Today, CISA, the Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released an update for joint Cybersecurity Advisory (CSA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server.
This iteration of the CSA—now renamed Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers—is based on the forensic analysis and identified exploitation of CVE-2017-9248 at an additional FCEB agency. Activity identified at this agency is separate from the CVE-2019-18935 exploitation listed in the original publication; analysis is provided as context for existing vulnerabilities within Telerik UI for ASP.NET AJAX. Further, this update provides a timetable and context of unattributed APT actor activity that highlights events, including identified malicious files.
CISA, FBI, and MS-ISAC encourage network defenders to review this update and refer to the accompanying Malware Analysis Report, MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server for analysis of the newly identified malicious files.