US-CERT- Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers

[Netwörkheäd]

Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers

[html]

SUMMARY

From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an advanced persistent threat (APT) actor, were able to exploit a .NET deserialization vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2019-18935" title="CVE-2019-18935">CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency's Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization" title="Allows JavaScriptSerializer Deserialization">1]

Update June 15, 2023:

As of April 2023, forensic analysis conducted at an additional FCEB agency identified exploitation of CVE-2017-9248 in the agency's IIS server by unattributed APT actors—specifically within the Telerik UI for ASP.NET AJAX DialogHandler component. This specific analysis is provided as context for existing vulnerabilities within Telerik UI for ASP.NET AJAX.

Update End

Actions to take today to mitigate malicious cyber activity:

• Implement a patch management solution to ensure compliance with the latest security patches.


• Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.


• Limit service accounts to the minimum permissions necessary to run services.

CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

   

    https://www.cisa.gov/sites/default/files/2023-06/aa23-074a-Threat%20Actors%20Exploit%20Progress%20Telerik%20Vulnerabilities%20in%20Multiple%20U.S.%20Government%20IIS%20Servers.pdf" class="c-file__link" target="_blank">Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers
    (PDF,       661.68 KB
  )
 

For a downloadable copy of IOCs, see below or the https://www.cisa.gov/sites/default/files/STIX/AA23-074A_Threat_Actors_Exploit_Progress_Telerik_Vulnerabilities_in_Multiple_US_Government_IIS_Servers.stix.json">JSON file.

   

    https://www.cisa.gov/sites/default/files/2023-03/aa23-074a.stix__0.xml" class="c-file__link" target="_blank">AA23-074A STIX XML
    (XML,       30.96 KB
  )
 

For copies of the Malware Analysis Reports (MARs) accompanying this CSA:

• https://www.cisa.gov/news-events/analysis-reports/ar23-074a">MAR-10413062-1.v1 CVE-2019-18935 Exploitation in U.S. Government IIS Server


• Update June 15, 2023: https://www.cisa.gov/news-events/analysis-reports/ar23-166a">MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server Update End

TECHNICAL DETAILS

Note: This advisory uses the https://attack.mitre.org/versions/v12/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.

Overview

CISA and authoring organizations