A U.S. federal agency fell victim to a cyberattack last year after threat actors exploited a critical vulnerability in the Progress Telerik UI for ASP.NET AJAX component. The attackers used the CVE-2019-18935 bug to access the agency's Microsoft Internet Information Services (IIS) web server.
According to a joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the attackers had access to the server between November 2022 and early January 2023. Indicators of compromise (IOCs) discovered on the agency's network showed that at least two threat actors, one of them being the Vietnamese XE Group, were responsible for the breach.
The advisory says that after gaining access to the IIS server, the attackers deployed malicious payloads in the C:\Windows\Temp\ folder to collect and exfiltrate information to attacker-controlled command and control servers.
The malware installed on the compromised server could deploy additional payloads, evade detection by deleting its traces on the system, and open reverse shells to maintain persistence. It could also be used to drop an ASPX web shell that provides an interface for browsing the local system, downloading and uploading files, and executing remote commands.
However, the attackers were unable to drop any web shells on the target system, most likely because of the restrictive write permissions of the abused service account. Nevertheless, the attackers had access to sensitive information, and their activities remained undetected for several months.
The CVE-2019-18935 Telerik UI vulnerability was also included in the NSA's list of the top 25 security bugs abused by Chinese hackers and in the FBI's list of top targeted vulnerabilities. Although CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog in November 2021 with a remediation due date of May 3, 2022, the U.S. federal agency had not secured its Microsoft IIS server by that date.
CISA, the FBI, and MS-ISAC are recommending several mitigation measures to protect against future attacks targeting this vulnerability, including:
- Upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version after appropriate testing.
- Prioritize remediation of vulnerabilities on internet-facing systems.
- Implement a patch management solution.
- Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.
- Validate output from patch management and vulnerability scanning solutions against running services.
- Implement network segmentation to separate network segments based on role and functionality.
- Isolate similar systems and implement micro-segmentation with granular access and policy restrictions.
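The two checks below are an added example, not code from the advisory or from CISA, FBI or MS-ISAC. They turn two of the points above into something a defender can run: the first validates deployed Telerik UI for ASP.NET AJAX versions by looking at the `Telerik.Web.UI.dll` actually present under each IIS site (the "validate scanner output against running services" recommendation), and the second flags executable artefacts written under `C:\Windows\Temp\`, the staging folder named in the advisory. The version threshold `2020.1.114` is an assumption taken from the NVD entry for CVE-2019-18935 (the first release whose default settings block the exploit); verify it against current vendor guidance before relying on it. The site inventory and directory listing are constructed sample data, and the `DeployedDll` record stands in for whatever your inventory tool produces.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption (not from the advisory): Telerik UI for ASP.NET AJAX versions are
# formatted YYYY.Q.BUILD, e.g. "2019.3.1023". NVD lists 2020.1.114 as the first
# release whose default configuration prevents CVE-2019-18935 exploitation.
# Check this threshold against vendor guidance before using it in production.
PATCHED_VERSION = (2020, 1, 114)

VERSION_RE = re.compile(r"^(\d{4})\.(\d)\.(\d{3,4})$")


def parse_telerik_version(text: str) -> tuple:
    """Parse 'YYYY.Q.BUILD' into a comparable (year, quarter, build) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Telerik version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the deployed version predates the assumed patched release."""
    return parse_telerik_version(text) < PATCHED_VERSION


@dataclass(frozen=True)
class DeployedDll:
    site: str          # IIS site name
    path: str          # on-disk path of the deployed Telerik.Web.UI.dll
    file_version: str  # version read from the DLL's file metadata


def find_vulnerable_sites(dlls):
    """Return (site, path, version) for each deployed DLL below the patched version.

    Checking the DLL that is actually deployed under each site, rather than a
    package inventory, is how scanner output gets validated against what runs.
    """
    return [(d.site, d.path, d.file_version)
            for d in dlls if is_vulnerable_version(d.file_version)]


# File types that should not normally be written to the Windows Temp folder
# by a web server's service account; extend to taste.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".vbs"}


def suspicious_temp_files(listing, temp_dir=r"C:\Windows\Temp"):
    """Flag executable artefacts anywhere under temp_dir (the advisory's staging folder).

    PureWindowsPath comparisons are case-insensitive, so mixed-case paths from
    different tools still match.
    """
    root = PureWindowsPath(temp_dir)
    hits = []
    for p in listing:
        wp = PureWindowsPath(p)
        if wp.is_relative_to(root) and wp.suffix.lower() in EXECUTABLE_SUFFIXES:
            hits.append(str(wp))
    return sorted(hits)


# Constructed sample inventory: one site still on a 2013 build, two on or above the threshold.
SAMPLE_DLLS = [
    DeployedDll("Default Web Site", r"C:\inetpub\wwwroot\bin\Telerik.Web.UI.dll", "2013.2.717"),
    DeployedDll("Intranet", r"D:\sites\intranet\bin\Telerik.Web.UI.dll", "2020.1.114"),
    DeployedDll("Portal", r"D:\sites\portal\bin\Telerik.Web.UI.dll", "2022.3.913"),
]

# Constructed sample directory listing mixing benign temp files with two executables.
SAMPLE_TEMP_LISTING = [
    r"C:\Windows\Temp\installer.log",
    r"C:\Windows\Temp\tmp1234.tmp",
    r"c:\windows\temp\update.dll",
    r"C:\Windows\Temp\sub\tool.exe",
    r"C:\Users\Public\notes.txt",
]

if __name__ == "__main__":
    for site, path, version in find_vulnerable_sites(SAMPLE_DLLS):
        print(f"VULNERABLE {site}: {path} ({version})")
    for hit in suspicious_temp_files(SAMPLE_TEMP_LISTING):
        print(f"SUSPICIOUS temp artefact: {hit}")
```

On a real server, replace `SAMPLE_DLLS` with the output of an inventory step that reads the file version of every `Telerik.Web.UI.dll` under each site's `bin` directory, and feed `suspicious_temp_files` the result of a recursive listing of the Temp folder; the comparison and filtering logic stays the same.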
Organizations are also encouraged to exercise, test, and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework to ensure optimal performance against the MITRE ATT&CK techniques identified in the advisory. By implementing these measures, organizations can mitigate the risk of falling victim to similar attacks in the future.
For more information, see the cybersecurity advisory, Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server.