US agencies warn of hackers exploiting Progress Telerik vulnerability in government IIS web server

U.S. agencies issued a cybersecurity advisory (CSA) on Wednesday warning that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX. Exploitation of the vulnerability allowed the attackers to execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said that from last November through early January this year, the hackers exploited the vulnerability to execute remote code on the vulnerable web server, gaining interactive access to it. “Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method,” they added.

Apart from CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX also contains the CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248 vulnerabilities, according to the advisory. Analysis suggests that the threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.

The advisory noted that Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of the Telerik RadAsyncUpload encryption keys. “Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317,” it added.

The advisory observed that multiple threat actors, including an APT actor referred to as Threat Actor 1 (TA1) and the known cybercriminal group XE Group, referred to as Threat Actor 2 (TA2), conducted reconnaissance and scanning activity that correlates with the exploitation of CVE-2019-18935 on the agency’s IIS server running Telerik UI for ASP.NET AJAX.

The agencies confirmed that some of the malicious files dropped on the IIS server follow a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935: the files are named in Unix epoch time format, using the date and time as recorded on the target system. The names of some of the PNG files were also misleading.

“In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files from the C:\Windows\Temp\ directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process,” the advisory stated.

“CISA and authoring organizations observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files,” it added. “Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.”

The agencies observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022, the advisory revealed. “The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:\Windows\Temp\ directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process,” it added.

The advisory added that at least nine DLL files were used for discovery, C2, and defense evasion. All of the analyzed samples collect network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address, machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server.

It also disclosed that the analyzed samples send this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these addresses uses a non-application-layer protocol: Transmission Control Protocol (TCP) in clear text (i.e., unencrypted) over port 443, the port normally reserved for TLS-protected HTTPS.
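One detection angle for the traffic described above is to check whether a port-443 flow actually begins with a TLS handshake. The following Python is an added example, not code from the advisory or this article; the flow records are constructed inline, and the function names are this example's own.

```python
# Added example (not the advisory's code): separate port-443 flows that begin
# with a TLS ClientHello from ones that carry clear text, as the C2 traffic
# described above does. Flow records below are constructed for illustration.

def looks_like_tls_client_hello(head: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03xx, then handshake type 0x01."""
    return (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x04 and head[5] == 0x01)

def cleartext_443_flows(flows: list) -> list:
    """Return (src, dst) pairs for port-443 flows whose first bytes are not TLS."""
    return [(src, dst) for src, dst, dport, head in flows
            if dport == 443 and not looks_like_tls_client_hello(head)]

# Constructed flows: (src, dst, dst port, first bytes sent by the client).
# 137.184.130.162 is one of the C2 addresses named in the advisory; the
# payload text is invented to mirror the enumeration data the samples collect.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00, 0x00, 0xC1, 0x03, 0x03])
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, TLS_HELLO),
    ("10.0.0.5", "137.184.130.162", 443, b"HOST=WEB01;DOMAIN=corp;DNS=10.0.0.2;"),
    ("10.0.0.5", "203.0.113.20", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst in cleartext_443_flows(FLOWS):
        print(f"clear-text traffic on tcp/443: {src} -> {dst}")
```

The check only needs the first few client bytes of each flow, so it can run over NetFlow-style records that retain a payload sample or over a full packet capture.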

Analysis also identified that some of the analyzed samples can load additional libraries; enumerate the system, processes, files, and directories; and write files. Other samples can delete files ending with the .dll extension in the C:\Windows\Temp\ directory on the server, a capability TA1 may use to hide additional malicious activity on the network.

Turning to TA2, the XE Group, the advisory identified that as early as August 2021 the agencies observed TA2 delivering malicious PNG files that masqueraded as DLL files to avoid detection. Like TA1, TA2 exploited CVE-2019-18935 and uploaded at least three unique DLL files into the C:\Windows\Temp\ directory, which it executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.
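The two file-level indicators described above, epoch-timestamp filenames in the Temp directory and PNG-named files that are not PNG images, can be checked together. The following Python is an added example, not code from the advisory or this article; the directory listing and reference time are constructed inline, and `classify` and `scan` are this example's own names.

```python
# Added example (not the advisory's code): flag Temp files matching the patterns
# described above: epoch-timestamp names and .png names that are not PNG images.
import re
from datetime import datetime, timezone

EPOCH_NAME = re.compile(r"^(\d{10})(?:\.\d+)?$")  # e.g. 1673000000.1234567
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                   # first 8 bytes of a PNG
MZ_MAGIC = b"MZ"                                   # first 2 bytes of a PE (DLL/EXE)
EARLIEST = datetime(2019, 1, 1, tzinfo=timezone.utc).timestamp()

def epoch_name_is_plausible(stem: str, now: datetime) -> bool:
    """True if the file stem is a Unix epoch time between 2019 and `now`."""
    m = EPOCH_NAME.match(stem)
    return bool(m) and EARLIEST <= int(m.group(1)) <= now.timestamp()

def classify(name: str, head: bytes, now: datetime) -> list:
    """Reasons a Temp file resembles the dropped artifacts; empty if none."""
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    reasons = []
    if ext in ("dll", "png") and epoch_name_is_plausible(stem, now):
        reasons.append("epoch-timestamp filename")
    if ext == "png" and not head.startswith(PNG_MAGIC):
        reasons.append("png extension without PNG header")
    if ext == "png" and head.startswith(MZ_MAGIC):
        reasons.append("png extension on a PE image")
    return reasons

def scan(entries: list, now: datetime) -> dict:
    """Map each flagged filename to its reasons (entries are (name, first bytes))."""
    return {n: r for n, h in entries if (r := classify(n, h, now))}

# Constructed directory listing (name, first bytes) and reference time.
NOW = datetime(2023, 3, 16, tzinfo=timezone.utc)
SAMPLE = [
    ("1673000000.1234567.dll", b"MZ\x90\x00"),        # epoch-named DLL
    ("1673000500.png", b"MZ\x90\x00"),                # PE image named as a PNG
    ("logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),  # genuine PNG
    ("helper.dll", b"MZ\x90\x00"),                    # ordinary DLL name
    ("9999999999.dll", b"MZ\x90\x00"),                # epoch in the future: not flagged
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE, NOW).items():
        print(name, "->", "; ".join(reasons))
```

A real run would build the entries from a directory walk of C:\Windows\Temp, reading the first eight bytes of each file; the same check applies to any other writable path the IIS worker process can reach.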

When the TA2 malware is executed, a DLL file drops an executable (XEReverseShell[dot]exe) that attempts to retrieve a C2 IP address and port number from xework[dot]com or xegroups[dot]com. According to the advisory, if no port or IP address is found, the program exits; if both are found, it establishes a listener and waits for further commands.

The advisory called on organizations to implement a patch management solution to ensure compliance with the latest security patches. It also recommends validating the output of patch management and vulnerability scanning against the services actually running, so that discrepancies such as software installed outside the scanner’s usual paths are caught and every service is accounted for. Lastly, organizations should limit service accounts to the minimum permissions necessary to run their services.
