Multiple criminals, potentially including at least one nation-state group, broke into a US federal government agency’s Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution.
The snafu happened between November 2022 and early January, according to a joint alert from the FBI, CISA, and America’s Multi-State Information Sharing and Analysis Center (MS-ISAC) this week.
The Feds became aware of the intrusion after spotting warning signs at a federal civilian executive branch agency, the advisory said. It did not name the federal agency.
“Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server,” the joint advisory said.
Serialization is the process of turning a data structure in memory into a series of bytes for storage or transmission. Deserialization reverses this and turns a data stream back into an object in memory.
Deserialization vulnerabilities affect multiple programming languages and applications, and, as Mandiant explains, are essentially the “result of applications placing too much trust in data that a user (or attacker) can tamper with.”
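As an added example that is not from the article or the advisory, here is a small Python triage script for IIS W3C logs: it flags POST requests to Telerik's RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`), the endpoint through which the deserialization bug in Telerik UI for ASP.NET AJAX is reached. The handler path comes from Telerik's public documentation rather than this page, and the log lines are constructed.

```python
from collections import Counter
from typing import Iterator

# Constructed IIS W3C extended log sample (not real agency data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-03 02:14:07 10.0.0.5 GET /Default.aspx - 198.51.100.23 200
2022-12-03 02:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 200
2022-12-03 02:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 500
2022-12-03 02:15:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=jsm 10.0.0.9 200
"""

# RadAsyncUpload handler; IIS matches paths case-insensitively, so compare lowercased.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log record, using the #Fields directive as the column map."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_rau_posts(text: str) -> list[dict]:
    """Return records that POST to the RadAsyncUpload handler (type=rau)."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if rec.get("cs-method") == "POST" and stem.endswith(RAU_HANDLER) and "type=rau" in query:
            hits.append(rec)
    return hits


def posts_per_client(text: str) -> Counter:
    """Count flagged POSTs per source IP; an unexpected external source is the lead to chase."""
    return Counter(rec["c-ip"] for rec in find_rau_posts(text))


if __name__ == "__main__":
    for ip, n in posts_per_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to RadAsyncUpload handler")
```

Legitimate file uploads also hit this handler, so a hit is a lead rather than a verdict: correlate flagged sources with w3wp.exe spawning unexpected child processes or new DLLs appearing in the web server's temp directory in the same window.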
This particular Telerik bug, which received a 9.8 out of 10 CVSS severity score, was first discovered in 2019 and is especially popular with Beijing-backed criminals. In 2020 it made the list of the top 25 computer security vulnerabilities Chinese government hackers are using to break