Created on 2025-02-03 13:12 and updated on 2025-02-03 13:12.
Description
Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and…
BY eSentire Threat Response Unit (TRU)
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team… What did we find?
In early January 2025, the eSentire Threat Response Unit (TRU) identified an unknown threat actor(s) exploiting the now six year old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.
TRU observed threat actor(s) using the w3wp.exe (IIS worker process) to load a reverse shell and run follow up commands for reconnaissance through cmd.exe. Reverse shells were dropped in the C:\Windows\Temp directory matching [10 digits].[6 digits].dll and [10 digits].[7 digits].dll.
The infection process begins when the threat actor(s) send a specific request to the IIS server to determine if the file upload handler is available. This can be seen in IIS logs as shown below:
2025-01-03 10:25:51 10.22.12.20 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - - - 200 0 0 171
After confirming the file upload handler is available and determining the software version is vulnerable, the threat actor(s) made use of a customized version of the PoC here to upload and execute a remote shell.
The reverse shell is simple and is a mixed mode .NET assembly containing a routine that serves to connect to the C2 at 213.136.75[.]130 via Windows Sockets. The legitimate windows binary cmd.exe is started and the input/output/error handles are redirected to threat actor control. Figure 1 – Decompiled reverse shell Figure 1 – Decompiled reverse shell
After the threat actor(s) established connection via the reverse shell, they executed several commands to get information about users on the system. The figure below contains the parent/child relationships and subsequent commands executed through the reverse shell to enumerate users via net.exe and net1.exe. Figure 2 – Remote shell loaded by w3wp.exe IIS worker process leading to recon commands Figure 2 – Remote shell loaded by w3wp.exe IIS worker process leading to recon commands
The following Yara rule can be used for detecting the reverse shell. This Yara rule is also available for download here.
rule TCP_Reverse_Shell_Windows_x64 { meta: description = "Detects Windows based 64-bit TCP reverse shell" author = "YungBinary" hash = "b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348" strings: $winsock_2_0 = { 66 B? 02 00 FF 15 } $winsock_2_1 = { 66 B? 02 01 FF 15 } $winsock_2_2 = { 66 B? 02 02 FF 15 } $winsock_1_0 = { 66 B? 01 00 FF 15 } $winsock_1_1 = { 66 B? 01 01 FF 15 }
$socket_params = {
41 B8 06 00 00 00
BA 01 00 00 00
B9 02 00 00 00
}
$cmd = {
48 C7 44 24 ?? 00 00 00 00
48 C7 44 24 ?? 00 00 00 00
C7 44 24 ?? 00 00 00 00
C7 44 24 ?? (01 | 00) 00 00 00
45 33 C9
45 33 C0
48 8D 15 ?? ?? ?? ??
33 C9
FF 15
}
$wait = {
BA FF FF FF FF
48 8B 4C ?? ??
FF 15
}
condition:
uint16(0) == 0x5a4d and ((1 of ($winsock*)) and $socket_params and $cmd and $wait)
}
Figure 3 – Yara rule to detect Windows TCP reverse shell
TRU also observed the threat actor(s) dropping the open-source privilege escalation tool JuicyPotatoNG on the host under various file names:
C:\Users\Public\PingCaler.exe
C:\Users\Public\JuicyPotatoNG.exe
The following batch files were also dropped on the host but the purpose of these files is not known at this time:
C:\Users\Public\rdp.bat
C:\Users\Public\user.bat
C:\Users\Public\All.bat
The following diagram provided by Telerik can be used to determine if your specific version of Telerik UI for ASP.NET AJAX is vulnerable. Figure 4 – Vulnerable version decision tree diagram, source Figure 4 – Vulnerable version decision tree diagram, source. What did we do?
Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
We communicated what happened with the customer and helped them with incident remediation efforts.
What can you learn from this TRU Positive?
While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors.
This highlights the importance of patching systems, especially if they are going to be exposed to the internet.
Recommendations from the Threat Response Unit (TRU):
Implement a comprehensive vulnerability management service with robust patch management solution and process to ensure systems are up to date with the latest security patches before exposing them to the Internet.
Use an Endpoint Detection and Response (EDR) solution and ensure it is deployed across all workstations and servers.
Indicators of Compromise
You can access the Indicators of Compromise here. References
https://www.esentire.com/security-advisories/active-exploitation-of-cve-2019-18935
https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui
https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/common-allows-javascriptserializer-deserialization
https://github.com/noperator/CVE-2019-18935
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
https://github.com/antonioCoco/JuicyPotatoNG
Vulnerabilities included in this bundle
Author
Alexandre DulaunoyCombined sightings
| Author | Vulnerability | Source | Type | Date |
|---|