EXECUTIVE SUMMARY
A threat actor has been observed exploiting KnowledgeDeliver, a Learning Management System developed by Digital Knowledge that is widely used in Japan. The attackers exploited a critical ViewState deserialization vulnerability to execute code on the LMS web server, then used the compromised site to infect its visitors. The apparent goal was data theft: a Cobalt Strike BEACON backdoor gave the attackers access to user workstations, from which sensitive information was stolen. The attackers also used the compromised server to run further commands and payloads, demonstrating their ability to maintain control and extend the impact of the compromise.
The initial compromise exploits a ViewState deserialization vulnerability that stems from identical pre-shared ASP.NET machine keys being reused across multiple customer deployments: anyone who holds the keys can sign a ViewState payload that the server will accept as authentic and deserialize. Once code execution is obtained, the attackers deploy BLUEBEAM, a .NET-based in-memory web shell, to execute commands and payloads; because it does not live on disk, traditional file-based scanning does not see it. Through BLUEBEAM the attackers extended their control over the web server's file system, modifying permissions and JavaScript files so that pages silently loaded a remote malicious script. That script lured users into downloading a fake installer, which infected their workstations with a Cobalt Strike BEACON backdoor. BEACON then communicated with its command-and-control server by carrying encrypted data in HTTP POST request bodies, allowing the attackers to maintain control and issue further commands.
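To make the root cause concrete, the following Python is a simplified model of ViewState MAC protection. It is an added example, not KnowledgeDeliver or report code: real ASP.NET derives purpose-specific subkeys and uses its own serialisation format, and the payload a real attacker signs is a .NET object graph that runs code when deserialized rather than the JSON used here. The trust relationship is the same: whoever holds the validationKey can produce ViewState the server accepts. The shared template key, customer labels and the "gadget" state are constructed for the demonstration; the machineKey generator produces the key lengths commonly used for HMACSHA256 (64 bytes) and AES (32 bytes).

```python
"""Simplified model of ASP.NET ViewState MAC protection (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key baked into every install built from one template.
SHARED_TEMPLATE_KEY = b"CONSTRUCTED-TEMPLATE-KEY-SHARED-BY-EVERY-INSTALL"


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Serialise `state`, append HMAC-SHA256 over it, base64-encode the result."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(token: str, validation_key: bytes):
    """Return the deserialised state if the MAC is valid, otherwise None.

    In real ASP.NET the deserialisation step is what the attacker targets; a
    valid MAC is the gate that lets a malicious object graph reach it."""
    raw = base64.b64decode(token)
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def demo_shared_key_forgery():
    """Two customers deployed from the same template share the key.

    Returns (accepted_by_other_customer, accepted_after_rotation)."""
    customer_a_key = SHARED_TEMPLATE_KEY
    customer_b_key = SHARED_TEMPLATE_KEY

    # Attacker learns the key from one install (or from the template itself)...
    attacker_key = customer_a_key
    # ...and forges ViewState that customer B's server accepts as genuine.
    forged = sign_viewstate({"type": "gadget", "cmd": "whoami"}, attacker_key)
    accepted_by_b = verify_viewstate(forged, customer_b_key) is not None

    # Once customer B rotates to a key unique to its deployment, the same
    # forgery fails the integrity check and is never deserialised.
    rotated_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(forged, rotated_key) is not None
    return accepted_by_b, accepted_after_rotation


def generate_machine_keys():
    """Fresh per-deployment keys as upper-case hex: 64 bytes for the HMACSHA256
    validationKey, 32 bytes for the AES decryptionKey."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def machine_key_element(validation_hex: str, decryption_hex: str) -> str:
    """Render the <machineKey> element to paste into <system.web> in web.config."""
    return (f'<machineKey validationKey="{validation_hex}" '
            f'decryptionKey="{decryption_hex}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    print("forgery accepted by sibling install, then after rotation:",
          demo_shared_key_forgery())
    print(machine_key_element(*generate_machine_keys()))
```

When rotating, every server in one customer's web farm must share the same new keys (otherwise legitimate ViewState from one node fails on another), but no two customers should ever share them. After rotation, any previously captured or forged ViewState is rejected, so a rotation event is also a sensible moment to start watching for the verification failures described in the defensive guidance.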
The exploitation of KnowledgeDeliver highlights the severe risk of shipping shared secrets in deployment templates: a single leaked key can compromise an entire ecosystem of installations. Organisations running the product should monitor for unusual child processes spawned by w3wp.exe (the IIS worker process) and investigate any sign of exploitation. To defend against ViewState deserialization attacks, rotate the ASP.NET machine keys to per-deployment values, restrict network access to the LMS, and deploy robust endpoint monitoring. Detection should also cover failed ViewState verification attempts in the web server's event logs and anomalous User-Agent strings in web request logs. Taken together, these steps substantially reduce exposure to this class of attack and help protect sensitive information.
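The three detection signals above, implemented in Python and run over constructed sample telemetry; this is an added example, not vendor or report code. It assumes the log collector has already normalised process-creation events (Sysmon EID 1 or Windows 4688) into dicts with Image, ParentImage and CommandLine, and Application-log events from the ASP.NET source into dicts with Source, Message and a ClientIP field extracted from the event's request information. The IIS lines follow the W3C extended format with IIS's default field list, in which spaces inside the User-Agent are replaced by "+". The child-process allowlist and the scripted-User-Agent pattern are starting heuristics to be tuned per site.

```python
"""Detection logic for w3wp.exe children, failed ViewState MACs and odd User-Agents
(added example run over constructed telemetry)."""
import re
from collections import Counter

# --- 1. Suspicious child processes of the IIS worker process -----------------
# Children w3wp.exe may legitimately spawn (assumption; tune to your baseline).
W3WP_EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "certutil.exe", "rundll32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_w3wp_children(process_events):
    """Return (severity, child, command_line) for every w3wp.exe child that is
    a shell/LOLBin ("high") or simply not on the expected list ("review")."""
    findings = []
    for ev in process_events:
        if basename(ev["ParentImage"]) != "w3wp.exe":
            continue
        child = basename(ev["Image"])
        if child in HIGH_RISK_CHILDREN:
            findings.append(("high", child, ev["CommandLine"]))
        elif child not in W3WP_EXPECTED_CHILDREN:
            findings.append(("review", child, ev["CommandLine"]))
    return findings


# --- 2. Failed ViewState MAC verification -------------------------------------
def failed_viewstate_by_client(app_log_events, threshold=3):
    """Clients with >= threshold 'Viewstate verification failed' events.
    A burst from one address is the fingerprint of someone trying candidate
    keys or gadget payloads against the server."""
    hits = Counter(
        ev["ClientIP"] for ev in app_log_events
        if ev["Source"].startswith("ASP.NET")
        and ev["Message"].startswith("Viewstate verification failed"))
    return {ip: n for ip, n in hits.items() if n >= threshold}


# --- 3. Anomalous User-Agent strings in IIS W3C logs --------------------------
SCRIPTED_UA = re.compile(r"python-requests|curl/|Go-http-client|Java/|^-$", re.I)


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def anomalous_user_agents(iis_lines):
    """Flag POSTs to .aspx pages from non-browser User-Agents: ViewState travels
    in POST bodies, and exploit tooling rarely bothers to look like a browser."""
    out = []
    for rec in parse_w3c(iis_lines):
        ua = rec.get("cs(User-Agent)", "-")
        if (rec.get("cs-method") == "POST"
                and rec.get("cs-uri-stem", "").endswith(".aspx")
                and (SCRIPTED_UA.search(ua) or not ua.startswith("Mozilla/"))):
            out.append((rec["c-ip"], rec["cs-uri-stem"], ua))
    return out


# --- Constructed sample telemetry ---------------------------------------------
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Users\Public\svc.exe", "CommandLine": "svc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
SAMPLE_APP_LOG = [
    {"Source": "ASP.NET 4.0.30319.0", "ClientIP": "203.0.113.9",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
] * 4 + [
    {"Source": "ASP.NET 4.0.30319.0", "ClientIP": "198.51.100.20",
     "Message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
]
SAMPLE_IIS_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-01-01 00:00:01 10.0.0.5 POST /login.aspx - 443 - 203.0.113.9 python-requests/2.31 - 500 0 0 12",
    "2025-01-01 00:00:02 10.0.0.5 POST /login.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://lms.example/login.aspx 200 0 0 40",
    "2025-01-01 00:00:03 10.0.0.5 GET /index.aspx - 443 - 203.0.113.9 curl/8.4.0 - 200 0 0 5",
]

if __name__ == "__main__":
    print(suspicious_w3wp_children(SAMPLE_PROCESS_EVENTS))
    print(failed_viewstate_by_client(SAMPLE_APP_LOG))
    print(anomalous_user_agents(SAMPLE_IIS_LOG))
```

The three signals corroborate each other: the same client address producing a burst of MAC failures, then a scripted POST that returns 500, followed by w3wp.exe spawning cmd.exe, is the sequence a successful ViewState exploitation leaves behind, so correlating on c-ip and time is worth more than any single rule.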
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/knowledgedeliver-lms-zero-day-exploited/