Multiple U.S. Government IIS Servers Have Fallen Victim to Cyber-Attacks

20 June 2023

The cybersecurity landscape continues to see attacks against critical infrastructure, and the exploitation of a years-old Progress Telerik vulnerability on U.S. Government IIS servers, documented a few months ago in a joint CISA, FBI and MS-ISAC advisory (March 2023), is a recent example. In this article I aim to give an overview of the attacks, the technical details, the threat actor activity, and the actionable steps that mitigate the risk. By understanding how these attacks succeeded, organisations can learn from the weaknesses that allowed them and strengthen their own defenses against similar threats.

Overview of Attacks. Between November 2022 and early January 2023, cyber threat actors exploited a vulnerability in Progress Telerik UI for ASP.NET AJAX to compromise a U.S. Government IIS server. The vulnerability, CVE-2019-18935, is a .NET deserialisation flaw that gave the threat actors remote code execution on the server. The joint advisory documents the indicators of compromise found at a federal civilian executive branch (FCEB) agency; the exposure is not specific to that agency, because the same Telerik component is bundled into many other IIS-hosted applications across government and industry.

Technical Details. CVE-2019-18935 is a .NET deserialisation vulnerability in the RadAsyncUpload handler of Telerik UI for ASP.NET AJAX, reached through requests to Telerik.Web.UI.WebResource.axd?type=rau. The handler decrypts an attacker-supplied upload configuration and deserialises it, so an attacker who knows the encryption keys can name an arbitrary .NET type and execute code inside the IIS worker process (w3wp.exe). The keys are the precondition: they are known whenever the hard-coded default key is still in use (CVE-2017-11317) or can be recovered through the earlier cryptographic weakness in the dialog handler (CVE-2017-9248). Versions through 2019.3.1023 are affected; from 2020.1.114 a default setting blocks the technique. Interactive access to the worker process compromises the server and, with it, the applications and data it hosts.

The investigation also identified the older Telerik UI for ASP.NET AJAX vulnerabilities CVE-2017-11357, CVE-2017-11317 and CVE-2017-9248 on the server, which is what one expects from a build that had not been updated in years. A further lesson from the advisory is that the agency's vulnerability scanner did not flag the Telerik assembly, because it was installed under a path the scanner did not inspect. An inventory of every copy of Telerik.Web.UI.dll and its file version across all web roots is therefore the first step, and patching alone is not enough: the encryption keys in web.config must also be changed from their defaults, and the upload handler disabled where the control is not used.
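To make those preconditions concrete, here is an added example (my own code, not Progress Telerik's and not from the advisory) that audits a Telerik deployment offline: it compares the Telerik.Web.UI version against the ranges NVD gives for CVE-2019-18935 and checks the web.config appSettings that govern the RadAsyncUpload keys and handler. The setting names follow Telerik's security documentation as I know it; confirm them against the documentation for your installed version. The version strings and web.config fragments are constructed samples, and the "hardened" key values are placeholders, not real secrets.

```python
"""Offline audit of a Telerik UI for ASP.NET AJAX deployment for the
CVE-2019-18935 preconditions.  Added example, not the advisory's or
Telerik's code; all sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Telerik version strings are YYYY.R.MMDD, e.g. 2019.3.1023.
LAST_VULNERABLE = (2019, 3, 1023)    # NVD: affected through 2019.3.1023
SAFE_DEFAULT_FROM = (2020, 1, 114)   # NVD: a default setting blocks the exploit from here

# Default key shipped in old builds (the CVE-2017-11317 issue). A deployment
# still using it satisfies the "known keys" precondition of CVE-2019-18935.
KNOWN_DEFAULT_KEY = "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"
MIN_KEY_LEN = 32

# appSettings names per Telerik's security documentation (verify for your build).
KEY_SETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
HANDLER_SWITCH = "Telerik.Web.DisableAsyncUploadHandler"


def parse_version(text):
    """Turn '2019.3.1023' into a comparable (2019, 3, 1023) tuple."""
    m = re.fullmatch(r"(\d{4})\.(\d)\.(\d{3,4})", text.strip())
    if not m:
        raise ValueError(f"not a Telerik version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def app_settings(web_config):
    """Collect <add key=... value=.../> entries from every <appSettings> section."""
    root = ET.fromstring(web_config)
    settings = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            if add.get("key") is not None:
                settings[add.get("key")] = add.get("value", "")
    return settings


def audit(version, web_config):
    """Return a list of findings; an empty list means no precondition is met."""
    ver = parse_version(version)
    settings = app_settings(web_config)
    findings = []
    if ver <= LAST_VULNERABLE:
        findings.append(f"Telerik.Web.UI {version} is in the CVE-2019-18935 affected range "
                        "(through 2019.3.1023); upgrade to 2020.1.114 or later")
    for name in KEY_SETTINGS:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name} not set: the library default key is in use")
        elif value == KNOWN_DEFAULT_KEY:
            findings.append(f"{name} is the publicly known default key")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name} is shorter than {MIN_KEY_LEN} characters")
    handler_disabled = settings.get(HANDLER_SWITCH, "false").strip().lower() == "true"
    if ver < SAFE_DEFAULT_FROM and not handler_disabled:
        findings.append("RadAsyncUpload handler reachable on a vulnerable build; "
                        f"set {HANDLER_SWITCH}=true if the control is unused")
    return findings


# Constructed: an old build whose web.config still carries the default key.
VULNERABLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" />
  </appSettings>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           verb="*" type="Telerik.Web.UI.WebResource" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Constructed: a patched build with per-site keys (placeholders; generate real
# ones with a CSPRNG) and the upload handler switched off.
HARDENED_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PLACEHOLDER-0123456789abcdef0123456789abcdef01" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="PLACEHOLDER-fedcba9876543210fedcba9876543210ff" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="PLACEHOLDER-13579bdf02468ace13579bdf02468ace77" />
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    for label, ver, cfg in (("old build", "2018.1.117", VULNERABLE_WEB_CONFIG),
                            ("patched build", "2020.1.114", HARDENED_WEB_CONFIG)):
        print(f"{label} ({ver}):")
        for finding in audit(ver, cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real site by reading the file version of Telerik.Web.UI.dll from each web root and feeding it the site's web.config; the audit is deliberately conservative and reports a short key even on a patched build, because the 2017 key-disclosure issues make key rotation part of the fix regardless of version.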

Threat Actor Activity. At least two distinct threat actors were active on the server: an advanced persistent threat (APT) actor referred to in the advisory as Threat Actor 1 (TA1), and a cybercriminal actor, Threat Actor 2 (TA2), assessed to be the XE Group. The two exhibited distinct tactics, techniques, and procedures (TTPs) during their exploitation campaigns, but both relied on the same vulnerability and left the same class of artefacts on disk.

TA1 exploited CVE-2019-18935 to upload malicious DLL files, some disguised as portable network graphics (PNG) files and named after the Unix epoch time of the upload, into the C:\Windows\Temp\ directory. The files were then loaded and executed by the legitimate IIS worker process, w3wp.exe, which is why the activity does not stand out as a new process on the host. The malware communicated with command and control (C2) servers and collected and transmitted system and network information.

TA2, assessed to be the XE Group, also exploited CVE-2019-18935. Its approach involved uploading its own DLL files to the C:\Windows\Temp\ directory and executing them through the w3wp.exe process. The malware likewise maintained communication with C2 servers, enabling further commands and potential data exfiltration.
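The artefacts common to both actors, POSTs to the RadAsyncUpload handler in the IIS logs and DLLs dropped into C:\Windows\Temp\ (some with epoch-timestamp names, some carrying a PNG extension), can be checked with a few lines of Python. The following is an added example of my own, not tooling from the advisory; the IIS log excerpt and the directory listing are constructed, and the log's column layout is taken from its own #Fields directive so the parser copes with other field selections. Legitimate RadAsyncUpload use also POSTs type=rau, so treat the hits as leads to corroborate against whether the application actually uses the control and against what is on the file system.

```python
"""Detection helpers for the post-exploitation artefacts described above.
Added example, not from the advisory; sample data is constructed."""
import re
from datetime import datetime, timezone

# Constructed IIS W3C log excerpt: two POSTs to the RadAsyncUpload handler
# (type=rau) from one scripted client, plus benign traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-11-14 02:11:05 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 31
2022-11-14 02:11:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28.1 200 4120
2022-11-14 02:11:12 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28.1 200 3988
2022-11-14 02:11:20 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 443 - 203.0.113.9 Mozilla/5.0 200 12
"""

# Constructed listing of C:\Windows\Temp (name -> first bytes of content):
# two epoch-named DLLs, one PE image hiding behind a .png extension, and noise.
MZ = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_TEMP_DIR = {
    "1668391869.7574.dll": MZ,
    "1668391872.1201.dll": MZ,
    "banner.png": MZ,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,
    "report.tmp": b"hello",
}

EPOCH_DLL = re.compile(r"^(\d{10})(?:\.\d+)?\.dll$", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C-format IIS lines, taking column names from the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def rau_post_summary(rows):
    """Count POSTs to the RadAsyncUpload handler per (client IP, user agent)."""
    summary = {}
    for r in rows:
        if (r.get("cs-method", "").upper() == "POST"
                and r.get("cs-uri-stem", "").lower().endswith("telerik.web.ui.webresource.axd")
                and "type=rau" in r.get("cs-uri-query", "").lower()):
            key = (r.get("c-ip", "-"), r.get("cs(User-Agent)", "-"))
            summary[key] = summary.get(key, 0) + 1
    return summary


def epoch_named_dlls(listing):
    """Return (name, UTC time decoded from the name) for epoch-named DLLs.

    The decoded time can be lined up against the IIS log entries above."""
    found = []
    for name in listing:
        m = EPOCH_DLL.match(name)
        if m:
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            found.append((name, ts.strftime("%Y-%m-%d %H:%M:%SZ")))
    return found


def masquerading_pe_files(listing):
    """Files that start with the PE 'MZ' magic but lack an executable extension."""
    return sorted(name for name, data in listing.items()
                  if data[:2] == b"MZ" and not name.lower().endswith((".dll", ".exe")))


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_IIS_LOG)
    for (ip, ua), n in rau_post_summary(rows).items():
        print(f"{n} POST(s) to RadAsyncUpload from {ip} ({ua})")
    for name, when in epoch_named_dlls(SAMPLE_TEMP_DIR):
        print(f"epoch-named DLL {name} -> uploaded about {when}")
    for name in masquerading_pe_files(SAMPLE_TEMP_DIR):
        print(f"PE image with non-executable extension: {name}")
```

On a live server, replace the two samples with the contents of the site's log directory and of C:\Windows\Temp\, and pair the results with process telemetry showing w3wp.exe loading DLLs from that path.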

Mitigations and Best Practices. To strengthen defenses against similar attacks, organisations should consider implementing the following measures:

  1. Patch Management: Regularly update and apply the latest security patches for all software, including Progress Telerik products. Prioritise vulnerabilities that are actively exploited, and make sure the vulnerability scanner actually sees every copy of the affected component, including ones bundled inside third-party applications in non-standard paths. For Telerik specifically, upgrade to 2020.1.114 or later, replace the default encryption keys in web.config, and disable the RadAsyncUpload handler where the control is not used.
  2. User Authentication: Implement strong and multifactor authentication (MFA) mechanisms to protect user accounts from unauthorised access.
  3. Network Segmentation: Divide the network into isolated segments based on functionality, limiting lateral movement for threat actors and reducing the potential impact of breaches. Restrict outbound connections from web servers so that C2 traffic from a compromised worker process is blocked or at least logged.
  4. Log Analysis and Monitoring: Establish a centralised log collection and analysis system to detect anomalous activities, and ship IIS logs and process telemetry to it. Regularly review them for signs of intrusion, such as unexpected POSTs to Telerik.Web.UI.WebResource.axd?type=rau, new DLLs in C:\Windows\Temp\, and w3wp.exe loading or spawning anything it normally does not.
  5. Employee Training and Awareness: Conduct cybersecurity training programs for employees to educate them about phishing, social engineering, and other common attack vectors. Encourage reporting of suspicious activities or potential security incidents.
  6. Incident Response Planning: Develop a robust incident response plan to ensure a swift and effective response in the event of a cyber-attack. Regularly test and update the plan based on emerging threats and organisational changes.

The exploitation of Progress Telerik vulnerabilities on U.S. Government IIS servers highlights the persistent threat posed by cyber actors seeking to compromise critical infrastructure, and the fact that a 2019 vulnerability was still exploitable in late 2022 shows how long unpatched components linger. As I always say, by proactively addressing vulnerabilities, adopting best practices in patch management, implementing strong authentication mechanisms, and enhancing network segmentation, organisations can fortify their defenses against similar attacks. It is imperative to stay informed, remain vigilant, and consistently adapt cybersecurity measures to evolving threats in order to protect your organisation or business.

Note: For additional technical details, indicators of compromise and detection guidance, refer to the joint CISA, FBI and MS-ISAC advisory AA23-074A, "Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server".
