US Federal Agency Compromised by Old Telerik Vulnerabilities
Category: Threat Actor Activity | Industry: Government | Level: Tactical | Source: CISA
An investigation by the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified a breach of a federal civilian executive branch (FCEB) agency between November 2022 and early January 2023. Multiple threat actors were involved in the breach, exploiting several Progress Telerik UI vulnerabilities, including CVE-2019-18935, CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. CVE-2019-18935, a .NET deserialization vulnerability, was determined to have been exploited by at least two threat actors to achieve remote code execution. Once the threat actors obtained access to the unpatched server, they dropped payloads in the Windows TEMP folder to facilitate data collection and exfiltration. Although webshells are a common intrusion tool, the US agencies did not observe the threat actors deploying them, stating that "no webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions."
Anvilogic Use Cases:
- AVL_UC13612 - Abuse of Native Processes Leads to Actions on Objectives
- AVL_UC1056 - Potential Web Shell
- AVL_UC6108 - IIS Worker (W3WP) Spawn Command Line
- AVL_UC9019 - Network Connection with Suspicious Folder
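As an added illustration (not code from CISA or Anvilogic), the following Python runs two of the detections described above over constructed process-creation events: an IIS worker process (w3wp.exe) spawning a command interpreter, and an executable launched from the Windows TEMP folder, the behaviour the advisory attributes to the post-exploitation payloads. The event field names and the sample events are assumptions and do not follow any particular telemetry schema.

```python
import re
from typing import Iterable

# Constructed sample events (not real telemetry). Each record is one process
# creation: the parent image, the new image and its command line.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Temp\1234.exe", "cmdline": r"C:\Windows\Temp\1234.exe"},
    {"host": "web01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "web01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Command interpreters an IIS worker process has no legitimate reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Executables started from the Windows TEMP folder (any drive letter).
TEMP_RE = re.compile(r"^[a-z]:\\windows\\temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the detection labels that fire for one event (empty if benign)."""
    labels = []
    if basename(event["parent"]) == "w3wp.exe" and basename(event["image"]) in SHELLS:
        labels.append("iis_worker_spawned_shell")
    if TEMP_RE.match(event["image"]):
        labels.append("execution_from_windows_temp")
    return labels


def detect(events: Iterable[dict]) -> list[tuple[str, str, list[str]]]:
    """Run classify over an event stream; return (host, image, labels) for hits only."""
    hits = []
    for ev in events:
        labels = classify(ev)
        if labels:
            hits.append((ev["host"], ev["image"], labels))
    return hits


if __name__ == "__main__":
    for host, image, labels in detect(SAMPLE_EVENTS):
        print(host, image, ", ".join(labels))
```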