A recently disclosed vulnerability affecting a popular survey creation tool has been exploited by a threat group that may be linked to China against organizations in the United States.
Cybersecurity consulting and incident response solutions provider Sygnia on Tuesday published a report detailing attacks launched by a threat actor against “high-profile public and private entities” in the United States. Sygnia does not mention China in its report, but the company said it found some links to attacks that were previously attributed to the Chinese government.
The attacks exploit CVE-2021-27852, an insecure deserialization flaw that leads to remote code execution in Checkbox Survey, an ASP.NET component designed for adding survey functionality to websites.
The Checkbox Survey vulnerability can be exploited remotely without authentication and affects version 6 of the application. The flaw does not exist in version 7.0 (released in 2019), but the older versions are no longer supported and will not receive patches, so upgrading to 7.0 or later is the only vendor-supported fix; an internet-exposed version 6 install should be treated as exploitable until it is upgraded or taken offline.
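The article does not describe Checkbox Survey's internals, and the snippet below is an added illustration rather than code from the article, from Checkbox Survey or from Sygnia's report. It shows the generic ASP.NET pattern behind this class of bug: a request-supplied blob fed to LosFormatter, whose underlying ObjectStateFormatter falls back to BinaryFormatter for arbitrary serializable types, so a crafted blob can carry a code-execution gadget chain, beside a version that only accepts a fixed, data-only shape. The parameter name `state`, the `SurveyState` type and the bounds used are hypothetical.

```csharp
using System;
using System.Text.Json;
using System.Web;
using System.Web.UI;

// VULNERABLE PATTERN (illustrative, not Checkbox Survey's code).
// A request parameter is handed straight to LosFormatter. ObjectStateFormatter,
// which LosFormatter wraps, falls back to BinaryFormatter for arbitrary
// serializable types, so an unauthenticated caller decides which types get
// instantiated and a gadget chain inside the blob runs code in w3wp.exe.
public static class SurveyStateUnsafe
{
    public static object Load(HttpRequest request)
    {
        string blob = request["state"];              // "state" is a hypothetical parameter name
        if (string.IsNullOrEmpty(blob)) return null;
        var formatter = new LosFormatter();          // no MAC check, no type allow-list
        return formatter.Deserialize(blob);          // code execution happens here on a crafted blob
    }
}

// HARDENED PATTERN. Only a fixed, data-only shape is accepted: the parser cannot
// be steered into instantiating attacker-chosen types, and values are bounds-checked.
public sealed class SurveyState
{
    public int Page { get; set; }
    public string[] Answers { get; set; } = Array.Empty<string>();
}

public static class SurveyStateSafe
{
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        MaxDepth = 4,                                // reject deeply nested documents
        PropertyNameCaseInsensitive = false,
    };

    public static SurveyState Load(HttpRequest request)
    {
        string json = request["state"];
        if (string.IsNullOrEmpty(json)) return new SurveyState();

        SurveyState state;
        try
        {
            state = JsonSerializer.Deserialize<SurveyState>(json, Options) ?? new SurveyState();
        }
        catch (JsonException)
        {
            throw new HttpException(400, "malformed survey state");
        }

        // Hypothetical limits; the point is that the shape and ranges are fixed by the server.
        if (state.Page < 0 || state.Answers.Length > 500)
            throw new HttpException(400, "survey state out of range");
        return state;
    }
}
```

If an application genuinely needs to round-trip page state through the client, the safer route is the framework's own ViewState with MAC validation (enforced unconditionally since .NET Framework 4.5.2) and a server-side machineKey, rather than a hand-rolled equivalent that deserializes whatever the client sends.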
When it disclosed the vulnerability in May, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warned that it had been exploited in the wild, but it did not share any information about the attacks. It’s unclear if the CERT/CC advisory refers to the attacks detailed by Sygnia, but the company told SecurityWeek that it reported its findings to CERT/CC at around the same time the advisory was published. CERT/CC credited an anonymous researcher for reporting the flaw.
Checkbox Survey says its products are used by many organizations worldwide. Its website lists hundreds of high-profile customers, including NATO, NASA, the U.S. Army, the Secret Service, the State Department, and the Nuclear Regulatory Commission.
Sygnia has found some links to attacks that targeted government and private sector organizations in Australia last year. Those attacks were described by an Australian cybersecurity agency as “Copy-Paste Compromises” and at the time they were unofficially linked to China.
Sygnia has found similarities between the malware used in the Australia attacks and the one involved in the attacks analyzed by its experts. However, the company noted that the activity described by the Australian agency is “wider” and consists of other TTPs that were not seen in the attacks it observed.
Sygnia tracks the threat actor as TG1021, also known as Praying Mantis, and describes it as a highly capable and persistent group that relies on deserialization exploits against internet-exposed Windows IIS servers and the web applications running on them to gain initial access to an organization’s network.
The malware used by TG1021 includes custom-made tools specifically designed for IIS servers, a stealthy backdoor, as well as several post-exploitation modules that enable the attackers to perform reconnaissance, elevate privileges and move laterally within the network.
The malware has been described as “volatile”: it runs entirely in the compromised server’s memory rather than being written to disk, which leaves little for disk-based forensics to find and means a memory capture of the IIS worker process is the artifact most likely to expose it. It also means the implant does not survive a restart, consistent with Sygnia’s observation that the actor traded persistence for stealth.
“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC,” Sygnia said in its report. “The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.”