U.S Federal Agency Hacked – Attackers Exploited Telerik Vulnerability in IIS Server

A joint operation conducted by DHS, FCEB, and CISA Identified multiple attempts of a cyber attack on the U.S. Government IIS Server by exploiting a .NET deserialization Telerik Vulnerability.

Multiple hackers group initiated this attack, including APT actors. The successful exploitation of the vulnerability lets attackers execute an arbitrary code remotely on the federal civilian executive branch (FCEB) agency network where the vulnerable Telerik user interface (UI) is presented in the IIS webserver.

The IOC identified by the federal agencies belongs to the exploit that triggers the Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114).

How Does the Vulnerability Was Exploited

The attack was conducted from November 2022 through early January 2023, targeting the .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function, leading attackers to exploit the exposure when the encryption keys are known due to the presence of CVE-2017-11317.

FCEB agency’s Microsoft IIS server is configured with Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717), and the vulnerability, upon the successful remote code execution, lets attackers gain interactive access to the web server.

FCEB agency has an appropriate plug-in to detect this vulnerability CVE-2019-18935. However, the detection failed due to the Telerik UI software being installed in a file path that doesn’t have access to scan and find the vulnerability.

Threat Actors Activities

CISA and the other joined agencies identified scanning & reconnaissance activities from multiple threat actors known as cybercriminal actor XE Group and the other group TA2. The successful attempt of scanning led to exploiting the vulnerability.

Once the vulnerability gets triggered and exploited, Threat actors upload malicious dynamic-link library (DLL) files to the C:WindowsTemp directory.

The files mimic PNG and are executed with the help of w3wp.exe process—a legitimate process that runs on IIS servers to handle requests sent to web servers and deliver content.

“CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.”

In this case, CISA observed that TA1 named XE Group, started their system enumeration beginning in August 2022 and they were able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.

CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.

Mitigations

In order to minimize the threat of other attacks targeting this vulnerability, CISA, the FBI, and MS-ISAC recommend a number of mitigation measures:-

• After proper testing of all Telerik UI ASP.NET AJAX instances, you should upgrade all instances to the latest version.
• Using Microsoft IIS and remote PowerShell, monitor and analyze activity logs generated by these servers.
• The permissions that can be granted to a service account should be kept at a minimum in order to run the service.
• It is imperative that vulnerabilities on systems that are exposed to the internet are remedied as soon as possible.
• Implementing a patch management solution is an efficient and effective way to ensure that your systems are always up-to-date in terms of security patches.
• It is very important to ensure that vulnerability scanners are configured in such a way as to cover a comprehensive range of devices and locations.
• In order to separate network segments according to a user’s role and function, network segmentation should be implemented.

Malicious actors exploited a vulnerability in the Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch agency (FCEB) and were able to execute remote code on the server successfully.

As a result of this advisory, the CISA, FBI, and MS-ISAC encourage you to continuously test your security program in a production environment for optimum performance versus the MITRE ATT&CK techniques.

Indicators of Compromise

• 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd (1597974061[.]4531896[.]png)
• 144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d (1666006114[.]5570521[.]txt)
• 508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370 (xesmartshell[.]tmp)
• 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b (1665130178[.]9134793[.]dll)
• 72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911 (1594142927[.]995679[.]png)
• 74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730 (1665131078[.]6907752[.]dll)
• 78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933 (1596686310[.]434117[.]png)
• 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d (1665128935[.]8063045[.]dll)
• 853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa (1667466391[.]0658665[.]dll)
• 8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505 (1596923477[.]4946315[.]png)
• a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b (1665909724[.]4648924[.]dll)
• b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f (1665129315[.]9536858[.]dll)
• d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35 (1667465147[.]4282858[.]dll)
• d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2 (SortVistaCompat)
• dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f (1665214140[.]9324195[.]dll)
• e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913 (1667465048[.]8995082[.]dll)
• e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a (1596835329[.]5015914[.]png)
• f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4 (1665132690[.]6040645[.]dll)

Additional Files

• 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (small[.]aspx)
• 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad (XEReverseShell[.]exe)
• 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)
• 5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (small[.]txt)
• 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f (XEReverseShell[.]exe)
• a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c (Multi-OS_ReverseShell[.]exe)

Domains

• hivnd[.]com
• xegroups[.]com
• xework[.]com

IPs

• 137[.]184[.]130[.]162
• 144[.]96[.]103[.]245
• 184[.]168[.]104[.]171
• 45[.]77[.]212[.]12

Findings

144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d

Network Security Checklist – Download Free E-Book