Nation-State Hackers Exploit Telerik Vulnerability to Infiltrate US Federal Agency

Photo by Max Bender on Unsplash

The United States government has warned that multiple threat actors, including a nation-state-backed group, exploited a software vulnerability disclosed back in 2019 to compromise a federal agency. A joint advisory issued on Wednesday by CISA, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) says that several groups leveraged a known vulnerability in Telerik UI for ASP.NET AJAX, a user-interface component library for web applications.

The software, used to build components and themes for web applications, runs on internet-facing web servers at several US agencies.


CISA did not name the compromised Federal Civilian Executive Branch (FCEB) agency; FCEB agencies include the Department of Homeland Security, the Treasury Department, and the Federal Trade Commission.

Tracked as CVE-2019-18935, the Telerik vulnerability carries a CVSS severity score of 9.8 out of 10.0 and appeared on CISA's lists of the most routinely exploited vulnerabilities for both 2020 and 2021. It was disclosed in 2019, and the National Security Agency had previously warned that nation-state-backed hackers were actively exploiting it to target computer networks holding “sensitive intellectual property, economic, political, and military information.”

CISA says the vulnerability allows attackers to “successfully execute remote code” on the agency’s web server, which in turn gave them a foothold into the agency’s internal network. The advisory notes that the agency’s vulnerability scanner did not flag the vulnerability because the Telerik software was installed in a file path the scanner does not normally check, so the scan reported the host clean while the vulnerable library was still serving requests.
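Because the scanner missed the install path, a practitioner would want a check that does not depend on default paths: read the Telerik.Web.UI version a site actually references and hunt the IIS logs for traffic to the handler the exploit drives. The script below is an added example written for this article, not code from CISA’s advisory or from Telerik. It assumes the site’s web.config references the assembly in the usual `<compilation><assemblies>` form, that the first fixed release is 2020.1.114 (Telerik’s R1 2020 build), and that the exploit reaches the RadAsyncUpload handler at `Telerik.Web.UI.WebResource.axd?type=rau`, which is the request path the public exploit for CVE-2019-18935 uses. The web.config fragment and IIS log lines are constructed for the example.

```python
"""Hunt for CVE-2019-18935 exposure from a site's own artifacts.

Added example for the article above; not code from CISA or Telerik.
Two checks that do not rely on a scanner's default search paths:
  1. Inventory: pull the Telerik.Web.UI version referenced in web.config and
     compare it with 2020.1.114 (R1 2020), the first build with the fix.
  2. Log hunt: flag POSTs to the RadAsyncUpload handler,
     Telerik.Web.UI.WebResource.axd?type=rau, the request the public exploit
     for this CVE drives.
Sample web.config and IIS W3C log lines are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2020, 1, 114)  # assumption: R1 2020 is the first patched release

# matches e.g. assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, ..."
ASSEMBLY_RE = re.compile(r'assembly="Telerik\.Web\.UI,\s*Version=([\d.]+)', re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2019.3.1023.45' -> (2019, 3, 1023, 45)."""
    return tuple(int(part) for part in text.split("."))


def telerik_version_from_webconfig(webconfig: str) -> Optional[Tuple[int, ...]]:
    """Return the referenced Telerik.Web.UI version, or None if it is not referenced."""
    match = ASSEMBLY_RE.search(webconfig)
    return parse_version(match.group(1)) if match else None


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """Anything older than 2020.1.114 is affected by CVE-2019-18935."""
    return version[:3] < FIXED_VERSION


def parse_w3c_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C log lines into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if len(values) == len(fields):  # skip lines that do not match the header
            rows.append(dict(zip(fields, values)))
    return rows


def rau_posts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests that reach the RadAsyncUpload handler with a POST, at any app path."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        if (row.get("cs-method") == "POST"
                and stem.endswith("/telerik.web.ui.webresource.axd")
                and "type=rau" in query):
            hits.append(row)
    return hits


def rau_posts_by_client(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count RAU POSTs per client IP; a burst from one external address is the lead."""
    return dict(Counter(hit["c-ip"] for hit in rau_posts(rows)))


# --- constructed sample input -------------------------------------------------
SAMPLE_WEBCONFIG = """<configuration>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />
      </assemblies>
    </compilation>
  </system.web>
</configuration>"""

SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2022-11-15 03:12:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2022-11-15 03:12:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28.1 200",
    "2022-11-15 03:12:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28.1 200",
    "2022-11-15 09:40:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 Mozilla/5.0 200",
    "2022-11-15 09:41:30 10.0.0.5 POST /upload/Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 Mozilla/5.0 200",
]

if __name__ == "__main__":
    version = telerik_version_from_webconfig(SAMPLE_WEBCONFIG)
    print("Telerik.Web.UI", version, "vulnerable:", version and is_vulnerable_version(version))
    for client, count in rau_posts_by_client(parse_w3c_log(SAMPLE_LOG)).items():
        print(f"{client}: {count} POST(s) to the RadAsyncUpload handler")
```

Two caveats when running this for real. The handler is also used legitimately by any page that hosts a RadAsyncUpload control, so a POST to it is a lead, not proof; the advisory describes the dropped payloads landing as DLLs under C:\Windows\Temp and being loaded by the IIS worker process, so correlate RAU activity with new files there. And web.config is only one place the version can live; on the host itself the file version of Telerik.Web.UI.dll in the site’s bin folder is authoritative, and a host can reference several copies at different versions.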

According to the advisory, CISA observed multiple groups exploiting the vulnerability between November 2022 and early January 2023, among them a nation-state-backed group and a Vietnam-linked credit-card-skimming actor known as XE Group.

CISA has published mitigation guidance and urges organizations running the vulnerable Telerik software to upgrade to a patched version.

This week, CISA also added an Adobe ColdFusion vulnerability, tracked as CVE-2023-26360 with a CVSS score of 8.6, to its Known Exploited Vulnerabilities catalog, warning that it could be leveraged to achieve arbitrary code execution.