Autosummary:
rule CISA_10424018_01 {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10424018"
Date = "2023-02-07"
Last_Modified = "20230216_1500"
Actor = "n/a"
Family = "n/a"
Capabilities = "n/a"
Malware_Type = "n/a"
Tool_Type = "n/a"
Description = "Detects open-source exploit samples"
SHA256 = "n/a"
strings:
$s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
$s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
$s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
$s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
$s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
$s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
$s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
$s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
$s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
$s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
$s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}
Log Collection, Retention, and Analysis
CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention.Application Crash {"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8,
C:\\Windows\\Temp\\WERE3F6.tmp.appcompat.txt
C:\\Windows\\Temp\\WERE639.tmp.All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016].|1664175639.65719.dll |c:\windows\system32\inetsrv\w3wp.exe |C:\Windows\Temp\1664175639.65719.dll Application Error {"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\\windows\\system32\\inetsrv\\w3wp.exe, C:\\Windows\\Temp\\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}} 1001 w3wp.exe
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.These descriptions are sourced directly from Microsoft.[6]
Table 5: Four Fields Searched in IIS Logs General Name Field Name Description Method cs-method Requested action; for example, a GET method URI Stem cs-uri-stem Universal Resource Identifier (URI), or target, of the action URI Query cs-uri-query The query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages.TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.For example, file 1596835329.5015914.png , which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020.WERInternalMetadata.xml
C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\memory.hdmp
C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\triagedump.dmp, C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}}
The EventID field maps to Windows EventIDs for an easy filter.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization"s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935
ACKNOWLEDGEMENTS
Google’s Threat Analysis Group (TAG) contributed to this CSA.
Other Best Practice Mitigation Recommendations
Implement phishing-resistant multifactor authentication (MFA) for as many services possible—particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.Example Regex: \d{10}\.\d{1,8}\.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]
Figure 1: Threat Actor Assembly Installer
If a Werfault crash report was written, Windows event application logs may contain evidence of this— even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server.
Overview
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server.
Log Type: Windows Event Application Logs
Location: -%SystemDrive%\Windows\System32\winevt\logs\Application.evtx
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server.[CPG 3.1, 3.2] Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc.
"