Fri, Jul 24, 2020
In May 2020, Kroll began observing an increase in compromises tied to vulnerabilities in Telerik UI for ASP.NET AJAX, Progress Telerik's suite of web user interface (UI) components, which includes navigation, grid and file-upload controls. The vulnerability, tracked as CVE-2019-18935, is a .NET deserialization flaw in the RadAsyncUpload handler that allows remote code execution on the web server. In a short span of time Kroll observed more than a dozen cases in which attackers exploited it to deploy remote access tools or credential-harvesting software and then used that foothold to gain remote access to the client's network. The clients most often targeted within the sample timeframe were in the healthcare and government sectors (Figure 1).
Figure 1 - Sectors Most Often Impacted by Telerik Exploits
The deserialization attack enabled by CVE-2019-18935 is different from the earlier encryption-key flaw, CVE-2017-11317, which allowed unrestricted file uploads through the same RadAsyncUpload handler. The handler expects the rauPostData parameter to carry an encrypted, serialized Telerik.Web.UI.AsyncUploadConfiguration object together with its type name. In the deserialization attack, the attacker instead submits a file-upload POST request whose type name points at a remote code execution gadget, and the gadget runs when the handler deserializes the object. Exploitation requires knowledge of the application's Telerik encryption keys, which attackers typically obtain from installations that still use the well-known default keys. In practice this lets attackers run arbitrary software, code or webshells inside the web application's worker process.
Kroll pinpointed the attacks by examining the available forensic evidence and, most critically, web server access logs, looking specifically for unique user-agent strings and IP addresses previously flagged by our threat intelligence team. Tracing those strings and the activity tied to their interactions with internet-facing servers revealed suspiciously uploaded files, ranging from .aspx and .js to .zip content. Kroll's analysis of the identified files revealed a range of capabilities across the impacted systems, from code injection and remote access to credential harvesting.
Anthony Knutson, Senior Vice President in Kroll’s Cyber Risk practice, provided more details: “Specifically in the webshells, our engineers were able to recreate what the threat actor would see when traversing specific pages and demonstrate how these webshell files could go undetected by requiring the specific user-agent string we mentioned. Without that user-agent string, the page would load as an HTTP 404 error, and the webshell would not activate.”
Devon Ackerman, Managing Director and Head of North America Incident Response, added: “Like most webshells leveraged by attackers, these shells provided the unauthorized actors with abilities ranging from direct SQL database access, to file read/write capabilities, to operating system-level remote command prompt and PowerShell access.”
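Triage of the kind described above, as an added example that is not Kroll's tooling: a Python script over a constructed IIS W3C access log. It flags POSTs to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau), correlates them with the .aspx paths the same client IPs touched afterwards, and surfaces paths that answer 200 to one User-Agent and 404 to every other, the behaviour of the gated webshells Kroll's engineers recreated. The log lines, IP addresses, paths and user-agent strings are constructed for illustration; the field layout is the default IIS W3C one.

```python
"""Triage IIS W3C access logs for Telerik RadAsyncUpload (RAU) exploitation
and for user-agent-gated webshells.  Added example, not Kroll's tooling."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (IIS W3C format, default fields).  IPs, paths and
# user agents are invented for illustration.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-06-02 03:14:07 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 15
2020-06-02 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.23.0 - 200 0 0 120
2020-06-02 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.23.0 - 500 0 0 431
2020-06-02 03:15:01 10.0.0.5 GET /Content/cache.aspx - 443 - 198.51.100.7 python-requests/2.23.0 - 404 0 2 3
2020-06-02 03:15:02 10.0.0.5 GET /Content/cache.aspx - 443 - 198.51.100.7 CustomAgent/1.0 - 200 0 0 45
2020-06-02 03:16:40 10.0.0.5 GET /Content/cache.aspx - 443 - 203.0.113.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 404 0 2 2
2020-06-02 03:17:00 10.0.0.5 POST /Content/cache.aspx - 443 - 198.51.100.7 CustomAgent/1.0 - 200 0 0 60
"""

# The RadAsyncUpload handler lives behind this stem with the query type=rau.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        rec = dict(zip(fields, parts))
        # IIS writes spaces inside the user agent as '+'
        rec["cs(User-Agent)"] = unquote(rec["cs(User-Agent)"].replace("+", " "))
        records.append(rec)
    return records


def find_rau_posts(records):
    """POSTs to the RadAsyncUpload handler.  The rauPostData payload travels
    in the multipart body, so the log only shows the handler being hit; the
    status code varies with the payload, so do not filter on it."""
    return [
        r for r in records
        if r["cs-method"] == "POST"
        and r["cs-uri-stem"].lower().endswith(RAU_HANDLER)
        and "type=rau" in r["cs-uri-query"].lower()
    ]


def find_gated_paths(records):
    """Paths that answer 200 to some user agents and 404 to others: the
    signature of a webshell that only activates for a specific User-Agent."""
    by_path = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for r in records:
        if not r["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        ua = r["cs(User-Agent)"]
        if r["sc-status"] == "200":
            by_path[r["cs-uri-stem"]]["allowed"].add(ua)
        elif r["sc-status"] == "404":
            by_path[r["cs-uri-stem"]]["denied"].add(ua)
    return {p: v for p, v in by_path.items() if v["allowed"] and v["denied"]}


def triage(text):
    """Correlate RAU POSTs with the .aspx paths the same client IPs touched
    after their first RAU request, and report gated paths seen anywhere."""
    records = parse_iis_log(text)
    rau = find_rau_posts(records)
    first_rau = {}
    for r in rau:
        first_rau.setdefault(r["c-ip"], r["date"] + " " + r["time"])
    follow_on = defaultdict(set)
    for r in records:
        ip = r["c-ip"]
        when = r["date"] + " " + r["time"]
        if ip in first_rau and when > first_rau[ip] \
                and r["cs-uri-stem"].lower().endswith(".aspx"):
            follow_on[ip].add(r["cs-uri-stem"])
    return {
        "rau_posts": [(r["c-ip"], r["cs(User-Agent)"], r["sc-status"]) for r in rau],
        "suspect_ips": set(first_rau),
        "follow_on_aspx": dict(follow_on),
        "gated_paths": find_gated_paths(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

Legitimate applications that use the RadAsyncUpload control also POST to the same handler, so the RAU hits are a starting point rather than a verdict; the value is in the correlation, a previously unseen .aspx path that appears right after a RAU POST from the same source, and in the 200/404 split by user agent, which ordinary pages never show.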
In early June, Australia reported a large volume of state-sponsored attacks related to the Telerik UI vulnerability. The Australian Cyber Security Centre (ACSC) observed an advanced persistent threat (APT) actor scanning for unpatched Telerik installations and using publicly available exploits in attempts to compromise them. “The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerabilities in unpatched versions of Telerik UI,” the advisory stated.
According to recent reporting by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a group dubbed Blue Mockingbird recently infected thousands of computer systems via the Telerik vulnerability. “The group conducted a cryptocurrency mining campaign by targeting public-facing servers running ASP.NET apps using the Telerik framework. By exploiting CVE-2019-18935, the group was able to install a web shell in the compromised server and then used a privilege escalation tool to gain accesses needed to modify server settings and maintain persistence,” the report stated. Ackerman added, “In Kroll’s estimation, for the investigations where actor groups have leveraged the Telerik vulnerability to push in cryptocurrency mining operations, the activity was noisy and burdensome to the impacted systems. In every case that Kroll investigated involving this methodology, the client’s IT and security team had already noted the system resource impact tied to the miners—it wasn’t stealthy, it wasn’t a structured attack, but it was noisy, like a thief stumbling through a victim’s home knocking over lamps and cabinets alerting everyone within earshot of their presence.”
The following recommendations, provided by Kroll experts Michael Quinn and Devon Ackerman, should be taken into consideration to prevent exploits directed at the Telerik vulnerability:
Managing an ever-expanding list of vulnerabilities takes considerable resources and it’s especially hard to determine which vulnerability deserves priority attention. For internal teams burdened with a host of other priorities and a remote workforce, support from dedicated experts who have the frontline expertise, resources and technical skills to assess your exposure can greatly reduce your risk profile. Talk to a Kroll expert today via our 24x7 hotlines or contact form.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts.