
US Federal Agency Breached by Multiple Hacker Groups Exploiting Three-Year-Old Vulnerability

A critical three-year-old security flaw in Progress Telerik was exploited by multiple threat actors, including a nation-state group, to gain access to a federal civilian executive branch agency's Microsoft Internet Information Services web server.


The vulnerability, tracked as CVE-2019-18935, is a .NET deserialization flaw in Progress Telerik UI for ASP.NET AJAX that can lead to remote code execution if left unpatched. It has previously ranked among the most commonly exploited vulnerabilities, abused by various threat actors including Praying Mantis, which has used it to infiltrate the networks of public and private organizations in the US. In the recent attack, the threat actors uploaded malicious DLL files disguised as PNG images and executed them through the w3wp.exe process to gather system information, enumerate files and processes, and exfiltrate the data to a remote server.
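One defensive check a practitioner can run against the masquerade described above: classify uploaded files by their leading bytes rather than their names, and flag anything with an image extension that actually carries a PE (DLL/EXE) header. This is an added example, not code from the advisory or from Progress; the file names and byte samples are constructed for illustration.

```python
import struct
from pathlib import Path

# Leading magic bytes for the two formats of interest.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"          # DOS stub that every PE (.dll/.exe) starts with
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

def classify_bytes(data: bytes) -> str:
    """Classify file content by its header, ignoring the file name entirely."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-no-pe"  # MZ stub without a PE header: still suspicious
    return "unknown"

def find_masquerading_pe(files):
    """Return names whose extension claims an image but whose bytes are a PE."""
    flagged = []
    for name, data in files.items():
        ext = Path(name).suffix.lower()
        if ext in IMAGE_EXTENSIONS and classify_bytes(data) in ("pe", "mz-no-pe"):
            flagged.append(name)
    return sorted(flagged)

def scan_directory(root, max_header=4096):
    """Read only the first bytes of each file under root and apply the check."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                files[str(p)] = fh.read(max_header)
    return find_masquerading_pe(files)

def build_fake_pe() -> bytes:
    """Constructed stand-in for a DLL: a DOS header whose e_lfanew points at PE\\0\\0."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

# Constructed sample set (hypothetical paths): a genuine PNG header, a DLL
# under its own name, and a DLL renamed to look like an image.
SAMPLES = {
    "images/logo.png": PNG_MAGIC + b"\0\0\0\rIHDR" + b"\0" * 16,
    "bin/helper.dll": build_fake_pe(),
    "uploads/banner.png": build_fake_pe(),
}

if __name__ == "__main__":
    for name in find_masquerading_pe(SAMPLES):
        print("suspicious:", name)
```

Pointing `scan_directory` at an IIS upload or temp location turns the same check into a periodic sweep; a hit is a reason to review w3wp.exe activity around that file's timestamp.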


To counter such attacks, organizations are advised to upgrade their instances of Telerik UI for ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts with privileged access. Shlomie Liberow, Principal Hacker Research & Development, Community at HackerOne, commented on the threat that old vulnerabilities pose to organizations and on how organizations can protect themselves from exploitation:


Shlomie Liberow

"Years-old software vulnerabilities aren’t as uncommon as you’d think and pose a real risk. A vulnerability like this really highlights the limitations of scanners. Having encountered and exploited this particular bug in the past, there are a couple of tricky edge cases that explain why it was not found immediately. The file upload can land in different system locations depending on the target, which makes escalation harder. Most significantly, there are gaps in common scanner tools that led to this vulnerability being missed in the case of this government agency. Another barrier to exploitation is that it requires setting the specific version of the impacted software, which is not always clear. This can sometimes lead to no clear proof of concept. As a result, it is not seen as a high priority. However, threat actors aren’t just relying on tools. They’re using human intelligence to try everything to exploit this vulnerability, and so the only way to match this level of skill is to engage ethical hackers to test on your behalf. Following the initial release of the patch, ethical hackers reported three different cases of this vulnerability to the U.S. Department of Defense that were subsequently fixed."
