Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups

May 21, 2024, 8:05 a.m.

Description

At the end of 2023, the Solar 4RAYS team investigated an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai ("Stubborn Demon" in English). The group was persistent, repeatedly re-entering the network until every entry point had been closed. Its initial access relied on a well-known vulnerability: deserialization of untrusted data in the VIEWSTATE parameter of ASP.NET, commonly referred to as VIEWSTATE deserialization.

Date

Published: May 20, 2024, 10:05 a.m.
Created: May 20, 2024, 10:05 a.m.
Modified: May 21, 2024, 8:05 a.m.

Indicators


Attack Patterns

Obstinate Mogwai

T1055.001

T1055.003

T1059.003

T1059.001

T1140

T1190

Additional Information

Telecommunications

Russian Federation