Date: 05 June 2019
Summary: The Invinsec security operations team have spotted a persistent threat group who are attempting to exploit vulnerabilities in the Dede Content Management System (DedeCMS). We have been able to identify a combination of attempts; the most persistent was the web shell upload attempt.
Web shells are used to obtain unauthorized access and can lead to a complete system compromise and wider network compromise.
Conclusions: The observed probes were looking for a known exploit in the DedeCMS website package, which is popular in a number of Asian countries and may explain why these attacks originated in China.
The vast majority of Invinsec customers will not be using the affected package. However, the tactics observed and the resulting advice are common across a number of technologies, so all customers may benefit from considering how a similar attack targeting a more relevant technology might affect their organisation.
Even though the threat group has been persistently scanning our customers’ infrastructure, our researchers have concluded that there was no successful exploitation of any vulnerability.
Tactics, Techniques and Procedures: Using network reconnaissance tools, the threat group identifies exploitable vulnerabilities that result in the installation of a web shell.
Once successfully uploaded, the group uses the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are dependent on the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.
The CMS uses the $GLOBALS superglobal, whose contents are then propagated into an SQL query. In several attempts we observed that the attacker tried to create a file called ‘90sec.php’, a very simple PHP backdoor shell that lets the attacker execute any command by sending an HTTP POST request whose guige parameter contains the command to be executed.
The attacker attempted to exploit this vulnerability alongside XSS, PHP and SQL code injection. They also tried to upload harmful files to the website, including an ASP web shell.
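As an added example (not code from the Invinsec report), the following Python script flags access-log lines that reference the 90sec.php backdoor, that carry the guige POST parameter, or that originate from the IP listed under Indicators of Compromise. The log lines are constructed, and the trailing quoted request-body field is an assumption: standard access logs do not record bodies, so a WAF or reverse proxy would have to be configured to log them.

```python
import re

# Defanged indicator as given in the report; refanged before matching.
REPORTED_IOC = "113.58.43[.]12"
WEBSHELL_NAME = "90sec.php"   # backdoor file name named in the report
WEBSHELL_PARAM = "guige"      # POST parameter the backdoor reads the command from

# Combined-log-style line with an optional trailing quoted request body
# (assumed to be appended by a proxy or WAF; not standard access-log output).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample log lines (not real customer data).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
113.58.43.12 - - [05/Jun/2019:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [05/Jun/2019:10:03:40 +0000] "GET /uploads/90sec.php HTTP/1.1" 404 0
113.58.43.12 - - [05/Jun/2019:10:04:01 +0000] "POST /uploads/90sec.php HTTP/1.1" 200 37 "guige=id"
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 113.58.43[.]12 back into a dotted IP."""
    return indicator.replace("[.]", ".")


def classify(line: str) -> list:
    """Return the reasons a single log line is suspicious (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    hits = []
    if m["ip"] == refang(REPORTED_IOC):
        hits.append("source is reported IoC")
    path = m["path"].split("?", 1)[0]          # ignore any query string
    if path.lower().endswith("/" + WEBSHELL_NAME):
        hits.append(f"request for {WEBSHELL_NAME}")
    if m["method"] == "POST" and m["body"] and re.search(rf"(^|&){WEBSHELL_PARAM}=", m["body"]):
        hits.append(f"POST carries '{WEBSHELL_PARAM}' parameter")
    return hits


def scan(log_text: str) -> dict:
    """Map each suspicious line to its list of reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            reasons = classify(line)
            if reasons:
                findings[line] = reasons
    return findings
```

Running `scan(SAMPLE_LOG)` flags the last three constructed lines; the fourth line triggers all three rules at once.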
Web shells can be delivered through several web application exploits or configuration weaknesses including:
- Cross-Site Scripting
- SQL Injection
- Vulnerabilities in applications/services (e.g., WordPress or other CMS applications)
- File processing vulnerabilities (e.g., upload filtering or assigned permissions)
- Remote File Include (RFI) and Local File Include (LFI) vulnerabilities
- Exposed Admin Interfaces (possible areas to find vulnerabilities mentioned above).
The above tactics are regularly combined. For example, an exposed admin interface on its own is not enough: delivering a web shell through it also requires a file upload option or one of the other exploit methods listed above.
Indicators of Compromise:
- 113.58.43[.]12
Advice: Invinsec recommend that customers:
- Employ regular updates to applications and the host operating system to ensure protection against many vulnerabilities.
- Implement a least-privileges policy on the web server to:
  - Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts
  - Control creation and execution of files in particular directories
- Harden web server configurations:
  - All unnecessary services and ports should be disabled or blocked.
  - All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
- Block the IP address listed in this report.