Cyber Security

New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits

A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks.

Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker “Praying Mantis” or “TG2021.”

Stack Overflow Teams

“TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers said. “The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”

APT Hacking Group

Besides exhibiting capabilities that show a significant effort to avoid detection by actively interfering with logging mechanisms and successfully evading commercial endpoint detection and response (EDR) systems, the threat actor has been known to leverage an arsenal of ASP.NET web application exploits to gain an initial foothold and backdoor the servers by executing a sophisticated implant named “NodeIISWeb” that’s designed to load custom DLLs as well as intercept and handle HTTP requests received by the server.

APT Hacking Group

The vulnerabilities are taken advantage of by the actor include:

Enterprise Password Management

Interestingly, Sygnia’s investigation into TG1021’s tactics, techniques, and procedures (TTPs) have unearthed “major overlaps” to those of a nation-sponsored actor named “Copy-Paste Compromises,” as detailed in an advisory released by the Australian Cyber Security Centre (ACSC) in June 2020, which described a cyber campaign targeting public-facing infrastructure primarily through the use of unpatched flaws in Telerik UI and IIS servers. However, a formal attribution is yet to be made.

“Praying Mantis, which has been observed targeting high-profile public and private entities in two major Western markets, exemplifies a growing trend of cyber criminals using sophisticated, nation-state attack methods to target commercial organizations,” the researchers said. “Continuous forensics activities and timely incident response are essential to identifying and effectively defending networks from attacks by similar threat actors.”

Products You May Like

Articles You May Like

Motorola Razr 2022, X30 Pro Could Launch on August 11, May Go on Sale the Same Day
PlayStation Summer Sale 2022 Round 2: Best Deals on PS5, PS4 Games
Amazfit GTR 4, GTS 4 Marketing Images Leaked: All You Need to Know
Oppo Watch 3 Design Renders Leaked Ahead of Imminent Launch, Design Tipped: Details
NASA Said to Have Planned Contingencies for Space Station as Russian Alliance Continued

Leave a Reply

Your email address will not be published.