Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
May 21, 2024, 8:05 a.m.
Description
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry points were secured. They exploited a well-known vulnerability related to untrusted data deserialization in the VIEWSTATE parameter of the ASP.NET environment, referred to as VIEWSTATE deserialization.
Date
Published: May 20, 2024, 10:05 a.m.
Created: May 20, 2024, 10:05 a.m.
Modified: May 21, 2024, 8:05 a.m.
Indicators
Attack Patterns
Obstinate Mogwai
T1055.001
T1055.003
T1059.003
T1059.001
T1140
T1190
Additional Information
Telecommunications
Russian Federation