Guess what happened to this US agency using outdated software?

Also: Hackers target security researchers, MaaS model flourishing, and this week's vulnerabilities


Infosec in brief Remember earlier this year, when we found out that a bunch of baddies including at least one nation-state group broke into a US federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution?

It turns out that this same gang of government-backed hackers used a different – and even older – Telerik flaw to break into another US federal agency's Microsoft IIS web server, access the Document Manager component, upload webshells and other files, and establish persistence on the government network.

The US Cybersecurity and Infrastructure Security Agency and FBI warned about the first intrusion into a federal civilian executive branch agency's Microsoft IIS web server back in March, and said the snafu happened between November 2022 and early January.

"Multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency's Microsoft Internet Information Services (IIS) web server," the joint advisory revealed.

But wait, there's more. On Thursday, the feds updated the March alert and said a forensic analysis of a different federal civilian executive branch agency "identified exploitation of CVE-2017-9248 in the agency's IIS server by unattributed APT actors – specifically within the Telerik UI for ASP.NET AJAX DialogHandler component."

This separate break-in, exploiting an almost six-year-old vulnerability, occurred in April. The agency was running an outdated version of the software, and a proof-of-concept exploit has been publicly available since January 2018, according to the feds.

"It should be noted that Telerik UI for ASP.NET AJAX versions prior to 2017.2.621 are considered cryptographically weak; this weakness is in the RadAsyncUpload function that uses encryption to secure uploaded files," CISA added.

On April 14, the nation-state criminals used a brute force attack against the encryption key and gained unauthorized access to the Document Manager component within Telerik UI for ASP.NET AJAX.

After breaking in, they uploaded malicious scripts, downloaded and deleted sensitive files, made unauthorized modifications, and uploaded webshells to backdoor and remotely access the server.

"CISA and authoring organizations were unable to identify privilege escalation, lateral movement, or data exfiltration," according to the alert. "However, the presence of webshells and file uploads indicated APT actors maintained access and had the potential to conduct additional malicious activity."

And it also underscores the importance of patching.
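The advisory's two footholds, a key brute force against the DialogHandler component and file uploads through RadAsyncUpload, both leave traces in ordinary IIS access logs. The following detection script is an added example, not part of the article or of CISA's guidance; it assumes the default IIS W3C field order (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, User-Agent, Referer, sc-status, ...), and the log lines and the brute-force threshold are constructed for illustration.

```python
import re
from collections import Counter

# Handler paths of the two Telerik components named in the advisory:
# RadAsyncUpload (WebResource.axd?type=rau) and DialogHandler.aspx.
RAU_RE = re.compile(r"/telerik\.web\.ui\.webresource\.axd$", re.I)
DIALOG_RE = re.compile(r"/telerik\.web\.ui\.dialoghandler\.aspx$", re.I)
# Requests to DialogHandler from one client at or above this count are treated as a
# key brute-force indicator; the value is an assumed, tunable threshold.
DIALOG_BRUTE_THRESHOLD = 50

def parse_iis_line(line):
    """Split a default-format IIS W3C line into (method, stem, query, client_ip, status)."""
    if line.startswith("#"):          # skip #Fields / #Date header lines
        return None
    f = line.split()
    if len(f) < 12:
        return None
    return f[3], f[4], f[5], f[8], f[11]

def find_telerik_abuse(lines):
    """Return clients brute-forcing DialogHandler and POSTs that hit RadAsyncUpload."""
    dialog_hits = Counter()
    rau_uploads = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        method, stem, query, ip, status = rec
        if DIALOG_RE.search(stem):
            dialog_hits[ip] += 1
        elif RAU_RE.search(stem) and "type=rau" in query.lower() and method == "POST":
            # An upload through RadAsyncUpload; only the app's own upload pages
            # should produce these, so anything else is a review item.
            rau_uploads.append((ip, status))
    brute = sorted(ip for ip, n in dialog_hits.items() if n >= DIALOG_BRUTE_THRESHOLD)
    return {"dialog_bruteforce": brute, "rau_uploads": rau_uploads}

# Constructed sample log: 60 DialogHandler probes and one upload from 203.0.113.7,
# plus one ordinary page request from another client.
SAMPLE_LOG = ["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
              "sc-win32-status time-taken"]
SAMPLE_LOG += [f"2023-04-14 03:12:{i:02d} 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx "
               "- 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 12" for i in range(60)]
SAMPLE_LOG += [
    "2023-04-14 03:13:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - "
    "203.0.113.7 python-requests/2.28 - 200 0 0 40",
    "2023-04-14 03:13:06 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.2 Mozilla/5.0 - 200 0 0 8",
]
```

Run `find_telerik_abuse` over a real log export and review any flagged client against the application's known upload pages before treating it as an incident.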

Critical vulnerabilities: aka patch now

Speaking of patching, there's a ton of critical fixes to implement now – if you haven't already – across Microsoft, VMware, Fortinet, Adobe, and SAP software, and all of those are detailed in The Register's June Patch Tuesday coverage.

Plus, the ongoing MOVEit fiasco continues with a third vulnerability and a third fix.

And in other vulnerability news:

Google pushed a Chrome update that includes five security fixes. This includes one critical vulnerability, CVE-2023-3214, in the autofill payments function that could allow for arbitrary code execution.

Also, CISA identified six critical ICS vulnerabilities OT teams should be aware of:

  • CVSS 9.8 – CVE-2023-1437: All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers that could allow an attacker to gain access to the remote file system, remotely execute commands and overwrite files.
  • Plus five critical bugs in Siemens products, including one 9.9-rated vulnerability that could lead to remote code execution or denial of service.

Fake security researchers target real ones on GitHub

Criminals posing as legit security researchers on GitHub and Twitter are pushing malicious repositories claiming to be proof-of-concept exploits for zero-day vulnerabilities.

Spoiler alert: these aren't real PoCs but rather malware that infects Windows and Linux machines.

Security researchers at VulnCheck spotted the first malicious GitHub repository claiming to be a Signal zero-day in May. They reported the scam to GitHub, and it was taken down. The next day, VulnCheck discovered "an almost" identical repository purporting to be a WhatsApp zero-day.

This continued throughout May, with the researchers finding the fake repos, and GitHub removing them.

Apparently, the takedowns also forced the miscreants to put more effort into spreading malware. "The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts," VulnCheck researcher Jacob Baines said in a blog about the scam. "The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security."

The accounts include profile pictures – at least one used a real headshot belonging to a Rapid7 employee – and had followers, Twitter handles, and (dead) links to the (fake) security company's website.

The accounts attempt to trick real security researchers into downloading malicious binaries by tagging an exploit for a popular product like Chrome, Exchange, Discord, Signal or WhatsApp.

And while the Windows binary has a high detection rate on VirusTotal (43/71), VulnCheck notes that the Linux binary is stealthier (3/62), but "contains some very obvious strings indicating its nature."

VulnCheck includes a list of seven phoney GitHub accounts, seven GitHub repositories, and four Twitter accounts, and cautions that if you've interacted with any of them, you may have been compromised.

Malware: hot. Botnets, backdoors: not

Ransomware is the most widespread malware-as-a-service (MaaS), accounting for 58 percent of all malware families between 2015 and 2022.

This is according to Kaspersky researchers, who based their latest report on 97 malware families circulating on the dark web.

Coming in second, infostealers made up 24 percent. The remaining 18 percent were split between botnets, loaders, and backdoors.

"Despite the fact that most of the malware families detected were ransomware, the most frequently mentioned families in dark web communities were infostealers," the report indicates. "Ransomware ranks second in terms of activity on the dark web, showing an increase since 2021."

Meanwhile, botnet, backdoor and loader mentions are on the decline. ®
