Multiple threat groups were able breach a federal agency and steal data by exploiting a years-old Progress Telerik vulnerability in an unpatched Microsoft Internet Information Services (IIS) Web server — and the Cybersecurity and Infrastructure Security Agency (CISA) wants other IT security teams to be on the lookout for similar exposure.

The Federal Civilian Executive Branch (FCEB) was compromised from last November to January 2023 after threat actors were able to exploit a .NET deserialization Telerik vulnerability from 2019 (CVE-2019-18935) in the agency’s Microsoft Internet Information Services (IIS) Web server, CISA reported.

“Known vulnerabilities are the low-hanging fruit in the attackers’ universe,” Dror Liwer, co-founder of cybersecurity company Coro, said via email. “They represent an easy, well-documented entry point that does not require social engineering, strong technical skills, or active monitoring. Keeping up with known vulnerabilities across all assets is a daunting task, and it is all too common for organizations to overlook an update, or skip an update for operational reasons. There is no easy fix. Vulnerability management must be an integral part of any cybersecurity program, as tedious and laborious as it may be.”

CISA, along with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued indicators of compromise and warn teams running Telerik UI for ASP.NET Ajax builds from earlier than 2020 who are concerned about unpatched servers to immediately:

• Implement a patch management solution to ensure compliance with the latest security patches.
• Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
• Limit service accounts to the minimum permissions necessary to run services.