Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

“Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server,” the agencies said. The indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023.

Tracked as CVE-2019-18935 (CVSS score: 9.8), the issue relates to a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution.

It’s worth noting here that CVE-2019-18935 has previously found a place among some of the most commonly exploited vulnerabilities abused by various threat actors in 2020 and 2021.

CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponized by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S.

Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Threat actors are said to have leveraged the flaw to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe process. The DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.
Another set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, entailed the use of the aforementioned evasion techniques to sidestep detection. These DLL files dropped and executed reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access.

The web shell is equipped to “enumerate drives; to send, receive, and delete files; and to execute incoming commands” and “contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.”

To counter such attacks, it’s recommended that organizations upgrade their instances of Telerik UI for ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.
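The masquerading described above (DLL files written with a .png extension and loaded by w3wp.exe) can be checked for from the defender's side by comparing each file's extension with its leading magic bytes. The following is an added example, not code from the advisory or from Progress; the directory layout and file names it scans are constructed in a temporary folder.

```python
"""Flag files that claim to be PNG images but begin with a PE (DLL/EXE) header.

Added example: a file named *.png whose first bytes are the PE "MZ" stub rather
than the PNG signature matches the DLL-as-image pattern from the advisory.
"""
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG file signature
PE_MAGIC = b"MZ"                   # DOS header that starts every PE image


def classify(header: bytes) -> str:
    """Return 'png', 'pe' or 'unknown' for the leading bytes of a file."""
    if header.startswith(PNG_MAGIC):
        return "png"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def find_masquerading_pe(root: str) -> list:
    """Walk root and return sorted paths of *.png files whose content is PE."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(len(PNG_MAGIC))
            if classify(header) == "pe":
                hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample tree and return the base names flagged."""
    root = tempfile.mkdtemp(prefix="png_pe_demo_")
    with open(os.path.join(root, "logo.png"), "wb") as fh:      # genuine PNG header
        fh.write(PNG_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "upload1.png"), "wb") as fh:   # constructed: PE bytes, .png name
        fh.write(PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:     # PE bytes but not *.png: out of scope
        fh.write(PE_MAGIC + b"\x00" * 10)
    return [os.path.basename(p) for p in find_masquerading_pe(root)]


if __name__ == "__main__":
    print(demo())
```

Pointing `find_masquerading_pe` at the web server's upload and temp directories turns the check into a periodic scan; a hit is a triage lead, not proof of compromise on its own.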