Nation-state hackers exploited a years-old bug to breach a US federal agency

by Ana Lopez

The US government has warned that multiple hacking groups, including a state-backed group, exploited a four-year-old software vulnerability to compromise a US federal government agency.

In a joint alert released on Wednesday by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said hackers from multiple groups exploited a known vulnerability in Telerik, a web server user interface tool. The software, designed for building components and themes for web applications, was running on the agency’s internet-facing web server.

CISA did not name the breached federal civilian executive branch (FCEB) agency, a category that includes the Department of Homeland Security, the Department of the Treasury and the Federal Trade Commission.

When reached by email, CISA spokesman Zee Zaman declined to answer questions.

The Telerik vulnerability, tracked as CVE-2019-18935 with a severity score of 9.8 out of 10.0, was among the most exploited vulnerabilities in 2020 and 2021. The bug was first disclosed in 2019, and the US National Security Agency previously warned that it had been actively exploited by Chinese state-sponsored hackers to target computer networks containing “sensitive intellectual property, economic, political and military information”.

CISA said the bug allowed the attackers to “successfully execute remote code” on the agency’s web server, giving them a foothold into the agency’s internal network. The advisory noted that the compromised agency’s vulnerability scanner failed to detect the bug because Telerik’s software was installed in a location the scanner does not normally check.
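The scanner blind spot described above is worth closing with an inventory that does not depend on the scanner’s configured paths. The following PowerShell is an added example, not code from the advisory or from Progress/Telerik: it searches every fixed drive on a Windows/IIS host for the Telerik UI for ASP.NET AJAX assembly (Telerik.Web.UI.dll, the product’s real file name) and flags copies older than a minimum version you supply from the vendor’s fix information; the default version below is a placeholder, not a value from the article.

```powershell
# Added example: inventory Telerik.Web.UI.dll across all fixed drives, not just the
# web root a vulnerability scanner may be limited to. Assumes a Windows/IIS host.
function Find-TelerikAssemblies {
    param(
        # Set this to the first fixed release for the CVE you are checking, taken from
        # the vendor's advisory. Placeholder value; not from the article.
        [version]$MinimumSafeVersion = '0.0.0.0'
    )

    # DriveType 3 = local fixed disk; walk each one from its root.
    $roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object -ExpandProperty DeviceID |
        ForEach-Object { "$_\" }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'Telerik.Web.UI.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $raw = $_.VersionInfo.FileVersion
                $ver = $null
                # FileVersion strings are not always parseable; an unparseable or missing
                # version is reported for manual review rather than silently skipped.
                if (-not [version]::TryParse($raw, [ref]$ver)) { $ver = $null }
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $raw
                    LastWrite   = $_.LastWriteTime
                    NeedsReview = ($null -eq $ver) -or ($ver -lt $MinimumSafeVersion)
                }
            }
    }
}

# Example run: list every copy, oldest first, so stray installs outside the scanned
# web root show up alongside the expected one.
Find-TelerikAssemblies -MinimumSafeVersion '0.0.0.0' |
    Sort-Object FileVersion |
    Format-Table -AutoSize
```

Run it from an elevated prompt so directories the web server’s service account cannot read are not silently skipped.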

In its advisory, CISA said it observed multiple hacking groups exploiting the flaw from November 2022 to early January 2023, including the state-backed hacking group and a Vietnam-linked credit card skimming actor known as XE Group.

CISA has released indicators of compromise and has urged organizations with vulnerable Telerik software to ensure security patches are applied.

Progress Software, which acquired Telerik in 2014, has not responded to our questions.

CISA also this week added an Adobe ColdFusion bug to its list of known exploited vulnerabilities, warning that the flaw — tracked as CVE-2023-26360 with a severity score of 8.6 — can be exploited to allow attackers to execute arbitrary code.
