CISA Alert AA23-074A – Threat actors exploit progress telerik vulnerability in U.S. government IIS server. [CISA Cybersecurity Alerts]

CyberWire Daily

N2K Networks, Inc.

News, Tech News, Daily News, Technology

4.8 • 1.1K Ratings

🗓️ 16 March 2023

⏱️ 3 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers. AA23-074A Alert, Technical Details, and Mitigations AA23-074A STIX XML MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935) ACSC Advisory 2020-004 Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI Volexity Threat Research: XE Group GitHub: Proof-of-Concept Exploit for CVE-2019-18935 Microsoft: Configure Logging in IIS GitHub: CVE-2019-18935 No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript

Click on a timestamp to play from that location

0:00.0	You're listening to the CyberWire Network, powered by N2K.
0:07.0	This is a CISA Cybersecurity Alert.
0:14.0	ID number Alpha Alpha 23-0-74 Alpha.
0:21.0	Original release date, March 15th, 2023.
0:25.0	CISA, FBI, and the Multistate Information Sharing and Analysis Center are releasing this joint
0:33.9	cybersecurity advisory to provide IT infrastructure defenders with TTPs, IOCs, and
0:39.9	methods to detect and protect against recent exploitation against Microsoft Internet information. and January 2023, CISA identified IOCs at a federal civilian executive branch agency.
0:57.0	Analysts determined that multiple cyber threat actors, including an APT actor and a known
1:01.9	cyber criminal group, were able to exploit a dot net deserrealization vulnerability
1:06.2	located in the agency's Microsoft Internet Information Services web server
1:11.6	successful exploitation of this vulnerability allows for remote code execution.
1:17.0	When exploiting the vulnerability, the threat actors uploaded malicious DLL files, some masqueraded as ping files, to the temp directory.
1:25.1	The malicious files were then executed from the directory via a legitimate process that runs
1:29.3	on IIS servers.
1:31.8	The review of antivirus logs identified that some DLL files were
1:35.4	created and detected as early as August 2021.
1:39.4	FBI and CISA encourage organizations to implement the recommendations in the mitigation section of this alert to reduce the likelihood and impact of similar exploitation.
1:49.0	The alert documentation linked in the show notes includes additional technical details
1:53.5	IOCs malicious actor TTPs recovery guidance mitigations and response
1:57.9	recommendations. Google's Threat Analysis Group contributed to this advisory.
2:02.2	To report incidents in a threat analysis group contributed to this advisory.
2:04.0	To report incidents in anomalous activity or to request incident response,
	...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from N2K Networks, Inc., and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of N2K Networks, Inc. and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.