Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency

Cyberspies and cybercriminals exploited a Telerik vulnerability tracked as CVE-2019-18935 on a government agency’s IIS server.

Advanced persistent threat (APT) actors and financially motivated cybercriminals have been spotted exploiting an old Telerik vulnerability as part of an attack that impacted a US government agency, according to a joint alert released on Wednesday by CISA, the FBI, and MS-ISAC.

An investigation revealed that a Microsoft Internet Information Services (IIS) web server belonging to a federal civilian executive branch (FCEB) agency hosted a vulnerable instance of the Telerik UI for ASP.NET AJAX application development library.

Progress Software’s Telerik application development solutions are used by major companies around the world, making vulnerabilities in these products highly valuable to threat actors.

According to CISA, an investigation conducted between November 2022 and January 2023 showed that threat actors exploited the Telerik vulnerability tracked as CVE-2019-18935 for remote code execution. 

The impacted agency had been using a vulnerability scanner that should have detected the component vulnerable to CVE-2019-18935, but it failed to do so because the software was installed in a path the scanner did not check.
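One way to close the detection gap described above, as an added example that is not part of the article or the CISA alert: a Python sweep that walks whole drives rather than a fixed set of web roots, locates every Telerik UI for ASP.NET AJAX instance (the DLL itself or a web.config that binds to it) and flags builds below an assumed fixed version. The version threshold, the sample directory layout and the stand-in DLL bytes are assumptions constructed for the demo, not values from the page.

```python
import os
import re
import tempfile
from pathlib import Path

# ASSUMPTION: first build treated here as carrying the CVE-2019-18935 fix; confirm
# the exact build against the vendor advisory before acting on results.
FIXED_VERSION = (2020, 1, 114, 0)
# Telerik builds are numbered YYYY.R.MMDD.NN, e.g. 2019.3.1023.45.
VER_RE = re.compile(r"(?<![0-9])(20[0-9]{2})\.([0-9])\.([0-9]{3,4})\.([0-9]{1,4})(?![0-9])")

def versions_in_bytes(raw: bytes) -> set:
    """Versions found as ASCII (web.config) or UTF-16-LE at either byte alignment (DLL resource)."""
    texts = (raw.decode("latin-1"), raw.decode("utf-16-le", errors="ignore"),
             raw[1:].decode("utf-16-le", errors="ignore"))
    return {tuple(int(g) for g in m.groups()) for t in texts for m in VER_RE.finditer(t)}

def scan(roots) -> list:
    """Walk every root (all fixed drives, not only inetpub) and classify each Telerik hit."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower() not in ("telerik.web.ui.dll", "web.config"):
                    continue
                raw = Path(dirpath, name).read_bytes()
                if name.lower() == "web.config" and b"Telerik.Web.UI" not in raw:
                    continue
                vers = versions_in_bytes(raw)
                status = ("unknown" if not vers else   # present but unversioned: check by hand
                          "vulnerable" if any(v < FIXED_VERSION for v in vers) else "patched")
                findings.append({"path": str(Path(dirpath, name)), "status": status})
    return findings

def run_demo() -> dict:
    """Constructed host: a DLL under the web root, one under a vendor path that a
    path-limited scanner would skip, and an app that only binds Telerik in web.config."""
    # Stand-in PE: pad 30 puts the UTF-16 FileVersion at an even offset, 31 at an odd one.
    fake_dll = lambda ver, pad: b"MZ" + b"\x90" * pad + ver.encode("utf-16-le") + b"\x00\x00"
    base = Path(tempfile.mkdtemp())
    samples = {
        "inetpub/wwwroot/portal/bin/Telerik.Web.UI.dll": fake_dll("2019.3.1023.45", 30),
        "Program Files/VendorApp/web/bin/telerik.web.ui.dll": fake_dll("2013.2.717.40", 31),
        "inetpub/wwwroot/intranet/web.config": b'<add assembly="Telerik.Web.UI, '
                                               b'Version=2020.1.114.45, Culture=neutral" />',
    }
    for rel, data in samples.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return {Path(f["path"]).relative_to(base).as_posix(): f["status"] for f in scan([base])}
```

On a real host, pass the drive roots (for example `scan(["C:\\", "D:\\"])`) and treat every "unknown" entry as a manual follow-up rather than a clean result.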

It’s believed that CVE-2019-18935 was chained with one of two even older Telerik vulnerabilities tracked as CVE-2017-11357 and CVE-2017-11317. Exploitation of CVE-2017-11357 or CVE-2017-11317 can be used to obtain encryption keys that are needed to exploit CVE-2019-18935.

CISA has not named the APT actor whose presence was detected on the government agency’s IIS server, but it did reveal that exploitation by a cybercrime gang known as XE Group was also observed on the same machine. In both cases, the flaw was leveraged to deliver DLL files that allowed the attackers to perform various activities. 

In the case of the APT, the group apparently exploited the security hole starting in August 2022. The malware they delivered was capable of collecting system information, writing files, and helping the attackers cover their tracks. 


As for XE Group, the earliest activity on the server was traced to August 2021. The hackers delivered DLL files that enabled them to collect system information and deploy additional components on the compromised system.

XE Group is a cybercrime gang that is believed to be operating out of Vietnam. The group has been around since at least 2013 and it has been known to target websites hosted on IIS servers in payment card skimming attacks. 

The hackers have been known to exploit the Telerik UI vulnerability tracked as CVE-2017-9248.

CVE-2019-18935 has been in CISA’s known exploited vulnerabilities catalog since November 2021, when the catalog was launched. One of the 2017 CVEs was added to the catalog in April 2022 and the other in January 2023. 

In 2020, the NSA listed CVE-2019-18935 as one of the most commonly exploited vulnerabilities by Chinese state-sponsored hackers.

In April 2022, cybersecurity agencies in the US, Canada, UK, Australia and New Zealand included CVE-2019-18935 in a list of commonly exploited security holes. Ransomware groups have also been known to target the flaw in their operations. 

The government alert published on Wednesday includes technical details, indicators of compromise (IoCs) and recommendations on how companies can prevent hackers from exploiting these vulnerabilities. 

Related: Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
