VIEWSTATE deserialization: how the vulnerability is exploited by pro-government groups

Father

Solar 4RAYS has revealed details of the Obstinate Mogwai attack on a telecom company.

In 2023, the Solar 4RAYS team investigated an attack on a Russian telecommunications company carried out by the Asian APT group Obstinate Mogwai. The attackers repeatedly exploited deserialization of untrusted data in the ASP.NET VIEWSTATE parameter, which allowed them to regain access to the compromised network. Despite patches and remediation efforts, deserialization remains a live problem, because attackers keep finding ways to bypass the protections.

What is VIEWSTATE?
VIEWSTATE in ASP.NET is used to preserve page state between HTTP requests: it carries data from one request to the next over the stateless HTTP protocol. ASP.NET serializes that state with the ObjectStateFormatter class, which is known to be unsafe: if an attacker controls the serialized data, deserializing it can lead to remote code execution (RCE).

Vulnerability history
The VIEWSTATE deserialization vulnerability has been known since 2014, when Microsoft released patch KB2905247, which enforces MAC validation of VIEWSTATE. However, researchers such as Alexandre Herzog and Soroush Dalili have shown that it remains exploitable under certain conditions, for example when an attacker obtains the server's validation keys (the machineKey).

Exploiting the vulnerability
Since 2020, several groups have actively exploited VIEWSTATE deserialization. Examples include attacks through Telerik UI vulnerabilities, CVE-2020-0688 in Microsoft Exchange (a static machineKey that let attackers forge valid VIEWSTATE), and other ways of delivering malicious code. Particularly noteworthy are the Praying Mantis and APT41 campaigns, which used a variety of deserialization techniques to penetrate systems.

Current threats
At the end of 2023, the Obstinate Mogwai group used VIEWSTATE deserialization to attack a Russian telecom company. They ran PowerShell commands and uploaded malicious tools to Exchange servers. Even after the web shells were removed, the attackers continued to execute commands through VIEWSTATE deserialization, as confirmed by logs and by Windows events with ID 1316 (the ASP.NET "Viewstate verification failed" event).

Detection and mitigation
To detect deserialization attacks, we recommend analyzing events with ID 1316, inspecting base64-encoded VIEWSTATE values, and using tools to decode and analyze this data. Patches and updates from Microsoft make exploitation harder but do not eliminate it. It is important to watch for new techniques and gadgets, such as ActivitySurrogateDisableTypeCheck, which attackers can use to switch off the .NET type-check protection and bring older gadget chains back into play.
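As an added illustration of the triage described above (this is example code, not Solar 4RAYS tooling and not part of the original post), the following Python script decodes base64 __VIEWSTATE values, checks for the ObjectStateFormatter marker, flags an embedded BinaryFormatter stream (the Token_BinarySerialized path that ysoserial.net ViewState payloads use) together with known gadget type names, and pulls the ViewState field out of a 1316 record. The event record text, the two VIEWSTATE samples, the /Default.aspx path, the 203.0.113.10 address and the gadget-name list are all constructed for the example and are assumptions, not data from the investigation.

```python
"""Triage of __VIEWSTATE values and ASP.NET event ID 1316 records.

Added example, not code from Solar 4RAYS or the original post. The event
record and the two VIEWSTATE samples below are constructed for the example;
the 1316 layout mirrors the ASP.NET "Viewstate verification failed" record,
but real records carry more fields.
"""
import base64
import re
from urllib.parse import unquote

OSF_MARKER = b"\xff\x01"          # ObjectStateFormatter header: marker 0xFF, format version 1
TOKEN_STRING = 0x05               # ObjectStateFormatter Token_String
TOKEN_PAIR = 0x0F                 # ObjectStateFormatter Token_Pair
TOKEN_NULL = 0x64                 # ObjectStateFormatter Token_Null
TOKEN_BINARY_SERIALIZED = 0x32    # Token_BinarySerialized: an embedded BinaryFormatter blob
# BinaryFormatter SerializationHeaderRecord: record type 0, rootId 1, headerId -1, version 1.0
BF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
# Type names that occur in public ysoserial.net gadget chains; illustrative, not exhaustive.
GADGET_HINTS = (
    b"ActivitySurrogateSelector",
    b"System.Workflow.ComponentModel",
    b"DelegateSerializationHolder",
    b"System.Diagnostics.Process",
    b"TextFormattingRunProperties",
)
VIEWSTATE_RE = re.compile(r"ViewState:\s*(\S+)")
CLIENT_IP_RE = re.compile(r"Client IP:\s*(\S+)")


def encode_7bit(n: int) -> bytes:
    """Length prefix used by ObjectStateFormatter (BinaryWriter.Write7BitEncodedInt)."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_viewstate(value: str) -> bytes:
    """Base64-decode a __VIEWSTATE value, tolerating URL-encoding and lost padding."""
    value = unquote(value).replace(" ", "+")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def analyse_viewstate(value: str) -> dict:
    """Classify one VIEWSTATE value as benign, suspicious, or not ObjectStateFormatter data."""
    raw = decode_viewstate(value)
    result = {"length": len(raw), "binary_serialized": False, "gadget_hints": [], "verdict": "benign"}
    if not raw.startswith(OSF_MARKER):
        result["verdict"] = "not ObjectStateFormatter"
        return result
    # Ordinary page state is built from primitive and collection tokens. A
    # Token_BinarySerialized (0x32), a 7-bit length and then a BinaryFormatter
    # stream header is how ysoserial.net-style payloads carry a gadget chain.
    pos = raw.find(BF_HEADER)
    if pos > 0 and TOKEN_BINARY_SERIALIZED in raw[max(0, pos - 6):pos]:
        result["binary_serialized"] = True
    result["gadget_hints"] = [h.decode() for h in GADGET_HINTS if h in raw]
    if result["binary_serialized"] or result["gadget_hints"]:
        result["verdict"] = "suspicious"
    return result


def triage_event(text: str) -> dict:
    """Pull the ViewState value out of a 1316 record and classify it."""
    m = VIEWSTATE_RE.search(text)
    if not m:
        return {"verdict": "no ViewState in record"}
    result = analyse_viewstate(m.group(1))
    ip = CLIENT_IP_RE.search(text)
    result["client_ip"] = ip.group(1) if ip else None
    return result


# --- constructed samples (assumptions for the example) -----------------------
# Pair(String "Hello, World", Null): the shape of ordinary page state.
BENIGN_VIEWSTATE = base64.b64encode(
    OSF_MARKER + bytes([TOKEN_PAIR, TOKEN_STRING]) + encode_7bit(12) + b"Hello, World" + bytes([TOKEN_NULL])
).decode()

# A fake gadget blob: BinaryFormatter header, a BinaryLibrary record (0x0C) naming a gadget
# type, wrapped in Token_BinarySerialized the way a ysoserial.net ViewState payload is.
_name = b"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector"
_blob = BF_HEADER + b"\x0c\x02\x00\x00\x00" + encode_7bit(len(_name)) + _name + b"\x0b"
MALICIOUS_VIEWSTATE = base64.b64encode(
    OSF_MARKER + bytes([TOKEN_BINARY_SERIALIZED]) + encode_7bit(len(_blob)) + _blob
).decode()

EVENT_1316_SAMPLE = f"""Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Event ID: 1316
Request path: /Default.aspx
ViewStateException information:
    Exception message: Invalid viewstate.
    Client IP: 203.0.113.10
    Path: /Default.aspx
    ViewState: {MALICIOUS_VIEWSTATE}
"""

if __name__ == "__main__":
    for label, vs in (("benign", BENIGN_VIEWSTATE), ("malicious", MALICIOUS_VIEWSTATE)):
        print(label, analyse_viewstate(vs))
    print("event", triage_event(EVENT_1316_SAMPLE))
```

Two caveats when running this against real data. A 1316 event records a request whose MAC did not verify, so it captures payloads signed with the wrong key; a payload signed with the correct, stolen machineKey passes validation silently and produces no 1316, so an empty 1316 log is not proof that VIEWSTATE is not being abused. Also, the gadget-name list and the header heuristic are indicators, not a full parser: a real ObjectStateFormatter decoder should walk the token stream and treat any Token_BinarySerialized in a request from an unexpected client as worth a look regardless of which type names appear.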

VIEWSTATE deserialization is a serious threat, especially when advanced groups use it in targeted attacks. Timely updates, log analysis and modern security controls can significantly reduce the risk of compromise. Solar 4RAYS experts recommend that organizations monitor the security of their web applications closely and take a layered approach to defending against such attacks.