Last year, a US federal agency’s Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI component for ASP.NET AJAX.
According to a joint advisory released today by the CISA, FBI, and MS-ISAC, the attackers gained access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the executive branch. Federal Civil Anonymous (FCEB) agency network.
At least two hackers gained access to the unpatched server by exploiting this bug (CVE-2019-18935) to achieve remote code execution.
After hacking the server of the Federal Civilian Executive Branch (FCEB) Anonymous Agency, they deployed malicious payloads to the C:\Windows\Temp\ folder to collect and exfiltrate information to command and control servers. control controlled by the attacker.
Malware installed on the compromised IIS server could deploy additional payloads, evade detection by deleting its traces on the system, and open reverse shells to maintain persistence.
It can also be used to drop an ASPX web shell which provides an interface for browsing the local system, uploading and downloading files, and running commands remotely.
However, as detailed in the advisory, “no webshell was observed on the target system, likely due to the abused service account having restrictive write permissions.”
More information about malware installed on hacked Microsoft IIS servers can be found in this malware scan report also published today by CISA.
The CVE-2019-18935 Telerik UI vulnerability was also included in top 25 NSA security bugs abused by Chinese hackers and the FBI’s list of top vulnerabilities targeted.
Microsoft IIS server remains exposed to attacks
CISA added the CVE-2019-18935 Progress Telerik UI security vulnerability to its Catalog of Known Exploited Vulnerabilities (KEVs) in November 2021.
According to Binding Operational Directive (BOD 22-01) issued in November 2021, which requires federal agencies on CISA’s KEV list to implement recommended actions, it should have been corrected by May 3, 2022.
However, based on the IOCs related to this breach, the US federal agency failed to secure its Microsoft IIS server until the deadline was reached.
The CISA, FBI, and MS-ISAC advise applying several mitigations to protect against further attacks targeting this vulnerability, with some of the highlights including:
- Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing.
- Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell.
- Limit service accounts to the minimum permissions needed to run services.
- Prioritize patching vulnerabilities on Internet-connected systems.
- Implement a patch management solution to ensure compliance with the latest security patches.
- Make sure vulnerability scanners are configured to scan a full range of devices and locations.
- Implement network segmentation to separate network segments based on role and functionality.
“In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITER ATT&CK for Enterprise framework in this opinion,” said the three organizations also recommended.
“CISA, FBI, and MS-ISAC recommend that you continually test your security program, at scale, in a production environment to ensure optimal performance against the MITER ATT&CK techniques identified in this advisory.”