December 11, 2023

The US CISA has reported that the threat actors are seen exploited a vulnerability that was first documented in 2019 that allows remote code execution (RCE) to access a federal agency’s web server over a roughly three-month period.

In an advisory this week, CISA said threat actors including an unnamed APT group, as well as the Vietnam-based cybercriminal group known as the XE Group — exploited a Progress Telerik vulnerability tracked asCVE-2019-18935 with a CVSS of 9.8 to access the federal executive branch agency’s Microsoft Internet Information Services web server.

The advisory did not identify which agency had its web server compromised, but said the activity began in November and continued through early January.

Advertisements

The alert code AA23-074A advisory said CVE-2019-18935 was likely used in conjunction with other known Progress Telerik vulnerabilities to exploit the agency. The advisory also said analysts did not observe evidence of privilege escalation or lateral movement, but antivirus logs identified that some DLL files were created and detected as early as August 2021.

The APT was able to use CVE-2019-18935 to upload malicious DLL files to load additional libraries; enumerate the system, processes, files directories and write files. Other samples analyzed of the APT can delete DLL files to hide additional malicious activity and to communicate with a command-and-control server.

Indicators of Compromise

  • 137.184.130[.]162
  • 45.77.212[.]12
  • 104.225.129[.]102
  • 149.28.85[.]24
  • 185.186.245[.]72
  • 193.8.172[.]113
  • 193.8.172[.]13
  • 216.120.201[.]12
  • 5.34.178[.]246
  • 79.133.124[.]242
  • 92.38.169[.]193
  • 92.38.176[.]109
  • 92.38.176[.]130
  • 12bbee9b-e179-42de-aa5c-c5ea199fb462
  • 82fab066-b66b-446b-aac3-6839695aee67
  • 21d0f623-3988-4182-8b9f-aae3d183eb20
  • 28852f6a-c26f-4388-a6c6-c82fb53f04da
  • 5ff90812-1152-4303-a1df-96320253b29f
  • e537fa26-ada0-45c3-ba1a-85567927d775
  • f0daf421-bc25-4a70-b036-51f57701d746
  • cff6e4d8-9d96-46d5-967c-e04cceb349ca
  • 33e14bcd-69a9-4092-a0db-d00814d52dfe
  • 73d12a2b-0527-45fd-a732-be121aed2b5d
  • f13bb772-22c4-47a2-abfd-c1d38ec01b1f
  • 39241225-9aac-41f2-9534-fb8ad8bbb680
  • 028f2171-e6b7-4cdc-92d2-91feee6c41e6
  • 291aae42-80ca-41ef-90be-f7d8dfe63b64
  • 71b4cd48-7505-44bb-a220-3dbbac77a4ef
  • 5929681b-ee05-4acb-bee2-777a703fa333
  • 78c1cd7c-1320-4a8f-b858-7b897cc602dc
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone Security Week In Review – December 2nd & 10th, 2023

December 10, 2023

5Ghoul Vulnerabilities affects 5G devices

December 10, 2023

Microsoft EDGE Browser Critical Sandbox Escape Vulnerability – CVE-2023-35618

December 9, 2023

WordPress POP CMS Vulnerability

December 9, 2023

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2
%d