Threat actors exploited a three-year-old Progress Telerik UI flaw to compromise a server at a federal civilian executive branch agency, CISA said in a joint security advisory Wednesday.
Multiple threat actors, including an advanced persistent threat (APT), compromised a Microsoft Internet Information Services (IIS) web server belonging to an unnamed federal civilian executive branch (FCEB) agency. The advisory was authored by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) and includes extensive technical details as well as indicators of compromise.
Authoring organizations assessed that threat actors successfully exploited CVE-2019-18935, a critical .NET deserialization vulnerability first disclosed in December 2019 that affects certain instances of user interface development tool Progress Telerik UI for ASP.NET AJAX. The advisory said the threat activity within the FCEB began as early as November 2022 and until January 2023. Exploitation of the flaw can result in remote code execution, which CISA said occurred on the vulnerable server.
Two threat actors were noted in the advisory's reporting, an unnamed APT group and a second threat actor suspected to be XE Group, a known cybercrime gang that had previously targeted Telerik UI vulnerabilities.
CISA said the central flaw was likely chained with other Telerik UI vulnerabilities on the IIS server -- CVE-2017-11357 and CVE-2017-11317 -- though forensic analysis was unable to conclusively determine which of the two was used or even if they were used at all.
The advisory noted that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935; the agency's instance was version 2013.2.717.
"Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan," the advisory said. "This may be the case for many software installations, as file paths widely vary depending on the organization and installation method."
Similarly the 2017 Equifax breach occurred in part due to a vulnerability scan for a critical Apache Struts flaw missing an older system, which was later compromised by threat actors.
CISA, the FBI and MS-ISAC recommended organizations utilize central log collection and monitoring as well as implement process monitoring to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935.
Progress CISO Richard Barretto told TechTarget Editorial in an email that "the security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades." He also shared a link to the flaw's dedicated article on Progress' knowledge base.
"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered," Barretto said. "Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status."
CISA has not responded to TechTarget Editorial's request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.