Several criminals, including at least one nation-state group, broke into a US federal agency’s Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik flaw to achieve remote code execution.
The snafu occurred between November 2022 and early January, according to a joint alert this week from the FBI, CISA and America’s Multi-State Information Sharing and Analysis Center (MS-ISAC).
The Feds became aware of the intrusion after spotting warning signs at a civilian federal executive agency, the advisory said. The advisory does not name the agency.
“Analysts determined that multiple cyberthreat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in the Progress Telerik user interface (UI) for ASP.NET AJAX, which is located on the agency’s Microsoft Internet Information Services (IIS) web server,” says the joint report.
Serialization is the process of converting a data structure in memory into a series of bytes for storage or transmission. Deserialization reverses this, turning a stream of data back into an object in memory.
Deserialization vulnerabilities affect multiple programming languages and applications and, as Mandiant explains, are essentially the “result of applications placing too much reliance on data for a user (or attacker) to manipulate”.
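The root cause Mandiant describes is a deserializer that lets the incoming data decide which type gets constructed. As an added illustration that is not part of the original article and has nothing to do with Telerik's own code, the following Python snippet shows the defensive pattern in miniature: a JSON-based loader that only instantiates types from an explicit allowlist, checks that the supplied fields match the type's declared fields, and refuses anything else. The `Point` and `Tag` classes, the `__type__` tag convention and the sample documents are all constructed for the example.

```python
"""Allowlist-based object deserialization (constructed example).

Formats that embed the class to build in the stream (Python's pickle,
.NET formatters that honour type names in the payload) let an attacker
choose what gets constructed. The loader below keeps the type decision
on the server side: the data may only name types in ALLOWED_TYPES, and
only with exactly the fields those types declare.
"""
import json
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Point:
    x: float
    y: float


@dataclass(frozen=True)
class Tag:
    name: str


# The only types that untrusted input is permitted to instantiate.
ALLOWED_TYPES = {"Point": Point, "Tag": Tag}


class UnsafeTypeError(ValueError):
    """Raised when input names a type or field we did not agree to build."""


def _object_hook(obj: dict):
    """Called by json.loads for every decoded JSON object (innermost first)."""
    type_name = obj.get("__type__")
    if type_name is None:
        return obj  # plain dict, no type requested
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None:
        raise UnsafeTypeError(f"refusing to instantiate {type_name!r}")
    supplied = {k: v for k, v in obj.items() if k != "__type__"}
    declared = {f.name: f.type for f in fields(cls)}
    # Exactly the declared fields: nothing missing, nothing smuggled in.
    if set(supplied) != set(declared):
        raise UnsafeTypeError(f"field mismatch for {type_name!r}: {sorted(supplied)}")
    for name, value in supplied.items():
        expected = declared[name]
        ok = isinstance(value, expected) or (expected is float and isinstance(value, int))
        if not ok or isinstance(value, bool):
            raise UnsafeTypeError(f"bad value for {type_name}.{name}: {value!r}")
    return cls(**supplied)


def safe_loads(text: str):
    """Deserialize JSON text, constructing only allowlisted types."""
    return json.loads(text, object_hook=_object_hook)


def rejects(text: str) -> bool:
    """True if safe_loads refuses the document (used for the checks below)."""
    try:
        safe_loads(text)
    except UnsafeTypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample documents: one legitimate, three hostile.
    print(safe_loads('{"__type__": "Point", "x": 1, "y": 2.5}'))
    print(rejects('{"__type__": "NotAllowedType", "cmd": "anything"}'))  # unknown type
    print(rejects('{"__type__": "Tag", "name": "a", "extra": 1}'))       # smuggled field
    print(rejects('{"__type__": "Tag", "name": 5}'))                      # wrong field type
```

The point of the allowlist is that the server, not the payload, owns the mapping from a type name to a constructor; the same idea applies in .NET, where the fix is to stop honouring arbitrary type names from the request and to bind only to a fixed set of expected types.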
This particular Telerik bug, which received a CVSS severity score of 9.8 out of 10, was first discovered in 2019 and is particularly popular with Beijing-backed criminals. In 2020, it was included in the list of top 25 computer vulnerabilities used by Chinese government hackers to penetrate networks and steal data.
Although the Feds don’t identify the Advanced Persistent Threat (APT) player in their alert, we’d bet it’s one of President Xi Jinping’s Cyber-Goon squads. And it’s clear that someone in the federal government didn’t get the memo about the timely application of security fixes.
According to the advisory, only Telerik UI for ASP.NET AJAX builds prior to R1 2020 (2020.1.114) are vulnerable. And in a separate malware analysis, CISA identified malicious files and other indicators of compromise.
In addition, the cybersecurity agency suggests that companies stay on top of patching to ensure their software is up to date and limit permissions to the minimum required to run services.
The latest security alert follows a string of high-profile intrusions and data thefts at the US government. Last week, the FBI said it was investigating a breach of servers operated by DC Health Link in which crooks stole the personal information of members of Congress and their employees.
DC Health Link is the online marketplace for the Affordable Care Act, which manages health care plans for congressmen and their families and employees. Some of this stolen data is now for sale on dark web forums.
And in late February, the US Marshals Service acknowledged that a “serious” breach of its information security defenses led to ransomware infection and exfiltration of “sensitive law enforcement information.” ®