CISA says hackers had access to federal agency for months

An unnamed U.S. civilian executive branch has unintentionally been feeding intel to cybercriminals and state-sponsored threat actors for six months, a new report from the country’s law enforcement and intelligence agencies claims. 

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), as well as other agencies, published a joint report claiming hackers have had unabated access to this organization’s systems from August 2022 to January 2023.

They accessed the target network using multiple vulnerabilities discovered in programs used by the agency built by Progress Telerik, a software development company from Bulgaria.

Praying Mantis and XE Group

The key vulnerability being used is CVE-2019-18835, a four-year-old flaw present in versions of Progress Telerik software since 2020. It can lead to remote code execution when chained with two other vulnerabilities: CVE-2017-11317 or CVE-2017-11357.

While the report does not name specific threat actors, The Record reported that Praying Mantis – a group allegedly based in China – is the threat actor most known for abusing this particular flaw. The same source adds that a threat actor known as XE Group was also observed using the flaw to run reconnaissance and scanning activities. 

CISA said that the flaw gave the attackers access to the agency’s Microsoft Internet Information Services (IIS) web server, which the organization used to store various material:

“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” CISA said.

Older vulnerabilities are usually known and thus any malware using it gets picked up by antivirus programs. It turns out, though, that the vulnerable Progress Telerik tools were installed in places where the antivirus software did not scan.

“This may be the case for many software installations, as file paths widely vary depending on the organization and installation method,” CISA added.

Go to Source