploiting a six-year-old IIS vulnerability in Progress Telerik UI for ASP.NET AJAX to gain remote access to systems.
This vulnerability, identified as CVE-2019-18935, allows attackers to execute arbitrary code on vulnerable servers and thereby gain remote access to systems running unpatched versions of the software, posing a significant risk to organizations that have not updated their systems.
TRU observed the threat actors using w3wp.exe (IIS worker process) to load a reverse shell and run subsequent commands for reconnaissance via cmd.exe.
Cybersecurity analysts at TRU noted that the reverse shells were dropped in the C:\Windows\Temp directory.
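The process chain TRU describes (w3wp.exe loading a module from C:\Windows\Temp, then spawning cmd.exe, which runs net.exe and net1.exe) is exactly the kind of pattern a defender can hunt for in endpoint telemetry. The following is an added example, not code from the eSentire report: it walks constructed Sysmon-style process-creation and image-load records (the event layout, PIDs and the DLL file name are assumptions made for the demo) and flags the two behaviours.

```python
"""Added example (not from the eSentire/TRU report): flag the IIS worker
process w3wp.exe loading an image from C:\\Windows\\Temp, and cmd.exe /
net.exe / net1.exe running anywhere beneath w3wp.exe in the process tree.
The event records below are constructed for the demo and are not real
telemetry; field names loosely follow Sysmon EventID 1 (process create)
and EventID 7 (image load)."""
import ntpath

WORKER = "w3wp.exe"                      # IIS worker process
RECON_TOOLS = {"cmd.exe", "net.exe", "net1.exe"}
TEMP_DIR = ntpath.normcase(r"C:\Windows\Temp") + "\\"

# Constructed sample events (not real data).
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 800,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "imageload", "pid": 4100,                # hypothetical DLL name
     "process_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Temp\stage.dll"},
    {"type": "imageload", "pid": 4100,                # normal Winsock load
     "process_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\ws2_32.dll"},
    {"type": "process", "pid": 5200, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 5210, "ppid": 5200,
     "image": r"C:\Windows\System32\net.exe"},
    {"type": "process", "pid": 5220, "ppid": 5210,
     "image": r"C:\Windows\System32\net1.exe"},
    {"type": "process", "pid": 6000, "ppid": 900,     # cmd.exe from a
     "image": r"C:\Windows\System32\cmd.exe"},        # non-IIS parent: benign
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def ancestors(events, pid):
    """Yield image names of the processes above pid, nearest parent first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent in by_pid:
            yield _name(by_pid[parent]["image"])
        pid = parent


def find_findings(events):
    """Return (rule, pid, image name) tuples for suspicious records."""
    findings = []
    for e in events:
        name = _name(e["image"])
        if (e["type"] == "process" and name in RECON_TOOLS
                and WORKER in ancestors(events, e["pid"])):
            findings.append(("iis_worker_spawned_shell", e["pid"], name))
        if (e["type"] == "imageload" and _name(e["process_image"]) == WORKER
                and ntpath.normcase(e["image"]).startswith(TEMP_DIR)):
            findings.append(("w3wp_loaded_from_temp", e["pid"], name))
    return findings


if __name__ == "__main__":
    for finding in find_findings(EVENTS):
        print(*finding)
```

The tree walk matters because the reconnaissance binaries are grandchildren of w3wp.exe (net1.exe is launched by net.exe, which is launched by cmd.exe); a rule that only checks the immediate parent would miss them. The last event shows that cmd.exe under an unrelated parent is not flagged.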
Exploitation Process
The exploitation process begins when threat actors send a specific request to the IIS server to determine if the file upload handler is available.
Once confirmed, they use a customized proof-of-concept (PoC) to upload and execute a remote shell.
The reverse shell is a mixed-mode .NET assembly that connects to a command and control (C2) server at 213.136.75.130 via Windows Sockets.
After establishing a reverse shell, attackers execute commands to gather system information, including user enumeration using net.exe and net1.exe.
TRU also observed the deployment of the open-source privilege escalation tool JuicyPotatoNG on the host, along with several batch files whose purpose is currently unknown.
To detect such reverse shells, the following YARA rule can be used:
rule TCP_Reverse_Shell_Windows_x64 {
    meta:
        description = "Detects Windows based 64-bit TCP reverse shell"
        author = "YungBinary"
        hash = "b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348"
    strings:
        $winsock_2_0 = { 66 B? 02 00 FF 15 }
        $winsock_2_1 = { 66 B? 02 01 FF 15 }
        $winsock_2_2 = { 66 B? 02 02 FF 15 }
        $winsock_1_0 = { 66 B? 01 00 FF 15 }
        $winsock_1_1 = { 66 B? 01 01 FF 15 }
        $socket_params = { 41 B8 06 00 00 00 BA 01 00 00 00 B9 02 00 00 00 }
        $cmd = { 48 C7 44 24 ?? 00 00 00 00 48 C7 44 24 ?? 00 00 00 00 C7 44 24 ?? 00 00 00 00 C7 44 24 ?? (01 | 00) 00 00 00 45 33 C9 45 33 C0 48 8D 15 ?? ?? ?? ?? 33 C9 FF 15 }
        $wait = { BA FF FF FF FF 48 8B 4C ?? ?? FF 15 }
    condition:
        uint16(0) == 0x5a4d and
        ((1 of ($winsock*)) and $socket_params and $cmd and $wait)
}
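The rule works because its hex strings encode the x64 instruction sequence a Winsock reverse shell needs: the WSAStartup version word, the socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) register setup, a CreateProcess-style call and a WaitForSingleObject(…, INFINITE). The following is an added example, not code from the report or the rule's author: it re-implements YARA's hex-string syntax (byte and nibble wildcards, (A | B) alternation) as Python regular expressions and evaluates the rule's condition against two constructed buffers, so the matching logic can be followed without yara installed. The sample blobs are built for the demo and are not real binaries.

```python
"""Added example (not from the eSentire/TRU report): apply the byte patterns
of the TCP_Reverse_Shell_Windows_x64 rule to a buffer using plain `re`.
The two sample buffers are constructed for the demo, not real files."""
import re

# Hex strings copied from the rule; comments give the x64 instructions.
STRINGS = {
    # mov r16, version ; call [rip+..]  -> WSAStartup(MAKEWORD(maj, min))
    "winsock_2_0": "66 B? 02 00 FF 15",
    "winsock_2_1": "66 B? 02 01 FF 15",
    "winsock_2_2": "66 B? 02 02 FF 15",
    "winsock_1_0": "66 B? 01 00 FF 15",
    "winsock_1_1": "66 B? 01 01 FF 15",
    # mov r8d,6 (IPPROTO_TCP) ; mov edx,1 (SOCK_STREAM) ; mov ecx,2 (AF_INET)
    "socket_params": "41 B8 06 00 00 00 BA 01 00 00 00 B9 02 00 00 00",
    # zeroed stack args, xor r9d/r8d, lea rdx,[cmdline], xor ecx, call
    "cmd": ("48 C7 44 24 ?? 00 00 00 00 48 C7 44 24 ?? 00 00 00 00 "
            "C7 44 24 ?? 00 00 00 00 C7 44 24 ?? (01 | 00) 00 00 00 "
            "45 33 C9 45 33 C0 48 8D 15 ?? ?? ?? ?? 33 C9 FF 15"),
    # mov edx,-1 (INFINITE) ; mov rcx,[rsp+..] ; call -> WaitForSingleObject
    "wait": "BA FF FF FF FF 48 8B 4C ?? ?? FF 15",
}


def _byte(v):
    """Regex escape for one literal byte value."""
    return b"\\x%02x" % v


def _token_re(tok):
    """One hex token -> regex fragment (full byte, nibble wildcard or ??)."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return _byte(int(tok, 16))
    fixed = tok.replace("?", "")
    cands = [int(fixed + h, 16) if tok[1] == "?" else int(h + fixed, 16)
             for h in "0123456789abcdef"]
    return b"[" + b"".join(_byte(v) for v in cands) + b"]"


def hex_to_regex(hexstr):
    """Translate a YARA hex string into a compiled bytes regex."""
    parts = []
    for tok in hexstr.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            parts.append(b"(?:")
        elif tok in ("|", ")"):
            parts.append(tok.encode())
        else:
            parts.append(_token_re(tok.lower()))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_to_regex(h) for name, h in STRINGS.items()}


def matched_strings(data):
    """Names of the rule's strings that occur in data."""
    return {name for name, rx in COMPILED.items() if rx.search(data)}


def matches_rule(data):
    """uint16(0) == 0x5a4d and 1 of ($winsock*) and the three behaviour strings."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    hits = matched_strings(data)
    return (any(n.startswith("winsock") for n in hits)
            and {"socket_params", "cmd", "wait"} <= hits)


def _hex(s):
    return bytes.fromhex(s.replace(" ", ""))


# Constructed demo buffers (not real binaries). Wildcard positions are filled
# with arbitrary concrete values so every pattern has one instance.
SAMPLE_SHELL = (
    b"MZ" + b"\x00" * 62
    + _hex("66 B8 02 02 FF 15 10 20 00 00") + b"\x90" * 8     # WSAStartup 2.2
    + _hex("41 B8 06 00 00 00 BA 01 00 00 00 B9 02 00 00 00") + b"\x90" * 8
    + _hex("48 C7 44 24 48 00 00 00 00 48 C7 44 24 40 00 00 00 00 "
           "C7 44 24 38 00 00 00 00 C7 44 24 30 01 00 00 00 "
           "45 33 C9 45 33 C0 48 8D 15 11 22 33 44 33 C9 FF 15") + b"\x90" * 8
    + _hex("BA FF FF FF FF 48 8B 4C 24 50 FF 15")
)
# A normal network client also calls WSAStartup, so this alone must not fire.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + _hex("66 B8 02 02 FF 15 10 20 00 00")

if __name__ == "__main__":
    for label, blob in (("constructed shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        print(label, matches_rule(blob), sorted(matched_strings(blob)))
```

In production the rule would of course be run with the yara CLI or yara-python; the point here is to see why the condition combines all four behaviours: the WSAStartup call on its own is present in any Winsock client, and only the full chain (socket setup, process launch, blocking wait) characterises the reverse shell.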
To mitigate these threats, organizations should implement robust patch management and vulnerability management services.
Additionally, deploying Endpoint Detection and Response (EDR) solutions across all systems can help detect and respond to such attacks.