U.S. Federal Agency Hacked – Attackers Exploited Telerik Vulnerability in IIS Server
A joint advisory from CISA, the FBI, and MS-ISAC identified multiple attempts to attack a U.S. government agency's IIS server by exploiting a .NET deserialization vulnerability in Telerik UI.
Multiple threat actors, including an APT actor, carried out this attack. Successful exploitation of the vulnerability lets attackers execute arbitrary code remotely on the Federal Civilian Executive Branch (FCEB) agency's network, on the IIS web server that hosts the vulnerable Telerik user interface (UI).
The indicators of compromise identified by the federal agencies belong to an exploit for Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114), which are the versions affected by this vulnerability.
How the Vulnerability Was Exploited
The attack was carried out from November 2022 through early January 2023 and targeted the .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function. Exploitation requires the attacker to know the RadAsyncUpload encryption keys, which they were able to obtain because of the presence of CVE-2017-11317.
The FCEB agency's Microsoft IIS server was running Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717). Successful remote code execution through this vulnerability gives attackers interactive access to the web server.
The FCEB agency's vulnerability scanner had the appropriate plug-in to detect CVE-2019-18935. Detection nonetheless failed because the Telerik UI software was installed in a file path that the scanner does not typically scan, so it never saw the vulnerable component.
Threat Actor Activities
CISA and the other authoring agencies identified scanning and reconnaissance activity from multiple threat actors, the cybercriminal actor XE Group (tracked as TA1) and a second group tracked as TA2. The successful scanning led to exploitation of the vulnerability.
Once the vulnerability is exploited, the threat actors upload malicious dynamic-link library (DLL) files to the C:\Windows\Temp\ directory. Some of the files masquerade as PNG images, and they are executed via the w3wp.exe process, a legitimate process that runs on IIS servers to handle requests sent to the web server and deliver content.
“CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.”
In this case, CISA observed that TA1, XE Group, began its enumeration in August 2022. The group was able to upload malicious DLL files to the C:\Windows\Temp\ directory and then achieve remote code execution by running those DLLs through the w3wp.exe process.
CISA obtained 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.
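The behaviours described in this section (epoch-timestamp file names in C:\Windows\Temp\, DLLs masquerading as PNGs, w3wp.exe loading those DLLs, and the published SHA-256 hashes) are cheap to turn into a host triage check. The script below is an added example written for this page, not code from CISA, the advisory, or the article. It only relies on what the write-up states; the directory listing and image-load records it scans are constructed sample data with a shape chosen for the example, so on a real host you would read C:\Windows\Temp\ and map your EDR or Sysmon image-load fields onto the same dict keys.

```python
import hashlib
import re
from datetime import datetime, timezone

# SHA-256 values copied from the indicator list later in this write-up.
IOC_SHA256 = {
    "707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b",  # 1665130178.9134793.dll
    "b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f",  # 1665129315.9536858.dll
    "11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd",  # 1597974061.4531896.png
}

# The naming convention described above: a Unix epoch time with a fractional
# part, then .dll/.png/.txt, dropped in C:\Windows\Temp\ (e.g. 1665129315.9536858.dll).
DROP_NAME = re.compile(r"^(?P<epoch>\d{10}\.\d+)\.(?P<ext>dll|png|txt)$", re.IGNORECASE)
TEMP_DIR = r"c:\windows\temp"


def epoch_name_timestamp(filename):
    """Decode the UTC time embedded in an epoch-style filename; None if no match."""
    m = DROP_NAME.match(filename)
    if m is None:
        return None
    return datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc)


def looks_like_pe(data):
    """PE images start with the 'MZ' DOS stub; a genuine PNG starts with \\x89PNG."""
    return data[:2] == b"MZ"


def triage_temp_listing(listing, iocs=IOC_SHA256):
    """listing maps filename -> file bytes (built inline below; on a real host
    you would read the files from C:\\Windows\\Temp\\).
    Returns [(filename, [reasons, ...])] for every file worth a closer look."""
    findings = []
    for name, data in listing.items():
        reasons = []
        ts = epoch_name_timestamp(name)
        if ts is not None:
            reasons.append(f"epoch-style name, encodes {ts:%Y-%m-%d %H:%M:%S} UTC")
        if name.lower().endswith(".png") and looks_like_pe(data):
            reasons.append("PNG extension but PE (MZ) header")
        if hashlib.sha256(data).hexdigest() in iocs:
            reasons.append("SHA-256 matches a published IOC")
        if reasons:
            findings.append((name, reasons))
    return findings


def w3wp_temp_image_loads(events):
    """events: image-load records as {'process': path, 'image': path} dicts.
    This record shape is an assumption of the example; map your EDR or Sysmon
    image-load fields onto it. Flags DLLs that w3wp.exe loaded from Temp."""
    return [
        e for e in events
        if e["process"].lower().endswith("\\w3wp.exe")
        and e["image"].lower().startswith(TEMP_DIR + "\\")
    ]


# Constructed sample data for the demo; none of it comes from the incident.
SAMPLE_LISTING = {
    "1665129315.9536858.dll": b"MZ" + b"\x90" * 62,  # epoch-style name, PE header
    "1596686310.434117.png": b"MZ" + b"\x00" * 30,   # PE disguised as a PNG
    "wct1234.tmp": b"\x00" * 16,                     # ordinary temp file, ignored
}

SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Temp\1665129315.9536858.dll"},
    {"process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
]

if __name__ == "__main__":
    for name, reasons in triage_temp_listing(SAMPLE_LISTING):
        print(f"{name}: " + "; ".join(reasons))
    for e in w3wp_temp_image_loads(SAMPLE_EVENTS):
        print("w3wp.exe loaded", e["image"])
```

Two points about how it is used. The hash match is the weakest signal, since a recompiled DLL changes its hash while the naming convention and the w3wp.exe load from Temp survive; treat the name and loader checks as the hunt and the hash list as confirmation. Decoding the epoch in a file name gives the moment the actor's tooling generated the name, which is useful to line up against the known timeline, but it is not the file's creation time on disk, so compare it with the NTFS timestamps rather than replacing them.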
Mitigations
To reduce the risk of further attacks targeting this vulnerability, CISA, the FBI, and MS-ISAC recommend the following mitigation measures:
- After appropriate testing, upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version.
- Monitor and analyze the activity logs generated by Microsoft IIS and remote PowerShell.
- Keep the permissions granted to service accounts at the minimum required to run the service.
- Remediate vulnerabilities on internet-facing systems as soon as possible.
- Implement a patch management solution to ensure systems are consistently kept up to date with security patches.
- Ensure vulnerability scanners are configured to cover a comprehensive range of devices and locations, including non-default installation paths, since in this case the scanner missed a vulnerable component installed outside the paths it scans.
- Implement network segmentation to separate network segments based on role and functionality.
Malicious actors exploited a vulnerability in the Microsoft Internet Information Services (IIS) web server used by a Federal Civilian Executive Branch (FCEB) agency and were able to successfully execute remote code on the server.
In light of this advisory, CISA, the FBI, and MS-ISAC encourage you to continually test your security program in a production environment against the MITRE ATT&CK techniques described here.
Indicators of Compromise
- 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd (1597974061[.]4531896[.]png)
- 144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d (1666006114[.]5570521[.]txt)
- 508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370 (xesmartshell[.]tmp)
- 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b (1665130178[.]9134793[.]dll)
- 72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911 (1594142927[.]995679[.]png)
- 74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730 (1665131078[.]6907752[.]dll)
- 78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933 (1596686310[.]434117[.]png)
- 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d (1665128935[.]8063045[.]dll)
- 853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa (1667466391[.]0658665[.]dll)
- 8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505 (1596923477[.]4946315[.]png)
- a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b (1665909724[.]4648924[.]dll)
- b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f (1665129315[.]9536858[.]dll)
- d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35 (1667465147[.]4282858[.]dll)
- d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2 (SortVistaCompat)
- dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f (1665214140[.]9324195[.]dll)
- e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913 (1667465048[.]8995082[.]dll)
- e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a (1596835329[.]5015914[.]png)
- f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4 (1665132690[.]6040645[.]dll)
Additional Files
- 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (shrimp[.]aspx)
- 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad (XEReverseShell[.]exe)
- 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)
- 5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (shrimp[.]txt)
- 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f (XEReverseShell[.]exe)
- a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c (Multi-OS_ReverseShell[.]exe)
Domains
- hivnd[.]com
- xegroups[.]com
- xework[.]com
IPs
- 137[.]184[.]130[.]162
- 144[.]96[.]103[.]245
- 184[.]168[.]104[.]171
- 45[.]77[.]212[.]12
Source credit : cybersecuritynews.com