Headline
APT Actors Exploited Telerik Vulnerability in Govt IIS Server – CISA
By Deeba Ahmed According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau… This is a post from HackRead.com Read the original post: APT Actors Exploited Telerik Vulnerability in Govt IIS Server – CISA
According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation), and MS-ISAC (Multi-State Information Sharing and Analysis Center), financially motivated hackers and APT threat actors are exploiting a three-year-old Telerik vulnerability.
Reportedly, the attack impacted a US government entity. Indicators of compromise (IoCs) for this digital invasion were discovered in November 2022 and continued until January 2023.
For your information, Telerik application development software is used by many high-profile companies worldwide. Any flaws in these products are pretty valuable to cybercriminals.
The advisory states that multiple threat actors, including a nation-state group, are exploiting this vulnerability. The security flaw was discovered in Progress Software’s Telerik and was exploited to infiltrate federal government agencies in the US.
In August 2022, an intrusion targeting the federal civilian executive branch (FCEB) was observed. Threat actors leveraged the flaw to upload and execute malicious DLL files disguised as PNG images through the w3wp.exe process. These files collect system data, load libraries to the system, and enumerate processes and files to transfer stolen data to a remote server operated by the attacker.
By exploiting this flaw, malicious threat actors can execute remote code on the FCEB’s Microsoft IIS (Internet Information Services) web server. Further probe revealed that the server hosted a vulnerable instance of the Progress Telerik UI for the ASP.NET AJAX app development library.
However, CISA didn’t name the attacker who infiltrated the IIS server but stated that a cybercrime gang identified as XE Group from Vietnam also exploited the same machine. The earliest activity from this group was noticed in August 2021 when the hackers delivered DLL files that collected system data and deployed new components on the hijacked system.
The vulnerability is tracked as CVE-2019-18935 with a CVSS score of 9.8 and is exploited for remote code execution. The issue is related to a .NET deserialization vulnerability that can be dangerous for the company using Telerik software if left unpatched. The same flaw was previously discovered in 2020 and 2021, among other commonly exploited vulnerabilities.
Moreover, in conjunction with another vulnerability tracked as CVE-2017-11317, this flaw was weaponized by the Praying Mantis threat actor to invade the networks of private and public organizations in the US.
CVE-2019-18935 is tied to another vulnerability tracked as CVE-2017-11357. This is an old flaw found in Telerik software, and exploitation can allow an attacker to obtain encryption keys that can facilitate the exploitation of CVE-2019-18935.
In 2020, CVE-2019-18935 was dubbed by the NSA as one of the most commonly exploited flaws by Chinese state-backed actors. In April 2022, cybersecurity firms in the US, UK, Canada, Australia, and New Zealand included it in their lists of commonly exploited security flaws.
- Avast found backdoor in US Federal Agency Network
- Magecart skimming attack hits 8 US government sites
- CISA suggests using ad blockers to fend off malvertising
- Russia targeted 40 agencies including US Nuclear Agency
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
An unpatched Microsoft Web server allowed multiple cybersecurity threat groups to steal data from a federal civilian executive branch.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)