Earlier today Australian Cyber Security Centre (ACSC) released an advisory regarding a cyber campaign targeting Australian networks. The campaign is dubbed ‘Copy-paste compromises’ due to the threat actor’s heavy usage of proof-of-concept exploit code from open source.
What are the issues?
1. Telerik UI Arbitrary code execution vulnerability (CVE-2019-18935)
A vulnerability in Telerik UI for ASP.NET could allow for arbitrary code execution. ASP.NET is an open-source server-side web-application framework designed for web development to produce dynamic web pages. Successful exploitation of this vulnerability could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.
2. CVE-2019-0604 - Microsoft SharePoint Remote Code Execution Vulnerability
A remote code execution vulnerability was discovered in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
3. Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance (CVE-2019-19781)
A vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).
4. Deserialization vulnerability in Microsoft IIS
A deserialization vulnerability exists in versions of Microsoft’s Internet Information Services (IIS) using the .NET framework (.NET). The vulnerability exploits the service’s VIEWSTATE parameter to allow for remote code execution by unauthorized users. A specially crafted VIEWSTATE parameter with malicious content is required for actors to successfully exploit this vulnerability. The contents of this parameter are protected by Message Authentication Code (MAC) validation on upto date installs of .NET on IIS and an actor must obtain the IIS server Machine Key to exploit this vulnerability.
5. Downloader and Malware Payloads
There are reports of malware downloader payloads including malicious documents distributed as an attachment via spear phishing campaigns. These attached documents are weaponized with above exploits leading to the download of PowerShell Empire, HTTPCore, or HTTPotato payloads for C&C communication.
What can you do to protect yourself?
All the vulnerabilities exploited in this campaign have been publicly disclosed previously and corresponding patches/mitigations were provided by the product developers. It is important to have updated security software and the latest software patches applied to the endpoints. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. And disable macros in Office programs. Do not enable them unless it is essential to do so.
Zscaler ThreatLabZ is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.
Details related to these threat signatures can be found in the Zscaler Threat Library.
ACSC has previously reported about these attacks here: