Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component.
According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.
At least two threat actors accessed the unpatched server by exploiting this bug (CVE-2019-18935) to gain remote code execution.
After gaining access to the agency's server, the attackers deployed malicious payloads in the C:\Windows\Temp\ folder to collect information and exfiltrate it to attacker-controlled command and control (C2) servers.
The malware installed on the compromised IIS server could deploy additional payloads, evade detection by deleting its traces from the system, and open reverse shells to maintain persistence.
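A responder reading the above will want two quick checks: were there requests to the Telerik upload handler that CVE-2019-18935 abuses, and are there recently written DLLs in C:\Windows\Temp\? The following is an added example, not code from the article, CISA, or Progress. It assumes the IIS W3C log field layout shown in its constructed sample, and it takes from the CVE record (not from this article) that the vulnerable endpoint is Telerik.Web.UI.WebResource.axd with type=rau; the 90-day window for the DLL check is an arbitrary assumption.

```python
"""Hunt for CVE-2019-18935 exploitation traces on an IIS host.

Added example; not the article's or the vendor's code.
Heuristic 1: IIS W3C log lines with a POST to the Telerik RadAsyncUpload
handler (Telerik.Web.UI.WebResource.axd, query type=rau), the endpoint the
deserialization bug is reached through (from the CVE record, not the article).
Heuristic 2: .dll files in a directory (C:\\Windows\\Temp\\ per the advisory)
modified within a window, since that is where the dropped payload lived.
"""
from collections import Counter
from pathlib import Path
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (not real agency data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-11-17 03:12:41 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2022-11-17 03:12:55 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 200
2022-11-17 03:13:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=iau 443 - 198.51.100.2 Mozilla/5.0 200
2022-11-17 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 500
"""

TELERIK_HANDLER = "telerik.web.ui.webresource.axd"


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # skip truncated/odd lines rather than mis-key them
            continue
        yield dict(zip(fields, parts))


def find_rau_posts(text):
    """Return records that POST to the Telerik handler with type=rau.

    Only POSTs are flagged: the RadAsyncUpload handler is legitimately
    fetched with GET for other 'type' values by normal page loads.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "POST":
            continue
        if not rec.get("cs-uri-stem", "").lower().endswith(TELERIK_HANDLER):
            continue
        query = rec.get("cs-uri-query", "")
        types = [v.lower() for v in parse_qs(query).get("type", [])]  # "-" parses to {}
        if "rau" in types:
            hits.append(rec)
    return hits


def summarize_sources(hits):
    """Count flagged requests per client IP, to prioritise which sources to pull PCAP/EDR for."""
    return dict(Counter(h["c-ip"] for h in hits))


def flag_recent_dlls(entries, max_age_days, now):
    """Pure filter: keep (name, mtime, size) entries ending in .dll with mtime inside the window.

    Kept separate from the filesystem walk so it can be exercised on constructed input.
    """
    cutoff = now - max_age_days * 86400
    kept = [e for e in entries if e[0].lower().endswith(".dll") and e[1] >= cutoff]
    return sorted(kept, key=lambda e: e[1], reverse=True)


def list_dir_entries(directory):
    """Collect (name, mtime, size) for regular files directly under `directory`; [] if absent."""
    d = Path(directory)
    if not d.is_dir():
        return []
    out = []
    for p in d.iterdir():
        try:
            if p.is_file():
                st = p.stat()
                out.append((p.name, st.st_mtime, st.st_size))
        except OSError:  # locked or vanished file; not worth aborting the hunt
            continue
    return out


if __name__ == "__main__":
    import time
    hits = find_rau_posts(SAMPLE_LOG)
    print("type=rau POSTs by source:", summarize_sources(hits))
    # On the affected host this would be C:\Windows\Temp; 90 days is an assumed window.
    for name, mtime, size in flag_recent_dlls(list_dir_entries(r"C:\Windows\Temp"), 90, time.time()):
        print(f"recent DLL: {name} ({size} bytes)")
```

Treat a hit as a lead, not a verdict: a POST to type=rau is also what a legitimate RadAsyncUpload control sends, so correlate the source IP, user agent, and response status (the 500 in the sample is typical of a payload that failed to load) with the DLL check and with the C2 traffic the advisory describes.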