Tuesday, May 21, 2024

Hackers Used a 3-Year-Old Vulnerability to Breach US Federal Agency

A vulnerability that was discovered three years ago has been exploited by various threat actors, including a nation-state group, to breach an unnamed federal agency in the United States. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently disclosed the issue, revealing that the vulnerability allowed malicious actors to execute code remotely on the federal agency’s Microsoft Internet Information Services (IIS) web server.

The vulnerability, tracked as CVE-2019-18935, is a .NET deserialization flaw affecting Progress Telerik UI for ASP.NET AJAX and has a CVSS score of 9.8. The Praying Mantis (aka TG2021) threat actor has been found to weaponize this vulnerability along with CVE-2017-11317 to infiltrate the networks of public and private U.S. organizations.

In August 2022, threat actors used the vulnerability to upload malicious DLL files disguised as PNG images via the w3wp.exe process. Analysis showed that the DLL artifacts were used for gathering system information, loading additional libraries, enumerating files and processes, and exfiltrating data to a remote server.

The attackers also executed a shell utility to enable unencrypted communications with a command-and-control domain and to facilitate the dropping of additional payloads, including an ASPX web shell for persistent backdoor access. The web shell can receive, send, and delete files and execute incoming commands, and it provides an interface for browsing files and directories. It also allows easy upload and download of files from known and unknown directories.

To mitigate the issue, organizations are advised to upgrade the Telerik UI ASP.NET AJAX instance, ensure network segmentation, and encourage the use of phishing-resistant multi-factor authentication for accounts.
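Defenders can sweep for the artifact described above, DLLs stored under image file extensions, by checking file content instead of file names. The following is an added example, not code from the advisory or this article; the function names, the extension list, and the sample files are assumptions constructed for illustration.

```python
import os
import struct
import tempfile
from pathlib import Path

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data begins with a valid PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)  # Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"


def scan(root: str):
    """List (relative path, kind) for image-named files whose content is a PE."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    kind = pe_kind(fh.read(4096))
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


def constructed_pe(flags: int) -> bytes:
    """Constructed sample: a bare DOS + COFF header, not a loadable binary."""
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        Path(tmp, "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))
        Path(tmp, "fake.png").write_bytes(constructed_pe(IMAGE_FILE_DLL))
        print(scan(tmp))  # [('fake.png', 'dll')]
```

Run `scan()` over web server upload and temporary directories; a hit is a lead for triage, not proof of compromise.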
