Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server - 20230316004
Overview
Multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX.
Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.
Actors were then able to upload malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory.
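A defender can sweep a directory for the masquerading pattern described above by comparing file extensions against file headers. The following is an added example, not code from the advisory: the function names are illustrative and the sample files are constructed in a temporary directory. On an affected host, point `find_masquerading` at C:\Windows\Temp\ instead.

```python
import os
import struct
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL

def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None, based on the PE headers in data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def find_masquerading(root, exts=(".png",)):
    """List (path, kind) for files under root with an image extension but PE content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # PE header normally sits well inside 4 KiB
            except OSError:
                continue  # locked or unreadable file; skip
            kind = pe_kind(head)
            if kind:
                hits.append((path, kind))
    return sorted(hits)

def build_sample_dir():
    """Constructed sample data: one real PNG header, one minimal DLL header named .png."""
    root = tempfile.mkdtemp()
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0002)
    samples = {"logo.png": PNG_MAGIC + b"\0" * 64, "sample.png": dos + b"PE\0\0" + coff}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, kind in find_masquerading(build_sample_dir()):
        print(f"{path}: PE {kind} with image extension")
```

A hit means only that the extension and the content disagree; each flagged file still needs triage against known-good software before it is treated as malicious.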
What is the vulnerability?
CVE-2019-18935 - CVSS v3 Base Score: 9.8
What is vulnerable?
Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.
What has been observed?
CISA has listed this vulnerability in its Known Exploited Vulnerabilities catalog.
Observed IPs and Timestamps, Resolving Domains and Identified Malicious Files can also be found in this advisory.
Recommendation
- Implement a patch management solution to ensure compliance with the latest security patches.
- Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
- Limit service accounts to the minimum permissions necessary to run services.