Advanced persistent threat (APT) actors and financially motivated cybercriminals have been spotted exploiting an old Telerik vulnerability as part of an attack that impacted a US government agency, according to a joint alert released on Wednesday by CISA, the FBI, and MS-ISAC.
An investigation revealed that a Microsoft Internet Information Services (IIS) web server belonging to a federal civilian executive branch (FCEB) agency hosted a vulnerable instance of the Telerik UI for ASP.NET AJAX application development library.
Progress Software’s Telerik application development solutions are used by major companies around the world, making vulnerabilities in these products highly valuable to threat actors.
According to CISA, an investigation conducted between November 2022 and January 2023 showed that threat actors exploited the Telerik vulnerability tracked as CVE-2019-18935 for remote code execution.
The impacted agency had been using a vulnerability scanner that should have detected the presence of a component vulnerable to CVE-2019-18935, but it failed to do so due to the software being installed in a path not checked by the scanner.
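The scanner gap described above (a vulnerable DLL sitting in a directory the scanner was not configured to inspect) is easy to close by enumerating from the web server's own configuration rather than from a fixed path list. The following PowerShell is an added example, not code from the CISA alert, the agency or Progress; it walks every IIS site, application and virtual directory on the host, finds each copy of Telerik.Web.UI.dll, and flags file versions older than the R1 2020 release. The version cutoff of 2020.1.114 is an assumption to be confirmed against the vendor advisory, and the script assumes the WebAdministration module is available on the IIS host.

```powershell
# Added example (not from the CISA alert or the article): inventory every
# Telerik.Web.UI.dll reachable from the physical paths IIS actually serves,
# so a copy living outside the directories a scanner checks is still found.
Import-Module WebAdministration -ErrorAction Stop

# Assumption: file versions below 2020.1.114 (R1 2020) are treated as
# affected by CVE-2019-18935. Confirm the cutoff against the vendor advisory.
$FixedVersion = [version]'2020.1.114'

# Collect the physical paths of all sites, applications and virtual directories.
$roots = @()
foreach ($site in Get-Website) {
    $roots += $site.physicalPath
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $roots += $app.PhysicalPath
    }
    foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
        $roots += $vdir.physicalPath
    }
}

# IIS stores paths with environment variables (e.g. %SystemDrive%), so expand
# them, drop anything that does not exist, and de-duplicate.
$roots = $roots |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

# Search each root recursively for the Telerik assembly and record its version.
$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            $parsed = [version]::TryParse($raw, [ref]$ver)
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = if ($parsed) { $ver } else { $raw }
                Vulnerable = if ($parsed) { $ver -lt $FixedVersion } else { 'unknown' }
                ServedFrom = $root
            }
        }
}

# One row per DLL; anything marked Vulnerable needs patching, and every Path
# should be added to the scanner's include list so the gap does not recur.
$findings | Sort-Object Path -Unique | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS host. The ServedFrom column is the useful part for the problem in the article: comparing it against the directories the vulnerability scanner is configured to cover shows exactly which web roots the scanner was blind to.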
It’s believed that CVE-2019-18935 was chained with one of two even older Telerik vulnerabilities tracked as CVE-2017-11357 and CVE-2017-11317. Exploitation of CVE-2017-11357 or CVE-2017-11317 can be used to obtain encryption keys that are needed to exploit CVE-2019-18935.
CISA has not named the APT actor whose presence was detected on the government agency’s IIS server, but it did reveal that exploitation by a cybercrime gang known as XE Group was also observed on the same machine. In both cases, the flaw was leveraged to deliver DLL files that allowed the attackers to perform various activities.
In the case of the APT, the group apparently exploited the security hole starting in August 2022. The malware they delivered was capable of collecting system information, writing files, and helping the attackers cover their tracks.
As for XE Group, the earliest activity on the server was traced to August 2021. The hackers delivered DLL files that enabled them to collect system information and deploy additional components on the compromised system.
XE Group is a cybercrime gang that is believed to be operating out of Vietnam. The group has been around since at least 2013 and it has been known to target websites hosted on IIS servers in payment card skimming attacks.
The hackers have been known to exploit the Telerik UI vulnerability tracked as CVE-2017-9248.
CVE-2019-18935 has been in CISA’s known exploited vulnerabilities catalog since November 2021, when the catalog was launched. One of the 2017 CVEs was added to the catalog in April 2022 and the other in January 2023.
In 2020, the NSA listed CVE-2019-18935 as one of the most commonly exploited vulnerabilities by Chinese state-sponsored hackers.
In April 2022, cybersecurity agencies in the US, Canada, UK, Australia and New Zealand included CVE-2019-18935 in a list of commonly exploited security holes. Ransomware groups have also been known to target the flaw in their operations.
The government alert published on Wednesday includes technical details, indicators of compromise (IoCs) and recommendations on how companies can prevent hackers from exploiting these vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.