Multiple intruders, including what may be at least one nation-state group, broke into a US federal government agency’s Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution.
The snafu happened between November 2022 and early January 2023, according to a joint alert from the FBI, CISA, and America’s Multi-State Information Sharing and Analysis Center (MS-ISAC) this week.
The Feds became aware of the intrusion after spotting warning signs at a federal civilian executive branch agency, the advisory said. It did not name the federal agency.
“Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server,” the joint advisory said.
Serialization is the process of turning a data structure in memory into a series of bytes for storage or transmission. Deserialization reverses this and turns a data stream back into an object in memory.
Deserialization vulnerabilities affect multiple programming languages and applications, and, as Mandiant explains, are essentially the “result of applications placing too much trust in data that a user (or attacker) can tamper with.”
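To make the Mandiant point concrete, here is the same "trust the byte stream" mistake that CVE-2019-18935 exploits in .NET, shown with Python's pickle so it runs anywhere. This is an added example, not code from the advisory, Telerik or Mandiant; the eval-based gadget, the allowlist and the sample blobs are constructed for illustration, and the hardened loader (a `RestrictedUnpickler`) is the generic mitigation for any deserializer that resolves arbitrary types named in attacker-controlled data.

```python
# Added example: the deserialization trust problem behind CVE-2019-18935,
# demonstrated in Python's pickle rather than .NET. Not code from the advisory
# or from Telerik; gadget, allowlist and sample blobs are constructed.
import importlib
import io
import os
import pickle


class Exploit:
    """Whatever object the attacker serialises; only its __reduce__ matters.

    pickle records the callable and arguments returned here, and the
    *receiving* side calls them during load. A real gadget chain would
    name something like os.system; builtins.eval is enough to prove the point.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def craft_malicious_blob() -> bytes:
    # Built offline by the attacker. The stream names builtins.eval plus a
    # source string; the server never needs the Exploit class to exist.
    return pickle.dumps(Exploit())


def craft_benign_blob() -> bytes:
    # What a legitimate client would send (constructed sample): containers and scalars.
    return pickle.dumps({"user": "alice", "roles": ["reader"], "page": 2})


def vulnerable_load(blob: bytes):
    # Equivalent of the vulnerable handler's mistake: deserialise first, ask questions later.
    # pickle resolves every global named in the stream and calls it during load.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuse to resolve any global the stream names unless allowlisted."""

    # Extension point for types a data-only protocol genuinely needs. Note that
    # dict/list/str/int are emitted as opcodes and never reach find_class, so a
    # purely data-shaped payload loads fine even with an empty allowlist.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted data"
        )


def hardened_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects(blob: bytes) -> bool:
    """True if the hardened loader refused the stream."""
    try:
        hardened_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def attacker_code_ran(result) -> bool:
    # The gadget evaluates os.getpid() inside the victim process, so a matching
    # pid proves attacker-chosen code executed during deserialisation.
    return result == os.getpid()


if __name__ == "__main__":
    blob = craft_malicious_blob()
    print("vulnerable loader ran attacker code:", attacker_code_ran(vulnerable_load(blob)))
    print("hardened loader rejected it:", rejects(blob))
    print("hardened loader still accepts benign data:", hardened_load(craft_benign_blob()))
```

The lesson carries over to .NET: a deserializer that will instantiate any type named in the input is remote code execution waiting for a gadget chain, and the fix is either a type allowlist enforced by the deserializer or, better, a data-only format such as JSON with explicit schema validation.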
This particular Telerik bug, which carries a 9.8 out of 10 CVSS severity score, was disclosed in 2019 and is especially popular with Beijing-backed attackers. In 2020 it made the NSA’s list of the top 25 vulnerabilities Chinese government hackers were exploiting to break into networks and steal data.
So although the Feds don’t identify the advanced persistent threat (APT) player in their alert, we’d be willing to bet it’s one of President Xi Jinping’s cyber-goon squads. And it’s clear someone in the federal government didn’t get the memo about applying security fixes in a timely manner.
According to the advisory, only Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable. And in a separate malware analysis, CISA identified malicious files and other indicators of compromise.
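The practical check that follows from the advisory is an inventory: find every Telerik.Web.UI.dll under your IIS sites and compare its file version against the 2020.1.114 cutoff. The triage script below is an added example, not from the advisory; the inventory lines are constructed, and in practice they come from whatever tool you use to enumerate site bin folders. Telerik version strings are year.release.build, and the build field is a date-like number (for example 1023 for 23 October), so the comparison has to be numeric rather than string-wise.

```python
# Added example (not from the advisory): triage an inventory of
# Telerik.Web.UI.dll file versions against the R1 2020 (2020.1.114) cutoff.
from typing import List, Tuple

FIXED_BUILD = (2020, 1, 114)  # first build the advisory says is not vulnerable


def parse_telerik_version(text: str) -> Tuple[int, int, int]:
    """'2019.3.1023' -> (2019, 3, 1023).

    The third field is a date-ish number, so '1023' and '117' must be
    compared as integers; string ordering would put 1023 before 117.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Telerik version: {text!r}")
    year, release, build = (int(p) for p in parts)
    return (year, release, build)


def is_vulnerable_build(text: str) -> bool:
    return parse_telerik_version(text) < FIXED_BUILD


def triage(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Each line: '<host>\\t<path to Telerik.Web.UI.dll>\\t<file version>'.

    Returns (host, path, version) for every DLL on a vulnerable build.
    """
    hits = []
    for line in inventory:
        host, path, version = line.rstrip("\n").split("\t")
        if is_vulnerable_build(version):
            hits.append((host, path, version))
    return hits


# Constructed sample inventory; hostnames, paths and versions are illustrative.
SAMPLE_INVENTORY = [
    "web01\tC:\\inetpub\\wwwroot\\portal\\bin\\Telerik.Web.UI.dll\t2019.3.1023",
    "web02\tC:\\inetpub\\wwwroot\\intranet\\bin\\Telerik.Web.UI.dll\t2020.1.219",
    "web03\tD:\\sites\\legacy\\bin\\Telerik.Web.UI.dll\t2013.1.220",
]

if __name__ == "__main__":
    for host, path, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {path} is {version}, upgrade to 2020.1.114 or later")
```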
Additionally, the cybersecurity agency suggests organizations stay on top of patching to ensure their software is up to date, and limit the permissions of service accounts to the minimum necessary to run those services.
The latest security alert follows a series of high-profile US government break-ins and data thefts. Last week, the FBI said it was investigating a breach of servers run by DC Health Link during which crooks stole personal information belonging to members of Congress and their staff.
DC Health Link is the online marketplace for the Affordable Care Act that administers the healthcare plans for members of Congress as well as their family and staff. Some of that stolen data is now being offered for sale on dark web forums.
And in late February, the US Marshals Service admitted a “major” breach of its information security defenses led to a ransomware infection and exfiltration of “law-enforcement sensitive information.” ®