EclecticIQ

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

CISA Warns of Telerik Vulnerability; Kimsuky Steal Gmail Emails

This issue of the Analyst Prompt discusses three cybersecurity incidents. The first involves the Telerik vulnerability, which was exploited to target US government entities. The second incident involves North Korean threat actors using generic malware to steal emails. The third incident involves the Clop ransomware group claiming to have compromised 130 organizations via a vulnerability in GoAnywhere MFT.

EclecticIQ Threat Research Team April 12, 2023

tap 6 - 2023

Exploit Tools and Targets: Threat Actors Exploit Progress Telerik Vulnerability (CVE-2019-18935) in U.S. Government IIS Server 

On March 15, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (AA23-074A) warning of a vulnerability in Telerik UI, a third-party user-interface component used in various web applications, including some operated by US government agencies. The vulnerability, tracked as CVE-2019-18935, allows remote code execution and can be exploited by attackers to take control of vulnerable systems (1).

The report notes that threat actors are actively exploiting this vulnerability in the wild, targeting US government web servers running Internet Information Services (IIS) with a vulnerable version of Telerik UI installed. Attackers leverage the vulnerability to install web shells and other malware on the compromised servers to give them persistent access to the victim network. 

CISA recommends that all organizations using Telerik UI immediately apply the latest security updates from the vendor to mitigate the risk of exploitation. The advisory also includes additional recommendations for organizations to improve their security posture. 

The report emphasizes the importance of maintaining up-to-date software and patching vulnerabilities as soon as possible to prevent exploitation by threat actors. 
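The advisory's two practical points, patch the component and look for abuse of it on IIS hosts, can both be scripted. The following triage helper is an added example written for this digest, not code from EclecticIQ or from CISA: it parses IIS W3C log lines, flags POST requests to the RadAsyncUpload handler (the handler path is assumed to be the default `Telerik.Web.UI.WebResource.axd?type=rau`; adjust it if your deployment registers a custom one), tallies them per source address, and compares an installed Telerik UI version string against a fixed-version threshold. The log lines are constructed, and the `FIXED_VERSION` value is a placeholder to be taken from the vendor's advisory for your product line.

```python
"""Added example (not from the EclecticIQ post or the CISA advisory):
triage helper for Telerik UI / CVE-2019-18935 exposure on an IIS server.
Sample log lines are constructed; FIXED_VERSION is a placeholder."""

from collections import Counter

# Assumption: default RadAsyncUpload handler path and query marker.
RAU_HANDLER = "telerik.web.ui.webresource.axd"
RAU_QUERY_MARKER = "type=rau"

# Placeholder: set from the vendor's advisory for your Telerik UI product line.
FIXED_VERSION = "2020.1.114"

# W3C field order assumed for the constructed sample below; match it to the
# "#Fields:" header of the log you actually ingest.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_version(version):
    """'2019.3.1023' -> (2019, 3, 1023) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(installed, fixed=FIXED_VERSION):
    """True when the installed build predates the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def parse_iis_line(line):
    """Split one W3C log line into a dict, or None if the field count is off."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def is_rau_upload(rec):
    """POST to the async-upload handler is the request shape worth triaging;
    GETs to the same handler are routine resource fetches."""
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower().endswith(RAU_HANDLER)
            and RAU_QUERY_MARKER in rec["cs-uri-query"].lower())


def find_suspicious(lines):
    """Return (flagged records, per-client-IP counts) for the given log lines."""
    flagged = []
    for line in lines:
        if line.startswith("#"):        # W3C directive lines
            continue
        rec = parse_iis_line(line)
        if rec and is_rau_upload(rec):
            flagged.append(rec)
    return flagged, Counter(r["c-ip"] for r in flagged)


# Constructed sample log: one benign page load, two upload POSTs from one
# scripted client, one ordinary GET to the handler.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2023-03-01 10:00:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28 200
2023-03-01 10:00:06 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28 200
2023-03-01 10:00:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.10 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    print("installed 2019.3.1023 vulnerable:", is_vulnerable_version("2019.3.1023"))
    hits, by_ip = find_suspicious(SAMPLE_LOG)
    for rec in hits:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs(User-Agent)"])
    print("upload POSTs per client:", dict(by_ip))
```

A flagged POST is not by itself evidence of exploitation, since applications that use RadAsyncUpload receive such requests legitimately; the point is to join the hits with the version check and with the client's user agent and request volume, and to follow up on the host for newly written DLLs and web shells as the advisory describes.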

Malware: North Korean hackers using Chrome extensions to steal Gmail emails 

The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) have issued a joint cybersecurity advisory warning about the Kimsuky threat actor, a North Korean group, using Chrome extensions and Android applications to steal Gmail emails from targets such as diplomats, journalists, and politicians. Although the current campaign is focused on South Korea, the advisory notes that the techniques used by Kimsuky can be applied globally (2). 

Kimsuky uses spear-phishing emails to persuade victims to install a malicious Chrome extension named 'AF', which can also be installed on other Chromium-based browsers. The extension activates when victims visit Gmail, reads their email content and sends it to the attacker's server using the DevTools API. Kimsuky has used this method before, and the extension appears in the extensions list only if the user enters a specific address in the browser's address bar.
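An extension that reads Gmail through the DevTools API has to declare that capability in its manifest, which gives defenders something to inventory even when the extension keeps itself out of sight. The audit below is an added example, not code from EclecticIQ or from the BfV/NIS advisory: it walks a Chromium profile's `Extensions/<id>/<version>/manifest.json` files and flags any extension that requests the `debugger` permission (the permission behind the `chrome.debugger` DevTools API) or host access covering Gmail. The profile on disk and the two manifests are constructed for the demonstration.

```python
"""Added example (not from the post or the joint advisory): inventory the
extensions in a Chromium-family browser profile and flag manifests that
request DevTools-protocol access or host access to webmail. The demo profile
and manifests are constructed in a temporary directory."""

import json
import os
import tempfile

# Permissions worth a second look when an extension touches webmail.
RISKY_PERMISSIONS = {"debugger", "webRequest", "webRequestBlocking"}
# Host patterns that cover Gmail, either explicitly or via a wildcard.
MAIL_HOST_MARKERS = ("mail.google.com", "<all_urls>", "*://*/*")


def manifest_findings(manifest):
    """Return human-readable reasons this manifest looks risky (empty if none)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))      # Manifest V3
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # Manifest V2
    for perm in sorted(perms & RISKY_PERMISSIONS):
        reasons.append(f"requests {perm!r} permission")
    for host in hosts:
        if any(marker in host for marker in MAIL_HOST_MARKERS):
            reasons.append(f"host access covers webmail: {host}")
    return reasons


def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return findings by id."""
    results = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            reasons = manifest_findings(manifest)
            if reasons:
                results[ext_id] = {"name": manifest.get("name", "?"),
                                   "version": version, "reasons": reasons}
    return results


def build_demo_profile():
    """Create a throwaway profile with two constructed extensions:
    a harmless one and one shaped like the mail-stealing extension."""
    root = tempfile.mkdtemp()
    demo = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Harmless Theme", "manifest_version": 3,
            "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "AF", "manifest_version": 3,
            "permissions": ["debugger", "tabs"],
            "host_permissions": ["https://mail.google.com/*"]},
    }
    for ext_id, manifest in demo.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, "1.0_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for ext_id, info in audit_profile(build_demo_profile()).items():
        print(ext_id, info["name"], info["version"], "|", "; ".join(info["reasons"]))
```

Run against a real profile, point `audit_profile` at the user's profile directory (for example `User Data\Default` on Windows). Extensions loaded unpacked in developer mode or pushed by enterprise policy can live outside the profile's `Extensions` folder, so a complete inventory should also read the extension settings recorded in the profile's `Preferences` and `Secure Preferences` files.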

Threat Actors: Clop Ransomware Group Claimed It Compromised 130 Organizations via Remote Code Execution Vulnerability in GoAnywhere MFT 

The Clop ransomware syndicate claims to have stolen data from over 130 organizations by exploiting a zero-day vulnerability, tracked as CVE-2023-0669, in the GoAnywhere MFT secure file transfer tool (3,4).  

The vulnerability allows attackers to gain remote code execution on unpatched instances of the tool with exposed administrative consoles. The Clop ransomware group said they stole data over ten days but did not deploy ransomware. While Clop did not provide proof of their claims, Huntress Threat Intelligence Manager Joe Slowik linked the attacks to the threat group TA505, which is known for deploying Clop ransomware. The vulnerability was added to the Known Exploited Vulnerabilities Catalog by CISA (5). 

In December 2020, Clop used a similar tactic when they exploited a zero-day vulnerability in the Accellion FTA to steal data from approximately 100 companies.  

 

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.



Appendix


1. https://www.cisa.gov/sites/default/files/2023-03/aa23-074a-threat-actors-exploit-telerik-vulnerability-in-us-government-iis-server_1.pdf

2. https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.html;jsessionid=5F54A73439C826897C132E375AB684F2.intranet252 

3. https://www.pingsafe.com/blog/fortra-goanywhere-mft-rce-vulnerability 

4. https://www.darkreading.com/endpoint/massive-goanywhere-rce-exploit 

5. https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits  


© 2014 – 2024 EclecticIQ B.V.