ACSC warns of Telerik UI attacks

The Australian Cyber Security Centre (ACSC) has warned of a new remote code execution attack campaign involving “sophisticated actors” targeting unpatched versions of the Telerik user interface for the AJAX extensions of the ASP.NET web application framework.

The Telerik UI for ASP.NET AJAX was developed by Bulgaria’s Telerik for Microsoft’s AJAX extensions.

Attackers are actively scanning for and attempting to exploit the vulnerability discovered in a number of Telerik products November 2019, which was the subject of a previous ACSC advisory.

The remote code execution attack requires knowledge of Telerik RadAsyncUpload encryption keys, which can be accessed via exploitation of vulnerabilities present in unpatched versions of Telerik software released between 2007 and 2017, the ACSC said.

The agency has urged all Australian organisations using Telerik installations by identifying DLLS within web application root directories using software asset management or host-based inspection software.

Use of Telerik can also be detected by inspecting Internet Information Service (IIS) web server logs or — less effectively — using through network vulnerability scanners.

Any unpatched installations should be updated ASAP and organisations should apply the recommended mitigations from Telerik.

Meanwhile, organisations that have used vulnerable versions of Telerik should look for signs of compromise by scanning for requests to the vulnerable resource — in this case HTTP POST requests to Telerik.Web.UI.WebResource.axd?type=rau. Organisations should also scan IIS web request and other web application logs for suspicious requests.

The ACSC is also urging organisations to implement complementary security controls such as segregating internet facing servers whenever possible and implementing other components of the Australian Signals Directorate's Essential Eight threat mitigation strategies.

Image credit: ©stock.adobe.com/au/robsonphoto