SecurityWeek

Cyberwarfare

Vulnerability in Popular Survey Tool Exploited in Possible Chinese Attacks on U.S.

A recently disclosed vulnerability affecting a popular survey creation tool has been exploited by a threat group that may be linked to China against organizations in the United States.


Cybersecurity consulting and incident response solutions provider Sygnia on Tuesday published a report detailing attacks launched by a threat actor against “high-profile public and private entities” in the United States. Sygnia does not mention China in its report, but the company said it found some links to attacks that were previously attributed to the Chinese government.

The attacks exploit CVE-2021-27852, a remote code execution vulnerability caused by insecure deserialization of ASP.NET ViewState data in Checkbox Survey, an ASP.NET component for adding survey functionality to websites.

The Checkbox Survey vulnerability can be exploited remotely without authentication and affects version 6 of the application. The flaw is not present in version 7.0, released in 2019, but older versions are no longer supported and will not receive patches, so upgrading is the only fix.

When it disclosed the vulnerability in May, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warned that it had been exploited in the wild, but it did not share any information about the attacks. It’s unclear if the CERT/CC advisory refers to the attacks detailed by Sygnia, but the company told SecurityWeek that it reported its findings to CERT/CC at around the same time the advisory was published. CERT/CC credited an anonymous researcher for reporting the flaw.

Checkbox Survey says its products are used by many organizations worldwide. Its website lists hundreds of high-profile customers, including NATO, NASA, the U.S. Army, the Secret Service, the State Department, and the Nuclear Regulatory Commission.

Sygnia has found some links to attacks that targeted government and private sector organizations in Australia in 2020. Those attacks were described by the Australian Cyber Security Centre (ACSC) as “Copy-Paste Compromises” and at the time they were unofficially linked to China.

Sygnia has found similarities between the malware used in the Australia attacks and the malware involved in the attacks analyzed by its experts. However, the company noted that the activity described by the Australian agency is “wider” and includes other TTPs that were not seen in the attacks it observed.

Sygnia tracks the threat actor as TG1021 and Praying Mantis, and describes it as a highly capable and persistent group that uses deserialization exploits aimed at internet-exposed Windows IIS servers and web applications for initial access into an organization’s network.

The malware used by TG1021 includes custom-made tools specifically designed for IIS servers, a stealthy backdoor, as well as several post-exploitation modules that enable the attackers to perform reconnaissance, elevate privileges and move laterally within the network.

Sygnia describes the malware as “volatile”: it is loaded into the compromised device’s memory rather than written to disk, in an effort to avoid leaving traces.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC,” Sygnia said in its report. “The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
