Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.
The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Threat actors are said to have leveraged the flaw to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe process.
The DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.
Another set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, entailed the use of aforementioned evasion techniques to sidestep detection.
The web shell is equipped to “enumerate drives; to send, receive, and delete files; and to execute incoming commands” and “contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.”
To counter such attacks, it’s recommended that organizations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.
Source: https://thehackernews.com/