Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups

May 21, 2024, 8:05 a.m.

Description

At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry points were secured. They exploited a well-known vulnerability related to untrusted data deserialization in the VIEWSTATE parameter of the ASP.NET environment, referred to as VIEWSTATE deserialization.

Date

  • Created: May 20, 2024, 10:05 a.m.
  • Published: May 20, 2024, 10:05 a.m.
  • Modified: May 21, 2024, 8:05 a.m.

Indicators

Attack Patterns

Additional Information

  • Telecommunications
  • Russian Federation