Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency

March 16, 2023 · Ravie Lakshmanan · Cyber Attack / Vulnerability


Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik UI to compromise an unnamed federal agency in the United States.

The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“Exploitation of this vulnerability allowed a malicious actor to successfully execute remote code on a Federal Civilian Executive Branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server,” the agencies said.

Indicators of compromise (IoCs) related to the breach were identified between November 2022 and early January 2023.

The issue, tracked as CVE-2019-18935 (CVSS score: 9.8), is a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX that, if left unpatched, can lead to remote code execution.
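The article does not describe what exploitation looks like in server logs. As an added example (not code from the advisory, Telerik, or the article's author), the script below triages IIS W3C logs for requests to the Telerik web resource handler with `type=rau`, the RadAsyncUpload endpoint that public exploits for CVE-2019-18935 post their payload to. The handler name comes from public exploit write-ups, not from this page; the log excerpt is constructed for the demonstration and is not real incident data.

```python
import urllib.parse
from collections import Counter

# Constructed IIS W3C log excerpt for demonstration; not real log lines from the
# incident. Field order is the default IIS 10 layout. IIS writes "-" for empty
# values and logs cs-uri-query without the leading "?".
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-11-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-11-03 02:14:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 31
2022-11-03 02:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.10 python-requests/2.28.1 - 200 0 0 412
2022-11-03 02:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.10 python-requests/2.28.1 - 200 0 0 2104
2022-11-03 02:14:11 10.0.0.5 GET /telerik.web.ui.webresource.axd type=rau 443 - 203.0.113.10 python-requests/2.28.1 - 200 0 0 18
2022-11-03 02:20:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1&compress=1 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 9
"""

# Telerik's shared HTTP handler; "type=rau" selects the RadAsyncUpload handler.
TELERIK_HANDLER = "telerik.web.ui.webresource.axd"


def parse_iis_w3c(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the #Fields directive defines the column layout
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split(" ")        # IIS replaces spaces inside values with "+"
        if len(values) != len(fields):
            continue                    # truncated or malformed line: skip, don't mis-align columns
        records.append(dict(zip(fields, values)))
    return records


def is_rau_request(rec: dict) -> bool:
    """True for requests to the Telerik handler that select the RadAsyncUpload type."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(TELERIK_HANDLER):
        return False
    query = rec.get("cs-uri-query", "")
    if query == "-":
        return False                    # legitimate script-resource requests carry other params
    params = urllib.parse.parse_qs(query.lower())
    return "rau" in params.get("type", [])


def find_rau_requests(records: list) -> list:
    """Return only the records that hit the RadAsyncUpload handler."""
    return [r for r in records if is_rau_request(r)]


def summarize_by_client(hits: list) -> Counter:
    """Count handler hits per client IP to surface the noisiest sources."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    hits = find_rau_requests(parse_iis_w3c(SAMPLE_IIS_LOG))
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"],
              h["cs-uri-stem"], h["cs-uri-query"], h["cs(User-Agent)"])
    print(summarize_by_client(hits))
```

Two caveats when running this against real logs: IIS does not log POST bodies, so the serialized payload itself is not visible, and applications that legitimately use RadAsyncUpload also hit this handler. Treat hits as triage leads to correlate with file and process activity on the server (for example w3wp.exe writing or loading DLLs from temporary directories), not as proof of compromise on their own.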

It is worth noting that CVE-2019-18935 also featured among the most routinely exploited vulnerabilities abused by various threat actors in 2020 and 2021.

CVE-2019-18935, along with CVE-2017-11317, has been weaponized by a threat actor tracked as Praying Mantis (aka TG1021) to infiltrate the networks of public and private organizations in the United States.

Last month, CISA added CVE-2017-11357, another remote code execution bug affecting Telerik UI, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The threat actors are said to have leveraged CVE-2019-18935 to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe IIS worker process.

The DLL artifacts are designed to collect system information, load additional libraries, enumerate files and processes, and send the data back to a remote server.
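A DLL that is named like an image still carries a PE header, so the disguise is cheap to check for on disk. The script below is an added example (not code from the advisory or the article) that walks a directory tree, reads the first bytes of every file with an image extension, and flags those whose content is a PE module rather than an image. It generalizes the PNG case on this page to JPEG and GIF as well. The sample directory tree is constructed in a temporary folder for the demonstration; a real hunt would point it at the web root, upload folders, and temporary directories that w3wp.exe can write to.

```python
import os
import struct
import tempfile
from pathlib import Path

# Magic bytes that a file with one of these image extensions should start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
HEAD_BYTES = 4096  # covers the DOS header and any typical e_lfanew offset


def is_pe_image(head: bytes) -> bool:
    """True if head has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)   # offset of the PE signature
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # out-of-range offset yields b"" -> False


def find_masquerading_pe(root) -> list:
    """Walk root and return image-named files whose content is actually a PE module."""
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            expected = IMAGE_MAGIC.get(path.suffix.lower())
            if expected is None:
                continue                       # only files that claim to be images
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if head.startswith(expected):
                continue                       # genuine image header
            if is_pe_image(head):
                suspects.append(path)
    return sorted(suspects)


def fake_pe(size: int = 512) -> bytes:
    """Build a minimal blob with a valid DOS header and PE signature (not a loadable DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    blob = bytes(dos) + b"PE\x00\x00"
    return blob + b"\x00" * (size - len(blob))


def build_sample_tree() -> str:
    """Create a constructed directory tree for the demo (hypothetical layout, not from any incident)."""
    root = tempfile.mkdtemp(prefix="telerik-hunt-")
    images = Path(root, "images")
    images.mkdir()
    (images / "banner.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 100)  # genuine PNG header
    (images / "thumb.png").write_bytes(fake_pe())                              # PE disguised as PNG
    (images / "notes.jpg").write_bytes(b"MZ just some text, not a PE file")   # MZ prefix, no PE signature
    Path(root, "bin").mkdir()
    Path(root, "bin", "app.dll").write_bytes(fake_pe())                        # named .dll: out of scope here
    return root


if __name__ == "__main__":
    for p in find_masquerading_pe(build_sample_tree()):
        print("PE content with image extension:", p)
```

The check deliberately requires both the `MZ` stub and the `PE\0\0` signature at `e_lfanew`, so a text file that happens to begin with "MZ" is not reported. On a live server this file-based hunt pairs naturally with process telemetry: a module load by w3wp.exe from an upload or temp directory is the runtime counterpart of the artifact this script finds on disk.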


A second set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, used the same evasion technique of disguising DLLs as PNG images to sidestep detection.

These DLL files drop and execute a reverse (remote) shell utility for unencrypted communication with a command-and-control domain, and also drop additional payloads, including an ASPX web shell for persistent backdoor access.

The web shell “enumerates drives; sends, receives, and deletes files; and executes incoming commands,” and “contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.”

To counter such attacks, organizations are recommended to upgrade their instances of Telerik UI for ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts with privileged access.
