Summary
Key Points:
- Threat actors exploited a zero-day vulnerability (CVE-2026-5426) in the KnowledgeDeliver learning management system to deploy web shells and backdoors.
- The exploitation allowed attackers to execute commands on compromised systems, leading to the installation of Godzilla web shells and a Cobalt Strike backdoor, affecting numerous deployments primarily in Japan.
- Organizations are advised to rotate machine keys, restrict access to the LMS, and monitor for indicators of compromise (IoCs) associated with this attack.
Technical Details: The vulnerability stems from hardcoded 'machineKey' values in the 'web.config' file, which enabled ViewState deserialization attacks. This allowed attackers to craft malicious payloads that compromised the server.
MITRE ATT&CK Techniques:
- T1203 - Exploitation for Client Execution (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1047 - Windows Management Instrumentation (Execution)
- T1105 - Ingress Tool Transfer (Command and Control)
IOCs Mentioned: None mentioned.
Join the discussion — sign up to comment, upvote, and save articles.