AdvisoriesCISAAA23-074AMarch 15, 2023
March 15, 2023
Between November 2022 and January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations discovered indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. They found that multiple cyber threat actors, including an advanced persistent threat (APT) actor, exploited a vulnerability in the Progress Telerik user interface (UI) for ASP.NET AJAX, which is used in the agency's Microsoft Internet Information Services (IIS) web server. This vulnerability, known as CVE-2019-18935, allowed for remote code execution. Additionally, in April 2023, another FCEB agency found exploitation of CVE-2017-9248 in the Telerik UI for ASP.NET AJAX DialogHandler component.
March 15, 2023
There are two insights to pull out of this advisory: First, if you use Progress Telerik, a toolbox of developer utilities found in Windows Server environments, you should ensure it has been upgraded to the latest version. Second, the threat actors seen exploiting these Telerik vulnerabilities were also observed evading endpoint defenses through tradecraft. The technique applied was the the injection of malicious libraries (DLL) into PNG files and executing them from the TEMP directory. This type of obfuscation, or simply renaming the DLL with a .png extension, is popular with attackers trying to sneak malicious code past EDR and antivirus protections. Defenses should be validated against this technique.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
