
US Government Agency Hacked by Exploiting a Telerik UI Vulnerability in an IIS Server


CISA, the FBI and MS-ISAC recently published a joint Cybersecurity Advisory (CSA).

The advisory states that from November 2022 through early January 2023, attackers exploited a Progress Telerik UI vulnerability to gain access to a Microsoft IIS web server belonging to a US Federal Civilian Executive Branch (FCEB) agency.

The joint CSA documents all of the tactics, techniques and procedures (TTPs) observed so that IT and infrastructure defenders can detect and protect against similar exploitation of CVE-2019-18935.

At least two threat actors exploited this Telerik UI vulnerability (CVE-2019-18935, a .NET deserialization flaw in the RadAsyncUpload component of Telerik UI for ASP.NET AJAX) to achieve remote code execution on the unpatched server.

Threat Actor Activity

CISA and the co-authoring organizations identified multiple threat actors, including an advanced persistent threat (APT) actor, as part of their ongoing investigation.

The actors include an APT group tracked as Threat Actor 1 (TA1) and a group with a history of cybercrime known as XE Group.

By exploiting the vulnerability, the threat actors uploaded malicious dynamic link library (DLL) files to the C:\Windows\Temp\ directory on the server.

The DLL files were not only named in Unix epoch time format; the epoch value used for each name was the date and time as recorded on the target system at the moment the file was written.

Based on full packet capture analysis and reverse engineering of the malicious DLLs, the researchers determined that the w3wp.exe process (the IIS worker process that loaded the DLLs) did not execute any additional malicious processes or spawn any malicious child processes. In practice this means the payload ran inside the web server's own process, so process-creation telemetry alone would not have revealed it.

CISA's analysis also found that error messages were sent to the threat actors' command and control (C2) server when permission restrictions prevented the service account from executing the malicious DLLs and writing new files.

IIS Server Hacked

It should be noted that Binding Operational Directive (BOD) 22-01 was issued in November 2021, and that the Progress Telerik UI vulnerability CVE-2019-18935 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which obligates federal agencies to remediate it.

Under the directive, the agency was required to patch the vulnerability no later than the KEV due date of May 3, 2022.

However, based on the indicators of compromise (IOCs) from the breach, the US federal agency had not secured its Microsoft IIS server by that due date; the server was still unpatched when it was compromised months later.

Mitigation
To limit the risk of further attacks targeting this vulnerability, CISA, FBI and MS-ISAC recommend the following mitigations:

Upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version after appropriate testing.
Monitor and analyze the activity logs generated by Microsoft IIS and remote PowerShell.
Limit the permissions granted to service accounts to the minimum required to run the service.
Prioritize remediation of vulnerabilities on internet-facing systems.
Implement a patch management solution to ensure systems are kept up to date with security patches.
Ensure vulnerability scanners are configured to cover a comprehensive scope of devices and locations.
Implement network segmentation to separate network segments based on role and functionality.
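The two host-side traces described above (POST requests to the Telerik upload handler in the IIS logs, and epoch-named DLLs in C:\Windows\Temp) can be hunted for together. The following is an added example written for this page, not code from CISA, the advisory or Progress Telerik. The log lines and directory listing are constructed; the handler path /Telerik.Web.UI.WebResource.axd?type=rau is the RadAsyncUpload endpoint that CVE-2019-18935 exploitation goes through; the activity window cutoff of January 15, 2023 and the five-second correlation tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RadAsyncUpload handler; CVE-2019-18935 exploitation is a POST to it with type=rau.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"

# Activity window from the advisory (November 2022 to early January 2023);
# the exact end-of-window date is an assumption.
WINDOW_START = datetime(2022, 11, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 15, tzinfo=timezone.utc)

# Constructed IIS W3C log excerpt (not from the incident). IIS logs in UTC and
# replaces spaces inside a field with '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-11-15 03:10:22 GET /Default.aspx - 443 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-15 03:13:01 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200
2022-11-15 03:13:02 GET /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200
2022-11-15 03:14:10 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 500
"""

# Constructed listing of C:\Windows\Temp plus one decoy in another directory.
SAMPLE_FILE_LISTING = [
    r"C:\Windows\Temp\1668481981.dll",          # 2022-11-15 03:13:01 UTC, inside the window
    r"C:\Windows\Temp\Telerik.Web.UI.dll",      # not epoch-named
    r"C:\Windows\Temp\1262304000.dll",          # 2010-01-01, outside the window
    r"C:\inetpub\wwwroot\bin\1668481981.dll",   # right name, wrong directory
]

EPOCH_DLL = re.compile(r"^(\d{10})\.dll$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def rau_posts(rows):
    """POST requests to the RadAsyncUpload handler, each with a UTC timestamp."""
    hits = []
    for r in rows:
        if (r["cs-method"].upper() == "POST"
                and r["cs-uri-stem"].lower() == RAU_HANDLER
                and "type=rau" in r["cs-uri-query"].lower()):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits.append({"ts": ts.replace(tzinfo=timezone.utc),
                         "c-ip": r["c-ip"], "sc-status": r["sc-status"]})
    return hits


def epoch_named_dlls(paths, start=WINDOW_START, end=WINDOW_END):
    """DLLs directly under C:\\Windows\\Temp whose base name is a 10-digit Unix epoch in [start, end]."""
    hits = []
    for p in paths:
        directory, _, name = p.replace("/", "\\").rpartition("\\")
        m = EPOCH_DLL.match(name)
        if directory.lower() != r"c:\windows\temp" or not m:
            continue
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        if start <= ts <= end:
            hits.append({"path": p, "ts": ts})
    return hits


def correlate(dll_hits, post_hits, tolerance=timedelta(seconds=5)):
    """Pair each epoch-named DLL with an upload POST logged within +/- tolerance.

    The DLL name is the target's own clock reading, which may be local time, while
    IIS logs in UTC; on a server not set to UTC the two differ by whole hours, so
    widen the tolerance or convert before comparing.
    """
    pairs = []
    for d in dll_hits:
        for p in post_hits:
            if abs(d["ts"] - p["ts"]) <= tolerance:
                pairs.append((d["path"], p["c-ip"], p["sc-status"]))
    return pairs


def run_hunt(log_text=SAMPLE_IIS_LOG, listing=SAMPLE_FILE_LISTING):
    """Run both checks and the correlation; returns plain tuples ready for a ticket."""
    posts = rau_posts(parse_iis_w3c(log_text))
    dlls = epoch_named_dlls(listing)
    return {
        "rau_posts": [(p["ts"].isoformat(), p["c-ip"], p["sc-status"]) for p in posts],
        "epoch_dlls": [(d["path"], d["ts"].isoformat()) for d in dlls],
        "correlated": correlate(dlls, posts),
    }


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(key, value)
```

On a real server, feed run_hunt() the contents of the IIS log files and a recursive listing of C:\Windows\Temp. A POST to the handler that is followed within seconds by a new DLL whose name equals that moment's epoch is the pattern the advisory describes; a 500 response to the same handler with no matching file is consistent with the permission-denied failures the actors' C2 server was told about.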

In summary, malicious actors exploited a vulnerability in a Microsoft Internet Information Services (IIS) web server used by a Federal Civilian Executive Branch (FCEB) agency and achieved remote code execution on the server.

In addition to applying these mitigations, CISA, FBI and MS-ISAC encourage organizations to continually test their security programs, at scale and in a production environment, to validate performance against the MITRE ATT&CK techniques identified in the advisory.
