A US federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component (CVE-2019-18935). According to a joint advisory issued by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023. The attackers deployed malicious payloads in the `C:\Windows\Temp` folder to collect and exfiltrate information to attacker-controlled command and control servers.
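One defender-side check this incident suggests, added here as an example and not taken from the advisory or the article: CVE-2019-18935 is reached through Telerik's RadAsyncUpload handler, which IIS records as requests to `Telerik.Web.UI.WebResource.axd` with the query `type=rau`. The script below parses W3C-format IIS log lines (the sample lines are constructed for this example) and flags POSTs to that handler, grouped by client address, so an analyst can see which sources hammered the deserialization entry point during the intrusion window. The field layout is IIS's default; the handler path and query value are the ones Telerik actually uses, but anything else (addresses, timestamps, user agents) is made up.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not real data). The "#Fields:" header names the
# columns exactly as IIS writes them; values are space-separated, "-" means empty.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-11-12 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2022-11-12 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28 - 200 0 0 812
2022-11-12 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.28 - 200 0 0 2540
2022-11-12 03:20:11 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 12
"""

# Telerik's RadAsyncUpload handler: the endpoint CVE-2019-18935 payloads are sent to.
RAU_HANDLER = "telerik.web.ui.webresource.axd"
RAU_QUERY = re.compile(r"(^|&)type=rau(&|$)", re.IGNORECASE)


def parse_iis_log(text):
    """Turn W3C IIS log text into a list of dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the "#Fields:" token itself
            continue
        if not line or line.startswith("#"):
            continue                           # other directives / blank lines
        if fields is None:
            raise ValueError("log line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                           # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_rau_requests(records):
    """Return records that POST to the RadAsyncUpload handler with type=rau."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        if (rec.get("cs-method", "").upper() == "POST"
                and stem.endswith(RAU_HANDLER)
                and RAU_QUERY.search(query)):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client IP (c-ip), most active first."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    flagged = find_rau_requests(parse_iis_log(SAMPLE_LOG))
    for ip, n in summarize_by_client(flagged).most_common():
        print(f"{ip}: {n} POST(s) to RadAsyncUpload handler")
    for rec in flagged:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs(User-Agent)"], rec["time-taken"] + "ms")
```

Legitimate applications that use RadAsyncUpload also POST to this handler, so a hit is a hunting lead, not a verdict; on a server still running a Telerik build that predates the fix, repeated POSTs from a single address with a non-browser user agent and long `time-taken` values are the kind of pattern worth correlating with new files appearing under `C:\Windows\Temp` and with outbound connections from the IIS worker process.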
CISA added the CVE-2019-18935 Progress Telerik UI vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in November 2021, but the U.S. federal agency had still not secured its Microsoft IIS server by the remediation due date. CISA, the FBI, and MS-ISAC advise applying multiple mitigation measures to protect against further attacks targeting this vulnerability. As stated in the advisory, "In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory."
The advisory adds: "CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory."