Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.
Exploit activities by one group likely began in August 2021 and last August by the other, according to an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server exhibited signs of compromise.
Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server. The advisory didn’t identify the agency other than to say it was a Federal Civilian Executive Branch Agency under the CISA authority.
The Telerik UI for ASP.NET AJAX is sold by a company called Progress, which is headquartered in Burlington, Massachusetts, and Rotterdam in the Netherlands. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. In late 2019, Progress released version 2020.1.114, which patched CVE-2019-18935, an insecure deserialization vulnerability that made it possible to remotely execute code on vulnerable servers. The vulnerability carried a severity rating of 9.8 out of a possible 10. In 2020, the NSA warned that the vulnerability was being exploited by Chinese state-sponsored actors.