‘Multiple Threat Actors’ Used Old Exploit to Access Federal Agency Servers

At least two hacking groups were able to gain access to at least one federal agency’s servers through an old vulnerability in a software development and design product, according to a cybersecurity advisory issued Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to gain access to and run unauthorized code on a federal agency’s server, though they were not able to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, though the initial compromise goes as far back as August 2021.

Hackers used a vulnerability in old versions of Telerik UI, a software developer kit for designing apps, which, when exploited, allows hackers with access to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow bad actors to gain privileged access and “successfully execute remote code on the vulnerable web server.”

The National Vulnerability Database—managed by the National Institute of Standards and Technology—rates this a critical vulnerability, with a score of 9.8 out of 10.

As early as August 2021, threat actors used this vulnerability to upload malware—often disguised as PNG image files—to the affected agency’s servers. Those images were actually dynamic-link library, or DLL, files that, when executed, would run code written by the hackers.

However, “Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed,” the technical analysis states.

In fact, “CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files,” and investigators found no evidence “of privilege escalation or lateral movement” that would indicate the hackers got deeper into the agency’s networks.

An analysis of the breach showed the impacted agency uses a vulnerability scanner that included a plugin to prevent hackers from exploiting the 2019 vulnerability. However, the Telerik UI software was “installed in a file path [the scanner] does not typically scan,” the alert states. “This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”

The alert also notes an optional setting introduced in version 2019.3.1023 of the software makes the exploit impossible—a setting that was made a default in version 2020.1.114 and beyond. But the agency was running a much older version of the software: 2013.2.717.

“Analysts determined that multiple threat actors, including an APT [advanced persistent threat] actor, were able to exploit a … vulnerability in Progress Telerik user interface,” according to the alert.

The alert mentions two threat actors, one identified as likely to be XE Group, a Vietnam-based criminal organization.

CISA, the FBI and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, issued the alert, urging users to patch the software and limit unnecessary permissions associated with the service.

The alert does not mention which or how many federal agencies were affected. CISA did not immediately respond to requests for comment.