CTI Roundup: US Federal Agency Hacked Using Telerik
Hackers used the Telerik bug to breach a US federal agency, a suspected Chinese actor used the Fortinet zero-day along with custom malware to engage in cyberespionage, and the Tick advanced persistent threat (APT) group targeted the customers of an East Asian data loss prevention (DLP) company.
First, CTI covers a joint advisory from CISA, the FBI, and MS-ISAC about last year’s compromise of an unnamed federal civilian executive branch (FCEB) agency’s network. Next, CTI dives into a recent joint report from Mandiant and Fortinet on a series of attacks targeting government organizations, during which the attackers engaged in the exploitation of a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy two new strains of malware. Finally, CTI wraps things up with a look at a new campaign attributed to the advanced persistent threat (APT) group Tick, which has reportedly targeted an East Asian company specializing in the development of data loss prevention (DLP) software.
1. US federal agency hacked using old Telerik bug to steal data
According to a joint advisory issued by CISA, the FBI, and MS-ISAC, a US federal agency’s Microsoft Internet Information Services (IIS) web server was hacked in 2022 when the attacker exploited a critical .NET deserialization vulnerability (CVE-2019-18935) impacting the Progress Telerik UI for ASP.NET AJAX component.
As the joint advisory explains, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency’s network.
From BleepingComputer:
After hacking into the unnamed federal civilian executive branch (FCEB) agency’s server, they deployed malicious payloads in the C:\Windows\Temp\ folder to collect and exfiltrate information to attacker-controlled command and control servers.
The malware installed on the compromised IIS server could deploy additional payloads, evading detection by deleting its traces on the system, and opening reverse shells to maintain persistence.
The malware in question could also be used to drop an ASPX web shell, providing the attackers with an interface which aided in browsing the local system, downloading/uploading files, and executing commands remotely. However, as detailed in the advisory, “no webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.”
The malware installed on the compromised IIS servers is explored in further detail in a malware analysis report, published concurrently by CISA.
Vulnerabilities involved
As reported by CISA, CVE-2019-18935, a .NET deserialization vulnerability contained within an instance of Telerik UI for AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server was successfully exploited during the attack.
The exploit involved provided the attackers with interactive access to the web server and enabled them to successfully execute remote code on the vulnerable web server.
From CISA:
Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan.
CISA added the CVE-2019-18935 Progress Telerik UI security vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in November 2021. The advisory goes on to state that other vulnerabilities may have played a part in the incident.
Threat actors, tradecraft involved
According to BleepingComputer, at least two threat actors — one being the Vietnamese XE Group — were able to access the unpatched server and gain remote code execution by exploiting the CVE-2019-18935 bug. The operation’s key takeaways are as follows:
- XE Group was observed conducting a type of reconnaissance and scanning activity consistent with the successful exploitation of CVE-2019-18935 in the agency’s IIS server.
- During the vulnerability’s exploitation, the threat actors were observed uploading malicious DLL files disguised as PNG files to the C:\Windows\Temp\ directory.
- The malicious files were then executed from the C:\Windows\Temp\ directory via the w3wp.exe process — a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created and detected as early as August 2021, according to CISA.
Furthermore, the malicious files dropped on the compromised IIS server displayed a file naming convention consistent with previous reporting which states that threat actors commonly leverage such a schema when exploiting CVE-2019-18935.
From CISA:
The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).
In multiple instances, artifacts one would expect to find during an investigation of such activity were unavailable for analysis because of the threat actors’ malware deleting them. The malware in question reportedly looks for and removes files with the .dll file extension from the C:\Windows\Temp\ directory.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Aside from regularly patching software, it’s equally important to ensure that DLLs are linked to file paths that security measures/AV/endpoint solutions regularly scan for anomalous files, and anything else out of place. It’s equally important to ensure that defensive mechanisms are configured to scan file paths that threat actors commonly leverage.”
From BleepingComputer:
CISA, the FBI, and MS-ISAC advise applying multiple mitigation measures to protect against other attacks targeting this vulnerability, with some of the highlights including:
- Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing.
- Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell.
- Limit service accounts to the minimum permissions necessary to run services.
- Prioritize remediation of vulnerabilities on internet-facing systems.
- Implement a patch management solution to ensure compliance with the latest security patches.
- Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.
- Implement network segmentation to separate network segments based on role and functionality.’
“CISA, the FBI, and MS-ISAC also recommend testing, exercising, and validating security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework mentioned in the advisory.”
