Multiple criminals, including at least one nation-state group, have broken into a US federal government agency’s Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to remotely execute code.
The snafu took place between November 2022 and early January, according to a joint alert from the FBI, CISA and the US Multi-State Information Sharing and Analysis Center (MS-ISAC) this week.
The FBI became aware of the break-in after seeing warning signs at a federal civilian executive branch (FCEB) agency, the advisory said. It did not name the agency.
“Analysts determined that multiple cyberthreat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, which is located in the agency’s Microsoft Internet Information Services (IIS) web server,” the joint advisory said.
Serialization is the process of converting a data structure in memory into a sequence of bytes for storage or transmission. Deserialization reverses this and turns a data stream back into an object in memory.
Deserialization vulnerabilities affect multiple programming languages and applications, and, as Mandiant explains, are essentially the “result of applications placing too much trust in data for a user (or attacker) to tamper with.”
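The following is an added example written for this page, not code from the advisory, Mandiant or Telerik. It shows the general .NET pattern behind this class of bug in miniature, using the .NET Framework `JavaScriptSerializer`: a serializer configured with `SimpleTypeResolver` lets the `__type` field inside the payload name the class to instantiate, so the choice of type is made by whoever controls the bytes. The hardened form below uses a resolver that only knows a fixed allowlist. The `UploadConfig` type, the resolver class and the sample payloads are all assumptions constructed for the illustration.

```csharp
// Added example, not from the advisory or Telerik. Requires a reference to
// System.Web.Extensions (.NET Framework).
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization;

// Hypothetical: the only type this endpoint is meant to receive.
public class UploadConfig
{
    public string TargetFolder { get; set; }
    public int MaxFileSize { get; set; }
}

// Hardened form: a type resolver that maps a fixed allowlist of short ids
// to known types. Any other "__type" value in untrusted input is rejected
// before anything is instantiated.
public class AllowlistTypeResolver : JavaScriptTypeResolver
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { "UploadConfig", typeof(UploadConfig) },
    };

    public override Type ResolveType(string id)
    {
        Type t;
        if (Allowed.TryGetValue(id, out t)) return t;
        throw new InvalidOperationException("Unexpected __type in untrusted input: " + id);
    }

    public override string ResolveTypeId(Type type)
    {
        foreach (var kv in Allowed)
            if (kv.Value == type) return kv.Key;
        throw new InvalidOperationException("Type not in allowlist: " + type.FullName);
    }
}

public static class Demo
{
    // Weak setting (kept as a comment, not something to ship): with
    // SimpleTypeResolver the payload's "__type" field can name any loadable
    // type, so the input decides which class gets constructed.
    // static readonly JavaScriptSerializer Weak =
    //     new JavaScriptSerializer(new SimpleTypeResolver());

    // Corrected setting: the resolver only knows the one type we expect.
    static readonly JavaScriptSerializer Safe =
        new JavaScriptSerializer(new AllowlistTypeResolver());

    public static void Main()
    {
        // Constructed sample payloads for the demo (not from the advisory).
        string expected = "{\"__type\":\"UploadConfig\",\"TargetFolder\":\"uploads\",\"MaxFileSize\":1024}";
        string tampered = "{\"__type\":\"Some.Unexpected.Type\",\"Capacity\":16}";

        var cfg = (UploadConfig)Safe.DeserializeObject(expected);
        Console.WriteLine("accepted: " + cfg.TargetFolder + " / " + cfg.MaxFileSize);

        try
        {
            Safe.DeserializeObject(tampered);
            Console.WriteLine("unexpected: tampered payload was accepted");
        }
        catch (Exception e) // the resolver's exception surfaces from DeserializeObject
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The simplest safe configuration is often no type resolver at all (`new JavaScriptSerializer()` ignores `__type`) combined with `Deserialize<UploadConfig>(json)`, so the receiving type is fixed in code rather than read from the wire. The allowlist resolver is for the case where a small set of polymorphic types genuinely must be supported.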
This particular Telerik bug, which received a CVSS severity score of 9.8 out of 10, was first discovered in 2019 and is particularly popular with Beijing-backed criminals. In 2020, it made the list of the top 25 computer security vulnerabilities that Chinese government hackers use to break into networks and steal data.
So while the FBI doesn’t identify the Advanced Persistent Threat (APT) player in their alert, we’d bet it’s one of President Xi Jinping’s cyber-goon squads. And it’s clear that someone in the federal government didn’t get the memo about applying security solutions in a timely manner.
According to the advisory, only Telerik UI for ASP.NET AJAX builds prior to R1 2020 (2020.1.114) are vulnerable. And in a separate malware analysis, CISA identified malicious files and other indicators of an attack.
In addition, the cybersecurity agency suggests that organizations stay on top of patching to ensure their software is up to date, and limit permissions to the minimum necessary to run services.
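Because the advisory gives a clear boundary (builds prior to R1 2020, version 2020.1.114, are vulnerable), a defender's first question is which copies of `Telerik.Web.UI.dll` on a web server predate that build. The following is an added example, not CISA's or Telerik's tooling: it walks a web root, reads each assembly's file version and compares it against the fixed build. The default path `C:\inetpub\wwwroot` and the assumption that Telerik ships the version in the file's version resource are assumptions for the illustration.

```csharp
// Added example, not from the advisory or Telerik. Compile as a console app
// on the IIS host (or any machine with a copy of the web root).
using System;
using System.Diagnostics;
using System.IO;

public static class TelerikVersionCheck
{
    // First build the advisory names as not vulnerable: R1 2020 (2020.1.114).
    public static readonly Version FixedBuild = new Version(2020, 1, 114);

    // True when the version string belongs to a build before the fix.
    // Versions like "2019.3.1023.45" or "2020.1.114.0" parse with System.Version.
    public static bool IsVulnerable(string fileVersion)
    {
        Version v;
        if (!Version.TryParse(fileVersion, out v))
            throw new FormatException("Unrecognised version string: " + fileVersion);
        return v < FixedBuild;
    }

    // Reports every Telerik.Web.UI.dll under the given web root.
    public static void Scan(string webRoot)
    {
        foreach (var dll in Directory.EnumerateFiles(webRoot, "Telerik.Web.UI.dll", SearchOption.AllDirectories))
        {
            var info = FileVersionInfo.GetVersionInfo(dll);
            string ver = info.FileVersion ?? "";
            string verdict;
            try
            {
                verdict = IsVulnerable(ver) ? "VULNERABLE (pre-R1 2020)" : "patched build";
            }
            catch (FormatException)
            {
                verdict = "unknown version, inspect manually";
            }
            Console.WriteLine(dll + " -> " + ver + " : " + verdict);
        }
    }

    public static void Main(string[] args)
    {
        // Assumed default IIS web root; pass another path as the first argument.
        Scan(args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot");
    }
}
```

A version below the threshold means the server needs patching; it does not by itself show that the server was attacked, and a version above it does not rule out an earlier intrusion. Pair the check with the malicious files and other indicators that CISA published in its separate analysis, and remember that the assembly may also be installed in the GAC rather than a site's `bin` folder.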
The latest security alert follows a string of high-profile US government intrusions and data thefts. Last week, the FBI said it was investigating a breach of DC Health Care Link servers in which scammers stole the personal information of members of Congress and their staff.
DC Health Link is the online marketplace for the Affordable Care Act that manages health care plans for members of Congress, their families, and staff. Some of that stolen data is now being offered for sale on dark web forums.
And in late February, the US Marshals Service admitted that a “major” breach of its information security mechanisms led to a ransomware infection and exfiltration of “law enforcement sensitive information.” ®