March 25, 2023

The US CISA has reported that the threat actors are seen exploited a vulnerability that was first documented in 2019 that allows remote code execution (RCE) to access a federal agency’s web server over a roughly three-month period.

In an advisory this week, CISA said threat actors including an unnamed APT group, as well as the Vietnam-based cybercriminal group known as the XE Group — exploited a Progress Telerik vulnerability tracked asCVE-2019-18935 with a CVSS of 9.8 to access the federal executive branch agency’s Microsoft Internet Information Services web server.

The advisory did not identify which agency had its web server compromised, but said the activity began in November and continued through early January.

Advertisements

The alert code AA23-074A advisory said CVE-2019-18935 was likely used in conjunction with other known Progress Telerik vulnerabilities to exploit the agency. The advisory also said analysts did not observe evidence of privilege escalation or lateral movement, but antivirus logs identified that some DLL files were created and detected as early as August 2021.

The APT was able to use CVE-2019-18935 to upload malicious DLL files to load additional libraries; enumerate the system, processes, files directories and write files. Other samples analyzed of the APT can delete DLL files to hide additional malicious activity and to communicate with a command-and-control server.

Indicators of Compromise

  • 137.184.130[.]162
  • 45.77.212[.]12
  • 104.225.129[.]102
  • 149.28.85[.]24
  • 185.186.245[.]72
  • 193.8.172[.]113
  • 193.8.172[.]13
  • 216.120.201[.]12
  • 5.34.178[.]246
  • 79.133.124[.]242
  • 92.38.169[.]193
  • 92.38.176[.]109
  • 92.38.176[.]130
  • 12bbee9b-e179-42de-aa5c-c5ea199fb462
  • 82fab066-b66b-446b-aac3-6839695aee67
  • 21d0f623-3988-4182-8b9f-aae3d183eb20
  • 28852f6a-c26f-4388-a6c6-c82fb53f04da
  • 5ff90812-1152-4303-a1df-96320253b29f
  • e537fa26-ada0-45c3-ba1a-85567927d775
  • f0daf421-bc25-4a70-b036-51f57701d746
  • cff6e4d8-9d96-46d5-967c-e04cceb349ca
  • 33e14bcd-69a9-4092-a0db-d00814d52dfe
  • 73d12a2b-0527-45fd-a732-be121aed2b5d
  • f13bb772-22c4-47a2-abfd-c1d38ec01b1f
  • 39241225-9aac-41f2-9534-fb8ad8bbb680
  • 028f2171-e6b7-4cdc-92d2-91feee6c41e6
  • 291aae42-80ca-41ef-90be-f7d8dfe63b64
  • 71b4cd48-7505-44bb-a220-3dbbac77a4ef
  • 5929681b-ee05-4acb-bee2-777a703fa333
  • 78c1cd7c-1320-4a8f-b858-7b897cc602dc
Tags:

Leave a Reply

You may have missed

Nexus Android Banking Trojan

Nexus Android Banking Trojan

March 25, 2023
CISA Releases Untitled Goose Tool

CISA Releases Untitled Goose Tool

March 25, 2023
Critical Vulnerability in Woocommerce Payment Plugin

Critical Vulnerability in Woocommerce Payment Plugin

March 25, 2023
Cl0P Ransomware havoc with GoAnywhere MFT Exploit

Cl0P Ransomware havoc with GoAnywhere MFT Exploit

March 25, 2023
CISA Pre Ransomware Notification Initiative

CISA Pre Ransomware Notification Initiative

March 25, 2023
Github seizes Exposed RSA SSH Key

Github seizes Exposed RSA SSH Key

March 24, 2023
%d bloggers like this: