Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 22 May 2020
Last updated: 22 May 2020

Content written for

Small & medium business
Large organisations & infrastructure
Government

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) notes that actors have attempted to use this exploit against a number of federal and state government agencies.

The ASD's ACSC is aware that sophisticated actors are actively exploiting a deserialisation vulnerability existing in all versions of Microsoft’s Internet Information Services (IIS) using the .NET framework (.NET). The vulnerability exploits the service’s VIEWSTATE parameter to allow for remote code execution by unauthorised users.

For actors to successfully exploit this vulnerability, they need to craft a VIEWSTATE parameter with malicious content. On up-to-date installs of .NET on IIS, the contents of this parameter are protected by Message Authentication Code (MAC) validation and an actor must obtain the IIS server Machine Key to exploit this vulnerability.

The ASD's ACSC has observed active targeting of organisations that have been previously compromised, implying that configuration files and associated keys may have been exfiltrated while the actor was present on systems running IIS.

The ASD's ACSC has also observed active targeting of organisations running other vulnerable software components, such as Telerik, that can also provide access to the required key material to perform decryption. For more information on this malicious use of Telerik, please refer to ASD's ACSC Advisory 2020-004: Targeting of Telerik CVE-2019-18935 and ACSC Advisory 2019-126: Vulnerable version of Telerik UI being actively exploited by APT actor.

The ASD's ACSC has not observed the activity detailed in this advisory targeting Microsoft Exchange Servers, however, the ASD's ACSC is aware of CVE-2020-0688 which would allow an actor to know the Machine Key for Microsoft Exchange Servers without gaining access to the key on the server. It is important to note that patches outlined in Microsoft advisory CVE-2020-0688 address the static Machine Key and do not mitigate the deserialisation vulnerability if the Machine Key becomes known.

This advisory provides indicators of the activity ASD's ACSC has observed and details proactive advice on detecting and mitigating potential exploitation of this vulnerability.

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it