2. Suspected Chinese actor uses Fortinet Zero-Day and custom malware in espionage operation
According to Mandiant, a suspected state-sponsored Chinese threat actor has been linked to a series of attacks targeting government organizations during which the attackers engaged in the exploitation of a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
The zero-day security flaw in question, CVE-2022-41328, was disclosed by Fortinet in a recent advisory stating that:
“A [sic] improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands…”
Fortinet issued security updates to address the high-severity vulnerability, which could potentially enable threat actors to execute unauthorize code or commands. The advisory made no mention of exploitation of the bug in the wild, but a Fortinet report issued roughly two weeks ago revealed that CVE-2022-41328 exploits had been used to hack and take down multiple FortiGate firewall devices belonging to one of its customers — the same incident at the center of Mandiant’s latest reporting, in which the company acknowledges working with Fortinet to investigate the exploitation and deployment of malware across various Fortinet solutions.
What’s impacted?
According to Fortinet, the following FortiOS versions are affected:
- Version 6.4.0 through 6.4.11
- Version 7.0.0 through 7.0.9
- Version 7.2.0 through 7.2.3
- All versions of FortiOS 6.0 and 6.2
Attack details
Mandiant’s reporting states that the attacks occurred in mid-2022. Analysis of the post-exploitation activity associated with one instance revealed that the malware deployed by the suspected Chinese actor — aided in large part by the exploitation of CVE-2022-41328 — could be used for purposes of cyberespionage, data exfiltration, opening remote shells, and the downloading and writing of files to compromised devices.
The attacks have been highly targeted in nature, with victimology comprised of government networks and large organizations.
Who is UNC3886?
UNC3886 is a group suspected by Mandiant of having a China-nexus and which has been associated with the novel VMware ESXi hypervisor malware framework disclosed in September 2022.
At the time of the ESXi hypervisor compromises, Mandiant observed UNC3886 directly connect from FortiGate and FortiManager devices to VIRTUALPITA backdoors on multiple occasions.
The attackers displayed a significant degree of sophistication and “advanced capabilities.”
“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” Fortinet said. “The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”
The targeting associated with the attacks aligns with recent targeting patterns exhibited by China’s state-backed cyber espionage actors.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The malicious activity certainly bears all the hallmarks of a state-sponsored operation, and as previously stated, the observed targeting patterns, advanced capabilities, and use of a zero-day exploit could all certainly be indicative of a Chinese APT’s involvement. It sounds as if it was a stroke of luck that alerted investigators to this actor’s presence in the first place. If this is the work of a China-nexus attacker, this is unsurprising, as many of the nation’s state-backed hacking collectives are notoriously stealthy and have proven themselves capable of carrying out multi-year intrusions. CTI will monitor this story closely.”
3. Tick APT targets the high-value customers of East Asian data loss prevention company
ESET claims that a new campaign attributed to the Tick APT group targeted an East Asian company that develops data loss prevention (DLP) software.
According to ESET, the group compromised the company’s internal update servers to deliver malware and trojanized installers of legitimate tools used by the company. The trojanized installers were passed to two of the company’s customers via remote support software.
About Tick
- Tick, also known as Bronze Butler, is a cyberespionage group believed to be of Chinese origins.
- The group is believed to have been active since at least 2006, primarily targeting the APAC region.
- Tick uses a custom malware arsenal designed for persistence, reconnaissance, data exfiltration, and the download of additional tools.
- Tick was previously observed exploiting the ProxyLogon vulnerability.
Attack overview
Around the same time as Tick’s exploitation of the ProxyLogon vulnerability, the operation was seen gaining access to an East Asian software developer company. The campaign leveraged malware and replaced installers of a legitimate application, Q-dir, with trojanized versions to drop a backdoor named ReVBShell.
This activity led to the compromise of two of the company’s customers when the malware was transferred via remote support software. Researchers believe this occurred when the DLP company was providing technical support to these customers.
Attack timeline
In March 2021, the threat actor deployed malware to multiple machines of the DLP company. The malware included variants of the Netboy and Ghostdown families, and a previously undocumented downloader named ShadowPy.
Trojanized copies of the Q-dir installers were then introduced to the network. Months later these trojanized installers were transferred to customers of the DLP company.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Whether it was the attackers’ intention or not, this campaign resulted in the transfer of trojanized installers to two of the company’s customers. It’s unclear exactly how this happened, but it’s believed to have occurred during a technical support session which took place between the company and its customers, during which remote support tools like ANYSUPPORT and helpU were used.”
“Researchers don’t believe that a supply-chain style attack was the primary goal of the campaign, but rather an indirect result of their operations. At the end of the day, what matters are the results, and the fact that a supply-chain attack was able to occur (possibly by accident) highlights the fact that such incidents still pose a real threat to enterprises.”
For further reading, catch up on our recent cyber threat intelligence roundups.