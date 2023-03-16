



At least two hacking groups were able to gain access to at least one federal agency server through an old vulnerability in a software development and design product, according to a cybersecurity notice issued on Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to access and execute unauthorized code on a federal agency server, although they were unable to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, although the initial compromise dates back to August 2021.

Hackers used a vulnerability in older versions of Telerik UI, a software development kit for building apps, which when exploited allows hackers to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow malicious actors to gain privileged access and successfully execute code remotely on the vulnerable web server. The National Vulnerability Database maintained by the National Institute of Standards and Technology considers this to be a critical vulnerability with a score of 9.8 out of 10.

As early as August 2021, threat actors used this vulnerability to upload malware, often disguised as PNG image files, to the servers of affected agencies. These "images" were actually dynamic link library files, or DLLs, which, when executed, ran code written by the hackers. However, through comprehensive analysis of packet data capture and reverse engineering of the malicious DLL files, no indication of additional malicious activity or sub-processes was found running, the technical analysis says.

In fact, CISA observed error messages sent to the threat actors' command and control (C2) server when permission restrictions prevented the service account from running the malicious DLLs and writing new files, and investigators found no evidence of the privilege escalation or lateral movement that would indicate hackers had penetrated deeper into agency networks.

An analysis of the breach showed that the affected agency uses a vulnerability scanner which included a plugin to detect the 2019 vulnerability. However, the Telerik UI software "was installed in a file path [the scanner] usually does not scan," the alert says. This can be the case for many software installations, as file paths vary widely depending on the organization and installation method. The alert also notes that an optional setting introduced in software version 2019.3.1023 makes the exploit impossible, a setting that was enabled by default in version 2020.1.114 and beyond. But the agency was using a much older version of the software: 2013.2.717.

"Analysts have determined that multiple threat actors, including an APT [advanced persistent threat] actor, were able to exploit" a vulnerability in Progress Telerik's user interface, according to the alert. The alert mentions two threat actors, one identified as likely XE Group, a criminal organization based in Vietnam.

CISA, the FBI and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, issued the alert, urging users to patch the software and limit unnecessary permissions associated with the service account. The alert does not mention which or how many federal agencies were affected. CISA did not immediately respond to requests for comment.
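The alert describes malware uploaded under PNG file names that were really DLLs. As an added illustration, not code from the article or from CISA's alert, the Python script below classifies files by their leading bytes (the PNG signature, the DOS "MZ" stub, the "PE\0\0" signature and the DLL flag in the COFF header) rather than by their extension, which is how a defender can flag image-named files that are actually Windows executables in an upload directory. The sample files in the script are constructed in memory; the function and constant names are this example's own.

```python
import os
import struct
from typing import Iterable, List, Tuple

# Magic values from the public PNG and PE/COFF format specifications.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000           # COFF Characteristics flag: image is a DLL
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def classify(data: bytes) -> str:
    """Return 'png', 'dll', 'exe' or 'unknown' from content alone, ignoring the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    # A PE file begins with a DOS header; e_lfanew at offset 0x3C points to the PE signature.
    if not data.startswith(MZ_MAGIC) or len(data) < 0x40:
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "unknown"
    # The 20-byte COFF header follows the signature; Characteristics sits at offset 18 in it.
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return "unknown"
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_masquerades(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, actual_type) for files whose extension claims an image but whose bytes are PE."""
    hits = []
    for name, data in entries:
        ext = os.path.splitext(name)[1].lower()
        kind = classify(data)
        if ext in IMAGE_EXTS and kind in ("dll", "exe"):
            hits.append((name, kind))
    return hits


def scan_directory(root: str, head: int = 4096) -> List[Tuple[str, str]]:
    """Walk a real directory (e.g. a web upload folder) and report image-named PE files."""
    def entries():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read(head)   # headers live in the first few KB
                except OSError:
                    continue                        # unreadable file: skip, do not crash the sweep
    return find_masquerades(entries())


def build_minimal_pe(is_dll: bool) -> bytes:
    """Constructed sample: just enough DOS/PE/COFF header bytes for classify() to work on."""
    header = bytearray(0x40)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> PE signature right after the header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 18, IMAGE_FILE_DLL if is_dll else 0)
    return bytes(header) + PE_SIGNATURE + bytes(coff)


# Constructed sample "upload directory": two genuine-looking names hide PE files.
SAMPLE_FILES = [
    ("logo.png", PNG_MAGIC + b"\x00" * 16),
    ("banner.png", build_minimal_pe(is_dll=True)),
    ("update.png", build_minimal_pe(is_dll=False)),
    ("helper.dll", build_minimal_pe(is_dll=True)),   # honest DLL name, not a masquerade
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, kind in find_masquerades(SAMPLE_FILES):
        print(f"{name}: extension says image, content is {kind}")
```

Run against a real directory with `scan_directory("/path/to/uploads")`; a file that a vulnerability scanner never looks at, as in the incident above, is still caught here because the check keys on content, not on where the scanner expects software to live.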

