US Federal Agency Hacked 

Multiple cyber criminal gangs, including a nation state-backed hacking group, have been hacking and exploiting a four-year-old software vulnerability to compromise a US federal government agency. 

An alert from the Cybersecurity and Infrastructure Security Agency (CISA) released on March 15th reveals that hackers from multiple hacking groups have successfully exploited known vulnerabilities in Telerik, a user interface tool for web servers. 

This software, designed for building components and themes for web applications, was running on the US agency’s Internet-facing web server. According to the CISA advisory it looks like the vulnerability went undetected for almost four years. 

Two hacking groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server.  The Telerik UI for ASP.NET AJAX is sold by a US software company, Progress. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. 

In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure de-serialisation vulnerability that made it possible to remotely execute code on vulnerable servers. The vulnerability carried a severity rating of 9.8 out of a possible 10.

In 2020, the US National Security Agency (NSA) warned that the vulnerability was being used by Chinese state-sponsored actors.

According to CISA “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server... Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan... This may be the case for many software installations, as file paths widely vary depending on the organisation and installation method.”

Unpatched Vulnerabilities

To successfully exploit CVE-2019-18935, hackers must first know about the encryption keys used with a component known as the Telerik RadAsyncUpload. Federal investigators suspect the threat actors exploited one of 2 vulnerabilities discovered in 2017 that also remained unpatched on the agency server. Attacks from both groups used a technique known as DLL side loading, which involves replacing legitimate dynamic-link library files in Microsoft Windows with malicious ones. Some of the DLL files the group uploaded were disguised as PNG images. 

The malicious files were then executed using a legitimate process for IIS servers called w3wp.exe. A review of antivirus logs identified that some of the uploaded DLL files were present on the system as early as August 2021.
The CISA advisory does not identify the nation-state-sponsored threat group which is only referred to as TA1. Investigators identified nine DLL files used to explore the server and evade security defences. The files communicated with a control server with an IP address of 137.184.130[.]162 or 45.77.212[.]12. The traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443.

The hackers’ malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.

CISA also referred to a second group as TA2 which has been identified as XE Group, which researchers from security firm Volexity said is likely based in Vietnam. Both Volexity and Malwarebytes have reported this group as specialising in payment-card skimming. “Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process,” saye the CISA the advisory stated. 

The breach is most likely the consequence of the unnamed Federal agency failing to install a patch that had been available for years. Tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths.  If this can happen in a US government organisation, it can happen inside many other organisations. 

Cyber criminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Anyone using the Telerik UI for ASP.NET AJAX should carefully read the CISA advisory  to ensure they’re not exposed. 

To counter such attacks, it's recommended that organisations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.

CISA:   Telerik:    Ars Technica:   Malwarebytes:    Volexity:   Techcrunch:    Hacker News

You Might Also Read:

Perfectly Coded APIs Can Be Susceptible To Attack:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« AI Is Creating New Mobile Scamming Threats   
Britain Pledges To Invest £2.5bn In Quantum Computing »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Red Hat

Red Hat

Red Hat is a leader in open source software development. Our software security team proactively identifies weaknesses before they become problems.

Secure360

Secure360

Secure360 focuses on the following key areas: governance, risk and compliance, information security, physical security, business continuity management, and professional development.

Yubico

Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.

PartnerRe

PartnerRe

PartnerRe Ltd. provides multi-line reinsurance to insurance companies on a worldwide basis. Services include Cyber Risk.

Appdome

Appdome

Appdome is the industry's first mobile integration as a service company, providing solutions for enterprise mobility and mobile application security.

Cyber Execs

Cyber Execs

Cyber Execs is a Cyber Security Consultancy & Executive Recruitment firm.

National Cyber Security Authority (NCA) - Saudi Arabia

National Cyber Security Authority (NCA) - Saudi Arabia

The NCA is the government entity in charge of cybersecurity in Saudi Arabia and serves as the national authority on its affairs.

SkillCube

SkillCube

SkillCube is one of the pioneers in India focusing on Cyber Security Skill Development Solutions.

ACM-CCAS

ACM-CCAS

ACM is a UKAS-accredited certification body helping businesses around the world perform to a higher standard. Our certifications include ISO 27001 and ISO 22301.

Onfido

Onfido

Onfido is building the new identity standard for the internet. We digitally prove people’s real identities using a photo ID and facial biometrics.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Eastern Cyber Resilience Centre (ECRC)

Eastern Cyber Resilience Centre (ECRC)

The Eastern Cyber Resilience Centre is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

MDSec

MDSec

MDSec is a consultancy with a passion for information security. Our consultants specialise in application, mobile and hardware security and targeted red team attacks.

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

SHI International

SHI International

SHI International deliver against your IT and business needs, helping you build strategies and solutions that will drive innovation, collaboration and security.

Smile Identity

Smile Identity

Smile Identity helps businesses confirm the true identity of their users in real-time using any smartphone or computer.