Istari

Inside a Sophisticated Cyberattack – “Sygnia, Praying Mantis: An Advanced Memory-Resident Attack”


The Israeli cybersecurity firm Sygnia has helped many clients respond to and recover from serious cyberattacks. Many of those cyberattacks shared similarities, and Sygnia discovered that they were likely performed by an advanced threat actor they refer to as “Praying Mantis”. Sygnia has published a report on the findings that describes the attacker’s tactics, techniques and procedures.  

Summary:

  • The Sygnia team writes that the attackers gained access to a network by “leveraging a variety of de-serialisation exploits targeting Windows IIS servers”.
  • Okay, let’s translate that.
  • A Windows IIS server, in simple terms, is a server that can host a website. For example, when you open your browser and type ebay.com, your request may land on a Windows IIS server that runs the eBay website.
  • Serialisation is the process of turning the data a program works with (objects and their fields, something us humans understand) into a stream of bytes (zeros and ones, something a computer understands) that can be stored in a file or in a computer’s memory. De-serialisation, in turn, is the reverse: rebuilding the data structure from those bytes. When the bytes come from an untrusted source, that computerised process isn’t always secure, and Sygnia found that the attackers exploited such a weakness in a process that was used on a Windows server.
  • So, Praying Mantis gained access to a corporate network by sending malicious data to a website that was hosted on a Windows server, which the server then processed as if it were trustworthy.
  • The attackers then established what is known as a command-and-control channel – think of this as a communication channel that attackers use to send instructions to their malware.
  • Once the attackers gained access to the network and established their command-and-control channel, they were able to record the usernames and passwords of people who logged into the website. The attackers also scouted and explored the corporate network, browsing through files and folders.
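The bullet points above describe the general problem of de-serialising bytes that an attacker controls. The following is an added illustration, not code from the Sygnia report or from the affected IIS software, and it uses Python’s `pickle` rather than .NET because the concept is the same: a serialised stream can name a class or function for the receiver to instantiate. The `Session` record, the allow-list, and the sample streams are all constructed for this example. The first approach limits what names a stream may resolve; the second avoids code-carrying formats entirely and validates plain data by hand.

```python
import datetime
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Session:
    """Constructed example record: data a web app might persist between requests."""
    user: str
    roles: list


# Allow-list of the only names a pickle stream may reference. Anything outside
# it (application classes, library functions, modules) is refused outright.
ALLOWED = {"builtins": {"dict", "list", "tuple", "set", "frozenset",
                        "str", "bytes", "int", "float", "bool"}}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed names."""

    def find_class(self, module, name):
        if name in ALLOWED.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def load_untrusted_pickle(data: bytes):
    """De-serialise bytes of unknown origin; returns (True, value) or (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def plain_data_pickle() -> bytes:
    """Constructed sample: a stream that carries only built-in data types."""
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})


def object_pickle() -> bytes:
    """Constructed sample: a stream that names a class outside the allow-list."""
    return pickle.dumps(datetime.datetime(2021, 8, 1))


# Safer alternative: a data-only format plus explicit shape validation, so the
# bytes can never name a class or function for the receiver to execute.
def serialize_session(s: Session) -> bytes:
    return json.dumps({"user": s.user, "roles": s.roles}).encode()


def deserialize_session(data: bytes) -> Session:
    obj = json.loads(data.decode())
    if not isinstance(obj, dict) or set(obj) != {"user", "roles"}:
        raise ValueError("unexpected shape")
    if (not isinstance(obj["user"], str) or not isinstance(obj["roles"], list)
            or not all(isinstance(r, str) for r in obj["roles"])):
        raise ValueError("unexpected types")
    return Session(obj["user"], obj["roles"])


if __name__ == "__main__":
    print(load_untrusted_pickle(plain_data_pickle()))
    print(load_untrusted_pickle(object_pickle()))
    print(deserialize_session(serialize_session(Session("bob", ["viewer"]))))
```

The restricted loader still parses the whole stream, so it is a last line of defence rather than a fix; the JSON path is the one to prefer for data that crosses a trust boundary, because there is no mechanism in the format for naming code to run.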

Microsoft commented on the Sygnia report, stating that the attack relied on vulnerabilities of third-party software applications.


Why does this matter?

This attack technique relied on vulnerabilities in third-parties – software suppliers. As such, this is yet another illustration of the danger of supply chain risk, in this case, the digital supply chain. Digital supply chains are as complex as physical ones, and securing them requires effort, attention, and investment. 

