According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation), and MS-ISAC (Multi-State Information Sharing and Analysis Center), financially motivated hackers and APT threat actors are exploiting a three-year-old Telerik vulnerability.
Reportedly, the attack impacted a US government entity. Indicators of compromise (IoCs) for this intrusion were first observed in November 2022, and the activity continued until January 2023.
Telerik application development software is used by many high-profile companies worldwide, so any flaw in these products is valuable to cybercriminals.
The advisory states that multiple threat actors, including a nation-state group, are exploiting this vulnerability. The security flaw was discovered in Progress Software’s Telerik and was exploited to infiltrate federal government agencies in the US.
In August 2022, an intrusion targeting a federal civilian executive branch (FCEB) agency was observed. Threat actors leveraged the flaw to upload and execute malicious DLL files disguised as PNG images through the w3wp.exe process. These files collect system data, load additional libraries onto the system, and enumerate processes and files before transferring the stolen data to a remote server operated by the attacker.
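A defender-side check for the pattern described above (an executable saved under an image extension), written as an added example for this article and not taken from the advisory: it walks a directory, and flags any file whose extension claims an image but whose first bytes are the `MZ` header of a Windows PE file. The directory tree, file names and contents in `demo()` are constructed for illustration.

```python
"""Flag image-named files that actually carry a Windows PE (DLL/EXE) header.

Constructed example: paths and sample bytes below are invented, not IoCs.
"""
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # standard 8-byte PNG signature
PE_MAGIC = b"MZ"                   # DOS stub header that every PE file starts with


def classify_header(data: bytes) -> str:
    """Return 'png', 'pe' or 'unknown' based on the leading bytes of a file."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def find_disguised_pe(directory: str, image_exts=(".png", ".jpg", ".jpeg", ".gif")):
    """Return sorted paths under `directory` whose extension is an image type
    but whose header is a PE, i.e. a DLL/EXE masquerading as an image."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if os.path.splitext(name)[1].lower() not in image_exts:
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)  # 8 bytes cover both signatures
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if classify_header(head) == "pe":
                hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Build a constructed temp tree (one real PNG header, one PE header saved
    as .png, one PE with a non-image name) and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "logo.png"), "wb") as fh:
            fh.write(PNG_MAGIC + b"\x00" * 16)          # genuine image header
        with open(os.path.join(tmp, "upload_1.png"), "wb") as fh:
            fh.write(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)  # PE under .png
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(PE_MAGIC)                           # not an image name
        return [os.path.basename(p) for p in find_disguised_pe(tmp)]
```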
By exploiting this flaw, threat actors can execute code remotely on the FCEB agency's Microsoft IIS (Internet Information Services) web server. Further investigation revealed that the server hosted a vulnerable instance of Progress Telerik UI for ASP.NET AJAX, an app development library.
CISA did not name the attacker who infiltrated the IIS server, but stated that a cybercrime gang identified as XE Group, based in Vietnam, also exploited the same machine. The earliest activity from this group was noticed in August 2021, when the hackers delivered DLL files that collected system data and deployed new components on the compromised system.
The vulnerability is tracked as CVE-2019-18935, has a CVSS score of 9.8, and is exploited for remote code execution. The issue is a .NET deserialization vulnerability that remains dangerous for any company running Telerik software if left unpatched. The flaw had previously been flagged, in 2020 and 2021, among other commonly exploited vulnerabilities.
Moreover, in conjunction with another vulnerability tracked as CVE-2017-11317, this flaw was weaponized by the Praying Mantis threat actor to breach the networks of private and public organizations in the US.
CVE-2019-18935 is also tied to another vulnerability tracked as CVE-2017-11357. This is an older flaw in Telerik software, and exploiting it can allow an attacker to obtain the encryption keys that facilitate exploitation of CVE-2019-18935.
In 2020, the NSA named CVE-2019-18935 as one of the flaws most commonly exploited by Chinese state-backed actors. In April 2022, cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand included it in their lists of commonly exploited security flaws.