Two Hack Groups at Once Hacked into a Federal Agency in the United States Using a Four-Year-Old Bug

Four-year-old bug
Written by Carina Wilson

U.S. authorities said that several attackers (including government hackers) gained access to the network of an unnamed U.S. federal agency using a four-year-old bug that remained unpatched.

Let me remind you that we also wrote that Chinese Government Hackers Successfully Spy on Organizations in Europe, Australia and Southeast Asia, and also that BMW and Hyundai have been hacked by Ocean Lotus.

The US Infrastructure and Cybersecurity Agency (CISA) writes that one group exploited the vulnerability as early as August 2021, and a second hack group exploited the bug in August 2022. As a result, from November last year until the beginning of January 2023, the server showed signs of compromise.

The bug exploited by the attackers is the deserialization vulnerability CVE-2019-18935 in the Telerik ASP.NET AJAX UI component, which allows remote code execution on vulnerable servers. As it turned out, the Microsoft Internet Information Services (IIS) web server of an unnamed federal agency was vulnerable to this problem.

This issue was fixed by the developers back in 2019 when Progress released version 2020.1.114. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and in 2020, NSA experts warned that Chinese government hackers were actively exploiting the problem.

To exploit CVE-2019-18935, hackers had to obtain the encryption keys used by the Telerik RadAsyncUpload component. Experts write that to do this, the attackers probably applied one of two vulnerabilities discovered in 2017, which also remained unpatched on the state server.

Both factions ended up using CVE-2019-18935 to download and execute malicious DLLs masquerading as PNG images through the w3wp.exe process. These DLLs were designed to collect system information, load additional libraries, enumerate files, processes, bypass protections, create reverse shells, and transfer data to remote servers.

Checking the logs showed that some of the downloaded DLLs were present on the system as early as August 2021.

While the government hack group appears only under the identifier TA1 in the experts’ report, the second group (TA2) also appears to be known as the XE Group. The activities of these attackers in 2021 were described in detail by experts from the information security company Volexity. According to them, the group is based in Vietnam and “made a name for itself” precisely on the compromise of Progress Telerik products.

Let me remind you that the media also wrote that Microsoft linked Vietnamese government hackers Bismuth to mining campaigns.

According to Malwarebytes, this is a financially motivated group that is mainly engaged in web skimming of bank cards.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment