Criminals and nation-state actors exploit a vulnerability that was disclosed and patched three years ago.
Telerik vulnerability exploited.
Multiple threat actors, including at least one APT group, were able to compromise a US Federal civilian agency via a known Progress Telerik vulnerability in an IIS server, according to a joint advisory released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Vulnerability scanner failed to detect flaw.
The advisory notes that the vulnerability allowed the attackers to execute code on the agency’s web server:
“CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”
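The advisory's root cause for the missed detection is a scanner plugin that only looks in the paths where Telerik UI is usually installed. The following is an added example, not code from CISA or the advisory: it walks an entire directory tree for any copy of Telerik.Web.UI.dll, reads each copy's FileVersion with a byte-level heuristic on the PE version resource (so it runs offline on any OS; on Windows, `(Get-Item $path).VersionInfo.FileVersion` is the authoritative source), and compares it with a first-fixed build. The file name, the sample directory layout, and the `FIRST_FIXED_VERSION` threshold are assumptions to confirm against the vendor advisory; only version 2013.2.717 comes from the advisory text above.

```python
"""Find every Telerik.Web.UI.dll under a root, whatever path it was installed in,
and read its FileVersion. Added example, not code from the CISA advisory."""
import os
import re
import tempfile

TARGET_NAME = "telerik.web.ui.dll"

# UTF-16LE bytes of the "FileVersion" key inside the StringFileInfo block.
_FILEVERSION_KEY = "FileVersion".encode("utf-16-le")

# Assumption, not from the article: first Telerik build not affected by
# CVE-2019-18935. Confirm against the vendor advisory before relying on it.
FIRST_FIXED_VERSION = (2020, 1, 114)


def find_telerik_dlls(root):
    """Every file named Telerik.Web.UI.dll (case-insensitive) anywhere under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_NAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def read_file_version(path):
    """Heuristic: find the UTF-16LE 'FileVersion' key and return the UTF-16LE
    string that follows it (for example '2013.2.717.40'); None if absent."""
    with open(path, "rb") as fh:
        data = fh.read()
    idx = data.find(_FILEVERSION_KEY)
    if idx < 0:
        return None
    pos = idx + len(_FILEVERSION_KEY)
    # Skip the key's NUL terminator and the 16-bit padding words before the value.
    while pos + 1 < len(data) and data[pos] == 0 and data[pos + 1] == 0:
        pos += 2
    end = pos
    while end + 1 < len(data) and not (data[end] == 0 and data[end + 1] == 0):
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace") or None


def parse_version(text):
    """'2013.2.717' or '2013.2.717.40' -> (2013, 2, 717) for ordering; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text):
    """Classify a FileVersion string against the assumed first-fixed build."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"
    return "vulnerable" if v < FIRST_FIXED_VERSION else "patched"


def inventory(root):
    """(path, FileVersion, status) for every Telerik.Web.UI.dll under root."""
    rows = []
    for path in find_telerik_dlls(root):
        ver = read_file_version(path)
        rows.append((path, ver, assess(ver)))
    return rows


def build_sample_tree(version="2013.2.717"):
    """Constructed test fixture: a fake DLL carrying only a version-resource
    fragment, placed in a non-default directory that a web-root-only scan skips."""
    root = tempfile.mkdtemp(prefix="telerik-inventory-")
    odd_dir = os.path.join(root, "apps", "legacy-portal", "lib")
    os.makedirs(odd_dir)
    blob = (b"MZ" + b"\x00" * 64                      # not a real PE header
            + _FILEVERSION_KEY + b"\x00\x00"          # key + NUL terminator
            + b"\x00\x00"                             # 32-bit alignment padding
            + version.encode("utf-16-le") + b"\x00\x00")
    with open(os.path.join(odd_dir, "Telerik.Web.UI.dll"), "wb") as fh:
        fh.write(blob)
    return root


if __name__ == "__main__":
    for path, ver, status in inventory(build_sample_tree()):
        print(f"{status:16} {ver or '?':14} {path}")
```

Run it against a real server by calling `inventory()` on each drive root rather than the IIS web root; the point of the walk is that it does not presume an install path, so a copy sitting beside an old application or in a vendor-named folder is reported alongside the expected ones.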
The advisory notes that a nation-state actor and a cybercriminal group both exploited the vulnerability. CyberScoop says the criminal gang, known as “XE Group,” is known for card skimming.
Dror Liwer, co-founder of cybersecurity company Coro, stated:
“Known vulnerabilities are the low-hanging fruit in the attackers’ universe. They represent an easy, well-documented entry point that does not require social engineering, strong technical skills, or active monitoring. Keeping up with known vulnerabilities across all assets is a daunting task, and it is all too common for organizations to overlook an update, or skip an update for operational reasons. There is no easy fix. Vulnerability management must be an integral part of any cybersecurity program, as tedious and laborious as it may be.”
(Added, 11:00 PM ET, March 16th, 2023. Shlomie Liberow, Principal Hacker Research & Development, Community at HackerOne, wrote to explain that exploitation of old vulnerabilities left unpatched is actually common. “Years-old software vulnerabilities aren’t as uncommon as you’d think and pose a real risk. A vulnerability like this really highlights the limitations of scanners. Having encountered and exploited this particular bug in the past, there are a couple of tricky edge cases that explain why it was not found immediately,” Liberow wrote. “The file upload can land in different system locations depending on the target, which makes escalation harder. Most significantly, there are gaps in common scanner tools that led to this vulnerability being missed in the case of this government agency. Another barrier to exploitation is that it requires setting the specific version of the impacted software, which is not always clear. This can sometimes lead to no clear proof of concept. As a result, it is not seen as a high priority. However, threat actors aren’t just relying on tools. They’re using human intelligence to try everything to exploit this vulnerability, and so the only way to match this level of skill is to engage ethical hackers to test on your behalf. Following the initial release of the patch, ethical hackers reported three different cases of this vulnerability to the U.S. Department of Defense that were subsequently fixed.”
Anand Revashetti, CTO and co-founder of Lineaje, contextualized the attack. “This latest incident is a great illustration of how attacks can happen in the software supply chain. Despite the vulnerability being years old and already disclosed, an unnamed government agency was still able to be infiltrated by multiple threat groups via CVE-2019-18935,” Revashetti wrote. The incident also highlighted the limitations of vulnerability scanning. “Vulnerability scanners have inherent limitations, as evidenced by this breach. To help supplement these gaps, organizations must look at their supply chain software bills of materials (SBOMs), which enable discovery of vulnerabilities through a simple search. Modern supply chain software tools provide the ability to look inside a software, irrespective of the deployment topology of software in organizations.” The exploitation is an object lesson in knowing one’s own systems and networks thoroughly. “For software producers and consumers, this incident should serve as a reminder that even known and disclosed vulnerabilities can be missed — which is why it is so important to know exactly what’s in your software. This knowledge not only helps discover risks, but to be more proactive in mediating the threats they impose. It’s critical to have solutions that help companies analyze the software supply chain and avoid deployment of unknown or potentially harmful components hidden in legitimate software.”
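The “simple search” of an SBOM that Revashetti describes, as an added example that is not code from the article, from CISA, or from Lineaje: a small CycloneDX-style SBOM is constructed inline, and the search walks every component, including components nested inside an application entry, so a vulnerable library is found wherever it is packaged rather than only where it is installed. The application name, the other libraries, the nested layout and the `FIRST_FIXED_VERSION` threshold are assumptions; only version 2013.2.717 comes from the advisory.

```python
"""Search an SBOM for a known-vulnerable component, independent of deployment path.
Added example; not code from the article, CISA, or Lineaje."""
import json
import re

# Constructed CycloneDX-style SBOM. Only the version 2013.2.717 comes from the
# advisory; the application name, other components and the patched copy are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "agency-portal", "version": "4.2.0",
         "components": [
             {"type": "library", "name": "Telerik.Web.UI", "version": "2013.2.717",
              "purl": "pkg:nuget/Telerik.Web.UI@2013.2.717"},
             {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.1"},
         ]},
        {"type": "library", "name": "Telerik.Web.UI", "version": "2020.1.114"},
    ],
})

# Assumption, not from the article: first build unaffected by CVE-2019-18935.
# Confirm against the vendor advisory before relying on it.
FIRST_FIXED_VERSION = (2020, 1, 114)


def parse_version(text):
    """'2013.2.717' -> (2013, 2, 717) for ordering; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def iter_components(components, path=()):
    """Depth-first walk that also descends into nested 'components' lists."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def find_component(sbom_text, name, first_fixed=FIRST_FIXED_VERSION):
    """Every occurrence of `name` in the SBOM, with its location in the tree
    and a status derived from its version."""
    sbom = json.loads(sbom_text)
    findings = []
    for path, comp in iter_components(sbom.get("components", [])):
        if comp.get("name", "").lower() != name.lower():
            continue
        v = parse_version(comp.get("version"))
        if v is None:
            status = "unknown-version"
        elif v < first_fixed:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": "/".join(path),
                         "version": comp.get("version"),
                         "status": status})
    return findings


if __name__ == "__main__":
    for f in find_component(SAMPLE_SBOM, "Telerik.Web.UI"):
        print(f"{f['status']:16} {f['version']:12} {f['path']}")
```

The `path` field is what makes the SBOM search complementary to a host scan: it names the application that carries the old library, which is the thing that has to be rebuilt or retired, whereas a filesystem hit only tells you which server currently has the DLL on disk.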