Multiple threat actors – one working on behalf of a nation-state – gained access to a US federal agency’s network by exploiting a four-year-old vulnerability that remained unpatched, the US government has warned.
Exploitation by one group likely began in August 2021, and by the other last August, according to an advisory released jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The server showed signs of compromise from last November to early January.
The vulnerability went undetected for 4 years
Both groups exploited a code execution vulnerability, tracked as CVE-2019-18935, in a developer tool known as Telerik User Interface (UI) for ASP.NET AJAX, which resided on the agency’s Microsoft Internet Information Services (IIS) web server. The advisory did not identify the agency other than to say it was a Federal Civilian Executive Branch (FCEB) agency under CISA’s authority.
Telerik UI for ASP.NET AJAX is sold by a company called Progress, which is based in Burlington, Massachusetts and Rotterdam, Netherlands. The tool brings together more than 100 user interface elements that developers can use to reduce the time it takes to build custom web applications. In late 2019, Progress released version 2020.1.114, which fixes CVE-2019-18935, an insecure deserialization vulnerability that allowed remote code execution on vulnerable servers. The vulnerability had a severity score of 9.8 out of a possible 10. In 2020, the NSA warned that the vulnerability was being exploited by Chinese government hackers.
“This exploit, which results in interactive access with the web server, allowed threat actors to successfully execute remote code on the vulnerable web server,” Thursday’s advisory explained. “Although the company’s vulnerability scanner had the appropriate plug-in for CVE-2019-18935, it failed to detect the vulnerability due to Telerik’s user interface software being installed in a file path that it does not normally scan. This can be the case for many software installations, as file paths vary widely depending on the organization and installation method.”
More unpatched vulnerabilities
To successfully exploit CVE-2019-18935, hackers must first know the encryption keys used with a component known as Telerik RadAsyncUpload. Federal investigators suspect that threat actors exploited one of two vulnerabilities discovered in 2017 that also remained unpatched on the agency’s server.
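The advisory’s point about the scanner is that it only looked in the paths it expected. The following script is an added example, not code from the article, the advisory or Progress: it walks an entire directory tree for any copy of Telerik.Web.UI.dll, pulls the FileVersion string out of each DLL’s PE version resource with a plain byte scan, compares it against the fixed build 2020.1.114 named above, and checks a web.config for the RadAsyncUpload key settings the previous paragraph refers to. The appSettings key names are assumed from Telerik’s documentation and should be verified against the vendor’s docs for your release; the DLL files and web.config used in the demo are constructed stand-ins.

```python
"""Locate every Telerik UI for ASP.NET AJAX install under a root, not only the
default IIS paths, and report builds older than the 2020.1.114 fix (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2020, 1, 114)          # build that fixes CVE-2019-18935 (from the article)
TARGET_DLL = "telerik.web.ui.dll"
# "FileVersion" as it is stored (UTF-16LE) inside a PE VS_VERSIONINFO resource.
FILE_VERSION_KEY = "FileVersion".encode("utf-16-le")
# Assumption: RadAsyncUpload key names as documented by Telerik; verify for your release.
REQUIRED_APPSETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2019.3.1023.45' -> (2019, 3, 1023); the 4th component is the .NET target."""
    major, minor, build = text.strip().split(".")[:3]
    return int(major), int(minor), int(build)


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def read_file_version(path: str) -> Optional[str]:
    """Heuristic, dependency-free read of the FileVersion string from a PE file:
    find the UTF-16 key, skip its terminator and alignment padding, then read
    the UTF-16 value up to its double-null terminator."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != b"MZ":
        return None
    key_at = data.find(FILE_VERSION_KEY)
    if key_at < 0:
        return None
    pos = key_at + len(FILE_VERSION_KEY)
    while pos < len(data) and data[pos] == 0:
        pos += 1
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def missing_upload_keys(web_config_xml: str) -> List[str]:
    """Return the RadAsyncUpload appSettings keys that a web.config does not set."""
    root = ET.fromstring(web_config_xml)
    present = {add.get("key") for add in root.iter("add")}
    return [k for k in REQUIRED_APPSETTINGS if k not in present]


def scan(root_dir: str) -> Dict[str, dict]:
    """Walk every directory under root_dir and report each Telerik DLL found."""
    findings: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() == TARGET_DLL:
                path = os.path.join(dirpath, name)
                version = read_file_version(path)
                findings[path] = {
                    "version": version,
                    "vulnerable": version is not None and is_vulnerable(version),
                }
    return findings


def fake_dll(version: str) -> bytes:
    """Constructed stand-in for a DLL: MZ header plus a version-resource fragment."""
    value = version.encode("utf-16-le") + b"\x00\x00"
    return b"MZ" + b"\x00" * 62 + FILE_VERSION_KEY + b"\x00\x00\x00\x00" + value + b"\x00" * 16


# Constructed web.config that sets only one of the two keys.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="REPLACE-WITH-RANDOM-KEY"/>
</appSettings></configuration>"""


def demo() -> Dict[str, dict]:
    """Constructed tree: one install in the default IIS path, one somewhere a
    path-restricted scanner would never look."""
    layout = {
        os.path.join("inetpub", "wwwroot", "app1", "bin"): "2020.1.114.45",
        os.path.join("CustomApps", "legacy", "bin"): "2019.3.1023.45",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, ver in layout.items():
            d = os.path.join(base, rel)
            os.makedirs(d)
            with open(os.path.join(d, "Telerik.Web.UI.dll"), "wb") as fh:
                fh.write(fake_dll(ver))
        return scan(base)


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
    print("missing keys:", missing_upload_keys(SAMPLE_WEB_CONFIG))
```

On a production host the scan root would be the drive root rather than the IIS web root, which is exactly the gap the advisory describes; the version read is a heuristic suited to triage, and a finding should be confirmed with the vendor’s own version information before closing it.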
Both groups’ attacks used a technique known as DLL sideloading, which involves replacing legitimate dynamic link library files in Microsoft Windows with malicious ones. Some of the uploaded DLLs were disguised as PNG images. The malicious files were then executed using a legitimate process for IIS servers called w3wp.exe. A review of the antivirus logs found that some of the uploaded DLLs were present on the system as early as August 2021.
The advisory said little about the nation-state-sponsored threat group, other than identifying the IP addresses it used to host command-and-control servers. The group, referred to as TA1 in Thursday’s advisory, began using CVE-2019-18935 last August to target systems within the agency’s network. Investigators identified nine DLL files used to explore the server and evade security defenses. The files communicated with a control server at IP address 137.184.130[.]162 or 45.77.212[.]12. Traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443. The threat actor’s malware was able to load additional libraries and delete DLL files to hide the malicious activity on the network.
The advisory referred to the other group as TA2 and identified it as XE Group, which researchers from security firm Volexity said was likely based in Vietnam. Both Volexity and fellow security firm Malwarebytes said the financially motivated group is engaged in skimming payment cards.
“Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files to the C:\Windows\Temp\ directory that TA2 executed through the w3wp.exe process,” the advisory said. “These DLLs drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.”
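The indicators in the preceding paragraphs (w3wp.exe loading DLLs from C:\Windows\Temp\, worker processes launching reverse shells, plaintext traffic to port 443, and DLLs carrying a .png name) translate directly into host and network checks. The code below is an added example, not tooling from the advisory or either security firm: it runs those checks over constructed Sysmon-style events. The event field names follow Sysmon’s conventions (EventID 7 image load, 1 process create, 3 network connect) but the records themselves are made up for the demo; the two IP addresses are the ones the advisory lists.

```python
"""Host and network checks for the behaviour described in the advisory (added example)."""
from typing import List, Tuple

IOC_IPS = {"137.184.130.162", "45.77.212.12"}   # C2 addresses named in the advisory
TEMP_DIR = "c:\\windows\\temp\\"                  # where TA2 staged its DLLs
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed Sysmon-like events; not real agency logs.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\uploaded.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "ImageLoaded": "C:\\inetpub\\wwwroot\\app\\bin\\Telerik.Web.UI.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "DestinationIp": "137.184.130.162", "DestinationPort": 443},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events matching the advisory's behaviour."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        image = basename(e.get("Image", ""))
        loaded = e.get("ImageLoaded", "").lower()
        parent = basename(e.get("ParentImage", ""))
        # IIS worker loading a library out of the writable Temp directory.
        if e["EventID"] == 7 and image == "w3wp.exe" and loaded.startswith(TEMP_DIR):
            alerts.append(("dll_from_temp", e["ImageLoaded"]))
        # IIS worker spawning an interactive shell (reverse-shell utilities).
        elif e["EventID"] == 1 and parent == "w3wp.exe" and image in SHELLS:
            alerts.append(("worker_spawned_shell", e["Image"]))
        # Outbound connection to a listed C2 address.
        elif e["EventID"] == 3 and e.get("DestinationIp") in IOC_IPS:
            alerts.append(("c2_ioc_match", e["DestinationIp"]))
    return alerts


def is_tls_record(payload: bytes) -> bool:
    """TLS records start with a content type (0x14-0x17) and major version 0x03."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def plaintext_on_tls_port(dst_port: int, first_bytes: bytes) -> bool:
    """The advisory's C2 used unencrypted TCP over 443; flag non-TLS bytes there."""
    return dst_port == 443 and not is_tls_record(first_bytes)


def masquerading_pe(filename: str, head: bytes) -> bool:
    """A .png that begins with the PE 'MZ' signature is a DLL in disguise."""
    return filename.lower().endswith(".png") and head[:2] == b"MZ"


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(plaintext_on_tls_port(443, b"GET / HTTP/1.1"))       # True
    print(masquerading_pe("logo.png", b"MZ\x90\x00"))           # True
```

The magic-byte check is the one worth wiring into an upload handler or file-integrity monitor, since it catches the PNG disguise regardless of which process later loads the file; the event rules need Sysmon (or an EDR exposing the same fields) to be present on the IIS host.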
The breach resulted from someone at the unnamed agency failing to install a patch that had been available for years. As mentioned earlier, tools that scan systems for vulnerabilities often limit their searches to a specific set of predefined file paths. If this can happen within one federal agency, it likely can happen in other agencies as well.
Anyone using Telerik UI for ASP.NET AJAX should carefully read Thursday’s advisory, as well as the one Progress published in 2019, to ensure they are not exposed.