"Praying Mantis Threat Group Targeting U.S. Firms in Sophisticated Attacks"
High-profile public and private entities in the U.S. are being targeted in a malicious campaign similar to the one that focused on attacking Australian companies and government entities last year. Researchers at the cyber technology and services company Sygnia, say the threat actor behind the campaign has been launching attacks on Windows Internet Information Services (IIS) environments and Web applications to gain a foothold in a targeted network. The attacks executed by the sophisticated threat actor, tracked as Praying Mantis or TG2021, have been going on since June, and they seem to be part of a cyber-espionage operation for a state-backed entity. According to Sygnia, the full scope of activity remains unknown, but the threat actor's sophistication and highly persistent nature indicate a large operation. Researchers found that the threat actor's main tactic for gaining initial access to target networks is using different deserialization exploits against IIS and Web application vulnerabilities. A deserialization exploit leverages how an application initializes objects that have been serialized. The program can be exploited to execute malicious code on the target if the deserialization process is not secure. For example, the attackers have used a zero-day vulnerability in the Checkbox Survey Web application to exploit IIS servers. This vulnerability stems from an insecure deserialization mechanism in the application and enables remote code execution on the target server. The attackers also exploited two vulnerabilities in a set of user-interface components for Web applications from Telerik. The initial access gained from these exploits has been used to execute a memory-resident malware serving as a backdoor on Internet-facing IIS servers. The malware is designed for IIS servers, only operates in memory, and is difficult to trace on infected systems. This article continues to discuss Praying Mantis' tactics, techniques, and procedures.
Dark Reading reports "Praying Mantis Threat Group Targeting U.S. Firms in Sophisticated Attacks"