CISA Alert: 4-Year-Old Software Bug Exploited at US Agency
Progress Telerik UI's .NET Vulnerability Could Lead to Remote Code Execution
Hackers from multiple threat groups, including an unnamed advanced persistent threat group, exploited a 4-year-old software vulnerability left unpatched at a U.S. government agency, America's top cybersecurity agency disclosed.
Hackers were able to successfully execute remote code, the Cybersecurity and Infrastructure Security Agency said Wednesday.
Agency scanning failed to detect the unpatched system since the vulnerable software was located on "a file path it does not typically scan."
Security researchers disclosed the vulnerability, tracked as CVE-2019-18935, in 2019. It resides in a widely used suite of user interface components made by Progress Telerik for Microsoft's ASP.NET AJAX framework.
CISA declined to identify the hacked organization beyond saying it is a federal civilian executive branch agency that was compromised between November 2022 and early January 2023.
The CVSS score for the vulnerability is 9.8, or critical, because of the potential for remote code execution. Progress Software, which bought Telerik in 2014, could not immediately be reached for comment by Information Security Media Group on Thursday. CISA recommends organizations using the old software implement the latest security patches, validate output from patch management and vulnerability scanning against running services, and "limit service accounts to the minimum permissions necessary to run services."
David Lindner, CISO at Contrast Security, recommended another step: "At this point, if you haven’t patched your systems of this vulnerability or the Telerik vulnerability from 2017, your only option is to utilize runtime protection to protect you from attacks and exploits."
"Runtime application self-protection can prevent many different types of deserialization issues and successful exploits, especially in cases like this specific Telerik vulnerability," Lindner said. "I would recommend finding a RASP product that protects you from deserialization attacks and then work on upgrading your systems to a nonvulnerable version of Telerik."
CISA says as early as 2021, threat actors uploaded malicious DLL files, including some masquerading as PNG files, to the C:\Windows\Temp directory. The files were then executed from the C:\Windows\Temp directory via the w3wp.exe process, "a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content."
In many cases, CISA says, signs of the malware were difficult to find because the malware looks for and removes files with the .dll file extension from the Windows Temp directory, covering its own tracks.
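The file and process pattern CISA describes gives a defender something concrete to hunt for. The following Python script is an added example, not code from CISA, Progress or the article. It models a simplified, constructed Sysmon-style event stream (IDs 7, 11 and 23 for image load, file create and file delete; the `parent_image` field is an assumption of this sample schema, not a real Sysmon field on ID 23) and a constructed stand-in for the Temp directory, then flags the three behaviours named above: the IIS worker writing an "image" into Temp, the worker loading a module from Temp, and a .dll being deleted from Temp under the worker. Every path, file name and event in it is made up.

```python
"""Hunt for the post-exploitation pattern CISA describes for CVE-2019-18935:
PE files dropped into the Windows Temp directory under an image extension,
loaded by the IIS worker process, and .dll files later removed from Temp.

Added example, not from the advisory or the article. The event schema is a
constructed simplification of Sysmon (7 = ImageLoad, 11 = FileCreate,
23 = FileDelete); the "parent_image" field is an assumption of this sample."""
import tempfile
from pathlib import Path, PureWindowsPath

WINDOWS_TEMP = "c:\\windows\\temp"          # compared case-insensitively
IIS_WORKER = "w3wp.exe"
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PE_MAGIC = b"MZ"                            # DOS header of every PE/.NET DLL


def in_windows_temp(path: str) -> bool:
    """True if path lies anywhere under C:\\Windows\\Temp, ignoring case."""
    return str(PureWindowsPath(path)).lower().startswith(WINDOWS_TEMP + "\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def suffix(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def triage_events(events):
    """Return (rule_name, event) pairs for events matching the pattern."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        # Rule 1: the IIS worker loads a module from Temp, whatever the extension.
        if ev["id"] == 7 and img == IIS_WORKER and in_windows_temp(ev["loaded"]):
            findings.append(("w3wp_loads_module_from_temp", ev))
        # Rule 2: the worker writes an "image" into Temp (an upload handler runs
        # inside w3wp.exe, so the attacker's upload shows up as a w3wp.exe write).
        elif (ev["id"] == 11 and img == IIS_WORKER and in_windows_temp(ev["target"])
              and suffix(ev["target"]) in IMAGE_EXTS):
            findings.append(("w3wp_writes_image_to_temp", ev))
        # Rule 3: a .dll is removed from Temp by the worker or a process it spawned
        # (the cleanup step that hides the dropped DLLs from a later disk scan).
        elif (ev["id"] == 23 and in_windows_temp(ev["target"])
              and suffix(ev["target"]) == ".dll"
              and IIS_WORKER in (img, basename(ev.get("parent_image", "")))):
            findings.append(("dll_deleted_from_temp_under_w3wp", ev))
    return findings


def find_masquerading_pe(root: Path):
    """Files under root with an image extension but a PE 'MZ' header."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_EXTS:
            with p.open("rb") as fh:
                if fh.read(2) == PE_MAGIC:
                    hits.append(p)
    return sorted(hits)


def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for C:\\Windows\\Temp: a real PNG, a PE under .png,
    and a non-image file that must not be reported."""
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    (root / "1678901234.png").write_bytes(b"MZ\x90\x00" + b"\0" * 60)
    (root / "notes.txt").write_bytes(b"MZ in a .txt is out of scope")
    return root


def scan_sample_tree():
    """Build the constructed tree in a temp dir and return flagged file names."""
    with tempfile.TemporaryDirectory() as d:
        return [p.name for p in find_masquerading_pe(build_sample_tree(Path(d)))]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed, in the order the intrusion would produce them
    {"id": 11, "image": W3WP, "target": r"C:\Windows\Temp\1678901234.png"},
    {"id": 7, "image": W3WP, "loaded": r"C:\Windows\Temp\1678901234.png"},
    {"id": 7, "image": W3WP,
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
    {"id": 23, "image": r"C:\Windows\System32\cmd.exe", "parent_image": W3WP,
     "target": r"C:\Windows\Temp\1678901234.dll"},
    {"id": 23, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "target": r"C:\Windows\Temp\cleanup.dll"},
]

if __name__ == "__main__":
    for rule, ev in triage_events(SAMPLE_EVENTS):
        print(rule, ev)
    print("masquerading PE files:", scan_sample_tree())
```

Because the malware deletes its own .dll files, the on-disk scan can come back empty on a host that was in fact exploited; the event triage is the part that still catches the activity after cleanup, which is why process and file telemetry matters more here than a point-in-time file scan. Run the file scan against every IIS application's physical path and the upload temp folder, not only the paths a vulnerability scanner checks by default, since a path outside the scanner's usual scope is exactly how this agency's vulnerable install went unnoticed.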
Cybersecurity experts have said the incident at the federal agency underscores the challenge of keeping up with patches. Lindner said that according to CVE.icu, "There have been about 75 CVEs released per day in 2023 with an average CVSS score of 7.23. Organizations will struggle to maintain timelines and continue to patch systems, and we need extra controls in place while we prioritize and patch."
Dror Liwer, co-founder of cybersecurity company Coro, pointed out that known vulnerabilities are the "low-hanging fruit in the attackers' universe."
"They represent an easy, well-documented entry point that does not require social engineering, strong technical skills or active monitoring," Liwer said. "Keeping up with known vulnerabilities across all assets is a daunting task, and it is all too common for organizations to overlook an update or skip an update for operational reasons. There is no easy fix. Vulnerability management must be an integral part of any cybersecurity program, as tedious and laborious as it may be."