Telerik UI breach warning, are your websites vulnerable?
Incident Summary: Attackers are leveraging Telerik UI vulnerabilities to attack websites that have not been adequately secured and protected resulting in system breaches with various objectives. The incidents HALOCK have been involved in has resulted in malware/ransomware, website defacement, credit card scraping, crypto mining, and data exfiltration.
Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software’s underlying host.
Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
|TESTING FOR THE VULNERABILITY||MITIGATING THE VULNERABILITY|
The vulnerability presence is detectable by the version of Telerik that is in place. Use the instructions located here to check and see if your version is vulnerable.
The remediation for this vulnerability has been available since December of 2019. To mitigate this vulnerability:
Additional Controls that should be Implemented:
WHAT YOU SHOULD DO TO MITIGATE RISKS IN THESE TYPES OF ATTACKS
If you are not able to implement these controls, or need help understanding if you are susceptible to this attack, call HALOCK.
Review your security profile to mitigate your risks and minimize impact of a breach.
- HALOCK forensic incidents