CISA says hackers had access to federal agency for months

Representational image of a cybercriminal

Image Credit: Pixabay (Image credit: Pixabay)

An unnamed U.S. civilian executive branch has unintentionally been feeding intel to cybercriminals and state-sponsored threat actors for six months, a new report from the country’s law enforcement and intelligence agencies claims.

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), as well as other agencies, published a joint report claiming hackers have had unabated access to this organization’s systems from August 2022 to January 2023.

They accessed the target network using multiple vulnerabilities discovered in programs used by the agency built by Progress Telerik, a software development company from Bulgaria.

Praying Mantis and XE Group

The key vulnerability being used is CVE-2019-18835, a four-year-old flaw present in versions of Progress Telerik software since 2020. It can lead to remote code execution when chained with two other vulnerabilities: CVE-2017-11317 or CVE-2017-11357.

While the report does not name specific threat actors, The Record reported that Praying Mantis - a group allegedly based in China - is the threat actor most known for abusing this particular flaw. The same source adds that a threat actor known as XE Group was also observed using the flaw to run reconnaissance and scanning activities.

CISA said that the flaw gave the attackers access to the agency’s Microsoft Internet Information Services (IIS) web server, which the organization used to store various material:

> Multiple US agencies could have been hacked due to Ivanti flaws

> Microsoft says it has identified over 40 victims of SolarWinds hack

> These are the best endpoint protection services at the moment

“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” CISA said.

Older vulnerabilities are usually known and thus any malware using it gets picked up by antivirus programs. It turns out, though, that the vulnerable Progress Telerik tools were installed in places where the antivirus software did not scan.

“This may be the case for many software installations, as file paths widely vary depending on the organization and installation method,” CISA added.

Check out the best firewalls right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.