Headline
Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Cyber Attack / Vulnerability
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.
The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
“Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server,” the agencies said.
The indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023.
Tracked as CVE-2019-18935 (CVSS score: 9.8), the issue related to a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution.
It’s worth noting here that CVE-2019-18935 has previously found a place among some of the most commonly exploited vulnerabilities abused by various threat actors in 2020 and 2021.
CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponized by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S.
Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Threat actors are said to have leveraged the flaw to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe process.
The DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.
WEBINAR
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.
RESERVE YOUR SEAT
Another set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, entailed the use of aforementioned evasion techniques to sidestep detection.
These DLL files dropped and executed reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access.
The web shell is equipped to “enumerate drives; to send, receive, and delete files; and to execute incoming commands” and “contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.”
To counter such attacks, it’s recommended that organizations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
By Deeba Ahmed According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau… This is a post from HackRead.com Read the original post: APT Actors Exploited Telerik Vulnerability in Govt IIS Server – CISA
An unpatched Microsoft Web server allowed multiple cybersecurity threat groups to steal data from a federal civilian executive branch.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)