CISA, FBI, MS-ISAC warn of hackers exploiting Progress Telerik vulnerability in US government IIS web server

On Thursday, U.S. agencies updated a March 2023 cybersecurity advisory warning of hackers exploiting a Progress Telerik vulnerability in a government IIS web server. The update adds technical details on APT actors identified during analysis at an additional federal agency, where a different known vulnerability (CVE-2017-9248) in Telerik user interface (UI) for ASP[dot]NET was exploited. It also adds a timeline of the hackers' activity, new tactics, techniques, and procedures (TTPs) identified in the new analysis, and a malware analysis report.

“Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a [dot]NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP[dot]NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) wrote in their Thursday advisory. “Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP[dot]NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.”

The notice comes amid reports that ‘several’ U.S. federal agencies have been affected in a global cyberattack in which Clop hackers have likely exploited a vulnerability in Progress’ MOVEit software, according to reliable sources.

According to the public description of CVE-2019-18935, Progress Telerik UI for ASP[dot]NET AJAX through 2019.3.1023 contains a [dot]NET deserialization vulnerability in the ‘RadAsyncUpload’ function. It is exploitable only when the RadAsyncUpload encryption keys are known, whether through the presence of CVE-2017-11317 or CVE-2017-11357 or by other means. Exploitation can result in remote code execution.

The agencies also assess that, beginning as early as November 2022, threat actors exploited the [dot]NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP[dot]NET AJAX Q2 2013 SP1 (version 2013.2.717) running on a federal civilian executive branch (FCEB) agency’s Microsoft IIS server. “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” they added.

Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability because the Telerik UI software was installed in a file path the scanner does not typically check. This is likely true of many software installations, since install paths vary widely with the organization and the installation method; a scanner that only looks in default locations will report a clean result for a vulnerable host.
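The scanner blind spot described above is a reason to inventory Telerik builds directly rather than trusting a single plugin. The Python below is an added example written for this page, not code from the advisory, CISA, or Progress. It parses Telerik version strings, compares them against the R1 2020 (2020.1.114) fix boundary the advisory quotes for CVE-2019-18935, pulls Telerik.Web.UI assembly references out of a web.config, and walks any directory roots you hand it (including non-standard ones) for Telerik.Web.UI.dll. The web.config fragment and the C:\inetpub path are constructed for illustration; the only version boundary encoded is the one the page gives, since it does not state fix versions for the 2017 CVEs.

```python
import re
from pathlib import Path

# Per Progress, as quoted in the advisory: Telerik UI for ASP.NET AJAX builds
# before R1 2020 (2020.1.114) are vulnerable to CVE-2019-18935.
CVE_2019_18935_FIXED = (2020, 1, 114)

# Telerik versions are YEAR.RELEASE.BUILD (e.g. 2013.2.717). Assembly versions
# in web.config carry a fourth field (e.g. 2013.2.717.45) that we ignore.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d)\.(\d{3,4})\b")
_ASSEMBLY_REF_RE = re.compile(
    r"Telerik\.Web\.UI,\s*Version=(\d{4}\.\d\.\d{3,4}(?:\.\d+)?)")


def parse_telerik_version(text):
    """Return (year, release, build) parsed from a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_cve_2019_18935(version):
    """True for any build older than the R1 2020 fix (tuple comparison)."""
    return tuple(version) < CVE_2019_18935_FIXED


def telerik_refs_in_web_config(config_text):
    """Versions of Telerik.Web.UI referenced by assembly binding in a web.config."""
    return [parse_telerik_version(v) for v in _ASSEMBLY_REF_RE.findall(config_text)]


def audit_web_config(config_text):
    """One finding per Telerik.Web.UI reference, flagged against CVE-2019-18935."""
    return [{"version": ".".join(map(str, v)),
             "cve_2019_18935": is_vulnerable_cve_2019_18935(v)}
            for v in telerik_refs_in_web_config(config_text)]


def find_telerik_dlls(roots):
    """Walk every root (IIS site/application physical paths plus any
    non-standard location a scanner would not cover) for Telerik.Web.UI.dll,
    matching the file name case-insensitively. Missing roots are skipped."""
    hits = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.name.lower() == "telerik.web.ui.dll":
                hits.append(p)
    return hits


# Constructed web.config fragment (not from the advisory) referencing the
# same pre-R1-2020 build the advisory names, 2013.2.717.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5">
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2013.2.717.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />
      </assemblies>
    </compilation>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for f in audit_web_config(SAMPLE_WEB_CONFIG):
        status = "VULNERABLE to CVE-2019-18935" if f["cve_2019_18935"] else "fixed build"
        print(f"Telerik.Web.UI {f['version']}: {status}")
    # Assumed root for illustration; on a real host pass every IIS site and
    # application physical path, plus any backup or share locations.
    for dll in find_telerik_dlls([r"C:\inetpub\wwwroot"]):
        print("found", dll)
```

On the IIS host itself the roots would come from the physical path of every site and application (for example the output of `Get-Website` in the WebAdministration module), not only the default `wwwroot`. The web.config check catches the assembly binding, but a Telerik.Web.UI.dll dropped straight into a `bin` folder without a config reference is only found by the filesystem walk, which is why both are included.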

In addition to CVE-2019-18935, “this version (2013.2.717) of Telerik UI for ASP[dot]NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248,” the advisory disclosed. “Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.”

Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of the Telerik RadAsyncUpload encryption keys. “Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317,” the U.S. advisory added.

The advisory said that the agencies observed multiple cyber threat actors conducting reconnaissance and scanning activity that correlates with the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP[dot]NET AJAX: an APT actor, referred to as Threat Actor 1 (TA1), and the known cybercriminal actor XE Group, referred to as Threat Actor 2 (TA2).

When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masquerading as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory, the advisory revealed. “The malicious files were then executed from the C:\Windows\Temp\ directory via the w3wp[dot]exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created and detected as early as August 2021.”
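The behaviour in the paragraph above (w3wp.exe writing and then loading DLLs, some named .png, out of C:\Windows\Temp) is narrow enough to turn into a hunt rule. The Python below is an added example for this page, not a detection published in the advisory: it runs that logic over Sysmon-style events (EventID 7 image loads and EventID 11 file creates, in newline-delimited JSON) and adds a content check for a .png-named file that actually starts with a PE ‘MZ’ header. The sample events, file names and the msiexec entry are constructed; the Sysmon field names (Image, ImageLoaded, TargetFilename) are the standard ones.

```python
import json
import ntpath

W3WP = "w3wp.exe"                     # IIS worker process
WINDOWS_TEMP = "c:\\windows\\temp\\"  # compared case-insensitively
SUSPECT_EXT = {".dll", ".png"}        # the two masks the advisory describes


def _is_w3wp(image):
    return ntpath.basename(image).lower() == W3WP


def _under_windows_temp(path):
    return path.lower().startswith(WINDOWS_TEMP)


def classify_event(ev):
    """Return a finding string for one Sysmon-style event dict, or None.
    EventID 7 = image loaded, EventID 11 = file created."""
    if not _is_w3wp(ev.get("Image", "")):
        return None
    eid = ev.get("EventID")
    if eid == 7 and _under_windows_temp(ev.get("ImageLoaded", "")):
        return f"w3wp.exe loaded a module from C:\\Windows\\Temp: {ev['ImageLoaded']}"
    if eid == 11:
        target = ev.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if _under_windows_temp(target) and ext in SUSPECT_EXT:
            return f"w3wp.exe wrote a {ext} file to C:\\Windows\\Temp: {target}"
    return None


def scan_events(jsonl_text):
    """Apply classify_event to each JSON line; return the list of findings."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        hit = classify_event(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


def is_pe_masquerading_as_png(name, head):
    """True when a .png-named file begins with the DOS/PE 'MZ' signature
    instead of the PNG signature. Pass the first few bytes of the file."""
    return name.lower().endswith(".png") and head[:2] == b"MZ"


# Constructed events (not from the advisory). The third line is the normal
# case: w3wp.exe loading a compiled page assembly from Temporary ASP.NET Files,
# which the rule deliberately does not flag. Backslashes are JSON-escaped.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ImageLoaded": "C:\\Windows\\Temp\\xferdata.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ImageLoaded": "C:\\Windows\\Temp\\banner.png"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\a1b2c3d4\\App_Web_x.dll"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Windows\\Temp\\banner.png"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\Temp\\setup.dll"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Windows\\Temp\\ASPNETSetup.log"}
'''

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
    # Constructed header bytes: a PE dropped under a .png name, and a real PNG.
    print(is_pe_masquerading_as_png("C:\\Windows\\Temp\\banner.png", b"MZ\x90\x00\x03\x00"))
    print(is_pe_masquerading_as_png("C:\\Windows\\Temp\\logo.png", b"\x89PNG\r\n\x1a\n"))
```

The rule keys on C:\Windows\Temp specifically because w3wp.exe loading assemblies from the framework’s Temporary ASP.NET Files directory is routine and would otherwise drown the signal. Because the advisory notes antivirus detections dating back to August 2021, the same logic is worth running retrospectively over whatever image-load and file-create history the organization has retained, not only as a live alert.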

CISA and the co-authoring agencies confirmed that some of the malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.

CISA, FBI, and MS-ISAC recommend that organizations use a centralized log collection and monitoring capability, and implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and help identify the full scope of an incident; in this case, antivirus detections dating back to August 2021 were only useful because the logs still existed.

The agencies note that centralized log collection and monitoring allows for the discovery of webshell and other exploit activity, and that access- and security-focused firewall logs can be collected and stored for use in both detection and forensic analysis.

The advisory called on organizations to upgrade all instances of Telerik UI for ASP[dot]NET AJAX to the latest version after appropriate testing; prioritize remediation of vulnerabilities on internet-facing systems; implement a patch management solution; ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations; and validate the output of patch management and vulnerability scanning solutions against running services to check for discrepancies and account for every service.

Additionally, organizations should implement network segmentation that separates segments based on role and functionality, isolate similar systems, and implement micro-segmentation with granular access and policy restrictions, in order to modernize cybersecurity and adopt zero trust principles for both the network perimeter and internal devices. The agencies also suggest limiting service accounts to the minimum permissions necessary to run their services.

CISA also published an alert Thursday that Progress Software has released a security advisory for a privilege escalation vulnerability in its managed file transfer software MOVEit Transfer. “A cyber threat actor could exploit this vulnerability to take control of an affected system,” the agency said. The Progress advisory states that the vulnerability could lead to escalated privileges and potential unauthorized access to the environment.

Earlier this week, global cybersecurity agencies released a joint cybersecurity advisory (CSA) to help organizations understand and defend against threats from hackers using LockBit, a prolific and globally used Ransomware-as-a-Service (RaaS), in 2022 and 2023. The document outlined how the RaaS model enabled affiliates to conduct ransomware attacks using LockBit’s tools and infrastructure.
