The Cybersecurity and Infrastructure Security Agency (CISA) said on March 15 that multiple attackers compromised a system at one unnamed Federal civilian executive branch (FCEB) agency between November 2022 and January 2023, and issued an advisory urging other organizations to check for and mitigate the same vulnerability.
CISA said in the advisory that “beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server.”
“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” the advisory says.
“Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan,” the advisory says. “This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”
The advisory does not specify what damage the attack caused, if any. It does say that “multiple threat actors, including an APT [Advanced Persistent Threat] actor,” were able to exploit the vulnerability.
“According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit,” the advisory says.
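The path-independent check that the scanner failure quoted above calls for, using the version boundary Progress gives, as an added PowerShell example that is not part of this article or of the CISA advisory. It assumes it is run with administrative rights on the IIS host, that Telerik UI for ASP.NET AJAX ships its runtime as Telerik.Web.UI.dll, and that the DLL's file version resource carries the Telerik build number (for example 2013.2.717.45, the build named in the advisory with a .NET-target suffix):

```powershell
# Added example (not from the CISA advisory): enumerate every Telerik.Web.UI.dll
# on every local filesystem drive, regardless of where the application was
# installed, and flag builds older than R1 2020 (2020.1.114), the first build
# Progress reports as not vulnerable to CVE-2019-18935.
# Assumption: the DLL's FileVersion string is the Telerik build number.

$FixedBuild = [version]'2020.1.114'

function Find-TelerikUI {
    param(
        # Roots to walk. Default is every local filesystem drive, so that
        # non-standard install paths (the situation in the advisory) are covered
        # along with the usual C:\inetpub and the GAC under C:\Windows.
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
                $build = $null
                if ($info.FileVersion) {
                    # [version] handles 3- and 4-part strings; 2013.2.717.45 -lt 2020.1.114 is $true,
                    # 2020.1.114.45 -lt 2020.1.114 is $false.
                    try { $build = [version]$info.FileVersion } catch { $build = $null }
                }
                if ($null -ne $build) { $vuln = $build -lt $FixedBuild } else { $vuln = 'unknown' }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Build      = $build
                    Vulnerable = $vuln
                }
            }
    }
}

# Print vulnerable copies first; an empty table means no Telerik.Web.UI.dll was found.
Find-TelerikUI | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

A copy reported as `unknown` has no parseable version resource and should be checked by hand rather than assumed safe. Because the walk is by file name and not by expected install path, it also catches a second, forgotten copy of the assembly sitting beside an old application, which is the kind of install a path-based scanner plugin misses.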
The advisory was issued by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) “to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.”