[BreachExchange] Vulnerability in Popular Survey Tool Exploited in Possible Chinese Attacks on U.S.

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 27 11:54:29 EDT 2021


https://www.securityweek.com/vulnerability-popular-survey-tool-exploited-possible-chinese-attacks-us

Cybersecurity consulting and incident response solutions provider Sygnia on
Tuesday published a report detailing attacks launched by a threat actor
against “high-profile public and private entities” in the United States.
Sygnia does not mention China in its report, but the company said it found
some links to attacks that were previously attributed to the Chinese
government.

The attacks involve CVE-2021-27852, a deserialization-related code
execution vulnerability affecting Checkbox Survey, an ASP.NET tool designed
for adding survey functionality to websites.

The Checkbox Survey vulnerability can be exploited remotely without
authentication and it impacts version 6 of the application. The flaw does
not exist in version 7.0 (released in 2019), but older versions are no
longer supported and they will not receive patches.

When it disclosed the vulnerability in May, the CERT Coordination Center
(CERT/CC) at Carnegie Mellon University warned that it had been exploited
in the wild, but it did not share any information about the attacks. It’s
unclear if the CERT/CC advisory refers to the attacks detailed by Sygnia,
but the company told SecurityWeek that it reported its findings to CERT/CC
at around the same time the advisory was published. CERT/CC credited an
anonymous researcher for reporting the flaw.

Checkbox Survey says its products are used by many organizations worldwide.
Its website lists hundreds of high-profile customers, including NATO, NASA,
the U.S. Army, the Secret Service, the State Department, and the Nuclear
Regulatory Commission.

Sygnia has found some links to attacks that targeted government and private
sector organizations in Australia last year. Those attacks were described
by an Australian cybersecurity agency as “Copy-Paste Compromises” and at
the time they were unofficially linked to China.

Sygnia has found similarities between the malware used in the Australia
attacks and the malware involved in the attacks analyzed by its experts.
However, the company noted that the activity described by the Australian
agency is “wider” and includes other TTPs that were not seen in the
attacks it observed.

Sygnia tracks the threat actor as TG1021 and Praying Mantis, and describes
it as a highly capable and persistent group that uses deserialization
exploits aimed at internet-exposed Windows IIS servers and web applications
for initial access into an organization’s network.
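The class of bug these attacks rely on, as an added C# illustration that is not code from the article, from Sygnia or from Checkbox Survey: an ASP.NET handler that feeds request-controlled bytes to BinaryFormatter lets the payload name the types to instantiate, which is what turns a deserialization flaw into remote code execution. The SurveyState type, the two methods and the JSON replacement are hypothetical and only show the unsafe pattern beside a hardened one.

```csharp
// Added illustration (not from the article, Sygnia, or Checkbox Survey):
// the unsafe .NET deserialization pattern next to a hardened replacement.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public class SurveyState   // hypothetical application type carried between requests
{
    public string SurveyId { get; set; }
    public int Page { get; set; }
}

public static class StateHandling
{
    // UNSAFE: BinaryFormatter instantiates whatever CLR types the payload names,
    // so bytes taken from a query string, cookie or POST body become an
    // attacker-chosen object graph rather than a SurveyState. The cast at the
    // end runs only after every constructor and callback in that graph has
    // already executed, which is too late.
    public static SurveyState LoadUnsafe(byte[] untrustedBytes)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrustedBytes);
        return (SurveyState)formatter.Deserialize(stream);
    }

    // HARDENED: a data-only format bound to one expected type. The payload
    // carries no type names, so it cannot select what gets instantiated, and
    // the result is validated before the application trusts it.
    public static SurveyState LoadSafe(string untrustedJson)
    {
        var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        var state = JsonSerializer.Deserialize<SurveyState>(untrustedJson, opts)
                    ?? throw new InvalidDataException("empty survey state");
        if (state.Page < 0 || string.IsNullOrEmpty(state.SurveyId))
            throw new InvalidDataException("survey state failed validation");
        return state;
    }
}
```

For defenders reviewing an ASP.NET code base the actionable check is the first method's shape: any BinaryFormatter, NetDataContractSerializer, SoapFormatter or type-name-carrying JSON setting reachable from request data is the finding, regardless of the cast that follows it. Replacing the formatter with a typed, data-only serializer removes the type-selection capability outright; type allow-listing via a SerializationBinder is a weaker stopgap for code that cannot be migrated yet.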

The malware used by TG1021 includes custom-made tools specifically designed
for IIS servers, a stealthy backdoor, and several post-exploitation
modules that enable the attackers to perform reconnaissance, elevate
privileges and move laterally within the network.

The malware has been described as “volatile” — it is loaded into the
compromised device’s memory in an effort to avoid leaving a trace.

“The nature of the activity and general modus-operandi suggest TG1021 to be
an experienced stealthy actor, highly aware of OPSEC,” Sygnia said in its
report. “The malware used by TG1021 shows a significant effort to avoid
detection, both by actively interfering with logging mechanisms,
successfully evading commercial EDRs and by silently awaiting incoming
connections, rather than connecting back to a C2 channel and continuously
generating traffic. Furthermore, the threat actor actively removed all
disk-resident tools after using them, effectively giving up on persistency
in exchange for stealth.”