U.S. authorities said that several attackers (including government hackers) gained access to the network of an unnamed U.S. federal agency using a four-year-old bug that remained unpatched.
Déjame recordarte que también escribimos que Hackers del gobierno chino espían con éxito organizaciones en Europa, Australia y el sudeste asiático, y tambien eso BMW y Hyundai have been hacked by Ocean Lotus.
The US Infrastructure and Cybersecurity Agency (CISA) writes that one group exploited the vulnerability as early as August 2021, and a second hack group exploited the bug in August 2022. Como resultado, from November last year until the beginning of January 2023, el server showed signs of compromise.
The bug exploited by the attackers is the deserialization vulnerability CVE-2019-18935 en el Telerik ASP.NET AJAX UI component, which allows remote code execution on vulnerable servers. Como se vio despues, el Microsoft Internet Information Services (IIS) web server of an unnamed federal agency was vulnerable to this problem.
This issue was fixed by the developers back in 2019 when Progress released version 2020.1.114. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and in 2020, NSA experts warned that Chinese government hackers were actively exploiting the problem.
To exploit CVE-2019-18935, hackers had to obtain the encryption keys used by the Telerik RadAsyncUpload component. Experts write that to do this, the attackers probably applied one of two vulnerabilities discovered in 2017, which also remained unpatched on the state server.
Both factions ended up using CVE-2019-18935 to download and execute malicious DLLs masquerading as PNG images through the w3wp.exe proceso. These DLLs were designed to collect system information, load additional libraries, enumerate files, processes, bypass protections, create reverse shells, and transfer data to remote servers.
Checking the logs showed that some of the downloaded DLLs were present on the system as early as August 2021.
While the government hack group appears only under the identifier TA1 in the experts’ informe, the second group (TA2) also appears to be known as the XE Group. The activities of these attackers in 2021 were described in detail by experts from the information security company Volexity. segun ellos, the group is based in Vietnam and “made a name for itself” precisely on the compromise of Progress Telerik products.
Permítanme recordarles que los medios también escribieron que Microsoft linked Vietnamese government hackers Bismuth to mining campaigns.
According to Malwarebytes, this is a financially motivated group that is mainly engaged in web skimming of bank cards.
Deja un comentario