IIS Server Breached via Telerik

July 23, 2023

According to a joint advisory issued in March 2023 by the FBI, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC), multiple threat actors exploited a three-year-old flaw in Progress Telerik UI for ASP.NET AJAX to break into a US federal civilian agency's Microsoft Internet Information Services (IIS) web server. The intrusion activity took place between November 2022 and January 2023 and involved at least one nation-state group.

CVE-2019-18935

CVE-2019-18935 is a .NET deserialization vulnerability in the RadAsyncUpload handler of Telerik UI for ASP.NET AJAX, the component that processes file upload requests. It was publicly disclosed in December 2019 and fixed in Telerik UI for ASP.NET AJAX R3 2019 SP1 (2019.3.1023). An attacker who knows the RadAsyncUpload encryption keys can upload a crafted file and have the server deserialize attacker-controlled data, which yields remote code execution on the IIS web server under the application pool's identity. The keys are the gating factor: older releases shipped with default keys, and the keys can also be recovered through the 2017 Telerik flaws described below, so a server whose keys are known to an attacker is fully exposed.

The security community has repeatedly urged organizations to apply hardware and software updates as soon as possible. Although this can be a daunting task, it is the single most effective step for preventing exploitation of critical vulnerabilities such as this one.

It is also essential to understand the tactics, techniques and procedures (TTPs) threat actors use. One common TTP is the reuse of publicly available proof-of-concept (PoC) code and exploit scripts: attackers lift PoC code from public sources and point it at unpatched instances of the vulnerability on targeted networks.

Once code execution is obtained, the attacker can establish a reverse shell on the server and read whatever the web server's service account can reach, including configuration files, stored credentials and database contents. From there the attacker can run additional commands to download malware and exfiltrate data.

In addition to applying patches, organizations should implement centralized log collection and monitoring to watch for webshell and exploit activity on internal web servers. Longer log retention policies increase the amount of forensic data available for incident response.

Priority one for mitigating this vulnerability is ensuring all servers running Telerik UI software are patched and upgraded to the most recent version. This step is especially crucial because threat actors routinely reuse TTPs and exploit known, already-patched vulnerabilities to deliver malicious payloads.

The attack methodology resembles the one Blue Mockingbird used in 2020 to exploit this same vulnerability, which suggests that threat actors see little need to devise new ways of breaching Internet-facing systems when tried-and-true techniques still work.

The Intrusion

In November 2022, a US Government IIS server was compromised through exploitation of CVE-2019-18935 in Telerik software. The flaw allowed malicious actors to execute code on the unpatched system.

CISA noted in its advisory that the affected agency had used a vulnerability scanner that should have identified the issue but failed to do so because the Telerik UI software was installed in an unusual file path. CISA added that the same problem can affect many software installations, since file paths vary widely between organizations and installation methods.

The advisory also ties this vulnerability to two older Telerik flaws, CVE-2017-11357 and CVE-2017-11317. Both involve the RadAsyncUpload encryption keys, which an attacker needs in order to exploit CVE-2019-18935 and which can be obtained either through prior knowledge (for example, unchanged default keys) or by exploiting those older flaws.

The NSA included this flaw in its list of 25 vulnerabilities most commonly exploited by Chinese state-backed hackers, and it appears on lists of most-targeted vulnerabilities published by cybersecurity firms and by the FBI.

Organizations looking to mitigate this vulnerability should make sure they have applied all patches released for it and use patch management solutions to confirm they are running current product versions. Service accounts should have only the minimum permissions needed to run their services, and output from vulnerability scanners should be validated against the services actually running in order to detect discrepancies.

The CSA additionally suggests that organizations implement VPN capabilities and consider deploying standardized protocols on public-facing gateway appliances so that user authentication is required before a connection to those devices is allowed. According to the advisory, this prevents unauthorized access to systems from untrusted sources.

Organizations should also check with their software vendors whether their products embed Telerik UI and whether the RadAsyncUpload encryption keys associated with CVE-2019-18935 and the related flaws are default or otherwise known. That information helps prioritize remediation of internet-facing systems.

Why the Scanner Missed It

CISA, the FBI and MS-ISAC recently issued an advisory detailing a US government IIS server compromise caused by exploitation of this Telerik flaw. Although CISA added CVE-2019-18935 to its Known Exploited Vulnerabilities (KEV) catalog in November 2021, the agency had not applied the patch by the Binding Operational Directive (BOD 22-01) remediation due date in May 2022.

The CSA notes that the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, yet it was configured to scan only applications installed through Windows Installer and therefore failed to detect the Telerik UI software, which lived in a file path the scanner does not normally examine. This gap is common and underlines the importance of scanning across the full range of devices and locations.

Specifically, the agency's vulnerability scanner was not configured to scan the full file path on its Microsoft Internet Information Services (IIS) web server, and the Telerik UI software had been deployed through a continuous integration and delivery pipeline rather than via Windows Installer.

Beyond the initial code execution, the malicious files dropped on the IIS server included DLLs that launched a reverse shell utility for unencrypted communication with C2 IP addresses tied to attacker-controlled domains. The XEReverseShell[.]exe executable attempts to retrieve its C2 IP address and port from either xework[.]com or xegroups[.]com and exits if it cannot find one.

To protect against this attack, the agencies suggest a patch management solution that enforces compliance with the latest security patches, combined with validation of patch management and vulnerability scanner output against the services actually running, so that every service is accounted for and discrepancies surface. Service accounts should likewise be limited to the permissions needed to run their functions.

To further bolster security, the agencies recommend centralized log collection and monitoring capable of detecting outbound connections from an IIS server to unknown IP addresses, and implementing or extending logging and forensic data retention policies so that more data is available for forensic analysis.

Threat Actors and Malware

CISA (the Cybersecurity and Infrastructure Security Agency), the FBI and MS-ISAC identified an attack on a US government IIS server carried out by both financially motivated cybercriminals and an Advanced Persistent Threat (APT) actor. Both used the three-year-old Telerik flaw to gain remote code execution on the compromised system.

The National Security Agency has identified this vulnerability as one of the most frequently exploited by Chinese state-backed hackers, and it features on cybersecurity firms' lists of most frequently attacked bugs. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in November 2021.

The vulnerability was exploited on a US government IIS server running Telerik UI for ASP.NET AJAX. Indicators of compromise (IOCs) were found beginning in November 2022 and continuing through January 2023, with the activity attributed to two actors, one financially motivated and one an Advanced Persistent Threat; the advisory refers to the first of them as TA1.

TA1's malware uploaded DLL files to C:\Windows\Temp\ and used the CVE-2019-18935 deserialization flaw to load them, collecting and exfiltrating information about the compromised system. It also dropped a reverse shell utility that communicated with C2 IP addresses associated with xework[.]com and xegroups[.]com in order to maintain persistence and evade detection.

Beyond exploiting CVE-2019-18935, TA1's malware collected and exfiltrated a wide range of system information. It could write files directly to the server, delete traces of its activity, open reverse shells, and deploy additional malicious payloads.

To avoid a similar miss, organizations should adopt a vulnerability scanning approach that accounts for every installation method and file path, and validate the output of patch management and vulnerability scanning solutions against the services actually running. In the affected agency's case, the scanner failed to detect the Telerik software precisely because it was installed in an uncommon file path.
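The scanner gap described in this section and above (a scanner that looked only at Windows Installer locations while the assembly had been deployed by a CI/CD pipeline) can be closed by inventorying the assembly itself rather than trusting installer metadata. The following is an added example, not code from the advisory or from Progress Telerik: it walks a directory tree for every Telerik.Web.UI.dll, locates the owning application's web.config, and reports which of the three RadAsyncUpload/dialog keys (the appSettings names Telerik documents for this purpose) are unset, since an application that never configured them is relying on library defaults. The sample tree is constructed in a temporary directory with empty placeholder DLLs; version checking of the assembly is left to the scanner plugin and is not attempted here.

```python
"""Inventory Telerik.Web.UI.dll deployments regardless of installation method (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# appSettings names Telerik documents for the RadAsyncUpload / dialog keys.
TELERIK_KEY_SETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)


def find_telerik_assemblies(root):
    """Find every Telerik.Web.UI.dll under root, whatever installed it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "telerik.web.ui.dll":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def nearest_web_config(dll_path, root):
    """Walk up from the bin directory until the application's web.config is found."""
    root = os.path.abspath(root)
    current = os.path.abspath(os.path.dirname(dll_path))
    while True:
        candidate = os.path.join(current, "web.config")
        if os.path.isfile(candidate):
            return candidate
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return None
        current = parent


def read_app_settings(config_path):
    """Return the <appSettings> key/value pairs from a web.config."""
    app_settings = ET.parse(config_path).getroot().find("appSettings")
    if app_settings is None:
        return {}
    return {
        add.get("key"): add.get("value")
        for add in app_settings.findall("add")
        if add.get("key") is not None
    }


def audit_telerik(root):
    """One finding per assembly: where it lives, its config, and which keys are unset."""
    findings = []
    for dll in find_telerik_assemblies(root):
        config = nearest_web_config(dll, root)
        settings = read_app_settings(config) if config else {}
        missing = [k for k in TELERIK_KEY_SETTINGS if not settings.get(k)]
        findings.append({
            "dll": os.path.relpath(dll, root),
            "web_config": config,
            "missing_keys": missing,
        })
    return findings


def build_sample_tree():
    """Construct a throwaway tree mimicking two deployments (sample data, not a real host)."""
    root = tempfile.mkdtemp(prefix="telerik-audit-")
    # Hypothetical app pushed by a CI/CD pipeline straight into wwwroot: keys never configured.
    ci_app = os.path.join(root, "inetpub", "wwwroot", "PipelineApp")
    os.makedirs(os.path.join(ci_app, "bin"))
    open(os.path.join(ci_app, "bin", "Telerik.Web.UI.dll"), "wb").close()
    with open(os.path.join(ci_app, "web.config"), "w") as f:
        f.write('<configuration><appSettings><add key="Env" value="prod"/>'
                '</appSettings></configuration>')
    # Hypothetical vendor product under Program Files with all three keys set.
    vendor_app = os.path.join(root, "Program Files", "Vendor", "Portal")
    os.makedirs(os.path.join(vendor_app, "bin"))
    open(os.path.join(vendor_app, "bin", "Telerik.Web.UI.dll"), "wb").close()
    with open(os.path.join(vendor_app, "web.config"), "w") as f:
        f.write("<configuration><appSettings>"
                + "".join(f'<add key="{k}" value="{"x" * 32}"/>' for k in TELERIK_KEY_SETTINGS)
                + "</appSettings></configuration>")
    return root


if __name__ == "__main__":
    for finding in audit_telerik(build_sample_tree()):
        print(finding["dll"], "missing:", finding["missing_keys"] or "none")
```

Run it against the real drive roots (for example C:\ and any non-default IIS site paths) and compare the list with what the vulnerability scanner reports; any assembly the walk finds that the scanner does not know about is exactly the blind spot the advisory describes.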

To detect exploitation attempts, organizations should deploy network intrusion detection to monitor for unusual traffic, in particular requests to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd with type=rau in the query string) from unexpected sources or in unexpected volumes. They should also review web server logs for abnormal activity or behavioral changes that may indicate an attack is in progress.
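The log review recommended here, and the centralized log monitoring recommended earlier in the article, can be turned into a repeatable check. The following is an added example, not code from the advisory: it parses IIS W3C extended log lines using their #Fields header, picks out POSTs to the RadAsyncUpload handler, and groups them by client IP with user agents and timestamps so an analyst can triage them. The log lines are constructed for the example; 203.0.113.7 is a hypothetical scripted client and the 198.51.100.x addresses are hypothetical browser users.

```python
"""Flag RadAsyncUpload handler traffic in IIS W3C logs (added example)."""
from collections import defaultdict

# The RadAsyncUpload handler that CVE-2019-18935 exploits is served through
# Telerik.Web.UI.WebResource.axd with the query string type=rau.
RAU_STEM = "/telerik.web.ui.webresource.axd"
RAU_QUERY_MARKER = "type=rau"

# Constructed sample log in W3C extended format (IIS replaces spaces inside
# field values with '+'). Not taken from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2022-11-15 03:12:40 10.0.0.5 GET /default.aspx - 443 198.51.100.20 Mozilla/5.0 200 15
2022-11-15 03:12:44 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200 412
2022-11-15 03:12:45 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200 1987
2022-11-15 03:13:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) 200 240
2022-11-15 03:13:10 10.0.0.5 GET /WebResource.axd d=abc 443 198.51.100.20 Mozilla/5.0 200 3
"""


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_rau_request(rec):
    """True when the request targets the RadAsyncUpload handler."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(RAU_STEM) and RAU_QUERY_MARKER in query.split("&")


def summarize_rau_activity(text):
    """Group RadAsyncUpload POSTs by client IP for triage."""
    summary = defaultdict(lambda: {
        "posts": 0, "statuses": set(), "user_agents": set(),
        "first_seen": None, "last_seen": None,
    })
    for rec in parse_iis_w3c(text):
        if not is_rau_request(rec) or rec.get("cs-method") != "POST":
            continue
        entry = summary[rec["c-ip"]]
        entry["posts"] += 1
        entry["statuses"].add(rec.get("sc-status"))
        entry["user_agents"].add(rec.get("cs(User-Agent)"))
        ts = f"{rec['date']} {rec['time']}"
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_rau_activity(SAMPLE_LOG).items():
        print(ip, info["posts"], "POST(s)", sorted(info["user_agents"]),
              info["first_seen"], "->", info["last_seen"])
```

Every hit still needs triage, because legitimate uploads go through the same handler; what stands out in practice is a scripted user agent, an external source address, or a tight pair of POSTs (upload followed by trigger) from the same client.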

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

