
Vulnerability in Popular Survey Tool Exploited in Possible Chinese Attacks on U.S.

A recently disclosed vulnerability affecting a popular survey creation tool has been exploited by a threat group that may be linked to China against organizations in the United States.


Cybersecurity consulting and incident response solutions provider Sygnia on Tuesday published a report detailing attacks launched by a threat actor against “high-profile public and private entities” in the United States. Sygnia does not mention China in its report, but the company said it found some links to attacks that were previously attributed to the Chinese government.

The attacks involve CVE-2021-27852, a deserialization-related code execution vulnerability affecting Checkbox Survey, an ASP.NET tool designed for adding survey functionality to websites.

The Checkbox Survey vulnerability can be exploited remotely without authentication and affects version 6 of the application. The flaw does not exist in version 7.0 (released in 2019), but older versions are no longer supported and will not receive patches.

When it disclosed the vulnerability in May, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warned that it had been exploited in the wild, but it did not share any information about the attacks. It’s unclear if the CERT/CC advisory refers to the attacks detailed by Sygnia, but the company told SecurityWeek that it reported its findings to CERT/CC at around the same time the advisory was published. CERT/CC credited an anonymous researcher for reporting the flaw.

Checkbox Survey says its products are used by many organizations worldwide. Its website lists hundreds of high-profile customers, including NATO, NASA, the U.S. Army, the Secret Service, the State Department, and the Nuclear Regulatory Commission.

Sygnia has found some links to attacks that targeted government and private sector organizations in Australia last year. Those attacks were described by an Australian cybersecurity agency as “Copy-Paste Compromises” and at the time they were unofficially linked to China.

Sygnia has found similarities between the malware used in the Australia attacks and the malware involved in the attacks its own experts analyzed. However, the company noted that the activity described by the Australian agency is “wider” and consists of other TTPs that were not seen in the attacks it observed.


Sygnia tracks the threat actor as TG1021 and Praying Mantis, and describes it as a highly capable and persistent group that uses deserialization exploits aimed at internet-exposed Windows IIS servers and web applications for initial access into an organization’s network.

The malware used by TG1021 includes custom-made tools specifically designed for IIS servers, a stealthy backdoor, as well as several post-exploitation modules that enable the attackers to perform reconnaissance, elevate privileges and move laterally within the network.

The malware has been described as “volatile” — it is loaded into the compromised device’s memory in an effort to avoid leaving a trace.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC,” Sygnia said in its report. “The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.”
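The report excerpt above says the malware actively interfered with logging mechanisms and waited for inbound connections rather than beaconing out, which leaves defenders with less to hunt for in network telemetry and makes the integrity of server-side logs the more useful signal. The following is an added example written for this article, not code from Sygnia's report or from SecurityWeek, and it does not describe how TG1021 tampered with logs (the article does not say). It shows one generic check a defender can run on IIS W3C logs: parse the entries and flag periods where a normally busy server recorded nothing. The log lines, the server name and the 15-minute threshold are constructed assumptions for the demonstration.

```python
import datetime as dt
from typing import Dict, List, Tuple

# Constructed IIS W3C extended log sample for this example (not real data).
# A busy survey host suddenly records nothing between 09:01:12 and 09:47:30.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-06-01 09:00:05 10.0.0.5 GET /survey/default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 120
2021-06-01 09:00:41 10.0.0.5 GET /survey/default.aspx - 443 - 203.0.113.11 Mozilla/5.0 200 0 0 98
2021-06-01 09:01:12 10.0.0.5 POST /survey/default.aspx - 443 - 203.0.113.12 Mozilla/5.0 200 0 0 233
2021-06-01 09:47:30 10.0.0.5 GET /survey/default.aspx - 443 - 203.0.113.13 Mozilla/5.0 200 0 0 101
2021-06-01 09:48:02 10.0.0.5 GET /survey/default.aspx - 443 - 203.0.113.14 Mozilla/5.0 200 0 0 87
"""

Entry = Tuple[dt.datetime, Dict[str, str]]


def parse_w3c(text: str) -> List[Entry]:
    """Parse IIS W3C extended log text into sorted (timestamp, fields) tuples.

    The '#Fields:' directive names the columns; other '#' directive lines are
    skipped. Lines that do not match the declared column count are ignored so a
    truncated or partially written line does not abort the whole scan.
    """
    fields: List[str] = []
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        record = dict(zip(fields, values))
        stamp = dt.datetime.strptime(
            f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S"
        )
        entries.append((stamp, record))
    entries.sort(key=lambda e: e[0])
    return entries


def find_logging_gaps(
    entries: List[Entry], max_gap_seconds: int
) -> List[Tuple[dt.datetime, dt.datetime, int]]:
    """Return (gap_start, gap_end, seconds) for every silent period longer
    than max_gap_seconds between consecutive log entries.

    On a server that normally serves requests every few seconds, a long silence
    is worth correlating with other sources (IIS service events, process
    creation, file changes under the log directory) because it may mean the
    logging pipeline itself was suppressed rather than that traffic stopped.
    """
    gaps = []
    for (prev_ts, _), (cur_ts, _) in zip(entries, entries[1:]):
        delta = int((cur_ts - prev_ts).total_seconds())
        if delta > max_gap_seconds:
            gaps.append((prev_ts, cur_ts, delta))
    return gaps


if __name__ == "__main__":
    # Assumed threshold: 15 minutes of silence is abnormal for this host.
    for start, end, seconds in find_logging_gaps(parse_w3c(SAMPLE_LOG), 900):
        print(f"no IIS log entries for {seconds}s between {start} and {end}")
```

The threshold should be derived from each server's own baseline (for example, the 99th percentile of inter-request time over a normal week), since a low-traffic intranet host will legitimately have long quiet periods. A gap on its own is not proof of tampering; it is a prompt to pull the Windows event log and file-system timestamps for the same window.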


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
