Two hacking groups simultaneously hacked a U.S. federal agency using a four-year-old bug.

U.S. authorities said that several attackers (including government hackers) gained access to the network of an unnamed U.S. federal agency using a four-year-old bug that remained unpatched.

Let me remind you that we also wrote that Chinese government hackers successfully spied on organizations in Europe, Australia and Southeast Asia, and that BMW and Hyundai were hacked by Ocean Lotus.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) writes that one group exploited the vulnerability as early as August 2021, and a second hack group exploited the bug in August 2022. As a result, from November last year until the beginning of January 2023, the server showed signs of compromise.

The bug exploited by the attackers is the deserialization vulnerability CVE-2019-18935 in the Telerik ASP.NET AJAX UI component, which allows remote code execution on vulnerable servers. As it turned out, the Microsoft Internet Information Services (IIS) web server of an unnamed federal agency was vulnerable to this problem.

This issue was fixed by the developers back in 2019 when Progress released version 2020.1.114. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and in 2020, NSA experts warned that Chinese government hackers were actively exploiting the problem.

To exploit CVE-2019-18935, hackers had to obtain the encryption keys used by the Telerik RadAsyncUpload component. Experts write that to do this, the attackers probably applied one of two vulnerabilities discovered in 2017, which also remained unpatched on the state server.

Both factions ended up using CVE-2019-18935 to download and execute malicious DLLs masquerading as PNG images through the w3wp.exe process. These DLLs were designed to collect system information, load additional libraries, enumerate files and processes, bypass protections, create reverse shells, and transfer data to remote servers.

Checking the logs showed that some of the downloaded DLLs were present on the system as early as August 2021.
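The "DLL dressed up as a PNG" trick described above is easy to spot on disk, because the file's extension and its first bytes disagree. The following is an added example written for this article, not code from CISA, Progress or the article's author; the directory contents, file names and the stub PE bytes are constructed for the demonstration.

```python
import os
import struct
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_pe(data: bytes) -> bool:
    """True if bytes start with a DOS 'MZ' header whose e_lfanew (0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def classify(path: str) -> str:
    """Compare what the extension claims with what the first bytes say."""
    with open(path, "rb") as f:
        head = f.read(4096)
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXTS and is_pe(head):
        return "pe-masquerade"      # executable wearing an image extension
    return "ok"


def scan(root: str) -> dict:
    """Walk a directory (e.g. an IIS upload/temp path) and return suspect files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "ok":
                findings[os.path.relpath(path, root)] = verdict
    return findings


def make_fake_pe() -> bytes:
    """Constructed DOS stub + PE signature: enough to trip the check, not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 64


def demo() -> dict:
    """Constructed sample tree: one genuine-looking PNG, one PE saved under a .png name."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "logo.png"), "wb") as f:
            f.write(PNG_MAGIC + b"\x00" * 32)
        with open(os.path.join(d, "upload_01.png"), "wb") as f:
            f.write(make_fake_pe())
        return scan(d)
```

Run `scan()` against the web server's temporary and upload directories; a hit means the file deserves a look regardless of what it was named.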

While the government hack group appears only under the identifier TA1 in the experts' report, the second group (TA2) also appears to be known as the XE Group. The activities of these attackers in 2021 were described in detail by experts from the information security company Volexity. According to them, the group is based in Vietnam and made a name for itself precisely on the compromise of Progress Telerik products.

Let me remind you that the media also wrote that Microsoft linked Vietnamese government hackers Bismuth to mining campaigns.

According to Malwarebytes, this is a financially motivated group that is mainly engaged in web skimming of bank cards.

About the author

Karina Wilson

With over 10 years of experience writing for online and print media, I am an expert at delivering clear, engaging copy.

I have written for top SEO copywriting agencies and some of the UK's best-known brands, magazines and newspapers.
