U.S. authorities said that several attackers (including government hackers) gained access to the network of an unnamed U.S. federal agency using a four-year-old bug that remained unpatched.
私たちもそう書いたことを思い出させてください Chinese Government Hackers Successfully Spy on Organizations in Europe, Australia and Southeast Asia, そしてそれも BMW と Hyundai have been hacked by Ocean Lotus.
The US Infrastructure and Cybersecurity Agency (CISA) writes that one group exploited the vulnerability as early as August 2021, and a second hack group exploited the bug in August 2022. 結果として, from November last year until the beginning of January 2023, の server showed signs of compromise.
The bug exploited by the attackers is the deserialization vulnerability CVE-2019-18935 の中に Telerik ASP.NET AJAX UI component, which allows remote code execution on vulnerable servers. As it turned out, の Microsoft Internet Information Services (IIS) web server of an unnamed federal agency was vulnerable to this problem.
This issue was fixed by the developers back in 2019 when Progress 解放された バージョン 2020.1.114. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and in 2020, NSA experts warned that Chinese government hackers were actively exploiting the problem.
To exploit CVE-2019-18935, hackers had to obtain the encryption keys used by the Telerik RadAsyncUpload component. Experts write that to do this, the attackers probably applied one of two vulnerabilities discovered in 2017, which also remained unpatched on the state server.
Both factions ended up using CVE-2019-18935 to download and execute malicious DLLs masquerading as PNG images through the w3wp.exe process. These DLLs were designed to collect system information, load additional libraries, enumerate files, processes, bypass protections, create reverse shells, and transfer data to remote servers.
Checking the logs showed that some of the downloaded DLLs were present on the system as early as August 2021.
While the government hack group appears only under the identifier TA1 in the experts’ report, the second group (TA2) also appears to be known as the XE Group. The activities of these attackers in 2021 were described in detail by experts from the information security company Volexity. According to them, the group is based in Vietnam and “made a name for itself” precisely on the compromise of Progress Telerik products.
メディアもそう書いたことを思い出させてください Microsoft linked Vietnamese government hackers Bismuth to mining campaigns.
According to マルウェアバイト, this is a financially motivated group that is mainly engaged in web skimming of bank cards.
コメントを残す