China: Following on the heels of last week’s announcement from the Australian government concerning the prolonged cyber-attack, new details have been revealed linking Chinese threat actors to the attacks. A recent update on the investigation has revealed that the attackers were targeting public facing infrastructure with remote code execution exploits, primarily against unpatched versions of Telerik user interface. The Australian Cyber Security Centre (ACSC) has issued four warnings this year involving the exploitation of critical vulnerabilities in Telerik UI (CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, and CVE-2017-11357). The ACSC also stated that the attackers exploited a VIEWSTATE deserialization vulnerability in Microsoft Internet Information Services to upload a web shell, as well as a 2019 SharePoint vulnerability (CVE-2019-0604), and a Citrix vulnerability (CVE-2019-19781). A list of IOCs was provided by the ACSC. Among the IOCs was one sample which was linked to Korplug by ESET, although this particular sample is actually PlugX. The two malware families share a specific DLL side-loading technique. PlugX has been tied to Chinese operations since 2008—however, a builder for PlugX version one has been publicly available for many years, so attribution based on use of one malware family is not definitive.
Unpatched vulnerabilities are like unlocked doors inviting attackers to come in. As more attackers exploit the vulnerabilities and researchers continue to document attacks, more details become available to the public and automated tools allow attackers with lower skill levels to leverage the vulnerabilities as well. It is vitally important to ensure that all Internet facing systems are kept up to date with the latest security patches. It is nearly as important to patch internal systems, because all it takes is one employee opening a malicious document to give attackers the position needed to scan and exploit unpatched internal servers. As tensions between governments grow, the risk is not only borne by government organizations but by organizations of all kinds within those nations. This is especially true for critical infrastructure and companies that rely on research and development to maintain a competitive advantage in the global market. More information on this incident can be found at: https://www.bleepingcomputer.com/news/security/chinese-malware-used-in-attacks-against-australian-orgs/