Israeli cybersecurity firm Sygnia has identified an Advanced Persistent Threat (APT) group which it has nicknamed “Praying Mantis”, or “TG1021”. Praying Mantis has been targeting high-profile public and private entities in the U.S., exploiting internet-facing servers to infiltrate their networks.
Praying Mantis uses a custom malware framework built specifically for Microsoft Internet Information Services (IIS) that intercepts and handles any HTTP request received by the server. Researchers say, “the threat actor also uses an additional backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”
The threat actor shows extensive knowledge of OPSEC (Operations Security) and avoids detection by interfering with logging mechanisms, evading commercial Endpoint Detection and Response (EDR) systems, and quietly waiting for incoming connections rather than connecting out to a Command and Control (C2) server and continuously generating traffic. Praying Mantis also actively removes all disk-resident tools, indicating that stealth is a priority.
The vulnerabilities that have been exploited by the threat actor include:
- Checkbox Survey RCE Exploit (CVE-2021-27852)
- ViewState Deserialization Exploit
- Altserialization Insecure Deserialization
- Telerik-UI Exploit (CVE-2019-18935 and CVE-2017-11317)
To prevent an attack from Praying Mantis, entities are advised to update Telerik UI to the newest version, which is not vulnerable to the known CVEs. If web applications use ASP.NET session state, make sure the session state database can be reached only from legitimate network locations. Blocking unnecessary communications from IIS servers is also recommended: IIS servers should only be allowed to generate traffic that matches a known set of rules, and anything outside that set should be limited or blocked. Running .NET web applications under a designated application pool identity with the lowest privileges possible creates another obstacle for Praying Mantis. Monitoring traffic with a service such as Binary Defense's Managed Detection and Response should be a priority and allows entities to stay on the defensive.
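As a defender-side companion to both the vulnerability list and the recommendations above, here is an added example (not code from Sygnia, Binary Defense or the article) that audits an ASP.NET web.config for settings those points touch: ViewState MAC and encryption, out-of-process session state that must be network-restricted, and the referenced Telerik.Web.UI assembly version. The sample configs are constructed, and the patched Telerik version threshold is a placeholder parameter rather than a value taken from the page.

```python
"""Audit an ASP.NET web.config for settings tied to the mitigations above.

Constructed example; not Sygnia's, Binary Defense's or any vendor's tooling.
Checks performed:
  * ViewState MAC / encryption settings (ViewState deserialization exposure)
  * out-of-process session state (the state store must be network-restricted)
  * Telerik.Web.UI assembly version below a caller-supplied safe threshold
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config showing the weak settings; not from any real host.
SAMPLE_WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Auto" />
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=db01;Integrated Security=True" />
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, PublicKeyToken=0000000000000000" />
      </assemblies>
    </compilation>
  </system.web>
</configuration>
"""

# Constructed hardened counterpart: MAC on, encryption forced, in-process state, no Telerik.
SAMPLE_HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>
"""


def parse_version(text):
    """'2019.3.1023.45' -> (2019, 3, 1023, 45) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_web_config(xml_text, telerik_min_safe):
    """Return a list of finding strings; an empty list means nothing was flagged.

    telerik_min_safe: first Telerik UI version treated as patched for the CVEs
    above. Placeholder parameter: take the real number from Telerik's advisory.
    """
    findings = []
    root = ET.fromstring(xml_text)

    pages = root.find("system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("ViewState MAC disabled: unsigned ViewState can be "
                            "deserialized by the server")
        if pages.get("viewStateEncryptionMode", "Auto") != "Always":
            findings.append("viewStateEncryptionMode is not Always: ViewState "
                            "contents are readable to clients")

    session = root.find("system.web/sessionState")
    if session is not None and session.get("mode", "InProc") in ("SQLServer", "StateServer", "Custom"):
        findings.append(f"session state mode={session.get('mode')}: restrict "
                        "network access to the state store to the web tier only")

    for add in root.iterfind("system.web/compilation/assemblies/add"):
        match = re.match(r"Telerik\.Web\.UI,\s*Version=([\d.]+)", add.get("assembly", ""))
        if match and parse_version(match.group(1)) < parse_version(telerik_min_safe):
            findings.append(f"Telerik.Web.UI {match.group(1)} is below {telerik_min_safe}: "
                            "update to a version not affected by the listed CVEs")
    return findings


if __name__ == "__main__":
    # The threshold here is a constructed placeholder; substitute the vendor's patched version.
    for finding in audit_web_config(SAMPLE_WEAK_CONFIG, "2020.1.1"):
        print("FINDING:", finding)
```

Point the script at each site's web.config and feed it the patched Telerik version from the vendor's advisory for the two CVEs listed. Newer .NET Framework runtimes ignore `enableViewStateMac="false"` and enforce the MAC regardless, but the attribute is still worth flagging because it marks an application that was configured to skip integrity checks; the session state finding is informational and exists to prompt the network restriction the article recommends.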