Long-standing vulnerability leads to multiple hacker groups breaching US federal agency.

TL;DR Summary
Multiple threat actors, including one working for a nation-state, gained access to a US federal agency's network by exploiting a four-year-old vulnerability that remained unpatched. Both groups exploited CVE-2019-18935, a code-execution vulnerability in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX. The vulnerability went undetected for four years: the agency's vulnerability scanner failed to detect it because the Telerik UI software was installed in a file path the scanner does not typically scan. The breach is the result of someone in the unnamed agency failing to install a patch that had been available for years.
- Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years (Ars Technica)
- Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency (The Hacker News)
- Nation state hackers exploited years-old bug to breach a US federal agency (TechCrunch)
- Telerik Bug Exploited to Steal Federal Agency Data, CISA Warns (Dark Reading)
- US Government IIS Server Breached via Telerik Software Flaw (Infosecurity Magazine)