CISA says hackers had access to federal agency for months

Hackers were abusing years-old flaws

An unnamed U.S. civilian executive branch agency has unintentionally been feeding intel to cybercriminals and state-sponsored threat actors for six months, a new report from the country’s law enforcement and intelligence agencies claims.

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), as well as other agencies, published a joint report claiming hackers have had unabated access to this organization’s systems from August 2022 to January 2023.

They accessed the target network through multiple vulnerabilities in software the agency used from Progress Telerik, a software development company from Bulgaria.

Praying Mantis and XE Group

The key vulnerability being used is CVE-2019-18835, a four-year-old flaw present in versions of Progress Telerik software since 2020. It can lead to remote code execution when chained with either of two other vulnerabilities: CVE-2017-11317 or CVE-2017-11357.

While the report does not name specific threat actors, The Record reported that Praying Mantis, a group allegedly based in China, is the threat actor best known for abusing this particular flaw. The same source adds that a threat actor known as XE Group was also observed using the flaw to run reconnaissance and scanning activities.

CISA said that the flaw gave the attackers access to the agency’s Microsoft Internet Information Services (IIS) web server, which the organization used to store various material.

“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” CISA said.

Older vulnerabilities are usually well known, so any malware exploiting them is normally picked up by antivirus programs. It turns out, though, that the vulnerable Progress Telerik tools were installed in locations that the antivirus software did not scan.

“This may be the case for many software installations, as file paths widely vary depending on the organization and installation method,” CISA added.
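Because Telerik assemblies can sit anywhere under a site root, a defender’s first step is to find every copy and check whether it lies inside an antivirus exclusion. The following PowerShell inventory is an added example, not code from the article or from CISA; it assumes a Windows Server with IIS, the WebAdministration module, and Microsoft Defender, and it reports versions for comparison against the vendor’s advisories rather than asserting which versions are vulnerable.

```powershell
# Added example: inventory Telerik assemblies under every IIS site root and flag
# any that fall under a Microsoft Defender path exclusion. Run in an elevated shell.
Import-Module WebAdministration -ErrorAction Stop

# Defender path exclusions configured on this host (empty array if none)
$exclusions = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

function Test-UnderExclusion {
    param([string]$Path)
    foreach ($ex in $exclusions) {
        $root = [Environment]::ExpandEnvironmentVariables($ex).TrimEnd('\')
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($site in Get-Website) {
    # physicalPath may contain %SystemDrive% or similar; expand before searching
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    if (-not (Test-Path $root)) { continue }
    # Telerik UI ships as Telerik*.dll; search the whole tree, not only \bin,
    # since install paths vary by organization and installation method
    Get-ChildItem -Path $root -Recurse -Filter 'Telerik*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Site        = $site.name
                Assembly    = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion   # compare against vendor advisories
                AvExcluded  = Test-UnderExclusion -Path $_.FullName
            }
        }
}

# Excluded paths first: those are the copies antivirus would never have scanned
$findings | Sort-Object AvExcluded -Descending | Format-Table -AutoSize
```

Paths outside IIS site roots (for example, developer tooling or build output) are not covered by this pass and need a separate filesystem search.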

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.