US Federal Agency Hacked 

Uploaded on 2023-03-22 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

Multiple cyber criminal gangs, including a nation state-backed hacking group, have been hacking and exploiting a four-year-old software vulnerability to compromise a US federal government agency. 

An alert from the Cybersecurity and Infrastructure Security Agency (CISA) released on March 15th reveals that hackers from multiple hacking groups have successfully exploited known vulnerabilities in Telerik, a user interface tool for web servers. 

This software, designed for building components and themes for web applications, was running on the US agency’s Internet-facing web server. According to the CISA advisory it looks like the vulnerability went undetected for almost four years. 

Two hacking groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server.  The Telerik UI for ASP.NET AJAX is sold by a US software company, Progress. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. 

In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure de-serialisation vulnerability that made it possible to remotely execute code on vulnerable servers. The vulnerability carried a severity rating of 9.8 out of a possible 10.

In 2020, the US National Security Agency (NSA) warned that the vulnerability was being used by Chinese state-sponsored actors.

According to CISA “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server... Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan... This may be the case for many software installations, as file paths widely vary depending on the organisation and installation method.”

Unpatched Vulnerabilities

To successfully exploit CVE-2019-18935, hackers must first know about the encryption keys used with a component known as the Telerik RadAsyncUpload. Federal investigators suspect the threat actors exploited one of 2 vulnerabilities discovered in 2017 that also remained unpatched on the agency server. Attacks from both groups used a technique known as DLL side loading, which involves replacing legitimate dynamic-link library files in Microsoft Windows with malicious ones. Some of the DLL files the group uploaded were disguised as PNG images. 

The malicious files were then executed using a legitimate process for IIS servers called w3wp.exe. A review of antivirus logs identified that some of the uploaded DLL files were present on the system as early as August 2021.
The CISA advisory does not identify the nation-state-sponsored threat group which is only referred to as TA1. Investigators identified nine DLL files used to explore the server and evade security defences. The files communicated with a control server with an IP address of 137.184.130[.]162 or 45.77.212[.]12. The traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443.

The hackers’ malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.

CISA also referred to a second group as TA2 which has been identified as XE Group, which researchers from security firm Volexity said is likely based in Vietnam. Both Volexity and Malwarebytes have reported this group as specialising in payment-card skimming. “Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process,” saye the CISA the advisory stated. 

The breach is most likely the consequence of the unnamed Federal agency failing to install a patch that had been available for years. Tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths.  If this can happen in a US government organisation, it can happen inside many other organisations. 

Cyber criminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Anyone using the Telerik UI for ASP.NET AJAX should carefully read the CISA advisory  to ensure they’re not exposed. 

To counter such attacks, it's recommended that organisations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.

CISA:   Telerik:    Ars Technica:   Malwarebytes:    Volexity:   Techcrunch:    Hacker News

You Might Also Read:

Perfectly Coded APIs Can Be Susceptible To Attack:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« AI Is Creating New Mobile Scamming Threats   
Britain Pledges To Invest £2.5bn In Quantum Computing »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

NCX Group

NCX Group

NCX Group is committed to helping customers identify and mitigate the risks inherent in today’s interconnected environments and business processes.

Shavlik Protect

Shavlik Protect

Shavlik Protect is an easy-to-use security software solution that discovers missing patches and deploys them to the entire organization.

Organization for Security and Co-operation in Europe (OSCE)

Organization for Security and Co-operation in Europe (OSCE)

OSCE is the world's largest security-oriented intergovernmental organization. Areas of activity include Cyber/ICT security.

OpenSphere

OpenSphere

OpenSphere is an IT company providing security consultancy, information system risk management and security management services.

Redjack

Redjack

Redjack is a cutting-edge network analytics company focused on enterprise and ISP security and intelligence solutions.

SIGA

SIGA

SIGA provides cyber security solutions for Industrial Control Systems SCADA systems used in critical infrastructures and industrial processes.

FoxGuard

FoxGuard

FoxGuard develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

Momentum Cyber

Momentum Cyber

Momentum Cyber provides world-class M&A and strategic advice combined with unparalleled senior-level access to the Cybersecurity ecosystem.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Inpher

Inpher

Inpher has pioneered cryptographic Secret Computing® that enables advanced analytics and machine learning while keeping data private, secure, and distributed.

Talon Cyber Security

Talon Cyber Security

Talon delivers the leading enterprise browser designed to bring security to managed and unmanaged devices, regardless of location, device type or operating system.

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

Nerds On Site

Nerds On Site

Nerds On Site provide on-site & in-home IT and technical support, managed IT services, and cyber security through our collaborative team of highly-trained IT and Security professionals.

Northern Computer

Northern Computer

Northern Computer provides comprehensive IT solutions that streamline your operations and help you achieve your business goals.

Assetnote

Assetnote

The Assetnote platform enables organizations to effectively map and continuously monitor their external attack surface.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.