Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks.

Description

The Australian Cyber Security Centre (ACSC) issued advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. According to the advisory, this attack leverages multiple known vulnerabilities in Citrix Application Delivery Controller (CVE-2019-19781), Microsoft IIS (ACSC 2020-006), Microsoft SharePoint (CVE-2019-0604), and Progress Telerik UI (CVE-2019-18935). All IOCs were shared with FortiGuard Labs in advance of this advisory through trusted partnerships, and Fortinet customers running the latest definitions were protected at the time of disclosure.


In a nutshell what is the attack specifically?

The ACSC advisory highlights state-level threat actors using various tactics to compromise networks, businesses, governmental entities, and organizations in Australia. According to the advisory, the unnamed threat actor's modus operandi is to first attempt to exploit known vulnerabilities in Citrix ADC (CVE-2019-19781), Progress Telerik UI (CVE-2019-18935), Microsoft IIS, and Microsoft SharePoint (CVE-2019-0604). If unsuccessful, the attackers have been observed initiating spearphishing attacks as an alternative attack vector. The spearphishing vectors observed were links to credential harvesting websites; links to malware or attached malware; links that grant Office 365 OAuth tokens to the attacker; and other vectors that identify whether the email was opened. Malware and tooling observed by the ACSC included HTTPCore malware, malicious Word documents, PowerShell Empire, HTTPotato, webshells and a PowerShell reverse shell. The actor was also observed using open source tools and publicly available proof of concept code.


What were the specifics of the vulnerabilities mentioned in this advisory?

Citrix Application Delivery Controller (ADC) (CVE-2019-19781)

A vulnerability exists in the Citrix Application Delivery Controller (ADC) (also known as NetScaler ADC) and the Citrix Gateway (formerly known as NetScaler Gateway). If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Microsoft IIS (no CVE assigned; refer to ACSC-2020-006 in the APPENDIX)

A deserialization vulnerability exists in all versions of Microsoft's Internet Information Services (IIS) that use the .NET framework (.NET). Exploitation abuses the service's VIEWSTATE parameter to achieve remote code execution by unauthorized users.
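ViewState is only safe to deserialize while the server rejects blobs it did not sign, which depends on MAC validation staying enabled and the machineKey staying secret. The audit below is an added example, not part of the advisory or FortiGuard's tooling: it reads a web.config string and reports the settings that weaken that protection. It assumes the usual layout with system.web directly under configuration; both sample configs are constructed.

```python
"""Audit an ASP.NET web.config for ViewState deserialization hardening."""
import xml.etree.ElementTree as ET

# Constructed sample: a weak web.config of the kind the audit should flag.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: a hardened web.config that keeps auto-generated keys.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def _child(elem, tag):
    """Return the first direct child with the given tag, or None."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)

def audit_viewstate(web_config_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was seen."""
    findings = []
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config document")
    system_web = _child(root, "system.web")
    pages = _child(system_web, "pages")
    machine_key = _child(system_web, "machineKey")
    # MAC validation is what rejects a ViewState blob the server did not sign;
    # with it off, the server deserializes whatever the client sends.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: unsigned ViewState is accepted")
    # A static machineKey protects the site only while it stays secret; once it is
    # copied between hosts or leaked, anyone holding it can sign their own ViewState.
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            if not machine_key.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static machineKey {attr}: rotate it and keep it out of source control")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_viewstate(cfg) or ["no findings"])
```

A static machineKey is legitimate on a web farm, so treat that finding as a prompt to confirm the key is unique to the deployment and rotated, not as a defect by itself.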

Microsoft SharePoint (CVE-2019-0604)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires a user to upload a specially crafted SharePoint application package to an affected version of SharePoint.

Progress Telerik UI (CVE-2019-18935)

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. It is exploitable when the encryption keys are known, whether through CVE-2017-11317, CVE-2017-11357, or other means, and exploitation can result in remote code execution.


Are there reports of active exploitation in the wild and how serious is this?

It appears that this campaign is limited to Australia at this time. According to the ACSC, it appears to have been a reconnaissance campaign, per this quote from the advisory: "During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments."


Is there a patch available at this time for vulnerabilities mentioned?

For the affected CVEs mentioned in this advisory, vendors of the affected software have all already released patches. It is advised that organizations running affected software patch it as soon as possible.


Any other suggested mitigations?

All vendors of affected software mentioned in this advisory have provided patches for known vulnerabilities. If it is deemed that patching is not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within an environment. Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. For additional guidance, please refer to the APPENDIX section which contains links to specific vendor suggestions and mitigation.


What is the status of AV/IPS/WebFiltering coverage?

Fortinet customers running the latest AV definitions at the time of discovery were protected by the following signatures:

JS/TWOface.DA35!tr

W32/Kryptik.VLO!tr

Riskware/JuicyPotato

JS/Csharpaws.23D1!tr

VBA/Agent.2725!tr


Fortinet customers running the latest IPS definitions at the time of discovery were protected by the following signatures:

China.Chopper.Web.Shell.Client.Connection


All network IOCs are actively blocked by the WebFiltering client.