US Agency Exploited with an Old Progress Telerik RCE
The US CISA has reported that the threat actors are seen exploited a vulnerability that was first documented in 2019 that allows remote code execution (RCE) to access a federal agency’s web server over a roughly three-month period.
In an advisory this week, CISA said threat actors including an unnamed APT group, as well as the Vietnam-based cybercriminal group known as the XE Group — exploited a Progress Telerik vulnerability tracked asCVE-2019-18935 with a CVSS of 9.8 to access the federal executive branch agency’s Microsoft Internet Information Services web server.
The advisory did not identify which agency had its web server compromised, but said the activity began in November and continued through early January.
The alert code AA23-074A advisory said CVE-2019-18935 was likely used in conjunction with other known Progress Telerik vulnerabilities to exploit the agency. The advisory also said analysts did not observe evidence of privilege escalation or lateral movement, but antivirus logs identified that some DLL files were created and detected as early as August 2021.
The APT was able to use CVE-2019-18935 to upload malicious DLL files to load additional libraries; enumerate the system, processes, files directories and write files. Other samples analyzed of the APT can delete DLL files to hide additional malicious activity and to communicate with a command-and-control server.
Indicators of Compromise