Cyber Defense Center

Threat Actor successfully probes PHP RCE payload towards website protected by AWS WAF & ALB

Detection: An incident-driven security assessment detected PHP RCE probing attempts against a non-PHP Nginx web server, disclosing and mitigating a critical security risk that allowed defence layers to be bypassed.

Description: While reviewing a client’s security posture, SecurityHQ’s Incident Response team identified malicious traffic attempting to exploit a PHP Remote Code Execution (RCE) vulnerability against a web application hosted on Nginx, which does not run any PHP components. The attacker’s objective appeared to be reconnaissance — specifically, probing server behaviour and response codes. Because the affected web server was not yet integrated with the SIEM, the initial 404 responses generated by Nginx were not visible to the Monitoring Team. A deeper investigation, combined with consultation with the application team, revealed that these 404 responses originated from the web tier behind the AWS WAF and Application Load Balancer (ALB).

Recommendations: To strengthen the overall security posture and reduce unnecessary traffic reaching the application backend, we recommended enabling all default AWS Managed Rule Groups within AWS WAF. These rule sets help block common exploit attempts—including PHP-based probes—at the edge, preventing them from being forwarded to the ALB and ultimately to the webserver. This proactive hardening step aligns with AWS best practices and significantly minimizes exposure to widespread vulnerability scanners and exploit attempts. 
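The 404s described above only become useful once the Nginx access log reaches the SIEM. The following is an added example (not code from SecurityHQ or the client) that parses constructed nginx combined-format log lines and surfaces sources that request .php resources on a host that serves no PHP; the IPs, paths and `min_hits` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed access-log lines: a scanner probing PHP paths on a host that
# serves no PHP at all, mixed with one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:00:02 +0000] "POST /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:00:04 +0000] "GET /wp-login.php?a=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2025:10:00:05 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_php_probes(log_text, min_hits=2):
    """Map source IP -> requested PHP paths for sources that asked for .php
    resources on a non-PHP host (every such request is answered with 404).
    Sources below `min_hits` are dropped so a single mistyped URL is not alerted on."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()   # ignore the query string
        if path.endswith(".php") and rec["status"] == "404":
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}

if __name__ == "__main__":
    for ip, paths in find_php_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} PHP probes, e.g. {paths[0]}")
```

With the managed rule groups enabled at the WAF, these requests should stop appearing in the backend log altogether; a rule like this then doubles as a check that the edge blocking is actually working.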

Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Detection: Critical FortiWeb Zero-Day Alert: Path Traversal Exploit Enables Remote Authentication Bypass

SHQ Detection Pack – Relevant Use Cases

  1. Suspicious Web Requests Identified in Audit, System Logs
  2. Administrative Logins to the management interface
  3. Configuration Changes Executed

Description: SecurityHQ’s Incident Response team successfully responded to an incident involving CVE-2025-64446 – a critical vulnerability impacting Fortinet’s FortiWeb Web Application Firewall. The issue combines a relative path traversal flaw with an authentication bypass, allowing remote, unauthenticated attackers to access internal management endpoints. As per the vendor, multiple FortiWeb versions are affected, including 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.4, and 8.0.0–8.0.1, as confirmed by FortiGuard Labs and CISA. Exploitation requires no valid credentials. Attackers can send crafted HTTP(S) requests that leverage the path traversal weakness to reach protected CGI components on the management interface. Successful exploitation enables complete authentication bypass, allowing threat actors to create new administrative accounts and gain full control of the FortiWeb device. This poses a significant risk to environments relying on FortiWeb as a frontline security control.

Mitigation Actioned:

  • Restricted management access to trusted internal networks only.
  • Keys, credentials and certificates were rotated.

Lessons Learnt: Organizations should have a strong proactive patching regime, restrict management access to internal networks, and enable key WAF protections to block exploitation attempts. Post-patch, review admin accounts and logs for unauthorized activity and ensure full SIEM visibility for ongoing monitoring.

Threat Detection Engineering

Key Detection Engineering Highlights for November

Azure Hound Probes

Threat actors widely use AzureHound or similar tools to map users, groups, and roles within Microsoft 365 or Entra ID as part of early enumeration; the same tools are often used by red teamers to identify gaps in cloud security. Here is a short example of this attack method: a low-privilege account suddenly produces a burst of sign-ins from an unusual application pattern.

The tool rapidly queries directory information, attempting to identify privileged roles, access paths, and high-value accounts.

Why it matters: This type of reconnaissance helps attackers understand your cloud environment, find weak points, and plan privilege escalation. Detecting these early signals reduces the chance of further compromise.

Rule Name: Azure Hound User Agent Detected (P2)

Detection Scope: Microsoft 365 and Entra ID

Rationale: Reconnaissance tools generate directory queries and sign-in patterns that differ from normal user activity. Identifying these anomalies allows early detection before attackers escalate privileges or move deeper into the environment.

BloodHound – Behavioral Detection:

An attacker runs a BloodHound/SharpHound collector from a compromised workstation to rapidly enumerate Active Directory. BloodHound enumeration creates rapid, large-scale directory queries that differ from normal user or admin behavior. Tracking abnormal spikes in object-access events helps identify reconnaissance before privilege escalation or lateral movement occurs.

Here is a short example of this Attack method: Host XYZ generated 2,400 “Failure Audit: An operation was performed on an object” events in 45 seconds, each referencing different AD objects (users/groups/ACLs). The source account was a low-privilege user (not a well-known service account) and the requests targeted many high-value OUs.

Why it matters: BloodHound-style enumeration reveals relationships, privileges, and ACEs that attackers use to plan lateral movement and privilege escalation.

Rule Name: Excessive Directory Access Failures Detected (P3)

Detection Scope: Monitor Windows Security audit logs for spikes in object-access events (success & failure) indicating mass AD enumeration; surface SourceHost, Username, and TargetObject; exclude known service/admin accounts.
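The rule above, expressed as logic over constructed Windows Security events: an added example, not SecurityHQ’s detection content. It models Event ID 4662 (“An operation was performed on an object”), slides a 45-second window per (host, user) pair, requires many distinct target objects, and skips an allow-list of service accounts; the host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events modelled on Event ID 4662
# ("An operation was performed on an object"), one per AD object touched.
def make_events():
    base = datetime(2025, 11, 12, 9, 0, 0)
    events = []
    def add(host, user, n, step_ms, outcome="Failure"):
        for i in range(n):
            events.append({"host": host, "user": user, "event_id": 4662, "outcome": outcome,
                           "target": f"CN=obj{i},OU=Tier0,DC=corp,DC=local",
                           "ts": base + timedelta(milliseconds=step_ms * i)})
    add("HOST-XYZ", "CORP\\a.user", 300, 150)              # 300 objects in 45 s: collector
    add("HOST-DC1", "CORP\\svc_backup", 300, 150)           # same volume, but allow-listed
    add("HOST-ADM", "CORP\\admin1", 3, 10_000, "Success")   # 3 objects in 30 s: normal admin
    return events

ALLOWLIST = {"CORP\\svc_backup"}   # known service/admin accounts to exclude

def detect_mass_enumeration(events, window=timedelta(seconds=45),
                            min_events=200, min_distinct=100, allowlist=ALLOWLIST):
    """Flag (host, user) pairs whose 4662 events, success or failure, reach
    `min_events` inside `window` while touching at least `min_distinct` objects."""
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] != 4662 or e["user"] in allowlist:
            continue
        groups[(e["host"], e["user"])].append((e["ts"], e["target"]))
    alerts = []
    for (host, user), items in groups.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # shrink window from the left
                start += 1
            span = items[start:end + 1]
            if len(span) >= min_events:
                distinct = len({target for _, target in span})
                if distinct >= min_distinct:
                    alerts.append({"host": host, "user": user,
                                   "events": len(span), "distinct_targets": distinct})
                    break   # one alert per (host, user) is enough
    return alerts

if __name__ == "__main__":
    for a in detect_mass_enumeration(make_events()):
        print(f"{a['host']} {a['user']}: {a['events']} events over {a['distinct_targets']} objects")
```

The distinct-target requirement is what separates a collector from a single noisy application retrying the same object.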

Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Account Takeover! Sign-In Activity from malicious user agent “axios/1.13.1”

Detection: The incident trigger was a suspicious user authentication activity with unfamiliar sign-in properties and a detected password spray attack. The alert identified potential unauthorized access attempts originating from an unusual IP address and nonstandard client application.

Investigation: Identity Protection detected an unusual interactive sign-in for the user account originating from an external IP address located in the USA. The authentication was performed using the atypical user agent “axios/1.13.1”, a tool commonly used for automated HTTP requests rather than legitimate browser-based logins.

Multiple aspects of the authentication, including ASN, browser type, device fingerprint, geographic location, and tenant IP subnet, were inconsistent with the user’s typical login patterns, location and device, making the activity highly anomalous. Although MFA was successfully completed via text message to the registered number, the abnormal client and unfamiliar sign-in characteristics raised concerns regarding potential credential compromise or account takeover.

Subsequent activity from the account included a suspicious URL click event leading to a OneDrive resource. Sandbox analysis confirmed the link redirected to a OneDrive login page, indicative of phishing intent. The URL originated from “cable[.]coromans[.]com”, a domain active since 2010 but potentially abused for malicious purposes. Additionally, a concurrent password spray detection targeting multiple accounts suggested broader credential-stuffing attempts in the environment. Based on these findings, the activity aligns with MITRE ATT&CK T1110 (Brute Force) under TA0001 – Initial Access, consistent with threat actors attempting unauthorized entry via automated or scripted authentication attempts. 

Actions taken: A major incident was raised, and the customer was notified over the phone. Immediate remediation steps were applied to the user’s account, and the identified IOCs were blocked by the SecurityHQ team under the Managed EDR service.

Reference: https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-blockmalicious-user-agents/

Throughout 2025, the SecurityHQ team raised 300+ major incidents originating from this axios user agent and succeeded in preventing further damage in all cases.

Suspicious Remote Command Execution and Lateral Movement Activity.

Detection: An incident was escalated indicating suspicious lateral movement activity and remote command execution on a device. The alert identified ‘SuspRemoteCmdCommand’ malware associated with WMI process execution originating from an external IP address.

Investigation: Microsoft Defender for Endpoint (MDE) detected suspicious WMI-related activity involving the legitimate WmiPrvSE.exe process executed with the unusual command line “-secured -Embedding.” Although WmiPrvSE.exe is commonly used by Windows, the behavior was flagged due to the associated detection of SuspRemoteCmdCommand, suggesting potential remote command execution.

Shortly afterward, a secondary process executed via cmd.exe, running quietly to capture the output of the whoami command to a temporary file—an action typically associated with attacker reconnaissance following lateral movement. The event also correlated with a prior Lateral Movement Detected alert on the same host, reinforcing concerns of unauthorized remote execution.

During behaviour monitoring, the threat was identified and terminated promptly. This active threat was classified as Behavior:Win32/SuspRemoteCmdCommand.SA operating within the WmiPrvSE.exe process.

Additional telemetry captured WUDFHost.exe activity near the same timeframe, indicating possible chained system operations triggered during the malicious sequence. Threat intelligence enrichment further validated risk indicators, as the external IP, and associated file hash were flagged by multiple security sources, supporting Defender’s classification of the activity as malicious.

Remediation Actions: The malicious process was successfully blocked and terminated by Microsoft Defender. No further suspicious activity was observed. All identified IOCs were blocked. A full antivirus scan was performed across the entire host to ensure no residual malware components remained active.

Not many security solutions are able to log command line activity. Having an enterprise EDR solution or a command line auditing tool like Sysmon enables defenders and analysts to detect activities happening under the hood.
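What that command line auditing buys you, as an added example (not Defender’s or SecurityHQ’s logic): the chain described above, a shell spawned directly by WmiPrvSE.exe that runs whoami quietly and captures the output to a temp file, scored over constructed Sysmon-style process-creation records (Event ID 1 field names). The host names, users and the exact redirect path are assumptions; the third record is a normal WmiPrvSE.exe start under svchost.exe, included to show it is not flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process creation records (Event ID 1 field names).
PROCESS_EVENTS = [
    {"Computer": "WS-042", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami > C:\Windows\Temp\out.tmp 2>&1"},
    {"Computer": "WS-042", "User": "CORP\\helpdesk",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Computer": "WS-042", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = re.compile(r"\b(whoami|hostname|ipconfig|systeminfo|net\s+(user|group))\b", re.I)
TEMP_REDIRECT = re.compile(r">\s*\S*temp\\", re.I)   # output sent into a ...\Temp\ path

def basename(path):
    return PureWindowsPath(path).name.lower()

def score_event(e):
    """Return (severity, reasons). Severity 0 means the record is not of interest;
    the base condition is a shell spawned directly by the WMI provider host."""
    if basename(e["ParentImage"]) != "wmiprvse.exe" or basename(e["Image"]) not in SHELLS:
        return 0, []
    reasons = ["shell spawned by WmiPrvSE.exe (remote WMI execution pattern)"]
    cmd = e["CommandLine"]
    if RECON.search(cmd):
        reasons.append("host/user reconnaissance command")
    if TEMP_REDIRECT.search(cmd):
        reasons.append("output captured to a temp file")
    if "/q" in cmd.lower().split():
        reasons.append("quiet mode (/Q) suppresses echo")
    return len(reasons), reasons

def triage(events):
    """Records worth an analyst's attention, highest severity first."""
    hits = []
    for e in events:
        severity, reasons = score_event(e)
        if severity:
            hits.append({"host": e["Computer"], "user": e["User"],
                         "severity": severity, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["severity"])
```

Without ParentImage and CommandLine in the telemetry, the first record is indistinguishable from any cmd.exe start, which is the point made above about Sysmon and EDR.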

Threat Hunting

SecurityHQ’s Threat Hunting team focused on hunting threats in the cloud, where malicious or unauthorised activity within the cloud environment stems mainly from compromised credentials, misconfigured permissions, or exploitation of vulnerable services, leading to potential privilege escalation, lateral movement, and data exfiltration.

The objective of these hypotheses is to proactively detect, investigate, and respond to suspicious or unauthorised activities across cloud infrastructure that may indicate compromise, privilege escalation, data exfiltration, or other malicious behaviours, thereby reducing risk exposure and improving cloud security posture.

Notable Observations: Large-Scale Role Assumption & Privilege Probing: One of the customer environments showed an extremely high volume of AssumeRole operations, hinting at automation or scripted enumeration.

Key Observations:

  • Unknown external IPs performing API calls with repeated access denials.
  • Attempts to access sensitive resources or enumerate services.
  • Occasional rate-throttling events tied to high-volume API activity, suggesting automation.

Associated Risk: Likely indicators of scripted scanning, misconfigured integrations, or malicious reconnaissance.
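The three signals in these observations (mass AssumeRole per principal, repeated AccessDenied from sources outside known networks, and throttling errors that betray automation) can be pulled out of CloudTrail with a short hunt query. Below is an added example, not SecurityHQ’s hunt tooling, run over constructed CloudTrail-shaped records: the field names (eventName, eventSource, sourceIPAddress, errorCode, userIdentity.arn) are CloudTrail’s; the account ID, principals, IPs, known network and thresholds are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks the organisation expects API calls from (constructed example value).
KNOWN_NETS = [ip_network("198.51.100.0/24")]
THROTTLE_CODES = {"Client.RequestLimitExceeded", "ThrottlingException", "Throttling"}

def make_trail():
    """Constructed CloudTrail-shaped records: real field names, invented values."""
    recs = []
    ci = {"arn": "arn:aws:iam::123456789012:user/ci-runner"}
    for _ in range(150):   # scripted, high-volume role assumption from a known network
        recs.append({"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
                     "userIdentity": ci, "sourceIPAddress": "198.51.100.10"})
    probe = {"arn": "arn:aws:iam::123456789012:user/legacy-key"}
    for name, src in [("ListSecrets", "secretsmanager.amazonaws.com"),
                      ("GetSecretValue", "secretsmanager.amazonaws.com"),
                      ("ListKeys", "kms.amazonaws.com"), ("DescribeInstances", "ec2.amazonaws.com"),
                      ("ListBuckets", "s3.amazonaws.com"), ("ListUsers", "iam.amazonaws.com")]:
        recs.append({"eventName": name, "eventSource": src, "userIdentity": probe,
                     "sourceIPAddress": "203.0.113.50", "errorCode": "AccessDenied"})
    recs.append({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                 "userIdentity": probe, "sourceIPAddress": "203.0.113.50",
                 "errorCode": "Client.RequestLimitExceeded"})
    return recs

def is_known_source(ip):
    try:
        addr = ip_address(ip)
    except ValueError:          # e.g. "AWS Internal" or a service principal: not an external IP
        return True
    return any(addr in net for net in KNOWN_NETS)

def hunt(records, assume_role_threshold=100, denied_threshold=5):
    """Summarise the hunt signals: mass AssumeRole per principal, repeated
    AccessDenied from unknown sources, and throttling (automation) per source."""
    assume, denied, throttled = Counter(), Counter(), Counter()
    for r in records:
        ip = r.get("sourceIPAddress", "")
        principal = r.get("userIdentity", {}).get("arn", "?")
        if r.get("eventName") == "AssumeRole":
            assume[principal] += 1
        code = r.get("errorCode")
        if code == "AccessDenied" and not is_known_source(ip):
            denied[ip] += 1
        elif code in THROTTLE_CODES:
            throttled[ip] += 1
    return {"mass_assume_role": {p: n for p, n in assume.items() if n >= assume_role_threshold},
            "denied_from_unknown": {ip: n for ip, n in denied.items() if n >= denied_threshold},
            "throttled_sources": dict(throttled)}
```

The ci-runner principal is still reported despite coming from a known network, because the volume signal is independent of the source check; whether that is a misconfigured integration or scripted enumeration is the follow-up question the hunt poses.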

EC2 & Compute Irregularities: Most environments showed no compute-based compromise activity, but a minority revealed abnormalities.

Key Observations:

  • Large EC2 instances running unexpectedly.
  • Rate-limiting and throttling events associated with compute services.

Associated Risks: No confirmed persistence, but compute resources are being probed or misused in some tenants.

Recommendations: Based on the combined threat landscape observed across all customers, the following global recommendations apply:

  • Enforce Strong Authentication Immediately.
  • Remove legacy IAM accounts where possible.
  • Restrict console access by IP through IAM conditions or network controls.
  • Harden IAM Roles & Reduce Privilege Exposure.
  • Limit access to Secrets Manager and KMS to essential roles only.
  • Lock Down S3 Storage by enabling Block Public Access globally.
  • Conduct a Global Access Key Audit.

Incident Response – Success Story

Incident Story: ASP.NET Machine Key Exploitation

One of SecurityHQ’s customers recently faced a critical web server compromise originating from a long-standing vulnerability in Microsoft’s ASP.NET framework. Threat actors have begun weaponizing publicly exposed ASP.NET machine keys — some of which have been available online since as early as 2003 — to hijack Internet Information Services (IIS) servers and deploy malicious modules.

IR Observations: Attack Narrative

During the investigation, it was discovered that threat actors exploited ASP.NET ViewState deserialization flaws. By obtaining publicly available machine keys, they could tamper with serialized ViewState data — a component used to maintain state information across web requests. Because these machine keys are cryptographic secrets that validate and secure ViewState content, possessing them effectively allowed the attackers to bypass ViewState MAC validation and execute arbitrary code on the targeted servers — all without requiring authentication credentials.

Microsoft had previously identified over 3,000 exposed machine keys across open repositories, forums, and developer sites, creating a wide landscape of potential victims. Many of these keys belonged to applications built on .NET Framework versions prior to 4.5, which lack built-in protection against deserialization abuse. 

Impact Analysis

Once the IIS servers were compromised, attackers loaded malicious IIS modules to maintain persistence and intercept incoming HTTP requests. These modules enabled:

  • Command execution under IIS worker process privileges.
  • Credential harvesting from memory and web traffic.
  • Data exfiltration through legitimate web communications.
  • Possible lateral movement within the network via trusted server accounts.

The stealth of this method made detection difficult, as all activities appeared as legitimate IIS traffic and processes.

Root Cause

  • Use of outdated ASP.NET versions (< 4.5) lacking secure ViewState handling.
  • Disabled or weak MAC validation for ViewState integrity.
  • Reuse or exposure of machine keys in public repositories and code-sharing platforms.
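Each of these root causes is visible in web.config before any attacker arrives. The following added example (not Microsoft’s or SecurityHQ’s tooling) audits a constructed web.config for a pre-4.5 targetFramework, disabled ViewState MAC validation, and static machine keys, comparing key digests against a set of digests of publicly disclosed keys. The configuration values and the single placeholder digest are assumptions; the real disclosed-key list is Microsoft’s and is not reproduced here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config showing all three root causes; key values are placeholders.
WEB_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.0" />
    <pages enableViewStateMac="false" />
    <machineKey validationKey="PLACEHOLDER-LEAKED-KEY"
                decryptionKey="PLACEHOLDER-STATIC-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# SHA-256 digests of publicly disclosed keys would be loaded here (only a placeholder
# digest is included). Comparing digests avoids shipping the key material itself.
LEAKED_KEY_DIGESTS = {hashlib.sha256(b"PLACEHOLDER-LEAKED-KEY").hexdigest()}

def framework_version(text):
    """'4.7.2' -> (4, 7, 2) so versions compare numerically."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def audit_web_config(xml_text, leaked_digests=LEAKED_KEY_DIGESTS):
    """Return findings for the root causes in the incident: old framework,
    MAC validation off, and static or publicly disclosed machine keys."""
    findings = []
    root = ET.fromstring(xml_text)
    sw = next((c for c in root if c.tag == "system.web"), None)
    if sw is None:
        return findings
    comp = sw.find("compilation")
    tf = comp.get("targetFramework") if comp is not None else None
    if tf is None or framework_version(tf) < (4, 5):
        findings.append(f"targetFramework={tf or 'unset'}: below 4.5, no built-in protection "
                        "against ViewState deserialization abuse")
    pages = sw.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState MAC validation is disabled")
    mk = sw.find("machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue   # generated at runtime; nothing published to compare against
            if hashlib.sha256(value.encode()).hexdigest() in leaked_digests:
                findings.append(f"{attr} matches a publicly disclosed key: rotate immediately")
            else:
                findings.append(f"{attr} is a static key: confirm it is unique to this "
                                "application and was never committed to a repository")
    return findings
```

Run across a web farm’s config files, the same check also catches the key reuse between applications that turns one leaked key into several compromised servers.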

Conclusion

The exploitation of legacy ASP.NET vulnerabilities through leaked machine keys highlights the persistent risk posed by long-standing insecure configurations and public code exposure. By promptly rotating keys, enabling validation, and upgrading to modern frameworks with AMSI support, organisations can restore the integrity of their web applications and prevent future exploitation of this vector.

Reference: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/