Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
Essential information
- Published
- 20/05/2024 10:05
- Modified
- 21/05/2024 08:05
- Tags
- 2024-05-20 apt asp cybercrime telco viewstate
- Related entities
- 9 observables, 1 intrusion sets (apt), 6 techniques (mitre), 2 others
Description
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry points were secured. They exploited a well-known vulnerability related to untrusted data deserialization in the VIEWSTATE parameter of the ASP.NET environment, referred to as VIEWSTATE deserialization.
External references
- https://1-rt--solar-ru.translate.goog/solar-4rays/blog/4329/?_x_tr_enc=1&_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp
- https://1-rt--solar-ru.translate.goog/solar-4rays/blog/4329/?_x_tr_enc=1&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
- https://otx.alienvault.com/pulse/664b208512c797749c634065