Headline
Telerik Bug Exploited to Steal Federal Agency Data, CISA Warns
An unpatched Microsoft Web server allowed multiple cybersecurity threat groups to steal data from a federal civilian executive branch.
Multiple threat groups were able breach a federal agency and steal data by exploiting a years-old Progress Telerik vulnerability in an unpatched Microsoft Internet Information Services (IIS) Web server — and the Cybersecurity and Infrastructure Security Agency (CISA) wants other IT security teams to be on the lookout for similar exposure.
The Federal Civilian Executive Branch (FCEB) was compromised from last November to January 2023 after threat actors were able to exploit a .NET deserialization Telerik vulnerability from 2019 (CVE-2019-18935) in the agency’s Microsoft Internet Information Services (IIS) Web server, CISA reported.
CISA, along with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued indicators of compromise and warn teams running Telerik UI for ASP.NET Ajax builds from earlier than 2020 who are concerned about unpatched servers to immediately:
- Implement a patch management solution to ensure compliance with the latest security patches.
- Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
- Limit service accounts to the minimum permissions necessary to run services.
Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
By Deeba Ahmed According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau… This is a post from HackRead.com Read the original post: APT Actors Exploited Telerik Vulnerability in Govt IIS Server – CISA
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)