Nation-state threat actor ‘Praying Mantis’ attacking organizations
Posted by: GuidePoint Security
Published 08/04/2021, 9am
An advanced persistent threat (APT) group dubbed Praying Mantis has been attacking high-profile public and private organizations in the United States for the last year, researchers announced last week.
By targeting deserialization implementations in ASP.NET and exploiting internet-facing Microsoft Internet Information Services (IIS) servers, the threat actors infiltrate networks, harvest credentials, conduct reconnaissance, and move laterally throughout systems. Believed to be the work of nation-state threat actors, the Praying Mantis attackers avoid detection by using custom malware built specifically to target IIS servers.
Due to the attack’s sophistication level, researchers believe that the attackers are advanced and experienced, with knowledge of operations security.
Next Steps
To secure systems from attacks by Praying Mantis, security researchers recommend:
- Patching .NET deserialization vulnerabilities.
- Searching for known indicators of compromise.
- Scanning internet-facing IIS servers with a set of YARA rules.
- Hunting for any suspicious activity on internet-facing IIS environments.
To prevent malware infiltration, businesses are also advised to ensure their systems have the latest cloud security, data security, email security and endpoint security solutions. In addition, organizations are encouraged to engage in regular penetration testing to help understand and identify existing malware in an enterprise system.