A joint operation conducted by DHS, FCEB, and CISA identified multiple attempted cyberattacks on a U.S. Government IIS server that exploited a .NET deserialization vulnerability in Telerik UI.
Multiple hacker groups, including APT actors, carried out this attack. Successful exploitation of the vulnerability lets attackers execute arbitrary code remotely on the federal civilian executive branch (FCEB) agency network where the vulnerable Telerik user interface (UI) is exposed through the IIS web server.
The IOCs identified by the federal agencies relate to an exploit that targets Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114).
The attack was carried out from November 2022 through early January 2023 and targeted the .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function; exploitation is possible when the encryption keys are known, for example through the presence of CVE-2017-11317.
The FCEB agency's Microsoft IIS server was configured with Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717), and successful remote code execution through the vulnerability gave the attackers interactive access to the web server.
The FCEB agency had an appropriate scanner plug-in to detect CVE-2019-18935. However, detection failed because the Telerik UI software was installed in a file path that the scanner did not have access to scan.
CISA and the other authoring agencies identified scanning and reconnaissance activity from multiple threat actors, including the cybercriminal actor XE Group and a second group, TA2. The successful scanning led to exploitation of the vulnerability.
Once the vulnerability was triggered and exploited, the threat actors uploaded malicious dynamic-link library (DLL) files to the C:\Windows\Temp directory.
The files masquerade as PNG images and are executed by the w3wp.exe process, a legitimate process that runs on IIS servers to handle requests sent to the web server and deliver content.
“CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.”
In this case, CISA observed that TA1, named XE Group, started system enumeration beginning in August 2022; they were able to upload malicious DLL files to the C:\Windows\Temp directory and then achieve remote code execution by running the DLL files via the w3wp.exe process.
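An added detection example, not code from the advisory or this article: a Python check for files in a temp directory that carry a .png extension but actually begin with a valid PE (DLL/EXE) header, the masquerade described above. The directory, file names and sample bytes are constructed for the demo and stand in for C:\Windows\Temp.

```python
"""Spot DLL payloads dropped with a .png extension (constructed demo)."""
import struct
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # genuine PNG files start with this 8-byte signature


def is_pe_masquerading_as_png(path: Path) -> bool:
    """True if a .png-named file actually carries a valid PE (DLL/EXE) image."""
    data = path.read_bytes()
    if data.startswith(PNG_MAGIC) or not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_for_masqueraded_dlls(directory: Path) -> list[str]:
    """Return names of *.png files in `directory` whose content is a PE image."""
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and p.suffix.lower() == ".png"
                  and is_pe_masquerading_as_png(p))


def _fake_pe_bytes() -> bytes:
    """Constructed minimal PE header: 'MZ' stub with e_lfanew = 0x40 -> 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> list[str]:
    """Build a constructed sample directory (stand-in for C:\\Windows\\Temp) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "upload.png").write_bytes(_fake_pe_bytes())        # DLL renamed to .png
        (d / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)   # genuine PNG header
        (d / "trunc.png").write_bytes(b"MZ" + b"\x00" * 10)      # MZ but no PE header
        (d / "notes.txt").write_bytes(b"hello")                  # other extension, skipped
        return scan_for_masqueraded_dlls(d)


if __name__ == "__main__":
    print(demo())  # ['upload.png']
```

Pair a hit with process telemetry showing w3wp.exe loading a file from that directory to separate a dropped payload from a stray upload.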
CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.
In order to minimize the threat of other attacks targeting this vulnerability, CISA, the FBI, and MS-ISAC recommend a number of mitigation measures:
Malicious actors exploited a vulnerability in the Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch (FCEB) agency and successfully executed remote code on the server.
In the advisory, CISA, the FBI, and MS-ISAC encourage organizations to continuously test their security program in a production environment for optimum performance against the MITRE ATT&CK techniques described.