Multiple cyber threat actors exploited a vulnerability first documented in 2019 that allows remote code execution (RCE) to gain access to a federal agency's web server over a roughly three-month period, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported.
In a March 15 cybersecurity advisory, CISA said threat actors, including an unnamed advanced persistent threat (APT) actor and the Vietnam-based cybercriminal group known as XE Group, exploited a vulnerability in Progress Telerik UI for ASP.NET AJAX (CVE-2019-18935) to access the federal executive branch agency's Microsoft Internet Information Services (IIS) web server.
The advisory did not identify the agency whose web server was compromised, but said the activity began in November 2022 and continued through early January 2023.
The vulnerability is rated critical, with a CVSS score of 9.8. NIST's National Vulnerability Database first published it in December 2019 and updated the entry on March 15. CISA details the indicators of compromise (IOCs), mitigation actions and other information in a separate advisory with the alert code AA23-074A.
The AA23-074A advisory said CVE-2019-18935 was likely used in conjunction with other known Progress Telerik vulnerabilities to exploit the agency; the deserialization flaw is only reachable by an attacker who already knows the encryption keys protecting the Telerik RadAsyncUpload handler, which earlier Telerik flaws can expose. The advisory also said analysts did not observe evidence of privilege escalation or lateral movement, but antivirus logs showed that some malicious DLL files had been created and detected on the server as early as August 2021, well before the November activity.
The APT used CVE-2019-18935 to upload malicious DLL files that load additional libraries; enumerate the system, processes, files and directories; and write files. Other samples attributed to the APT can delete DLL files to hide additional malicious activity and communicate with a command-and-control (C2) server.
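Because CVE-2019-18935 is reached through the RadAsyncUpload handler at Telerik.Web.UI.WebResource.axd with the query string type=rau, one practical check for the activity described above is to pull POST requests to that handler out of the IIS W3C logs and triage them by source address and user agent. The script below is an added illustration written for this article, not code from CISA's advisory; the log lines are constructed, the field layout is a typical IIS W3C configuration, and the function names are this example's own.

```python
"""Find POSTs to the Telerik RadAsyncUpload handler in IIS W3C logs.

Example detection logic added for illustration (not from the CISA advisory).
CVE-2019-18935 is triggered through Telerik.Web.UI.WebResource.axd?type=rau,
so a POST to that handler from an unexpected client is worth reviewing.
Legitimate uploads use the same handler, so this is a triage list, not a verdict.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample log. IIS writes spaces inside a field as '+', so each
# entry can be split on whitespace. The #Fields directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-11-14 03:12:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 03:12:06 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00&compress=1 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 03:13:10 10.0.0.5 GET /default.aspx - 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 03:14:00 10.0.0.5 POST /telerik.web.ui.webresource.axd TYPE=rau 443 - 203.0.113.7 python-requests/2.28.1 500
"""


@dataclass
class RauHit:
    """One POST to the RadAsyncUpload handler, reduced to triage fields."""
    timestamp: str
    client_ip: str
    user_agent: str
    status: str


def parse_iis_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log entry found before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_rau_request(entry):
    """True if the entry targets the Telerik handler with type=rau (case-insensitive)."""
    stem = entry.get("cs-uri-stem", "").lower()
    if not stem.endswith("/telerik.web.ui.webresource.axd"):
        return False
    query = parse_qs(entry.get("cs-uri-query", "").lower(), keep_blank_values=True)
    return "rau" in query.get("type", [])


def find_rau_uploads(text):
    """Return RauHit records for every POST to the RadAsyncUpload handler."""
    hits = []
    for entry in parse_iis_w3c(text):
        if entry.get("cs-method", "").upper() == "POST" and is_rau_request(entry):
            hits.append(RauHit(
                timestamp=f"{entry['date']} {entry['time']}",
                client_ip=entry.get("c-ip", "-"),
                user_agent=entry.get("cs(User-Agent)", "-").replace("+", " "),
                status=entry.get("sc-status", "-"),
            ))
    return hits


if __name__ == "__main__":
    for hit in find_rau_uploads(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} HTTP {hit.status} UA={hit.user_agent}")
```

Two caveats when running this against real logs: the check only works if the site's logging configuration records cs-uri-query, and a hit does not prove exploitation, since the handler also serves genuine uploads. Hits from scripted user agents, from addresses that never loaded a page, or that coincide with DLL creation in the web server's temporary directories are the ones to escalate.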