Nation-State Hacking Group and Criminal Gang Hacked Federal Civilian Agency

A recent joint alert released by the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center stated that multiple attackers were able to compromise a system at one unnamed Federal civilian executive branch agency from November 2022 to January 2023, and advised other organizations to take action to mitigate any similar vulnerability.


As the volume and sophistication of cyber threats continue to rise, it is becoming increasingly critical that federal civilian agencies do all they can to protect their systems from malicious actors. Unfortunately, these efforts have not been enough in some cases—as evidenced by a recent joint alert released by the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center. The alert stated that multiple attackers were able to compromise a system at one unnamed Federal civilian executive branch agency from November 2022 to January 2023, and advised other organizations to take action to mitigate any similar vulnerability.

In light of this breach, we must consider how such sophisticated attacks were able to infiltrate government networks and what can be done to mitigate similar attempts in the future. According to the report, “the threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server.” The advisory states, “Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan.” By exploiting this vulnerability, the attackers were able to gain unauthorized access to certain systems within the unnamed federal agency and to sensitive data.

It is clear that attacks such as this one can have devastating effects on organizations if they do not take precautions against known vulnerabilities or monitor their systems closely for any suspicious activity or unauthorized access attempts. Per CISA and NIST’s advice, there are steps we can take to protect our own organizations against similar attacks in the future, such as:

Manage Vulnerabilities and Configurations 

  • Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing. Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
  • Prioritize remediation of vulnerabilities on internet-facing systems.
  • Implement a patch management solution to ensure compliance with the latest security patches.
  • Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.
  • Validate output from patch management and vulnerability scanning solutions against running services to check for discrepancies.
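
The last two checks in this list can be sketched as a small audit script. This is an added example, not code from the advisory or from any agency tooling: it walks a whole directory tree for Telerik UI assemblies, reads each file's version, and flags copies that sit outside the paths the vulnerability scanner is configured to cover. The assembly file name `Telerik.Web.UI.dll`, the function names and the command-line arguments are assumptions made for this example.

```python
import os
import struct
import sys

SIG = struct.pack("<I", 0xFEEF04BD)   # VS_FIXEDFILEINFO.dwSignature
TARGET = "telerik.web.ui.dll"         # assumed assembly file name, not taken from the article

def file_version(path):
    """Return the PE file version as a 4-tuple, or None if no version resource is found.
    Heuristic: locates the fixed version block by signature instead of parsing resources."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    # Fields: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def in_scope(path, scanner_paths):
    """True if path lies under a directory the scanner is configured to scan."""
    p = os.path.normcase(os.path.abspath(path))
    for root in scanner_paths:
        r = os.path.normcase(os.path.abspath(root)).rstrip(os.sep) + os.sep
        if p.startswith(r):
            return True
    return False

def inventory_telerik(search_roots, scanner_paths):
    """Walk search_roots; report every Telerik UI assembly, its version and scan coverage."""
    findings = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                if name.lower() != TARGET:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    version = file_version(full)
                except OSError:
                    version = None   # unreadable file: still report the path
                findings.append({"path": full, "version": version,
                                 "scanned": in_scope(full, scanner_paths)})
    return findings

if __name__ == "__main__" and len(sys.argv) > 2:
    # Usage: audit.py <search_root> <scanner_path> [<scanner_path> ...]
    for f in inventory_telerik([sys.argv[1]], sys.argv[2:]):
        status = "covered" if f["scanned"] else "NOT IN SCANNER SCOPE"
        print(f["path"], f["version"], status)
```

Any result marked as outside scanner scope is a candidate for the blind spot the advisory describes; compare its version against the vendor's current release and add the path to the scanner configuration.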

Segment Networks Based on Function

  • Implement network segmentation to separate network segments based on role and functionality.
  • Isolate similar systems and implement micro-segmentation with granular access and policy restrictions.

Other Best Practice Mitigation Recommendations 

  • Implement phishing-resistant multifactor authentication (MFA) for as many services as possible.
  • Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell. Evaluate user permissions.
  • Limit service accounts to the minimum permissions necessary to run services.
  • Maintain a robust asset management policy.
