CISA Warns of Telerik Vulnerability; Kimsuky Steal Gmail Emails

On March 15, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (AA23-074A) warning of a vulnerability in the Telerik user interface, a third-party software component used in various web applications, including some used by US government agencies. The vulnerability, tracked as CVE-2019-18935, allows remote code execution and can be exploited by attackers to take control of vulnerable systems (1). 

The report notes that threat actors are actively exploiting this vulnerability in the wild, targeting US government web servers running Internet Information Services (IIS) with a vulnerable version of Telerik UI installed. Attackers leverage the vulnerability to install web shells and other malware on the compromised servers to give them persistent access to the victim network. 

CISA recommends that all organizations using Telerik UI immediately apply the latest security updates from the vendor to mitigate the risk of exploitation. The advisory also includes additional recommendations for organizations to improve their security posture. 

The report emphasizes the importance of maintaining up-to-date software and patching vulnerabilities as soon as possible to prevent exploitation by threat actors. 

The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) have issued a joint cybersecurity advisory warning about the Kimsuky threat actor, a North Korean group, using Chrome extensions and Android applications to steal Gmail emails from targets such as diplomats, journalists, and politicians. Although the current campaign is focused on South Korea, the advisory notes that the techniques used by Kimsuky can be applied globally (2). 

Kimsuky uses spear-phishing emails to persuade victims to install a malicious Chrome extension named 'AF', which can also be installed on Chromium-based browsers. The extension activates when victims visit Gmail and steals their email content, and sending it to the attacker's server using the Devtools API. This method has been used before by Kimsuky, and the extension is only visible in the extensions list if the user enters a specific address in the browser's address bar. 

The Clop ransomware syndicate claims to have stolen data from over 130 organizations by exploiting a zero-day vulnerability, tracked as CVE-2023-0669, in the GoAnywhere MFT secure file transfer tool (3,4).  

The vulnerability allows attackers to gain remote code execution on unpatched instances of the tool with exposed administrative consoles. The Clop ransomware group said they stole data over ten days but did not deploy ransomware. While Clop did not provide proof of their claims, Huntress Threat Intelligence Manager Joe Slowik linked the attacks to the threat group TA505, which is known for deploying Clop ransomware. The vulnerability was added to the Known Exploited Vulnerabilities Catalog by CISA (5). 

In December 2020, Clop used a similar tactic when they exploited a zero-day vulnerability in the Accellion FTA to steal data from approximately 100 companies.