US federal agency hacked using old Telerik bug to steal data

Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component.

According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.

At least two threat actors (one of them the Vietnamese XE Group) accessed the unpatched server by exploiting this bug (CVE-2019-18935) to gain remote code execution.

After hacking into the unnamed federal civilian executive branch (FCEB) agency's server, they deployed malicious payloads in the C:\Windows\Temp\ folder to collect and exfiltrate information to attacker-controlled command and control servers.

The malware installed on the compromised IIS server could deploy additional payloads, evading detection by deleting its traces on the system, and opening reverse shells to maintain persistence.

It could also be used to drop an ASPX web shell that provides an interface for browsing the local system, downloading and uploading files, and executing remote commands.

However, as detailed in the advisory, "no webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions."

More information on the malware installed on the hacked Microsoft IIS servers can be found in this malware analysis report also published today by CISA.

The CVE-2019-18935 Telerik UI vulnerability was also included in the NSA's top 25 security bugs abused by Chinese hackers and the FBI's list of top targeted vulnerabilities.

Microsoft IIS server left exposed to attacks

CISA added the CVE-2019-18935 Progress Telerik UI security vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in November 2021.

According to the binding operational directive (BOD 22-01) issued in November 2021, which requires federal agencies to CISA's KEV list to apply recommended actions, it should have been patched until May 3, 2022.

However, based on the IOCs linked to this breach, the U.S. federal agency failed to secure its Microsoft IIS server until the due date was reached.

CISA, the FBI, and MS-ISAC advise applying multiple mitigation measures to protect against other attacks targeting this vulnerability, with some of the highlights including:

• Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing.
• Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell.
• Limit service accounts to the minimum permissions necessary to run services.
• Prioritize remediation of vulnerabilities on internet-facing systems.
• Implement a patch management solution to ensure compliance with the latest security patches.
• Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.
• Implement network segmentation to separate network segments based on role and functionality.

"In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory," the three organizations also recommended.

"CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory."