The eSentire Threat Response Unit (TRU) revealed that threat actors are actively exploiting a six-year-old IIS vulnerability in Progress Telerik UI for ASP.NET AJAX to gain remote access to systems.<\/p>\n
This vulnerability, identified as CVE-2019-18935, allows attackers to execute arbitrary code on vulnerable servers, posing a significant risk to organizations that have not updated their systems.<\/p>\n
While this security flaw enables threat actors to gain remote access<\/a> to systems running vulnerable versions of the software.<\/p>\n TRU observed the threat actors using w3wp.exe (IIS worker process) to load a reverse shell and run subsequent commands for reconnaissance via cmd.exe.<\/p>\n Cybersecurity analysts at TRU noted<\/a> that the reverse shells were dropped in the C:WindowsTemp directory.<\/p>\n The exploitation process begins when threat actors send a specific request to the IIS server to determine if the file upload handler is available.<\/p>\n Once confirmed, they use a customized proof-of-concept (PoC) to upload and execute a remote shell.<\/p>\n The reverse shell is a mixed-mode .NET assembly that connects to a command and control (C2) server at After establishing a reverse shell, attackers execute commands to gather system information, including user enumeration using TRU also observed the deployment of the open-source privilege escalation<\/a> tool<\/a> JuicyPotatoNG on the host, along with several batch files whose purpose is currently unknown.<\/p>\n To detect such reverse shells, a Yara rule can be used:-<\/p>\n To mitigate these threats, organizations should implement robust patch management and vulnerability management<\/a> services.<\/p>\n Additionally, deploying Endpoint Detection and Response (EDR<\/a>) solutions across all systems can help detect and respond to such attacks.<\/p>\n The post Hackers Exploiting A Six-Year-Old IIS Vulnerability To Gain Remote Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploitation Process<\/strong><\/h2>\n
213.136.75.130<\/code> via Windows Sockets.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgaHsAN09_703XysxAcZi1m55ktibCBU6GsCO47OfXdUnzan1wY1gEYqXieVQAdqKdwP2ZPtNTc3aDVTqwTiw9nS_KUOiHmZRPov8he6e-ORXwgB65GRpjFlR5BMuSDGyM31SXQTV-G9o4rSrKoIBMJ9jhes4ySoeG4hcYdR66ogiMBm8RVsbtG6BI0Bo0\/s16000\/Decompiled%2520Reverse%2520Shell%2520%28Source%2520-%2520eSentire%29.webp?ssl=1\")
net.exe<\/code> and net1.exe<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhO4DOa-DITLK_TAbeqKPyxvsHnUPyXu0TpMf3TErJb6v1ATN6XpOWH5MBAaYQTQ2yhdyAFhWHPFoIcU47CmSBsWKyWgK-6rRkvPVbwC5SaAq_5PH-DnlMnN4kJVn_Tu96enJAEEwNVHFRaJq0Qb5kz2zkM9vcnSzSvZytBcdn-qhGVF5_sUUGeirpFLjs\/s16000\/Remote%2520Shell%2520Loaded%2520by%2520w3wp.exe%2520IIS%2520Worker%2520Process%2520Leading%2520to%2520Recon%2520Commands%2520%28Source%2520-%2520eSentire%29.webp?ssl=1\")
rule TCP_Reverse_Shell_Windows_x64 { \n meta: \n description = \"Detects Windows based 64-bit TCP reverse shell\"\n author = \"YungBinary\"\n hash = \"b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348\"\n strings: \n $winsock_2_0 = { 66 B? 02 00 FF 15 } \n $winsock_2_1 = { 66 B? 02 01 FF 15 } \n $winsock_2_2 = { 66 B? 02 02 FF 15 }\n $winsock_1_0 = { 66 B? 01 00 FF 15 } \n $winsock_1_1 = { 66 B? 01 01 FF 15 } \n $socket_params = { 41 B8 06 00 00 00 BA 01 00 00 00 B9 02 00 00 00 } \n $cmd = { 48 C7 44 24 ?? 00 00 00 00 48 C7 44 24 ?? 00 00 00 00 C7 44 24 ?? 00 00 00 00 C7 44 24 ?? (01 | 00) 00 00 00 45 33 C9 45 33 C0 48 8D 15 ?? ?? ?? ?? 33 C9 FF 15 } \n $wait = { BA FF FF FF FF 48 8B 4C ?? ?? FF 15 } \n condition: \n uint16(0) == 0x5a4d and \n ((1 of ($winsock*)) and $socket_params and $cmd and $wait) \n}<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNJtEupUhzj82eE_cgzfXKISyVWcxsfm-sK2smRXx5Rt779OnAlfSkcefQrVL3Q3ygWtyi_tjl203SuT6d9qroDftLT1RcCdsy4fk1_ANoXL7D4PKRWjlm9yshmkHTrmUgI6rZMmdBGUhuduldoOmjNAOtAzVmyAmEz-5Yol7yM1NnLr6c47gTztNgpWk\/s16000\/Vulnerable%2520version%2520decision%2520tree%2520%28Source%2520-%2520eSentire%29.webp?ssl=1\")
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/p>\n