U.S Federal Agency Hacked – Attackers Exploited Telerik Vulnerability in IIS Server
A joint operation conducted by DHS, FCEB, and CISA Identified multiple attempts of a cyber attack on the U.S. Government IIS Server by exploiting a .NET deserialization Telerik Vulnerability.
Multiple hackers group initiated this attack, including APT actors. The successful exploitation of the vulnerability lets attackers execute an arbitrary code remotely on the federal civilian executive branch (FCEB) agency network where the vulnerable Telerik user interface (UI) is presented in the IIS webserver.
FCEB agency has an appropriate plug-in to detect this vulnerability CVE-2019-18935. However, the detection failed due to the Telerik UI software being installed in a file path that doesn’t have access to scan and find the vulnerability.
How Does the Vulnerability Was Exploited
The attack was conducted from November 2022 through early January 2023, targeting the .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function, leading attackers to exploit the exposure when the encryption keys are known due to the presence of CVE-2017-11317.
FCEB agency’s Microsoft IIS server is configured with Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717), and the vulnerability, upon the successful remote code execution, lets attackers gain interactive access to the web server.
Through this logging, the malicious operator controlling the program can see what you're typing into your device, which gives them the potential to steal a lot of data.
Examples of well-known keyloggers include Spyrix, Ardamax, and, of course, Snake Keylogger.
Snake Keylogger is a modular malware program that was created using the .NET developer platform. It was first discovered in the wild in November 2020 and is known to steal credentials, clipboard data, and other kinds of information. Both individuals and organizations are at risk of being targeted by Snake Keylogger, which can be bought on malicious marketplaces, such as hacking forums.
Threat Actors Activities
CISA and the other joined agencies identified scanning & reconnaissance activities from multiple threat actors known as cybercriminal actor XE Group and the other group TA2. The successful attempt of scanning led to exploiting the vulnerability.
Once the vulnerability gets triggered and exploited, Threat actors upload malicious dynamic-link library (DLL) files to the
The files mimic PNG and are executed with the help of w3wp.exe process—a legitimate process that runs on IIS servers to handle requests sent to web servers and deliver content.
In this case, CISA observed that TA1 named XE Group, started their system enumeration beginning in August 2022 and they were able to upload malicious DLL files to the C:\Windows\Temp\ directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.
In order to minimize the threat of other attacks targeting this vulnerability, CISA, the FBI, and MS-ISAC recommend a number of mitigation measures:-
Malicious actors exploited a vulnerability in the Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch agency (FCEB) and were able to execute remote code on the server successfully.
As a result of this advisory, the CISA, FBI, and MS-ISAC encourage you to continuously test your security program in a production environment for optimum performance versus the MITRE ATT&CK techniques.
The information is provided solely for general informational and educational purposes and is not intended to be a substitute for professional advice. As a result, before acting on such information, we recommend that you consult with the appropriate professionals.