The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) notes that actors have attempted to use this exploit against a number of federal and state government agencies.
The ACSC is aware that sophisticated actors are actively exploiting a deserialisation vulnerability that exists in all versions of Microsoft’s Internet Information Services (IIS) running the .NET framework (.NET). The vulnerability lies in the handling of the service’s VIEWSTATE parameter and allows unauthorised users to achieve remote code execution.
For actors to successfully exploit this vulnerability, they need to craft a VIEWSTATE parameter with malicious content. On up-to-date installs of .NET on IIS, the contents of this parameter are protected by Message Authentication Code (MAC) validation and an actor must obtain the IIS server Machine Key to exploit this vulnerability.
The ACSC has observed active targeting of organisations that have been previously compromised, implying that configuration files and associated keys may have been exfiltrated while the actor was present on systems running IIS.
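The MAC check described above, and why a leaked Machine Key defeats it, as an added model that is not the advisory's or Microsoft's code: ASP.NET's real VIEWSTATE format and key derivation are not reproduced here; `protect_viewstate`, `verify_viewstate` and the JSON body are assumptions standing in for the serialised page state, and the `mac_enabled` flag models the legacy setting of disabling MAC validation.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 digest length


def new_machine_key() -> bytes:
    """Model of a freshly generated validationKey (random, never shared)."""
    return secrets.token_bytes(64)


def protect_viewstate(state: dict, key: bytes) -> str:
    """Serialise the state and append an HMAC-SHA256 tag under the server key."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_viewstate(blob: str, key: bytes, mac_enabled: bool = True):
    """Return the decoded state if the MAC validates, otherwise None.

    With mac_enabled=False (the weak setting) the body is deserialised
    without any check, so any client-supplied content is accepted.
    """
    raw = base64.b64decode(blob)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if mac_enabled:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # reject before anything is deserialised
    return json.loads(body)


def rotation_invalidates_old_state() -> bool:
    """Rotating the key rejects state issued (or forged) under the old key."""
    old_key = new_machine_key()
    blob = protect_viewstate({"page": "login", "step": 1}, old_key)
    assert verify_viewstate(blob, old_key) == {"page": "login", "step": 1}
    return verify_viewstate(blob, new_machine_key()) is None


def tampering_detected() -> bool:
    """A single flipped bit in the body fails validation, but only if MAC is on."""
    key = new_machine_key()
    raw = bytearray(base64.b64decode(protect_viewstate({"step": 1}, key)))
    raw[0] ^= 0x01  # constructed tamper: flip one bit of the serialised body
    tampered = base64.b64encode(bytes(raw)).decode()
    return verify_viewstate(tampered, key) is None
```

The model shows the two controls the advisory relies on: MAC validation must stay enabled, and the Machine Key must be rotated once it may have been exfiltrated.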
The ACSC has also observed active targeting of organisations running other vulnerable software components, such as Telerik, that can also provide access to the required key material to perform decryption. For more information on this malicious use of Telerik, please refer to ACSC Advisory 2020-004: Targeting of Telerik CVE-2019-18935 and ACSC Advisory 2019-126: Vulnerable version of Telerik UI being actively exploited by APT actor.
The ACSC has not observed the activity detailed in this advisory targeting Microsoft Exchange Servers. However, the ACSC is aware of CVE-2020-0688, which would allow an actor to know the Machine Key for Microsoft Exchange Servers without gaining access to the key on the server. It is important to note that the patches outlined in Microsoft advisory CVE-2020-0688 address the static Machine Key and do not mitigate the deserialisation vulnerability if the Machine Key becomes known.
This advisory provides indicators of the activity the ACSC has observed and details proactive advice on detecting and mitigating potential exploitation of this vulnerability.