The U.S. Government has confirmed cyberattack attempts by multiple entities, including a nation-state-supported hacking group.
One Federal agency had its Microsoft Internet Information Services (IIS) web server compromised by these threat actors.
CISA, the FBI, and MS-ISAC issued a joint advisory stating that the server of an unnamed federal civilian executive branch (FCEB) agency was accessed by the attackers from November 2022 to early January 2023.
This conclusion was drawn based on the indicators of compromise (IOCs) discovered on the agency’s network.
Multiple hacking groups were found to have taken advantage of known vulnerabilities in Telerik, a user interface framework used to build components and themes for web applications.
This software was running on the internet-facing web server of the US agency.
The statement noted that “CISA and authoring organizations observed multiple cyber threat actors, including an APT actor,” along with the infamous Vietnamese hacker group known as the “XE Group.”
The Telerik vulnerability tracked as CVE-2019-18935, which has a severity rating of 9.8 out of 10.0, ranked among the most frequently exploited vulnerabilities in 2020 and 2021.
CISA stated that “This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server.”
In November 2021, CISA added the CVE-2019-18935 Progress Telerik UI security vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
To address this vulnerability, a binding operational directive (BOD 22-01) was issued requiring federal agencies to apply the recommended actions and patch their systems by May 3, 2022.
Unfortunately, despite the directive and the severity of the vulnerability, the U.S. federal agency responsible for securing the Microsoft IIS server failed to take appropriate action by the due date.
The breach was confirmed by indicators of compromise (IOCs) linked to the vulnerability.
TechCrunch attempted to reach Progress Software, which acquired Telerik in 2014, but received no response.
CISA has released indicators of compromise and urged organizations that use vulnerable Telerik software to apply security patches promptly.