US Federal Agency Hacked 

Multiple cyber criminal gangs, including a nation state-backed hacking group, have been hacking and exploiting a four-year-old software vulnerability to compromise a US federal government agency. 

An alert from the Cybersecurity and Infrastructure Security Agency (CISA) released on March 15th reveals that hackers from multiple hacking groups have successfully exploited known vulnerabilities in Telerik, a user interface tool for web servers. 

This software, designed for building components and themes for web applications, was running on the US agency’s Internet-facing web server. According to the CISA advisory it looks like the vulnerability went undetected for almost four years. 

Two hacking groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server.  The Telerik UI for ASP.NET AJAX is sold by a US software company, Progress. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. 

In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure de-serialisation vulnerability that made it possible to remotely execute code on vulnerable servers. The vulnerability carried a severity rating of 9.8 out of a possible 10.

In 2020, the US National Security Agency (NSA) warned that the vulnerability was being used by Chinese state-sponsored actors.

According to CISA “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server... Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan... This may be the case for many software installations, as file paths widely vary depending on the organisation and installation method.”

Unpatched Vulnerabilities

To successfully exploit CVE-2019-18935, hackers must first know about the encryption keys used with a component known as the Telerik RadAsyncUpload. Federal investigators suspect the threat actors exploited one of 2 vulnerabilities discovered in 2017 that also remained unpatched on the agency server. Attacks from both groups used a technique known as DLL side loading, which involves replacing legitimate dynamic-link library files in Microsoft Windows with malicious ones. Some of the DLL files the group uploaded were disguised as PNG images. 

The malicious files were then executed using a legitimate process for IIS servers called w3wp.exe. A review of antivirus logs identified that some of the uploaded DLL files were present on the system as early as August 2021.
The CISA advisory does not identify the nation-state-sponsored threat group which is only referred to as TA1. Investigators identified nine DLL files used to explore the server and evade security defences. The files communicated with a control server with an IP address of 137.184.130[.]162 or 45.77.212[.]12. The traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443.

The hackers’ malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.

CISA also referred to a second group as TA2 which has been identified as XE Group, which researchers from security firm Volexity said is likely based in Vietnam. Both Volexity and Malwarebytes have reported this group as specialising in payment-card skimming. “Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process,” saye the CISA the advisory stated. 

The breach is most likely the consequence of the unnamed Federal agency failing to install a patch that had been available for years. Tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths.  If this can happen in a US government organisation, it can happen inside many other organisations. 

Cyber criminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Anyone using the Telerik UI for ASP.NET AJAX should carefully read the CISA advisory  to ensure they’re not exposed. 

To counter such attacks, it's recommended that organisations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.

CISA:   Telerik:    Ars Technica:   Malwarebytes:    Volexity:   Techcrunch:    Hacker News

You Might Also Read:

Perfectly Coded APIs Can Be Susceptible To Attack:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« AI Is Creating New Mobile Scamming Threats   
Britain Pledges To Invest £2.5bn In Quantum Computing »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perforce Software

Perforce Software

Perforce helps companies build complex software products more collaboratively, securely, and efficiently.

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

NISC was established as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors to create a "free, fair and secure cyberspace" in Japan.

Astra Security

Astra Security

Astra's website security solution provides real-time protection against malware, hackers, SQLi, XSS, DDoS, LFI and RFI.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

ThreatHunter.ai

ThreatHunter.ai

ThreatHunter.ai (formerly Milton Security) is a business that tracks down and mitigates attacks in real time using our ARGOS Platform and our Elite Threat Hunters.

Indusface

Indusface

Indusface offers best website security, web application firewall and SSL certificate to keep your online business much safer.

Synelixis Solutions

Synelixis Solutions

Synelixis Solutions is a high-tech company founded to provide complete telecommunications, networking, security, control and automation solutions.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

InterVision

InterVision

InterVision is a leading Strategic Services Provider, assisting businesses in driving value and gaining a competitive edge by helping IT Leaders solve the most crucial challenges they face.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

Area 1 Security

Area 1 Security

Area 1 is the only Pay-per-Phish solution in cyber security. And the only technology that blocks phishing attacks before they damage your business.

LiveAction

LiveAction

LiveAction provides end-to-end visibility of network and application performance from a single pane of glass.

Cyvatar

Cyvatar

Cyvatar is a technology-enabled cyber security as a service (CSaaS) provider delivering smarter managed security to help you achieve compliance and security faster and more efficiently.

Eunetic

Eunetic

Eunetic IT security solutions - we secure your websites, emails, domains and data.

Bluerydge

Bluerydge

Bluerydge specialises in cyber security and technology, focusing on the delivery of innovative sovereign solutions through trusted, cleared and experienced professionals.

iTRUSTXForce

iTRUSTXForce

iTRUSTXForce is a global provider of DigitalX (cybersecurity, privacy, and digital trust) services. We offer comprehensive services that focus on delivering outcomes for our clients.