CISA: US agency breached by cybercriminals, gov’t hackers

Cybercriminals and a government-backed hacking group had access to the systems of an unnamed federal civilian executive branch agency from August 2022 to January 2023.

In a report released Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), FBI and other agencies, officials said hackers used several vulnerabilities affecting products from Bulgarian software developer Progress Telerik.

The hackers primarily exploited CVE-2019-18935 – a vulnerability that several cybersecurity agencies across the globe ranked as one of the most exploited security flaws throughout 2020 and 2021.

The vulnerability has been used mainly by an APT group named “Praying Mantis” – which Australian researchers have claimed is based in China. The report released Wednesday did not name Praying Mantis.

CISA described an attack pattern identical to one highlighted by Syngia and several other cybersecurity companies in 2021. CISA said the vulnerability affects all versions of Progress Telerik software made before 2020 and gave attackers a foothold in the agency’s Microsoft Internet Information Services (IIS) web server, which is used for hosting material online.

“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” CISA said.

The agency explained that its vulnerability scanner failed to detect the issue because the Progress Telerik tool was installed in an area of the system that they do not scan.

“This may be the case for many software installations, as file paths widely vary depending on the organization and installation method,” CISA added.

The version of the Progress Telerik tool that was exploited also has several other vulnerabilities that were used by the hackers, including CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.

CISA explained that the main vulnerability was exploited in conjunction with either CVE-2017-11357 or CVE-2017-11317 – vulnerabilities “present in older, unpatched versions of Telerik released between 2007 and 2017.”

The advisory notes that there is no forensic evidence to definitively confirm whether CVE-2017-11357 or CVE-2017-11317 were involved in the attacks.

In addition to the government-backed hacking group that used the vulnerability, a cybercriminal actor known as XE Group was also seen conducting reconnaissance and scanning activities through the bug.

Cybersecurity firm Volexity said in 2021 the group is based in Vietnam and made a name for itself through its compromise of Progress Telerik products. They have launched credit card skimming attacks against travel, restaurants and non-profit websites.

“XE Group's credit card skimming operation has been ongoing since at least early 2020, using a relatively limited set of infrastructure. The attacker primarily focuses on compromising IIS environments and uses their access to deploy credit card skimming JavaScript code on affected websites,” the company said.

CISA noted that the actors used malware to remove files that made it difficult for a forensic analysis to be conducted after the fact. But they confirmed that there was no evidence that the hackers escalated their privileges or moved laterally within the network.

CISA did not respond to requests for comment about whether data was stolen during the incident. Google’s Threat Analysis Group (TAG) helped the agencies with some of the report, according to CISA.

“CISA, FBI, and MS-ISAC [Multi-State Information Sharing and Analysis Center] recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope,” the advisory explained.