A new threat actor is targeting Microsoft Windows web servers, suggesting that users should patch .NET deserialisation vulnerabilities and look for suspicious activity on web-facing Microsoft Internet Information Services servers, according to cybersecurity technology and services provider Sygnia.
Tel Aviv-based Sygnia recently issued a report stating that researchers found “an advanced memory-resident attack commonly associated with nation-state actors.”
The hacker, which Sygnia is calling “Praying Mantis” or “TG1021,” uses “a variety of deserialisation exploits targeting Windows IIS servers and vulnerabilities targeting web applications” and “a completely volatile and custom malware framework tailor-made for IIS servers.”
IIS (Internet Information Services) is a web server on the Microsoft .NET platform on the Windows operating system.
Microsoft representatives did not return requests for comment from CRN USA on Monday.
The malware intercepts and handles HTTP requests the server receives, adding backdoor and post-exploitation modules for network reconnaissance, credential harvesting and lateral movement inside networks, among other activities, according to the report. Praying Mantis is seemingly “highly familiar with the Windows IIS software and equipped with zero-day exploits.” Sygnia has dubbed the malware “NodeIISWeb.”
Praying Mantis uses tactics, techniques and procedures similar to those of the state-sponsored actor behind the “Copy-Paste Compromises,” which the Australian Cyber Security Centre disclosed in June 2020, according to Sygnia. That attacker targeted Australian public and private sector organizations. The Cyber Security Centre deemed the activity “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”
Praying Mantis has targeted unidentified “high-profile public and private entities” in two major Western markets, according to the report. The discovery of this latest threat actor follows a spate of attacks targeting commercial organizations and allegedly sponsored by other nations.
Even with Microsoft’s large portfolio of security products and services, channel partners must turn to other vendors for redundancy and to provide the high level of protection customers need today, said Phil Walker, CEO of US-based Network Solutions Provider, in an interview with CRN USA.
“Now we’re dealing with customers on the internet for banking, retail,” said Walker. “There is a level of protection that everyone needs.”
Even if cybersecurity tools and protecting client systems appear to bring more costs and headaches than the revenue partners can generate from doing so, a robust cybersecurity portfolio, and not overpromising what that portfolio can deliver for customers, are requirements for managed service providers in 2021, Walker said.
“We’re an involuntary force,” Walker said of MSPs. “Because of what we’re protecting, we have to be more cybersecurity functional.”
Microsoft products have seen a flurry of high-profile attacks this year. In March, Chinese hackers reportedly took advantage of four Microsoft Exchange Server vulnerabilities to steal emails from at least 30,000 organisations across the United States. In July, hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment in an attack possibly tied to the Kaseya ransomware campaign.
The tech giant and its customers have also continued to feel the effects of last year’s massive SolarWinds hack, which ensnared Microsoft’s platforms in numerous ways.
Still, Microsoft is seeing “accelerated demand” for its “end-to-end” cybersecurity solutions, which have gained recognition from analysts in more categories than any other vendor, CEO Satya Nadella said last week during the company’s quarterly call with analysts.
Microsoft’s momentum around security is “reflected in our sales growth – with annual revenue continuing to increase 40 percent year over year,” Nadella said.