Joint Cybersecurity Advisory – Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server

Yesterday, CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory (CSA) concerning the successful exploitation of a .NET deserialization vulnerability in the Progress Telerik user interface (UI) software (CVE-2019-18935). Successful exploitation of the vulnerability provided threat actors with remote code execution capabilities on a federal network.

This is another incident that highlights the importance of timely patching in IT networks, as this was a vulnerability from 2019 and has been included in CISAs Known Exploited Vulnerabilities since the catalog’s inception in November 2021.The authoring agencies concluded that multiple threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.

This joint CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar, successful CVE-2019-18935 exploitation. The authoring agencies encourage network defenders to review the CSA and apply the included mitigations. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.