Recent disclosures reveal that a critical vulnerability in Progress Telerik has been exploited by multiple attackers, including state-sponsored groups, to infiltrate an undisclosed federal agency in the United States. According to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), this security flaw, which has been present for three years, enabled malicious actors to execute remote code on the agency’s Microsoft Internet Information Services (IIS) web server.

The vulnerability, tracked as CVE-2019-18935, scored 9.8 on the CVSS scale and pertains to a .NET deserialization flaw affecting Progress Telerik UI for ASP.NET AJAX. If left unaddressed, this vulnerability poses a significant risk, as it could allow for remote code execution by attackers seeking unauthorized access to systems. Evidence suggests that this exploitation occurred between November 2022 and early January 2023.

CISA further emphasized the urgency of addressing CVE-2019-18935, noting that it is among the most frequently exploited vulnerabilities, particularly within the context of attacks orchestrated by groups like Praying Mantis. This particular actor has previously utilized both CVE-2019-18935 and CVE-2017-11317 in targeted intrusions against U.S. public and private organizations.

In incidents recorded against the targeted federal agency, threat actors reportedly exploited the vulnerability to upload malicious DLL files disguised as PNG images through the w3wp.exe process, aiming to execute harmful payloads. These compromised DLLs not only gathered system data but also facilitated the loading of additional libraries, file enumeration, and the exfiltration of sensitive information.
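A defender-side check for the masquerade described above, as an added example that is not part of the advisory: it walks an upload directory (the path is an assumption) and flags any file with an image extension whose bytes begin with a Windows PE header, reporting whether the image is a DLL or an EXE; the sample files are constructed inline.

```python
"""Added example (not from the advisory): flag files whose extension says
"image" but whose bytes say "Windows PE", the masquerade described above."""
import os
import struct
import tempfile
from typing import List, Optional, Tuple

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def classify_pe(data: bytes) -> Optional[str]:
    """Return "dll", "exe" or None depending on whether `data` is a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last WORD.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_masquerading_pe(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (e.g. an IIS upload directory, assumed path) and list
    (path, kind) for image-named files that actually carry a PE header."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify_pe(fh.read(4096))  # headers sit in the first bytes
            if kind:
                hits.append((path, kind))
    return sorted(hits)


def fake_pe(dll: bool) -> bytes:
    """Constructed minimal PE: a DOS header whose e_lfanew points at a COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    flags = IMAGE_FILE_DLL if dll else 0x0002  # 0x0002 = EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff


def demo() -> List[Tuple[str, str]]:
    """Write constructed samples to a temp directory and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "logo.png": PNG_MAGIC + b"\0" * 64,  # genuine image, must be ignored
        "upload1.png": fake_pe(dll=True),    # DLL masquerading as a PNG
        "upload2.jpg": fake_pe(dll=False),   # EXE masquerading as a JPEG
        "plugin.dll": fake_pe(dll=True),     # honest extension, out of scope here
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [(os.path.basename(p), k) for p, k in find_masquerading_pe(root)]
```

Run `demo()` to see the two masquerading files reported; the genuine PNG and the honestly named DLL are not listed.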

Analysts have also noted another series of attacks linked to the XE Group, which employed sophisticated evasion techniques to bypass detection measures. The DLLs deployed during these events executed reverse shell utilities that maintained unencrypted communications with command-and-control domains, thereby allowing attackers to deliver additional malicious payloads, including an ASPX web shell for persistent access.

The web shell provided attackers with capabilities including file management and the execution of incoming commands, significantly enhancing their control over the compromised systems. To mitigate the risks posed by such exploitation, organizations should upgrade their Telerik UI for ASP.NET AJAX instances to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication on high-privilege accounts.

In light of these developments, businesses must remain vigilant to the evolving threat landscape, ensuring they are equipped to identify and respond to similar vulnerabilities proactively. With the potential for extensive operational impact, cybersecurity measures must prioritize understanding the tactics and techniques highlighted in the MITRE ATT&CK framework, thereby reinforcing the defenses against sophisticated adversaries targeting critical infrastructure.