The U.S. government has warned that multiple cybercriminal gangs, including a nation state-backed hacking group, exploited a four-year-old software vulnerability in order to compromise a U.S. federal government agency.
A joint alert released by the CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (known as MS-ISAC) on Wednesday revealed that hackers from multiple hacking groups exploited known vulnerabilities in Telerik, a user interface tool for web servers. This software — designed for building components and themes for web applications — was running on the U.S. agency’s internet-facing web server.
CISA did not name the breached federal civilian executive branch (FCEB) agency, a list that includes the Department of Homeland Security, the Department of the Treasury and the Federal Trade Commission.
When reached by email, CISA spokesperson Zee Zaman declined to answer TechCrunch’s questions.
The Telerik vulnerability, tracked as CVE-2019-18935 with a vulnerability severity rating of 9.8 out of 10.0, is ranked among the most commonly exploited vulnerabilities in 2020 and 2021. The bug was first discovered in 2019 and the U.S. National Security Agency previously warned that it had been actively exploited by Chinese state-sponsored hackers to target computer networks that hold “sensitive intellectual property, economic, political, and military information.”
CISA said the bug allowed the malicious attackers to “successfully execute remote code” on the agency’s web server, exposing access to the agency’s internal network. The advisory noted that the compromised agency’s vulnerability scanner failed to detect the bug because Telerik’s software was installed in a place where the scanner does not typically scan.
According to CISA’s advisory, the cybersecurity agency said it observed multiple hacking groups exploiting the flaw from November 2022 through early-January 2023, including the state-backed hacking group, and a Vietnam-linked credit card skimming actor known as XE Group.
CISA has released indicators of compromise and has urged organizations running vulnerable Telerik software to ensure security patches are applied.
Progress Software, which acquired Telerik in 2014, did not respond to our questions.
CISA this week also added an Adobe ColdFusion bug to its list of known exploited vulnerabilities, warning that the flaw — tracked as CVE-2023-26360 with a severity score of 8.6 — could be exploited to allow attackers to achieve arbitrary code execution.