
Threat Actors Hack US Federal Agency Using Telerik Bug to Steal Data


In a joint security advisory on Wednesday, CISA reported that threat actors exploited a three-year-old Progress Telerik UI flaw to compromise a server at a federal civilian executive branch agency.

An unidentified federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server was compromised by a number of threat actors, including an advanced persistent threat (APT). The advisory, which includes in-depth technical information and indicators of the breach, was created by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). 

Apparently, a critical .NET deserialization flaw in the Progress Telerik UI for ASP.NET AJAX component allowed hackers to compromise a Microsoft Internet Information Services (IIS) web server used by a U.S. government agency last year.

As per the advisory, the threat actors had access to the server between November 2022 and early January 2023, based on indicators of compromise (IOCs) found on the unidentified FCEB agency's network. At least two threat actors (among them the Vietnamese XE Group) accessed the unpatched server to achieve remote code execution.

According to CISA, the central vulnerability was linked with the Telerik UI flaws on the IIS server, CVE-2017-11357 and CVE-2017-11317; however, the forensic investigation was unable to conclusively verify which of the two was used, or even whether either was.

The agency's instance was version 2013.2.717; the advisory stated that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935. "Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan[…]This may be the case for many software installations, as file paths widely vary depending on the organization and installation method," the advisory noted. 
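The point in that paragraph is that a scanner plugin for CVE-2019-18935 is useless when Telerik sits in a path the scanner never looks at. As an added example (not code from the advisory, CISA or Progress), the following Python walks an entire directory tree for the Telerik assembly and compares each build number against the 2020.1.114 fix version cited above. Telerik versions follow YEAR.QUARTER.BUILD, so they have to be compared numerically; the on-disk inventory and the `version_of` callback are constructed here, and reading the version from the DLL's file-version resource is assumed to be the caller's job.

```python
"""Find Telerik UI for ASP.NET AJAX assemblies wherever they are installed and
flag builds older than 2020.1.114 (the fix version the advisory cites for
CVE-2019-18935).

Added example, not code from the CISA/FBI/MS-ISAC advisory. Telerik versions
follow YEAR.QUARTER.BUILD (e.g. 2013.2.717); they must be compared as numbers,
because a plain string comparison mis-orders builds such as 2020.1.93 and
2020.1.114. Reading the version out of the DLL itself is left to the caller
(on Windows, the file-version resource); here it comes from a constructed
inventory.
"""
import os
import re
from typing import Callable, Iterable

FIXED_BUILD = "2020.1.114"   # from the advisory: earlier builds are vulnerable to CVE-2019-18935
ASSEMBLY_NAME = "telerik.web.ui.dll"

_VERSION_RE = re.compile(r"(\d{4})\.(\d)\.(\d+)")


def parse_build(version: str) -> tuple[int, int, int]:
    """'2013.2.717' -> (2013, 2, 717); raises ValueError on anything else."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not a Telerik YEAR.Q.BUILD version: {version!r}")
    year, quarter, build = (int(x) for x in m.groups())
    return (year, quarter, build)


def is_vulnerable_build(version: str) -> bool:
    """True for any build numerically older than the fixed build."""
    return parse_build(version) < parse_build(FIXED_BUILD)


def find_telerik_assemblies(root: str) -> list[str]:
    """Walk the whole tree under root rather than only the paths a scanner
    plugin expects: the advisory notes the agency's scanner missed the install
    because Telerik sat in a path it does not normally scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == ASSEMBLY_NAME:
                hits.append(os.path.join(dirpath, name))
    return hits


def audit(paths: Iterable[str], version_of: Callable[[str], str]) -> list[dict]:
    """Return one finding per vulnerable assembly. version_of maps a DLL path
    to its version string (assumed to be supplied by the caller)."""
    findings = []
    for path in paths:
        version = version_of(path)
        if is_vulnerable_build(version):
            findings.append({"path": path, "version": version, "fixed_in": FIXED_BUILD})
    return findings


# Constructed inventory standing in for real hosts; paths and versions are illustrative.
SAMPLE_INVENTORY = {
    r"C:\inetpub\wwwroot\portal\bin\Telerik.Web.UI.dll": "2013.2.717",    # the advisory's version
    r"D:\apps\legacy\site\bin\Telerik.Web.UI.dll": "2020.1.93",           # constructed: string-compare trap
    r"C:\inetpub\wwwroot\intranet\bin\Telerik.Web.UI.dll": "2020.1.114",  # at the fixed build
}


def audit_sample() -> list[dict]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_INVENTORY, SAMPLE_INVENTORY.__getitem__)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"VULNERABLE {f['version']:<12} (< {f['fixed_in']})  {f['path']}")
```

On a real host you would feed `find_telerik_assemblies()` a drive root and a `version_of` that reads the assembly's version metadata; the `2020.1.93` entry is constructed purely to show why the comparison is numeric rather than lexical.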

The incident resembles the 2017 Equifax breach, which was caused in part by a vulnerability assessment for a severe Apache Struts flaw that overlooked an older system, which threat actors subsequently compromised.

CISA, the FBI, and MS-ISAC advised companies to use central log collection and monitoring. Moreover, it has been recommended to implement process monitoring in order to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935. 
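As an added example of the central log collection the advisory recommends (this is not the advisory's YARA rule and not any vendor's detection), the following Python parses IIS W3C log lines and surfaces POSTs to the Telerik RadAsyncUpload handler, `Telerik.Web.UI.WebResource.axd` with `type=rau`, which is the component the CVE-2019-18935 deserialization flaw lives in. The log lines are constructed; the handler path and query value are real but assumed to be what your deployment uses. Legitimate upload controls produce the same request, so the output is a triage lead, not proof of compromise.

```python
"""Central log monitoring of the kind the advisory recommends: pull IIS W3C
log lines into one place and surface POSTs to the Telerik RadAsyncUpload
handler (Telerik.Web.UI.WebResource.axd?type=rau), the component in which
CVE-2019-18935 lives.

Added example, not the advisory's YARA rule or any vendor detection. The log
lines below are constructed; the field list mirrors a default IIS W3C header.
Legitimate upload controls produce the same request, so treat hits as triage
leads (unknown client, scripted user agent, bursts) rather than proof of
compromise.
"""
from collections import Counter
from typing import Iterator

HANDLER = "/telerik.web.ui.webresource.axd"

# Constructed sample; IIS writes '+' for spaces inside the user-agent field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-11-14 03:12:07 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 03:12:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200
2022-11-14 03:12:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.28.1 200
2022-11-14 09:40:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 443 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 09:41:15 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def is_radasyncupload_post(rec: dict) -> bool:
    """A POST to the RadAsyncUpload handler; case-insensitive on path and query."""
    return (rec.get("cs-method", "").upper() == "POST"
            and rec.get("cs-uri-stem", "").lower().endswith(HANDLER)
            and "type=rau" in rec.get("cs-uri-query", "").lower())


def find_hits(text: str) -> list[dict]:
    """All records in the log text that match the handler-POST pattern."""
    return [r for r in parse_w3c(text) if is_radasyncupload_post(r)]


def hits_by_client(text: str) -> Counter:
    """Count handler POSTs per (client IP, user agent), the two fields an
    analyst looks at first when deciding whether a hit is routine use."""
    return Counter((r["c-ip"], r["cs(User-Agent)"]) for r in find_hits(text))


if __name__ == "__main__":
    for (ip, ua), n in hits_by_client(SAMPLE_LOG).most_common():
        print(f"{n:3d} POST {HANDLER}?type=rau  from {ip}  ua={ua}")
```

In the constructed sample, the two hits from `203.0.113.7` with a scripted user agent stand out from the single hit from an interactive browser; in practice you would join the output against known client ranges and the build inventory of the server to decide which lines need a deeper look.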

Progress CISO Richard Barretto wrote in an email to TechTarget Editorial: "The security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades." He also included a link to the specific article about the problem in Progress' knowledge base.

"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered[…]Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status," he added.  

Concerns About Supply Chain Risks Need Strategies

It is common for the security industry to be unsettled when new vulnerabilities are discovered in software. Two new vulnerabilities reported in OpenSSL in late October and early November 2022 overwhelmed news feeds. This never-ending vulnerability cycle begins with the discovery and disclosure of vulnerabilities. The impact of a cyber-attack is felt most acutely by those who work on the front lines of information technology, where the pressure to remediate is intense.

To filter some of the noise around new vulnerabilities, assess their impact on the supply chain, and take the necessary steps to secure their assets, security leaders must maintain an effective cybersecurity strategy.

Supply Chain Attacks Aren't Going Away 

There have been several severe vulnerabilities in Log4j, Spring Framework, and OpenSSL components in the last year, which have cost organizations significant amounts of data. As long as implementations are misconfigured or rely on known vulnerable dependencies, it is also certain that those older vulnerabilities will be exploited in the future. In November 2022 it became known that an attack campaign against the Federal Civilian Executive Branch (FCEB) had been attributed to Iranian state-sponsored actors. In this case, a United States federal entity ran VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector and allowed the attacker to gain access to the network. The resulting attack chain against the FCEB entity included lateral movement, credential compromise, system compromise, network persistence, endpoint-protection bypass, and crypto-jacking, all in the course of a single intrusion.

After security incidents involving vulnerable packages like OpenSSL or Log4j, organizations are likely to wonder why they are consuming open-source software at all. According to a recent report, supply chain attacks continue to be on the rise because suppliers and partners are reusing components. 

Instead of building systems from scratch, Sysdig's cybersecurity strategy team reuses existing code. As a result, engineering effort is reduced, operational scalability is achieved, and delivery is fast. In general, open-source software (OSS) has a strong reputation for reliability because of the public scrutiny its open nature invites. Software is, of course, a constantly changing field, and problems can arise from coding errors or dependency issues. Moreover, improvements in testing and exploitation techniques also lead to the discovery of new issues over time.

Supply Chain Vulnerabilities: How to Address Them

To secure the modern design of an organization, it must have the appropriate tools and processes in place. In this rapidly changing environment, traditional approaches based on vulnerability management or point-in-time assessments cannot be relied upon alone. Even though these approaches may still be what regulations require, they perpetuate the division between "secure" and "compliant." Most organizations aim to reach some level of maturity in DevOps. Several characteristics of DevOps practices are common to both continuous and automated processes, and security processes should be no different from other processes. The security strategist must maintain a steady focus on security throughout the phases of development, testing, and deployment, and during runtime.

Continuously scan code in CI/CD: In addition to following the best security practices (e.g., shift left), you need to recognize that you will not be able to scan all the code and nested code. Several factors can limit the success of shift-left approaches: scanner effectiveness, correlation of scanner output, automation of release decisions, and scanner completion within the release timeframe. Using the right tool can help you prioritize the risks associated with your findings. Not every vulnerability found is exploitable in your architecture, and some are not exploitable in the first place.

Continuous scanning during delivery: It is essential to prevent component compromises and environment drift. The digital supply chain, the process by which applications, infrastructure, and workloads are sourced from registries and repositories and booted up from them, needs to be scanned in case something has been compromised along the way.

Continually scan at runtime: To protect against cyber threats, most organizations are looking to scan continually at runtime, and security monitoring is the backbone of that effort. As part of your system architecture, you need mechanisms to collect, correlate, and interpret telemetry from all types of systems, including cloud environments, containers, and Kubernetes deployments. Insights collected at runtime should feed back into the earlier build and delivery stages. Identities and services also interact with each other, and that interaction needs to be visible.
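The three scanning stages above all depend on one underlying check: matching the component versions you actually ship against known-vulnerable ranges and deciding what is serious enough to stop a release. As an added example (not Sysdig's tooling or any particular scanner), the Python below runs that check over a CycloneDX-style SBOM fragment. The SBOM and the affected-range table are constructed for illustration and the `ADVISORY-PLACEHOLDER-*` ids are placeholders; in a real pipeline the ranges come from a vulnerability feed. The version parser handles the pre-release form (`2.0-beta9`) that dotted-number comparisons usually get wrong, and the release gate applies the prioritisation the text argues for: severity first, and test-only dependencies do not block a ship.

```python
"""Dependency version-range check of the kind a CI/CD pipeline step would run
before release. Added example; not Sysdig's tooling or any specific scanner.
The SBOM and the affected-range table below are constructed for illustration;
in practice the ranges come from a vulnerability feed, and the advisory ids
here are placeholders, not real identifiers.
"""
import operator
import re

# Constructed SBOM fragment (CycloneDX-style fields, trimmed).
SBOM = {
    "components": [
        {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1", "scope": "required"},
        {"name": "org.springframework:spring-core", "version": "5.3.18", "scope": "required"},
        {"name": "openssl", "version": "3.0.7", "scope": "required"},
        {"name": "junit:junit", "version": "4.12", "scope": "test"},   # hypothetical test-only dependency
    ]
}

# Constructed range table; ADVISORY-PLACEHOLDER-* ids stand in for a real feed's identifiers.
VULN_RANGES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "org.apache.logging.log4j:log4j-core",
     "affected": [">=2.0-beta9", "<2.15.0"], "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "org.springframework:spring-core",
     "affected": [">=5.3.0", "<5.3.18"], "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "openssl",
     "affected": [">=3.0.0", "<3.0.7"], "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-4", "package": "junit:junit",
     "affected": ["<4.13.1"], "severity": "medium"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "==": operator.eq}
_CONSTRAINT_RE = re.compile(r"(>=|<=|>|<|==)(.+)")


def parse_version(v: str) -> tuple:
    """'2.15.0' -> ((2, 15, 0), 1, '');  '2.0-beta9' -> ((2, 0, 0), 0, 'beta9').
    The middle element makes a pre-release sort before its final release."""
    main, _, pre = v.strip().partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), 0 if pre else 1, pre)


def in_range(version: str, constraints: list[str]) -> bool:
    """True when version satisfies every constraint (e.g. ['>=2.0-beta9', '<2.15.0'])."""
    pv = parse_version(version)
    for c in constraints:
        m = _CONSTRAINT_RE.fullmatch(c.strip())
        if not m:
            raise ValueError(f"bad constraint: {c!r}")
        op, bound = m.groups()
        if not _OPS[op](pv, parse_version(bound)):
            return False
    return True


def scan_sbom(sbom: dict, ranges: list[dict]) -> list[dict]:
    """Match every component against the range table; highest severity first,
    shipped (non-test) components ahead of test-only ones."""
    findings = []
    for comp in sbom["components"]:
        for r in ranges:
            if r["package"] == comp["name"] and in_range(comp["version"], r["affected"]):
                findings.append({"package": comp["name"], "version": comp["version"],
                                 "advisory": r["id"], "severity": r["severity"],
                                 "scope": comp.get("scope", "required")})
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["scope"] == "test"))
    return findings


def release_gate(findings: list[dict], block_at: str = "high") -> bool:
    """True when the release should be blocked: a finding at or above block_at
    in a component that actually ships (test-only scope never blocks)."""
    threshold = SEVERITY_RANK[block_at]
    return any(SEVERITY_RANK[f["severity"]] >= threshold and f["scope"] != "test"
               for f in findings)


if __name__ == "__main__":
    found = scan_sbom(SBOM, VULN_RANGES)
    for f in found:
        print(f"{f['severity']:<8} {f['package']} {f['version']}  ({f['advisory']}, scope={f['scope']})")
    print("BLOCK RELEASE" if release_gate(found) else "release allowed")
```

The same function pair serves the delivery and runtime stages: point `scan_sbom()` at the SBOM of the image pulled from the registry, or at the package list observed in a running container, and feed the findings back to the build stage as the text recommends.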

Secure strategy and cybersecurity preparedness are essential in the wake of the latest OpenSSL vulnerability and Log4Shell. CVE-IDs are merely identifiers of vulnerability issues that are known to exist in publicly available software or hardware. Many vulnerabilities remain unreported, particularly those rooted in undocumented code or those resulting from environmental misconfiguration or homegrown code. Modern designs are based on distributed and diverse technologies, and cybersecurity strategies must take this into consideration. The technology you need to manage vulnerabilities requires a modern tool that uses runtime insights so that engineering teams can prioritize remediation tasks based on the information they have. Additionally, for you to avoid sudden attacks, you need to have the ability to detect and respond to threats across a wide range of environments.