The US Federal Agency has been helpless in the face of hacker attacks for several years
Completely different cybercriminals have been exploiting weaknesses in the same software for a long time.
Several independent hacker groups exploited a three-year-old critical vulnerability in Progress Telerik to infiltrate the systems of the US federal civilian executive agency. This is stated in joint security bulletin published CISAthe FBI, and the Interstate Information Exchange and Analysis Center (MS-ISAC).
“Exploitation of this vulnerability allowed attackers to remotely execute malicious code on the IIS server of the Federal Civil Executive Agency (FCEB),” the departments said.
The indicators of compromise (IoC) associated with the hack show that hackers had access to the system from November 2022 to early January 2023.
Vulnerability CVE-2019-18935 (CVSS: 9.8) affects the Progress Telerik user interface for ASP.NET AJAX and allows attackers to remotely execute code. The vulnerability was discovered at the end of 2019 and was often exploited by cybercriminals in 2020-2021.
Telerik UI for ASP.NET AJAX is a set of tools for developing web applications on the ASP.NET AJAX platform. It includes many pre-made UI components such as buttons, charts, tables, dropdowns and more. These components help simplify the development process and reduce the time it takes to build web applications.
Previously, CVE-2019-18935 was used in conjunction with CVE-2017-11317 by Praying Mantis (aka TG2021) to infiltrate networks of public and private organizations in the United States.
Last month, CISA also listed another vulnerability as actively exploited – CVE-2017-11357, which allows remote code execution and affects the Telerik user interface.
During an intrusion filed against the FCEB agency in August 2022, attackers reportedly used CVE-2019-18935 to download and execute malware DLL-files disguised as PNG images.
These DLLs drop and run reverse (remote) shell utilities to communicate unencrypted with the C2 server to deliver additional payloads , including an ASPX web shell for persistent access. The web shell is specially designed for convenient file handling and easy execution of various malicious commands.
To counter these attacks, it is recommended that organizations update their Telerik ASP.NET AJAX UI instances to the latest version, implement network segmentation, and apply anti-phishing multi-factor authentication for privileged access accounts.