US Federal Agency Hacked 

Multiple cyber criminal gangs, including a nation state-backed hacking group, have been exploiting a four-year-old software vulnerability to compromise a US federal government agency. 

An alert from the Cybersecurity and Infrastructure Security Agency (CISA) released on March 15th reveals that hackers from multiple hacking groups have successfully exploited known vulnerabilities in Telerik, a user interface tool for web servers. 

This software, designed for building components and themes for web applications, was running on the US agency’s Internet-facing web server. According to the CISA advisory it looks like the vulnerability went undetected for almost four years. 

Two hacking groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server. The Telerik UI for ASP.NET AJAX is sold by a US software company, Progress. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. 

In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure de-serialisation vulnerability that made it possible to remotely execute code on vulnerable servers. The vulnerability carried a severity rating of 9.8 out of a possible 10.

In 2020, the US National Security Agency (NSA) warned that the vulnerability was being used by Chinese state-sponsored actors.

According to CISA: “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server... Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan... This may be the case for many software installations, as file paths widely vary depending on the organisation and installation method.”

Unpatched Vulnerabilities

To successfully exploit CVE-2019-18935, hackers must first know the encryption keys used with a component known as the Telerik RadAsyncUpload. Federal investigators suspect the threat actors exploited one of two vulnerabilities discovered in 2017 that also remained unpatched on the agency server. Attacks from both groups used a technique known as DLL side loading, which involves replacing legitimate dynamic-link library files in Microsoft Windows with malicious ones. Some of the DLL files the group uploaded were disguised as PNG images. 

The malicious files were then executed using a legitimate process for IIS servers called w3wp.exe. A review of antivirus logs identified that some of the uploaded DLL files were present on the system as early as August 2021.

The CISA advisory does not identify the nation-state-sponsored threat group, which is referred to only as TA1. Investigators identified nine DLL files used to explore the server and evade security defences. The files communicated with a control server with an IP address of 137.184.130[.]162 or 45.77.212[.]12. The traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443.

The hackers’ malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.

CISA also referred to a second group as TA2, which has been identified as XE Group, which researchers from security firm Volexity said is likely based in Vietnam. Both Volexity and Malwarebytes have reported this group as specialising in payment-card skimming. “Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process,” the CISA advisory stated. 
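The indicators the advisory gives for both groups (modules loaded by w3wp.exe from the Windows Temp directory, DLL payloads named as PNG images, and cleartext TCP to port 443 or to the two listed addresses) translate directly into detection checks. The script below is an added defender's example, not code from the article, CISA or Progress: it runs three such checks over constructed sample events. The process name, Temp path and C2 addresses are taken from the article; the event record formats, file names, flow records and byte strings are assumptions made up for the example.

```python
"""Host and network detection heuristics for the activity the CISA advisory
describes: modules dropped into the Windows Temp directory and loaded by
w3wp.exe, DLL payloads disguised as PNG images, and cleartext TCP on port 443.

All sample events below are constructed for this example; they are not
telemetry from the incident.
"""
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every PNG starts with this 8-byte signature
PE_MAGIC = b"MZ"                   # every DLL/EXE starts with the DOS header "MZ"
TLS_HANDSHAKE_RECORD = 0x16        # first byte of a TLS ClientHello record

# C2 addresses named in the advisory, kept defanged as published.
ADVISORY_C2 = ["137.184.130[.]162", "45.77.212[.]12"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable IP."""
    return ioc.replace("[.]", ".")


# Rule 1: the IIS worker process loading any module from the Windows Temp directory.
# Constructed image-load records in the form "<timestamp> <process> LOAD <path>".
SAMPLE_IMAGE_LOADS = [
    "2021-08-02T10:04:11Z w3wp.exe LOAD C:\\Windows\\Temp\\sample_payload.dll",
    "2021-08-02T10:04:11Z w3wp.exe LOAD C:\\Windows\\Temp\\sample_payload.png",
    "2021-08-02T10:04:12Z w3wp.exe LOAD C:\\Windows\\System32\\kernel32.dll",
    "2021-08-02T10:05:40Z explorer.exe LOAD C:\\Windows\\Temp\\installer_helper.dll",
]
IMAGE_LOAD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+LOAD\s+(?P<path>.+)$")
TEMP_DIR = "c:\\windows\\temp\\"


def w3wp_temp_module_loads(events):
    """Return the modules w3wp.exe loaded from the Temp directory, whatever their extension."""
    hits = []
    for line in events:
        m = IMAGE_LOAD_RE.match(line)
        if not m:
            continue  # not an image-load record
        path = m.group("path")
        if m.group("proc").lower() == "w3wp.exe" and path.lower().startswith(TEMP_DIR):
            hits.append(path)
    return hits


# Rule 2: a file named like an image whose content is a PE module.
SAMPLE_REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"    # constructed PNG header
SAMPLE_FAKE_PNG = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed DOS header


def is_masqueraded_png(filename: str, data: bytes) -> bool:
    """True when a .png file lacks the PNG signature but carries a PE header."""
    return (filename.lower().endswith(".png")
            and not data.startswith(PNG_MAGIC)
            and data.startswith(PE_MAGIC))


# Rule 3: outbound connections on 443 that never start a TLS handshake, or that
# reach an address from the advisory. Constructed flow records with the first
# payload byte captured by the sensor.
SAMPLE_FLOWS = [
    {"dst_ip": "137.184.130.162", "dst_port": 443, "first_byte": 0x4D},  # cleartext to C2
    {"dst_ip": "203.0.113.10", "dst_port": 443, "first_byte": 0x16},     # ordinary TLS
    {"dst_ip": "198.51.100.7", "dst_port": 443, "first_byte": 0x50},     # cleartext ("P" of POST)
    {"dst_ip": "45.77.212.12", "dst_port": 8443, "first_byte": 0x16},    # C2 on another port
]


def suspicious_443_flows(flows):
    """Return (dst_ip, reasons) for flows that are cleartext on 443 or reach advisory C2."""
    c2 = {refang(i) for i in ADVISORY_C2}
    findings = []
    for f in flows:
        reasons = []
        if f["dst_port"] == 443 and f["first_byte"] != TLS_HANDSHAKE_RECORD:
            reasons.append("cleartext on 443")
        if f["dst_ip"] in c2:
            reasons.append("advisory C2 address")
        if reasons:
            findings.append((f["dst_ip"], reasons))
    return findings


if __name__ == "__main__":
    for p in w3wp_temp_module_loads(SAMPLE_IMAGE_LOADS):
        print("w3wp.exe loaded a module from Temp:", p)
    print("sample.png is really a PE file:", is_masqueraded_png("sample.png", SAMPLE_FAKE_PNG))
    for ip, reasons in suspicious_443_flows(SAMPLE_FLOWS):
        print(ip, "->", ", ".join(reasons))
```

Rule 1 deliberately ignores the file extension: a module side-loaded into the worker process is suspicious whether it is called .dll or .png, which is why the disguised payloads in the advisory would still be caught. Rule 3 keys on the first payload byte rather than the port, since the advisory's traffic used port 443 without TLS.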

The breach is most likely the consequence of the unnamed federal agency failing to install a patch that had been available for years. Tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths. If this can happen in a US government organisation, it can happen inside many other organisations. 
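The scanner in this incident had the right plugin but never looked at the directory the component was installed in, so a version check that is driven by a software inventory rather than by a fixed path list closes the gap. The script below is an added example (not code from the article or from any scanner vendor): it audits a constructed inventory export for copies of the Telerik assembly older than 2020.1.114, the patched release the article names, and marks which of them a scan confined to default web roots would have skipped. The assembly file name Telerik.Web.UI.dll, the year.release.build version numbering, the CSV layout and the default scan roots are all assumptions made for the example.

```python
"""Audit a software-inventory export for Telerik UI for ASP.NET AJAX assemblies
older than 2020.1.114 (the release the article names as patching CVE-2019-18935),
wherever on disk they sit, and report which of them a scanner limited to a fixed
set of web-root paths would have skipped.

Assumptions not taken from the article: the assembly file is Telerik.Web.UI.dll,
versions use a year.release.build numbering, and the inventory is a CSV with
host,path,version columns. Every inventory row below is constructed.
"""
import csv
import io

PATCHED_VERSION = (2020, 1, 114)
ASSEMBLY_NAME = "telerik.web.ui.dll"

# Stand-in for a scanner's predefined search paths (constructed for the example).
DEFAULT_SCAN_ROOTS = ("c:\\inetpub\\wwwroot\\",)

SAMPLE_INVENTORY = """host,path,version
web01,C:\\inetpub\\wwwroot\\portal\\bin\\Telerik.Web.UI.dll,2019.3.1023
web01,D:\\apps\\legacy-portal\\bin\\Telerik.Web.UI.dll,2017.2.621
web02,C:\\inetpub\\wwwroot\\intranet\\bin\\Telerik.Web.UI.dll,2023.1.117
web02,E:\\sites\\hr\\bin\\Telerik.Web.UI.dll,2020.1.114
web03,C:\\inetpub\\wwwroot\\api\\bin\\Newtonsoft.Json.dll,12.0.3
"""


def parse_version(text: str) -> tuple:
    """Parse a year.release.build string into a tuple that compares numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def is_vulnerable(version: str) -> bool:
    """Anything below the patched release is treated as exposed to CVE-2019-18935."""
    return parse_version(version) < PATCHED_VERSION


def under_default_roots(path: str) -> bool:
    """Would a scanner that only walks DEFAULT_SCAN_ROOTS have seen this file?"""
    return path.lower().startswith(DEFAULT_SCAN_ROOTS)


def audit_inventory(inventory_csv: str) -> list:
    """Return every out-of-date Telerik assembly, flagging those outside the default roots."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        path = row["path"]
        if not path.lower().endswith("\\" + ASSEMBLY_NAME):
            continue  # some other assembly; version scheme does not apply
        if not is_vulnerable(row["version"]):
            continue
        findings.append({
            "host": row["host"],
            "path": path,
            "version": row["version"],
            "missed_by_path_limited_scan": not under_default_roots(path),
        })
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        note = "MISSED by path-limited scan" if f["missed_by_path_limited_scan"] else "in default roots"
        print(f"{f['host']}: {f['path']} ({f['version']}) - {note}")
```

On the constructed inventory the copy under D:\apps is both out of date and outside the default roots, which is exactly the combination the advisory describes; the 2020.1.114 copy is not reported because the check compares whole version tuples rather than the year alone.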

Cyber criminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Anyone using the Telerik UI for ASP.NET AJAX should carefully read the CISA advisory to ensure they’re not exposed. 

To counter such attacks, it's recommended that organisations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.

Sources: CISA, Telerik, Ars Technica, Malwarebytes, Volexity, TechCrunch, Hacker News

Cyber Security Intelligence: Captured Organised & Accessible