
U.S. Federal Agency Hacked

Source: Balaji N | Published on: Mar 17, 2023

U.S. Federal Agency Hacked – Attackers Exploited Telerik Vulnerability in IIS Server

A joint operation conducted by DHS, FCEB, and CISA identified multiple attempts to attack a U.S. Government IIS server by exploiting a .NET deserialization vulnerability in Telerik UI.

Multiple hacker groups, including APT actors, took part in this attack. Successful exploitation of the vulnerability lets attackers execute arbitrary code remotely on the federal civilian executive branch (FCEB) agency's network, on the IIS web server where the vulnerable Telerik user interface (UI) component is hosted.

The FCEB agency's vulnerability scanner had the appropriate plug-in to detect CVE-2019-18935. Detection nevertheless failed because the Telerik UI software was installed in a file path the scanner did not have access to, so it never scanned that location and never found the vulnerability.
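The scanner miss described above comes down to looking in the wrong place. The following is an added example, not code from the article or from CISA, of the inventory a defender would run instead: read every site's physical path from the IIS applicationHost.config rather than assuming a default location, find each Telerik.Web.UI.dll under those roots, and compare its build number against 2020.1.114, the first Telerik UI for ASP.NET AJAX build that contains the fix for CVE-2019-18935. The applicationHost.config fragment, the directory tree and the stub DLLs are all constructed here so the script runs offline; the version check is a heuristic that pulls the UTF-16 version string from the file, where a production scanner would parse the PE VERSIONINFO resource properly.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# First Telerik UI for ASP.NET AJAX build containing the CVE-2019-18935 fix.
FIXED_VERSION = (2020, 1, 114)

# Constructed applicationHost.config fragment. The real file lives under
# %SystemRoot%\System32\inetsrv\config; {root} is filled with a temp dir so
# the example runs on any OS (POSIX paths stand in for C:\... here).
SAMPLE_APPHOST = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="{root}/inetpub/wwwroot" />
        </application>
      </site>
      <site name="LegacyPortal" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="{root}/Apps/LegacyPortal" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# "YYYY.N.NNN[.N]" encoded as UTF-16LE, the way a PE VERSIONINFO resource stores it.
_VERSION_UTF16 = re.compile(
    rb"(?:[0-9]\x00){4}\.\x00(?:[0-9]\x00)+\.\x00(?:[0-9]\x00)+(?:\.\x00(?:[0-9]\x00)+)?"
)


def parse_version(text):
    """'2013.2.717' or '2013.2.717.0' -> (2013, 2, 717); None if not a Telerik-style version."""
    m = re.fullmatch(r"(\d{4})\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def site_physical_paths(apphost_xml):
    """Map each IIS site name to the physical paths of its virtual directories."""
    root = ET.fromstring(apphost_xml)
    return {
        site.get("name"): [vd.get("physicalPath") for vd in site.iter("virtualDirectory")]
        for site in root.iter("site")
    }


def assembly_version(dll_path):
    """Heuristic: first UTF-16 'YYYY.N.NNN' string in a PE file, or None."""
    with open(dll_path, "rb") as f:
        data = f.read()
    if not data.startswith(b"MZ"):
        return None
    m = _VERSION_UTF16.search(data)
    return m.group(0).decode("utf-16-le") if m else None


def find_telerik_installs(apphost_xml):
    """Walk every site root and report each Telerik.Web.UI.dll with its version
    and whether that version predates the CVE-2019-18935 fix."""
    findings = []
    for site, roots in site_physical_paths(apphost_xml).items():
        for root in roots:
            for dirpath, _dirs, files in os.walk(root):
                for name in files:
                    if name.lower() != "telerik.web.ui.dll":
                        continue
                    path = os.path.join(dirpath, name)
                    ver = assembly_version(path)
                    parsed = parse_version(ver) if ver else None
                    findings.append({
                        "site": site,
                        "path": path,
                        "version": ver,
                        "vulnerable": parsed is not None and parsed < FIXED_VERSION,
                    })
    return findings


def _stub_dll(version):
    """Constructed stand-in for a .NET assembly: MZ header plus a UTF-16 version string."""
    return (b"MZ" + b"\x00" * 62
            + "FileVersion\0".encode("utf-16-le")
            + (version + "\0").encode("utf-16-le"))


def build_sample_tree():
    """Create a temp tree with one patched site and one site on the advisory's build."""
    root = tempfile.mkdtemp(prefix="iis-sample-")
    layout = {
        "inetpub/wwwroot/bin": "2023.1.117",    # constructed post-fix build
        "Apps/LegacyPortal/bin": "2013.2.717",  # the build named in the advisory
    }
    for rel, ver in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        with open(os.path.join(d, "Telerik.Web.UI.dll"), "wb") as f:
            f.write(_stub_dll(ver))
    return root


def scan_sample():
    """Build the constructed tree and scan it; returns the findings list."""
    root = build_sample_tree()
    return find_telerik_installs(SAMPLE_APPHOST.format(root=root))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

The point of driving the walk from applicationHost.config is that a site deployed outside inetpub, as the LegacyPortal entry above is, gets checked along with the default root instead of being silently skipped.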


How the Vulnerability Was Exploited

The attack was conducted from November 2022 through early January 2023 and targeted the .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function. That vulnerability is exploitable when the encryption keys are known, which the presence of CVE-2017-11317 makes possible.

The FCEB agency's Microsoft IIS server was configured with Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717). Successful remote code execution through this vulnerability gives attackers interactive access to the web server.


Threat Actors Activities

CISA and the other joint agencies identified scanning and reconnaissance activity from multiple threat actors, including the cybercriminal group XE Group and a second group tracked as TA2. Successful scanning led on to exploitation of the vulnerability.

Once the vulnerability was triggered and exploited, the threat actors uploaded malicious dynamic-link library (DLL) files to the C:\Windows\Temp\ directory.

The files masquerade as PNG images and are executed by the w3wp.exe process, the legitimate IIS worker process that handles requests sent to the web server and delivers content.

In this case, CISA observed that TA1, identified as XE Group, began enumerating the system in August 2022; the group was able to upload malicious DLL files to the C:\Windows\Temp\ directory and then achieve remote code execution by running those DLL files via the w3wp.exe process.

CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.
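The DLL-disguised-as-PNG detail above is the kind of thing a file name check misses and a content check catches. The following is an added example, not code from the article or from CISA, that sweeps a directory (C:\Windows\Temp in the advisory; a constructed temp directory here) for files whose extension claims an image but whose bytes carry an MZ/PE header, and reports whether the COFF characteristics flag the file as a DLL. The sample files are constructed stubs: a real PNG, a minimal PE with the IMAGE_FILE_DLL bit set but named .png, a PE with a non-image name (out of scope for this check), and a truncated file.

```python
import os
import struct
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header


def inspect_header(data):
    """Classify a file by its leading bytes, ignoring its name.
    Returns {"png": bool, "pe": bool, "dll": bool}."""
    info = {"png": data.startswith(PNG_MAGIC), "pe": False, "dll": False}
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            info["pe"] = True
            # COFF header follows the signature; Characteristics is its last field.
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            info["dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def find_masquerading_pe(directory, head_bytes=4096):
    """Paths under directory whose extension says image but whose header says PE."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(head_bytes)  # headers sit at the start; no need to read the whole file
            info = inspect_header(head)
            if info["pe"]:
                suspicious.append({"path": path, "dll": info["dll"]})
    return suspicious


def _stub_pe_dll():
    """Constructed minimal PE: DOS header, e_lfanew=0x40, PE signature, COFF header
    with Characteristics = DLL | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    return dos + b"PE\0\0" + coff


def build_sample_temp():
    """Constructed stand-in for C:\\Windows\\Temp with benign and suspicious files."""
    d = tempfile.mkdtemp(prefix="temp-sweep-")
    samples = {
        "logo.png": PNG_MAGIC + b"\x00" * 32,   # genuine PNG
        "upload.png": _stub_pe_dll(),           # PE DLL hiding behind a .png name
        "helper.dll": _stub_pe_dll(),           # PE with an honest name; not an image claim
        "broken.png": b"MZ",                    # too short to be a PE
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


def sweep_sample():
    """Build the constructed directory and sweep it."""
    return find_masquerading_pe(build_sample_temp())


if __name__ == "__main__":
    for hit in sweep_sample():
        print(hit)
```

Pairing this sweep with process telemetry (which image w3wp.exe loaded, and from where) is what turns a suspicious file into a confirmed execution, but the content check alone already separates the disguised DLL from a real image.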



To minimize the threat of further attacks targeting this vulnerability, CISA, the FBI, and MS-ISAC recommend a number of mitigation measures:

  • After proper testing, upgrade all Telerik UI for ASP.NET AJAX instances to the latest version.
  • Monitor and analyze the activity logs generated by Microsoft IIS and remote PowerShell on these servers.
  • Keep the permissions granted to a service account at the minimum needed to run the service.
  • Remediate vulnerabilities on internet-exposed systems as soon as possible.
  • Implement a patch management solution so that systems stay current with security patches.
  • Configure vulnerability scanners to cover a comprehensive range of devices and locations.
  • Implement network segmentation to separate network segments according to user roles and functions.

In summary, malicious actors exploited a vulnerability in the Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch (FCEB) agency and were able to execute code remotely on the server.

Alongside this advisory, CISA, the FBI, and MS-ISAC encourage organizations to continuously test their security programs in a production environment against the MITRE ATT&CK techniques.
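The log-monitoring recommendation above, applied to the exploitation path described in the threat actor section: CVE-2019-18935 lives in the RadAsyncUpload handler, which IIS serves from Telerik.Web.UI.WebResource.axd with the query parameter type=rau, so POST requests to that handler are the first place to look in the W3C logs. The following is an added example, not code from the article or from CISA, that parses the standard IIS W3C extended log format (reading the field names from the #Fields header rather than hard-coding positions), flags RadAsyncUpload requests, and summarizes them per client IP with the status codes seen. The log lines are constructed; the addresses are documentation ranges.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt. IIS replaces spaces inside values with '+',
# so splitting on single spaces is safe for well-formed lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-11-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-11-10 03:12:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2022-11-10 03:12:30 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_sm&compress=1 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 9
2022-11-10 03:12:44 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 200 0 0 88
2022-11-10 03:12:45 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 500 0 0 1203
2022-11-10 03:13:02 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 4
"""

RAU_HANDLER = "telerik.web.ui.webresource.axd"


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field list can change mid-file after a log rollover
            continue
        if line.startswith("#"):
            continue                    # #Software / #Version / #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # truncated or malformed line; a real pipeline should count these
        yield dict(zip(fields, values))


def is_rau_request(rec):
    """True for a POST to the RadAsyncUpload handler (WebResource.axd?type=rau)."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith(RAU_HANDLER):
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":
        return False
    params = parse_qs(query.lower())
    return "rau" in params.get("type", [])


def find_rau_activity(lines):
    """Return (matching records, per-client summary) for RadAsyncUpload POSTs."""
    hits = [rec for rec in parse_w3c(lines) if is_rau_request(rec)]
    by_ip = {}
    for rec in hits:
        when = rec["date"] + " " + rec["time"]
        entry = by_ip.setdefault(rec["c-ip"], {"count": 0, "first": when, "last": when, "statuses": set()})
        entry["count"] += 1
        entry["last"] = when
        entry["statuses"].add(rec.get("sc-status", "?"))
    return hits, by_ip


if __name__ == "__main__":
    _, summary = find_rau_activity(SAMPLE_LOG.splitlines())
    for ip, info in summary.items():
        print(ip, info["count"], info["first"], info["last"], sorted(info["statuses"]))
```

A single RadAsyncUpload POST is normal on an application that uses the control; the signals worth escalating are POSTs from clients that never loaded the application's pages, unusual user agents, or a burst of requests followed by 500 responses, which is why the summary keeps the per-client timeline and status codes rather than just a count.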


The information is provided solely for general informational and educational purposes and is not intended to be a substitute for professional advice. As a result, before acting on such information, we recommend that you consult with the appropriate professionals.