US Cert Alert - Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
This version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, CVE-2017-9248, and CVE-2019-18935. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.
Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys. Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
Exploitation of CVE-2019-18935
Threat actors have actively exploited CVE-2019-18935, a .NET deserialization vulnerability in the RadAsyncUpload component of Telerik UI for ASP.NET AJAX, in targeted attacks. A successful exploit lets an attacker upload a malicious DLL to the server and have the IIS worker process load and execute it, giving remote code execution on vulnerable IIS servers running Telerik UI for ASP.NET AJAX.
Threat Actor Activity and Attack Methods
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2). These actors conducted reconnaissance and scanning activities [T1595.002] that correlated with the successful exploitation of CVE-2019-18935 in an agency’s IIS server.
Techniques Used in the Attack
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:\Windows\Temp directory. These malicious files were executed via the w3wp.exe process, the legitimate IIS worker process that handles web requests.
Review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021. Threat actors used a unique Unix Epoch-based file naming convention of the form [10 digits].[7 digits].dll (e.g., 1667203023.5321205.dll). The timestamps embedded in the names did not correlate with the files' filesystem timestamps, which suggests the use of timestomping [T1070.006] to obfuscate activity.
Indicators of Compromise (IOCs)
- Malicious files named in Unix Epoch time format.
- Fake PNG files containing executable code.
- Removal of forensic artifacts using malware that deletes .dll files [T1070.004].
- Communication with threat actors' C2 servers, including when execution was blocked due to permission restraints.
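The file-system artifacts above lend themselves to a simple triage script. The following Python is an added example, not code from the advisory or from CISA: it flags DLLs named in the [10 digits].[7 digits].dll pattern, compares the epoch embedded in the name with the file's creation time as a timestomping indicator, and checks whether a file with a .png extension actually begins with a PE header. The directory entries, creation times and header bytes are constructed sample data, and the one-hour tolerance between name epoch and creation time is an assumed threshold.

```python
"""Triage a C:\\Windows\\Temp listing for the artifacts described above.

Added example, not from the CISA advisory. It flags DLLs whose names follow
the [10 digits].[7 digits].dll convention, compares the Unix epoch in the name
with the recorded creation time (a wide gap is one timestomping indicator),
and checks whether a .png file really starts with a PE "MZ" header.
The directory entries below are constructed sample data.
"""
import re
from datetime import datetime, timezone

# Naming convention reported in the advisory: ten digits, dot, seven digits, .dll
EPOCH_DLL = re.compile(r"^(\d{10})\.(\d{7})\.dll$", re.IGNORECASE)
PE_MAGIC = b"MZ"                  # first two bytes of any Windows PE file (DLL or EXE)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # what a genuine PNG starts with
MAX_SKEW_SECONDS = 3600           # assumed tolerance between name epoch and creation time


def utc(ts):
    """Unix timestamp -> aware UTC datetime (also used to build the samples)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_epoch_name(name):
    """Return the Unix timestamp encoded in an epoch-named DLL, else None."""
    m = EPOCH_DLL.match(name)
    return int(m.group(1)) if m else None


def timestomp_delta(name, created):
    """Seconds between the epoch in the file name and the filesystem creation time."""
    ts = parse_epoch_name(name)
    if ts is None:
        return None
    return abs((created - utc(ts)).total_seconds())


def masquerading_png(name, head):
    """True when the extension says PNG but the first bytes are a PE header."""
    return name.lower().endswith(".png") and head.startswith(PE_MAGIC)


def triage(entries, max_skew=MAX_SKEW_SECONDS):
    """entries: iterable of (file name, creation datetime in UTC, first bytes of the file)."""
    findings = []
    for name, created, head in entries:
        if parse_epoch_name(name) is not None:
            findings.append((name, "epoch-named dll"))
            if timestomp_delta(name, created) > max_skew:
                findings.append((name, "name epoch and creation time disagree (possible timestomping)"))
        if masquerading_png(name, head):
            findings.append((name, "PE header under .png extension"))
    return findings


# Constructed sample listing. The first name is the example given in the advisory;
# its creation time is deliberately set more than a year before the epoch in its name.
SAMPLE_ENTRIES = [
    ("1667203023.5321205.dll", utc(1628996400), b"MZ\x90\x00\x03\x00"),
    ("1667203100.1234567.dll", utc(1667203100), b"MZ\x90\x00\x03\x00"),
    ("image1.png",             utc(1667203200), b"MZ\x90\x00\x03\x00"),
    ("banner.png",             utc(1667203200), PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    ("w3wp-trace.log",         utc(1667203200), b"2022-10-31 07:59:00 request"),
]


def run_sample():
    """Run the triage over the constructed listing."""
    return triage(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for name, why in run_sample():
        print(f"{name}: {why}")
```

On a live host, feed it the name, creation time (CreationTimeUtc) and first few bytes of every file in C:\Windows\Temp. A mismatch between the name epoch and the creation time is only a lead, since the epoch in the name is chosen by the attacker's tooling, and the MZ check is worth applying to every file the web application wrote regardless of extension.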
Threat Actor 1 (TA1) Operations
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. TA1 successfully uploaded and executed at least nine DLL files for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005].
All analyzed samples collected and communicated network parameters, including host name, domain name, IP address, and NetBIOS ID, to C2 servers at 137.184.130[.]162 or 45.77.212[.]12. C2 traffic used an unencrypted TCP protocol over port 443 [T1095]. Additional analysis revealed that:
- Some samples loaded additional libraries, enumerated system files, and wrote new files [T1083].
- Other samples deleted .dll files from C:\Windows\Temp to erase traces.
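A network-side check for the C2 behaviour described above (plain TCP on port 443 carrying host details), as an added example that is not part of the advisory: a TLS session always opens with a ClientHello record, so a port-443 flow whose first client bytes are anything else deserves attention, more so if they contain the server's own host name in cleartext or go to one of the two addresses listed. The flow records and the host name IIS-WEB01 are constructed; the two C2 addresses are the ones named above.

```python
"""Flag non-TLS traffic to tcp/443 from an IIS host.

Added example, not from the CISA advisory. TA1's implants sent host name,
domain, IP address and NetBIOS name over unencrypted TCP on port 443. A TLS
session begins with a ClientHello: a 5-byte record header (content type 0x16,
version 0x03 0x0X, length) followed by handshake type 0x01. Anything else as
the first client bytes on 443 is plaintext. The flow records are constructed
sample data; the C2 addresses are the ones reported in the advisory.
"""
import ipaddress

C2_SERVERS = {
    ipaddress.ip_address("137.184.130.162"),
    ipaddress.ip_address("45.77.212.12"),
}
LOCAL_HOSTNAME = "IIS-WEB01"  # assumed name of the monitored server


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start a TLS handshake record carrying a ClientHello."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16      # content type: handshake
        and payload[1] == 0x03      # record version major (SSL3/TLS1.x all use 3)
        and payload[2] <= 0x04      # record version minor 0..4
        and payload[5] == 0x01      # handshake message type: ClientHello
    )


def classify_flow(dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the reasons a client->server flow looks like the reported C2 traffic."""
    reasons = []
    if dst_port == 443 and not looks_like_tls_client_hello(payload):
        reasons.append("non-TLS payload on 443")
        if LOCAL_HOSTNAME.lower().encode() in payload.lower():
            reasons.append("cleartext host name in payload")
    if ipaddress.ip_address(dst_ip) in C2_SERVERS:
        reasons.append("known C2 address")
    return reasons


# Constructed flows: (destination IP, destination port, first client payload bytes).
# 203.0.113.10 is a documentation address standing in for a benign destination.
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
SAMPLE_FLOWS = [
    ("137.184.130.162", 443, b"IIS-WEB01|CORP|10.20.30.40|IIS-WEB01\x00"),  # TA1-style beacon
    ("45.77.212.12",    443, TLS_HELLO),                                     # real TLS to a C2 IP
    ("203.0.113.10",    443, TLS_HELLO),                                     # ordinary HTTPS
    ("203.0.113.10",    443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # cleartext HTTP on 443
]


def run_sample() -> list:
    """Classify each constructed flow; returns one reason list per flow, in order."""
    return [classify_flow(ip, port, payload) for ip, port, payload in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (ip, port, _), reasons in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{ip}:{port} -> {reasons or 'ok'}")
```

The heuristic needs the first bytes the client sent, so it suits packet captures or sensors that record initial payload, not flow summaries alone. Services that legitimately speak something other than TLS on 443 will trigger the first reason, which is why the host-name and destination checks are kept as separate signals rather than folded into one verdict.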
Threat Actor 2 (TA2) Operations
TA2—identified as likely the cybercriminal actor XE Group—frequently uses the "xe[word]" naming convention in file names and registered domains. As early as August 2021, TA2 delivered malicious PNG files that were actually DLL files masquerading as images to evade detection [T1036.005].
Similar to TA1, TA2 exploited CVE-2019-18935 to upload at least three unique DLL files to the C:\Windows\Temp directory and execute them via the w3wp.exe process. These DLL files dropped and executed reverse shell utilities to communicate with C2 servers.
Defensive Measures and Mitigation Strategies
To mitigate the risks associated with CVE-2019-18935 and related vulnerabilities, organizations should:
- Patch Telerik UI for ASP.NET AJAX: Upgrade to a release that fixes CVE-2019-18935 and the 2017 key-disclosure vulnerabilities. Check the version of Telerik.Web.UI.dll in each application's bin directory rather than relying on the last installer run, since the library is often bundled with an application and updated separately from it.
- Restrict File Execution in IIS Directories: Limit execution of untrusted files in C:\Windows\Temp.
- Monitor for IOC Activity: Detect anomalous file creation, timestomping, and C2 traffic.
- Enhance Endpoint Detection & Response (EDR) Capabilities: Implement solutions that identify and block exploitation attempts in real time.
- Use Least Privilege Principles: Restrict service account permissions to limit attackers’ ability to execute malicious code.
Organizations should implement these measures to prevent further exploitation of CVE-2019-18935 and related threats.