Preface: Ransomware and other malware are powerful cyber attack tools; deploying them is the equivalent of an army entering a hostile country.
Background: Yesterday, 21 Oct 2019, the NSA and NCSC released a joint advisory on Turla Group activities. One of the tools described is the ASPX web shell; the group appeared to use these shells on compromised servers to prepare a second round of attack.
We see a trend: future cyber attacks will increasingly target web APIs, and attackers retain a strong interest in Microsoft products, especially the .NET Framework. Note that ASP.NET Web API does not apply the request validation feature that ASP.NET Web Forms and MVC use to reject suspicious input, so you must add that protection yourself whenever an input value will end up in HTML output. The growing number of Microsoft SharePoint deployments is another factor.
Several characteristics of web programming and of the Windows platform draw attackers towards the software side (see below).
- User-mode rootkits run in Ring 3, alongside ordinary applications in the user's context, rather than as low-level system processes, so installing one does not require privilege elevation.
- A Ring 0 rootkit, by contrast, is a kernel-mode driver (a *.sys file) and requires administrator privileges to install.
- The query parameter text is not checked before being saved in a user cookie (C#): NameValueCollection request = Request.QueryString;
- The unchecked value is then added to the response as a cookie: Response.Cookies["userName"].Value = request["text"];
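As an added illustration of the point above about Web API and request validation, and of the query-to-cookie fragment in the list (this is example code written for this post, not code from the original article, the advisory, or Microsoft), the following C# places the unvalidated pattern next to a hardened version. It assumes ASP.NET Web API 2 on the .NET Framework hosted under IIS (so HttpContext.Current is available); the controller names, the route, the cookie name and the allow-list pattern are assumptions chosen for illustration.

```csharp
// Added example, not from the original post or the NSA/NCSC advisory.
// Assumes ASP.NET Web API 2 on .NET Framework, hosted under IIS.
using System;
using System.Collections.Specialized;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Http;

// GET /api/unsafeprofile?text=<anything>
// Reproduces the pattern from the list above: the query parameter goes
// into a cookie unchecked and is later reflected into HTML unencoded.
// Web API performs no request validation here, so a payload such as
// <script>...</script> passes straight through to the response.
public class UnsafeProfileController : ApiController
{
    [HttpGet]
    public HttpResponseMessage Get()
    {
        NameValueCollection request = HttpContext.Current.Request.QueryString;
        var cookie = new HttpCookie("userName") { Value = request["text"] };
        HttpContext.Current.Response.Cookies.Add(cookie);

        string html = "<p>Welcome, " + request["text"] + "</p>";
        return new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StringContent(html, Encoding.UTF8, "text/html")
        };
    }
}

// Manual validation that Web API does not do for you. Allow-list only:
// letters, digits, dot, underscore, hyphen, 1 to 32 characters. This
// rejects <, >, quotes, CR/LF and ';' so the value can neither inject
// markup nor tamper with the Set-Cookie header. (Pattern is an assumption.)
public static class UserNameValidator
{
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z0-9._-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValid(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }
}

// GET /api/profile?text=<user name>
// Hardened version of the same endpoint.
public class ProfileController : ApiController
{
    [HttpGet]
    public HttpResponseMessage Get(string text)
    {
        // 1. Validate before the value touches a cookie or the response body.
        if (!UserNameValidator.IsValid(text))
        {
            return Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, "invalid user name");
        }

        // 2. Encode at the point of HTML output even though the value
        //    passed validation; the two controls are independent.
        string html = "<p>Welcome, " + HttpUtility.HtmlEncode(text) + "</p>";
        var response = new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StringContent(html, Encoding.UTF8, "text/html")
        };

        // 3. Set the cookie through Web API's own header type, HttpOnly so
        //    page script cannot read it and Secure so it is never sent in clear.
        var cookie = new CookieHeaderValue("userName", text)
        {
            HttpOnly = true,
            Secure = true,
            Path = "/"
        };
        response.Headers.AddCookies(new[] { cookie });
        return response;
    }
}
```

The validator is the piece that would be missing if you ported a Web Forms or MVC handler to Web API and expected request validation to still be there: with the unsafe controller, GET /api/unsafeprofile?text=%3Cscript%3Ealert(1)%3C/script%3E both stores the payload in the cookie and reflects it; with the hardened controller the same request is refused with 400 before any cookie is set.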
Weaknesses like these keep feeding the continuous stream of cyber attacks.
Technical article for reference: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-%20COPY.PDF