CISA Alert AA23-074A – Threat actors exploit progress telerik vulnerability in U.S. government IIS server.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Seven Four Alpha.

Original release date: March 15th, 2023.

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers.

From November 2022 through early January 2023, CISA identified IOCs at a federal civilian executive branch agency. Analysts determined that multiple cyber threat actors, including an APT actor and a known cybercriminal group, were able to exploit a .NET deserialization vulnerability located in the agency’s Microsoft Internet Information Services web server. Successful exploitation of this vulnerability allows for remote code execution.

When exploiting the vulnerability, the threat actors uploaded malicious DLL files, some masqueraded as PNG files, to the Temp directory. The malicious files were then executed from the directory via a legitimate process that runs on IIS servers. The review of antivirus logs identified that some DLL files were created and detected as early as August 2021.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar exploitation. The alert documentation linked in the show notes includes additional technical details, IOCs, malicious actor TTPs, recovery guidance, mitigations, and response recommendations. Google’s Threat Analysis group contributed to this advisory.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.