16 June 2022

Cybercriminals attack servers using old Telerik UI vulnerabilities


Cybercriminals are exploiting a chain of three old Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons and deploy cryptomining malware.

Telerik UI is a popular toolkit for building web application user interfaces, with more than 120 components.

The main vulnerability leveraged in this campaign affects the Telerik UI library for ASP.NET AJAX (CVE-2019-18935). It is a high-risk .NET deserialization flaw that can lead to remote code execution. The vulnerability exists because the "RadAsyncUpload" handler deserializes attacker-supplied data without sufficient validation. A remote attacker who can reach the handler can pass specially crafted serialized data to the application, execute arbitrary code and take full control of the vulnerable system. The flaw was routinely exploited throughout 2020 and 2021 by various threat actors, including the Netwalker ransomware gang.

Two years ago, cybersecurity firm Sophos also observed a series of attacks leveraging this vulnerability, conducted by the Blue Mockingbird group. Although CVE-2019-18935 has long since been patched, Blue Mockingbird is evidently still exploiting it in its campaigns.

According to Sophos, in the new campaign the threat actors use this flaw to write a Cobalt Strike beacon (in the form of a DLL payload) to disk. The beacon is then used to execute encoded PowerShell commands that download additional malware, such as a Monero miner, and establish persistence on the target servers.

To exploit CVE-2019-18935, the attackers must first obtain the encryption keys that protect Telerik UI's serialized upload data on the victim's system. This is where the two other old bugs come in.

«The bug is a little more complex than it first appears, though. Serialization within the upload handler in Telerik UI is protected by encryption keys, and an attacker needs to know them before they can exploit the vulnerability. They can abuse earlier bugs in Telerik UI – CVE-2017-11317 and CVE-2017-11357 – to do just that, although this requires finding a host that’s still vulnerable. Or an attacker could get the keys through some other means – for example, exploiting another vulnerability in a web application,» reads the Sophos report.
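Defenders reading this will want something concrete to run against their own servers. The script below is an added example and is not code from Sophos or from Progress Telerik. It parses IIS W3C log records, flags scripted POSTs to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau, the documented handler path), and compares an installed Telerik.Web.UI build against the version that fixed CVE-2019-18935. The log lines are constructed, the "no Referer plus non-browser User-Agent" heuristic is an assumption about what distinguishes exploit tooling from a browser upload, and the fixed build 2020.1.114 (R1 2020) is an assumption to be verified against the vendor advisory.

```python
"""
Hunt for scripted requests to the Telerik RadAsyncUpload handler (the
component behind CVE-2019-18935 and the 2017 key-disclosure bugs) in IIS
W3C logs, and check whether an installed Telerik.Web.UI build predates the fix.
"""
from collections import Counter
from urllib.parse import parse_qs

# RadAsyncUpload is served by this handler with ?type=rau (documented path).
RAU_STEM = "/telerik.web.ui.webresource.axd"

# Assumption: CVE-2019-18935 was fixed in R1 2020, build 2020.1.114.
# Confirm against the vendor advisory before relying on this threshold.
FIXED_IN = "2020.1.114"

# Constructed sample IIS log (not real traffic). IIS replaces spaces in the
# User-Agent with '+', so every record is whitespace-separated.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2022-06-01 10:00:07 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) http://10.0.0.5/Upload.aspx 200 0 0 40
2022-06-01 10:00:12 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - 198.51.100.7 python-requests/2.27.1 - 200 0 0 120
2022-06-01 10:00:13 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - 198.51.100.7 python-requests/2.27.1 - 500 0 0 98
2022-06-01 10:00:14 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - 198.51.100.7 python-requests/2.27.1 - 200 0 0 110
"""


def parse_iis_log(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def is_rau_request(rec):
    """True if the record targets the RadAsyncUpload handler (?type=rau)."""
    if rec["cs-uri-stem"].lower() != RAU_STEM:
        return False
    query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
    return query.get("type", [""])[0].lower() == "rau"


def suspicious_rau_posts(log_text):
    """
    Return {client_ip: count} of POSTs to the upload handler that do not look
    like a browser-driven upload: no Referer and a non-browser User-Agent.
    A browser page using RadAsyncUpload sends both, so this heuristic (an
    assumption, tune it for your environment) singles out scripted attempts.
    """
    hits = Counter()
    for rec in parse_iis_log(log_text):
        if rec["cs-method"].upper() != "POST" or not is_rau_request(rec):
            continue
        no_referer = rec["cs(Referer)"] == "-"
        scripted_ua = not rec["cs(User-Agent)"].startswith("Mozilla/")
        if no_referer and scripted_ua:
            hits[rec["c-ip"]] += 1
    return hits


def version_tuple(version):
    """'2019.3.1023' -> (2019, 3, 1023) so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_build(version):
    """True if the Telerik.Web.UI assembly version predates the fixed build."""
    return version_tuple(version) < version_tuple(FIXED_IN)


if __name__ == "__main__":
    for ip, count in suspicious_rau_posts(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {count} scripted POSTs to the RadAsyncUpload handler")
    for build in ("2019.3.1023", "2020.1.114"):
        state = "vulnerable" if is_vulnerable_build(build) else "patched"
        print(f"Telerik.Web.UI {build}: {state}")
```

The version check only tells you whether the deserialization bug is reachable at all; even a patched build is worth auditing for non-default RadAsyncUpload keys, since keys recovered through the 2017 bugs stay valid until rotated. Run the log check over the full retention window, because the campaign described here chains several requests (upload of the DLL, then the trigger) from the same client in quick succession.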
