Federal agency hacked by 2 groups thanks to bug that hasn’t been patched in 4 years – Ars Technica


Several threat actors — one on behalf of a nation-state — gained access to a US federal agency’s network by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.

One group’s exploit activities likely began in August 2021 and the other last August, according to an advisory published jointly by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server showed signs of being compromised.

Vulnerability not detected for 4 years

Both groups exploited a code execution vulnerability tracked as CVE-2019-18935 in a developer tool called Telerik User Interface (UI) for ASP.NET AJAX, located on the agency’s Microsoft Internet Information Services (IIS) web server. The advisory did not name the agency, saying only that it was a Federal Civilian Executive Branch agency that falls under CISA.

The Telerik UI for ASP.NET AJAX is distributed by a company called Progress, which is headquartered in Burlington, Massachusetts and Rotterdam in the Netherlands. The tool bundles 100+ UI components that developers can use to reduce the time it takes to build custom web applications. In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure deserialization vulnerability that allowed remote code execution on vulnerable servers. The vulnerability was rated with a severity of 9.8 out of 10 possible points. In 2020, the NSA warned that the vulnerability was being exploited by Chinese state-sponsored actors.

“This exploit, which results in interactive access to the web server, allowed threat actors to successfully execute remote code on the vulnerable web server,” Thursday’s advisory said. “Even though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it was unable to detect the vulnerability because the Telerik UI software was installed in a file path it does not normally scan. This can be the case with many software installations, as file paths vary greatly by organization and installation method.”

Other unpatched vulnerabilities

To successfully exploit CVE-2019-18935, hackers must first have knowledge of the encryption keys used with a component called Telerik RadAsyncUpload. Federal investigators suspect that the attackers exploited one of two vulnerabilities discovered in 2017 that also remained unpatched on the agency’s server.

Attacks by both groups used a technique known as DLL sideloading, in which legitimate Microsoft Windows dynamic-link library files are replaced with malicious ones. Some of the DLL files uploaded by the group were disguised as PNG images. The malicious files were then executed using a legitimate IIS server process called w3wp.exe. A check of the antivirus logs revealed that some of the uploaded DLL files were already present on the system in August 2021.
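As an added illustration, not code from the advisory or from Progress, here is a defender-side check in Python for the two failure points the article describes: a version comparison against the 2020.1.114 fix that does not depend on where Telerik.Web.UI.dll happens to be installed, and a test for uploaded files that carry a .png name but begin with a PE executable header. The directory tree, file names and version strings used in demo() are constructed for the example.

```python
import os
import re
import tempfile

# Telerik UI for ASP.NET AJAX release that fixed CVE-2019-18935 (from the article).
FIXED_VERSION = (2020, 1, 114)
TELERIK_DLL = "telerik.web.ui.dll"
PE_MAGIC = b"MZ"                      # every Windows PE file (DLL/EXE) starts with this
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # genuine PNG signature


def parse_telerik_version(text):
    """Telerik UI versions look like YEAR.QUARTER.BUILD, e.g. 2019.3.1023."""
    match = re.fullmatch(r"(\d{4})\.(\d)\.(\d{3,4})", text.strip())
    if not match:
        raise ValueError(f"not a Telerik version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(text):
    """True when the installed version predates the 2020.1.114 fix.
    The version string is taken from the DLL's file-version property
    (or the app's web.config); obtaining it is outside this example."""
    return parse_telerik_version(text) < FIXED_VERSION


def find_telerik_dlls(root):
    """Walk the whole tree instead of a preset list of install paths,
    which is how the agency's scanner missed the vulnerable copy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n.lower() == TELERIK_DLL]
    return sorted(hits)


def is_pe_disguised_as_png(path):
    """A .png whose first bytes are a PE 'MZ' header rather than the PNG magic."""
    if not path.lower().endswith(".png"):
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return head.startswith(PE_MAGIC) and not head.startswith(PNG_MAGIC)


def scan_upload_dir(directory):
    """Return the disguised executables found in an upload/temp directory."""
    return sorted(p for p in (os.path.join(directory, n) for n in os.listdir(directory))
                  if is_pe_disguised_as_png(p))


def demo():
    """Constructed sample tree (not from the advisory) so both checks run offline."""
    root = tempfile.mkdtemp()
    odd_path = os.path.join(root, "inetpub", "legacyapp", "bin")  # non-default location
    temp_dir = os.path.join(root, "Windows", "Temp")
    os.makedirs(odd_path)
    os.makedirs(temp_dir)
    for name, data in [(os.path.join(odd_path, "Telerik.Web.UI.dll"), PE_MAGIC),
                       (os.path.join(temp_dir, "upload1.png"), PE_MAGIC + b"\x90\x00"),
                       (os.path.join(temp_dir, "logo.png"), PNG_MAGIC + b"\x00")]:
        with open(name, "wb") as fh:
            fh.write(data)
    return {"dlls": find_telerik_dlls(root), "disguised": scan_upload_dir(temp_dir)}
```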

The advisory said little about the nation-state-sponsored threat group, other than identifying the IP addresses it used to host command-and-control servers. The group, referred to as TA1 in Thursday’s advisory, began using CVE-2019-18935 to enumerate systems within the agency network last August. Investigators identified nine DLL files that were used to explore the server and bypass security measures. The files communicated with a control server with the IP address 137.184.130[.]162 or 45.77.212[.]12. Traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443. The attacker’s malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.

The advisory dubbed the other group TA2 and identified them as the XE Group, which researchers at security firm Volexity say is likely based in Vietnam. Both Volexity and security firm Malwarebytes have said the financially motivated group is engaged in payment card skimming.

“Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files to the C:\Windows\Temp\ directory, which TA2 executed via the w3wp.exe process,” the advisory said. “These DLL files delete and run reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.”

The breach stems from someone at the unnamed agency failing to install a patch that has been available for years. As previously mentioned, tools that scan systems for vulnerabilities often limit their search to a specific set of predefined file paths. If this can happen within one federal agency, it can probably happen in other organizations as well.

Anyone using the Telerik UI for ASP.NET AJAX should read Thursday’s advisory carefully, as well as the guidance Progress published in 2019, to ensure they are not exposed.
