At a glance.
- Telerik exploited, for carding (probably) and other purposes.
- Cloud storage re-up attacks.
- Cybercriminals use new measures to avoid detection of phishing campaigns.
- Don't fear the Reaper.
- "Winter Vivern" seems aligned with Russian objectives.
- Microsoft warns of a possible surge in Russian cyber operations.
- Boss Sandworm.
Telerik exploited, for carding (probably) and other purposes.
Multiple threat actors, including at least one APT group, were able to compromise a US Federal civilian agency via a known Progress Telerik vulnerability in an IIS server, according to a joint advisory released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The advisory notes that the vulnerability allowed the attackers to execute code on the agency’s web server:
“CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”
CISA notes that a nation-state actor and a cybercriminal group both exploited the vulnerability. CyberScoop says the criminal gang, known as “XE Group,” is known for card skimming. For more on Telerik exploitation, see CyberWire Pro.
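The detail worth acting on in the advisory quoted above is that the agency's scanner had the right plugin but never looked at the directory where Telerik UI actually lived. The script below is an added example (not code from CISA, Telerik or the CyberWire) of the defender-side check that closes that gap: it walks whatever roots you give it, finds every Telerik.Web.UI.dll regardless of path, pulls the ProductVersion string out of the DLL's PE version resource with a byte-level regex, and flags anything older than the fixed release. Assumptions: the fixed-version cutoff of 2020.1.114 (R1 2020) is taken from the vendor fix for CVE-2019-18935 and should be confirmed against Telerik's guidance; the sample DLLs written by `make_sample_dll` are constructed stand-ins containing only the version-resource fragment, not real PE files; and the regex reads just the one string-table entry rather than parsing the full resource tree.

```python
"""Locate Telerik.Web.UI.dll anywhere on a host and flag versions affected by
CVE-2019-18935, without assuming a default IIS install path.

Added example; not code from CISA, Telerik or the CyberWire. The fixed-version
cutoff is an assumption noted below; verify it against vendor guidance.
"""
import os
import re
import tempfile

TARGET_NAME = "telerik.web.ui.dll"
# Assumption: R1 2020 (2020.1.114) is the first release carrying the fix for
# CVE-2019-18935; anything older is treated as affected.
FIXED_VERSION = (2020, 1, 114)

# PE version resources store string-table entries as a UTF-16LE key
# ("ProductVersion\0"), an optional 2-byte alignment pad, then the UTF-16LE value.
_PRODUCT_VERSION_RE = re.compile(
    "ProductVersion".encode("utf-16-le") + b"\x00\x00"  # key and its terminator
    + b"(?:\x00\x00)?"                                  # optional DWORD alignment pad
    + b"((?:[0-9.]\x00)+)"                              # digits and dots in UTF-16LE
)


def version_from_bytes(data):
    """Return the ProductVersion string found in raw DLL bytes, or None."""
    m = _PRODUCT_VERSION_RE.search(data)
    return m.group(1).decode("utf-16-le") if m else None


def product_version(path):
    """Read a DLL from disk and extract its ProductVersion string."""
    with open(path, "rb") as fh:
        return version_from_bytes(fh.read())


def parse_version(text):
    """'2013.2.717' -> (2013, 2, 717); None if any component is not numeric."""
    parts = text.strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text):
    """True when the parsed version predates FIXED_VERSION; None if unparseable."""
    parsed = parse_version(version_text)
    return None if parsed is None else parsed < FIXED_VERSION


def find_telerik(roots):
    """Walk every root and report each Telerik.Web.UI.dll found, wherever it lives."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET_NAME:
                    continue
                path = os.path.join(dirpath, name)
                ver = product_version(path)
                findings.append({
                    "path": path,
                    "version": ver,
                    "vulnerable": is_vulnerable(ver) if ver else None,
                })
    return findings


def make_sample_dll(dirpath, version):
    """Write a constructed stand-in for Telerik.Web.UI.dll (not a real PE file):
    junk bytes plus a ProductVersion entry shaped like the real resource."""
    os.makedirs(dirpath, exist_ok=True)
    path = os.path.join(dirpath, "Telerik.Web.UI.dll")
    blob = (b"MZ" + b"\x00" * 62
            + "ProductVersion".encode("utf-16-le") + b"\x00\x00"
            + version.encode("utf-16-le") + b"\x00\x00")
    with open(path, "wb") as fh:
        fh.write(blob)
    return path


def demo():
    """Build a throwaway tree with two installs outside any default web root
    (constructed paths), scan it from the top, and return the findings."""
    with tempfile.TemporaryDirectory() as top:
        make_sample_dll(os.path.join(top, "Data", "LegacyPortal", "bin"), "2013.2.717")
        make_sample_dll(os.path.join(top, "Apps", "Intranet", "bin"), "2020.1.114")
        with open(os.path.join(top, "Apps", "Intranet", "bin", "Other.dll"), "wb") as fh:
            fh.write(b"MZ\x00")  # decoy: wrong file name, must be ignored
        return sorted(find_telerik([top]), key=lambda f: f["version"])


if __name__ == "__main__":
    for f in demo():
        status = "AFFECTED" if f["vulnerable"] else "ok"
        print(f"{status:8} {f['version']:<12} {f['path']}")
```

On a production IIS host, pass every drive that can hold web content to `find_telerik` rather than just the default web root; that is the whole point of the exercise. The same sweep in native Windows tooling is `Get-ChildItem -Recurse -Filter Telerik.Web.UI.dll` and reading each file's `VersionInfo.ProductVersion`, which avoids the regex shortcut used here for portability.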