Monday, June 24, 2024

US Federal Agency Hacked By Exploiting Telerik Vulnerability in IIS Server

CISA, the FBI, and MS-ISAC have jointly published a public cybersecurity advisory (CSA) on the incident.

The advisory states that between November 2022 and early January 2023, attackers gained access to a US federal agency's Microsoft IIS server by exploiting a vulnerability in Progress Telerik UI for ASP.NET AJAX.

The joint CSA gives IT and infrastructure defenders the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) observed, so that they can detect and protect against similar, successful exploitation of CVE-2019-18935.

At least two threat actors exploited this Telerik UI vulnerability (CVE-2019-18935) to gain remote code execution on the unpatched server.

Threat Actor Activity

As part of the ongoing investigation, CISA and the co-authoring organizations identified multiple advanced persistent threat (APT) actors.

They include a group tracked as Threat Actor 1 (TA1) and XE Group, a group with a history of cybercrime activity.

While exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files to the directory C:\Windows\Temp\.

The files were named in Unix Epoch time format, using the date and time recorded on the target system itself (for example 1665130178.9134793.dll, as in the IOC list below), rather than with fixed, recognisable names.

Analysis of full packet capture data and reverse engineering of the malicious DLLs found no indication that the IIS worker process, w3wp.exe, spawned any other malicious processes or sub-processes, so process-creation telemetry alone would not have surfaced the activity.

CISA also observed error messages being sent to the threat actors' command-and-control (C2) server when permission restrictions prevented the service account from executing the malicious DLLs and creating new files, which is why the advisory stresses running the IIS service account with the minimum permissions needed.
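To turn the description above into something an analyst can actually run, here is an added example (not code from the advisory or from this article): a Python script that walks a directory the way one would walk C:\Windows\Temp on the affected host, flags files whose name follows the epoch-timestamp pattern the advisory describes, decodes that timestamp, and compares each file's SHA-256 against a subset of the hashes from the IOC list reproduced later on this page. The function names (hunt, classify, decode_epoch_name, build_sample_dir) are mine, and the sample directory the script builds for offline use is constructed with placeholder contents, so only the naming heuristic fires on it.

```python
"""Hunt for the artifact classes described in the advisory: DLLs (and the .png/.txt
variants in the IOC list) dropped with Unix-epoch names, and known IOC hashes.
Added example; not from the advisory or the article."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Subset of the SHA-256 values from the IOC list reproduced on this page.
IOC_SHA256 = {
    "707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b",  # 1665130178.9134793.dll
    "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730",  # 1665131078.6907752.dll
    "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d",  # 1665128935.8063045.dll
    "853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa",  # 1667466391.0658665.dll
    "72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911",  # 1594142927.995679.png
    "11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad",  # XEReverseShell.exe
}

# The actors named dropped files after the victim's clock as a Unix epoch with
# fractional seconds, e.g. 1665130178.9134793.dll.
EPOCH_NAME = re.compile(r"^(?P<epoch>\d{10})\.\d+\.(?P<ext>dll|png|txt)$", re.IGNORECASE)


def decode_epoch_name(name: str):
    """Return the UTC timestamp encoded in an epoch-style filename, or None."""
    m = EPOCH_NAME.match(name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path):
    """Return a finding dict for a suspicious file, or None if nothing matched."""
    reasons = []
    ts = decode_epoch_name(path.name)
    if ts is not None:
        reasons.append(f"epoch-named file (victim clock read {ts.isoformat()})")
    digest = sha256_of(path)
    if digest in IOC_SHA256:
        reasons.append("sha256 matches published IOC")
    if not reasons:
        return None
    return {"path": str(path), "name": path.name, "sha256": digest, "reasons": reasons}


def hunt(root) -> list:
    """Walk `root` (on the real host: C:\\Windows\\Temp) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_dir() -> str:
    """Constructed sample tree for offline use: two epoch-named files and one benign
    DLL. Contents are placeholders, so only the naming heuristic fires on them."""
    root = tempfile.mkdtemp(prefix="telerik-hunt-")
    for name, body in [
        ("1665130178.9134793.dll", b"MZ placeholder"),
        ("1594142927.995679.png", b"\x89PNG placeholder"),
        ("legit-module.dll", b"MZ placeholder"),
    ]:
        (Path(root) / name).write_bytes(body)
    return root


if __name__ == "__main__":
    for f in hunt(build_sample_dir()):
        print(f["name"], f["sha256"][:16], f["reasons"])
```

On a live host, point hunt() at C:\Windows\Temp and the web application's directories. Treat a name match as a lead and a hash match as confirmation, and read the decoded timestamp as the victim's clock at drop time, to be correlated with IIS log activity rather than compared with the advisory's dates alone.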

IIS server left exposed to attacks

CISA's Binding Operational Directive (BOD) 22-01, issued in November 2021, requires federal civilian agencies to remediate vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog by the due date assigned to each entry. The Progress Telerik UI vulnerability CVE-2019-18935 is in that catalog with a remediation due date of May 3, 2022.

The agency should therefore have patched its Microsoft IIS server by May 3, 2022. The IOCs associated with the breach show that it had not: the server was still running a vulnerable Telerik UI version when the intrusion began, months after the due date had passed.

Mitigations

To reduce the risk of further attacks against this vulnerability, CISA, the FBI, and MS-ISAC recommend the following mitigations:

  • Upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version after proper testing.
  • Monitor and analyze the activity logs generated by Microsoft IIS and by remote PowerShell.
  • Limit the permissions granted to service accounts to the minimum needed to run the service.
  • Prioritize remediation of vulnerabilities on internet-facing systems.
  • Implement a patch management solution so that systems stay current on security patches.
  • Configure vulnerability scanners to cover a comprehensive range of devices and locations.
  • Implement network segmentation to separate network segments according to role and function.
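As an added example of the "monitor and analyze IIS activity logs" item (my code, not from the advisory or this article), here is a small scanner for IIS W3C extended logs. It flags requests from the IP addresses in the IOC list reproduced on this page and, as a second heuristic, POSTs to Telerik's RadAsyncUpload handler, the endpoint that public CVE-2019-18935 write-ups describe exploit traffic going to; that endpoint detail is taken from those write-ups, not from this article. The log lines are constructed; the parse_w3c, flag_request and scan names are mine.

```python
"""Scan IIS W3C extended logs for requests worth a second look. Added example; not from
the advisory or the article."""

# IP addresses copied from the IOC list on this page (defanging removed).
IOC_IPS = {"137.184.130.162", "144.96.103.245", "184.168.104.171", "45.77.212.12"}

# Assumption (from public CVE-2019-18935 analyses, not this article): exploit traffic is an
# HTTP POST to this handler with type=rau in the query string. Legitimate applications that
# use RadAsyncUpload hit it too, so a match is a triage lead, not proof of compromise.
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"

# Constructed sample log in IIS W3C extended format. 45.77.212.12 and 137.184.130.162 are
# from the IOC list; 198.51.100.7 is a documentation-range stand-in for a normal client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-11-20 03:14:07
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-11-20 03:14:07 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 45.77.212.12 Mozilla/5.0 - 200 0 0 812
2022-11-20 03:14:09 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2022-11-20 03:15:01 10.0.0.5 GET /api/health - 443 - 137.184.130.162 curl/7.68.0 - 200 0 0 3
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields directive.
    IIS writes one space-separated record per line and uses '-' for empty fields."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_request(rec):
    """Return the reasons a record is worth a look (empty list if none)."""
    reasons = []
    if rec.get("c-ip") in IOC_IPS:
        reasons.append("client IP in advisory IOC list")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    if rec.get("cs-method") == "POST" and stem == TELERIK_HANDLER and "type=rau" in query:
        reasons.append("POST to Telerik RadAsyncUpload handler")
    return reasons


def scan(lines):
    """Run flag_request over every record and return the flagged ones in log order."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = flag_request(rec)
        if reasons:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "request": f"{rec['cs-method']} {rec['cs-uri-stem']}",
                "status": rec["sc-status"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it the files under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles) rather than the embedded sample, and pair a RadAsyncUpload hit that returned 200 with the epoch-named files in C:\Windows\Temp around the same time; that correlation is what turns a lead into an incident.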

In short, malicious actors exploited a vulnerability in a Telerik UI component running on the Microsoft Internet Information Services (IIS) web server of a federal civilian executive branch (FCEB) agency and achieved remote code execution on the server.

CISA, the FBI, and MS-ISAC also encourage organizations to continually test their security program in a production environment against the MITRE ATT&CK techniques mapped in the advisory.

Indicators of Compromise

  • 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd (1597974061[.]4531896[.]png)
  • 144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d (1666006114[.]5570521[.]txt)
  • 508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370 (xesmartshell[.]tmp)
  • 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b (1665130178[.]9134793[.]dll)
  • 72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911 (1594142927[.]995679[.]png)
  • 74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730 (1665131078[.]6907752[.]dll)
  • 78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933 (1596686310[.]434117[.]png)
  • 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d (1665128935[.]8063045[.]dll)
  • 853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa (1667466391[.]0658665[.]dll)
  • 8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505 (1596923477[.]4946315[.]png)
  • a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b (1665909724[.]4648924[.]dll)
  • b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f (1665129315[.]9536858[.]dll)
  • d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35 (1667465147[.]4282858[.]dll)
  • d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2 (SortVistaCompat)
  • dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f (1665214140[.]9324195[.]dll)
  • e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913 (1667465048[.]8995082[.]dll)
  • e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a (1596835329[.]5015914[.]png)
  • f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4 (1665132690[.]6040645[.]dll)

Additional Files
  • 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (small[.]aspx)
  • 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad (XEReverseShell[.]exe)
  • 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)
  • 5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (small[.]txt)
  • 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f (XEReverseShell[.]exe)
  • a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c (Multi-OS_ReverseShell[.]exe)

Domains
  • hivnd[.]com
  • xegroups[.]com
  • xework[.]com

IPs
  • 137[.]184[.]130[.]162
  • 144[.]96[.]103[.]245
  • 184[.]168[.]104[.]171
  • 45[.]77[.]212[.]12

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.