Recently, a critical security flaw in Progress Telerik was exploited by multiple threat actors, including a nation-state group, to gain unauthorized access to an unnamed federal entity in the U.S.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly issued an advisory, revealing that the vulnerability allowed the malicious actors to execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.
The vulnerability, known as CVE-2019-18935, is related to a .NET deserialization flaw in Progress Telerik UI for ASP.NET AJAX, which could lead to remote code execution if left unpatched. The issue was identified through indicators of compromise (IoCs) associated with the digital break-in between November 2022 and early January 2023.
It’s important to note that CVE-2019-18935 was previously among the most commonly exploited vulnerabilities in 2020 and 2021 by various threat actors. Another flaw, CVE-2017-11357, affecting Telerik UI, was also added to the Known Exploited Vulnerabilities (KEV) catalog by CISA last month, citing evidence of active exploitation.
Threat actors are leveraging the flaw to upload and execute malicious dynamic-link library (DLL) files disguised as PNG images via the w3wp.exe process, designed to gather system information, enumerate files and processes, and exfiltrate the data back to a remote server.
To counter such attacks, organizations should upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts with privileged access. The attacks are also observed to drop and execute reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access.
The web shell can “enumerate drives, send, receive, and delete files, and execute incoming commands.” In August 2021, another set of attacks by a cybercriminal actor dubbed XE Group also utilized evasion techniques to avoid detection.