{"uuid": "a4c1e6ab-1786-4631-8cc9-dfa00c7171a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and\u2026", "description": "From: [https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool](https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool)\n\n# Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and\u2026\n\nBY eSentire Threat Response Unit (TRU)\n\nAdversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation-state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.\n\nIn TRU Positives, eSentire\u2019s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\n\nHere\u2019s the latest from our TRU Team\u2026\n\nWhat did we find?\n\nIn early January 2025, the eSentire Threat Response Unit (TRU) identified an unknown threat actor(s) exploiting the now six-year-old vulnerability CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n\nTRU observed the threat actor(s) using w3wp.exe (the IIS worker process) to load a reverse shell and run follow-up reconnaissance commands through cmd.exe. 
Reverse shells were dropped in the C:\\Windows\\Temp directory under names matching [10 digits].[6 digits].dll and [10 digits].[7 digits].dll.\n\nThe infection process begins when the threat actor(s) send a specific request to the IIS server to determine if the file upload handler is available. This can be seen in IIS logs as shown below:\n\n2025-01-03 10:25:51 10.22.12.20 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - - - 200 0 0 171\n\nAfter confirming that the file upload handler is available and that the software version is vulnerable, the threat actor(s) used a customized version of the PoC here to upload and execute a remote shell.\n\nThe reverse shell is simple: a mixed-mode .NET assembly containing a routine that connects to the C2 at 213.136.75[.]130 via Windows Sockets. The legitimate Windows binary cmd.exe is started with its input/output/error handles redirected to the threat actor-controlled connection.\n\nFigure 1 \u2013 Decompiled reverse shell\n\nAfter the threat actor(s) established a connection via the reverse shell, they executed several commands to get information about users on the system. The figure below contains the parent/child relationships and subsequent commands executed through the reverse shell to enumerate users via net.exe and net1.exe.\n\nFigure 2 \u2013 Remote shell loaded by w3wp.exe IIS worker process leading to recon commands\n\nThe following Yara rule can be used to detect the reverse shell. This Yara rule is also available for download here.\n\nrule TCP_Reverse_Shell_Windows_x64 {\n    meta:\n        description = \"Detects Windows based 64-bit TCP reverse shell\"\n        author = \"YungBinary\"\n        hash = \"b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348\"\n    strings:\n        $winsock_2_0 = { 66 B? 02 00 FF 15 }\n        $winsock_2_1 = { 66 B? 
02 01 FF 15 }\n        $winsock_2_2 = { 66 B? 02 02 FF 15 }\n        $winsock_1_0 = { 66 B? 01 00 FF 15 }\n        $winsock_1_1 = { 66 B? 01 01 FF 15 }\n\n        $socket_params = {\n            41 B8 06 00 00 00\n            BA 01 00 00 00\n            B9 02 00 00 00\n        }\n\n        $cmd = {\n            48 C7 44 24 ?? 00 00 00 00\n            48 C7 44 24 ?? 00 00 00 00\n            C7 44 24 ?? 00 00 00 00\n            C7 44 24 ?? (01 | 00) 00 00 00\n            45 33 C9\n            45 33 C0\n            48 8D 15 ?? ?? ?? ??\n            33 C9\n            FF 15\n        }\n\n        $wait = {\n            BA FF FF FF FF\n            48 8B 4C ?? ??\n            FF 15\n        }\n\n    condition:\n        uint16(0) == 0x5a4d and ((1 of ($winsock*)) and $socket_params and $cmd and $wait)\n}\n\nFigure 3 \u2013 Yara rule to detect Windows TCP reverse shell\n\nTRU also observed the threat actor(s) dropping the open-source privilege escalation tool JuicyPotatoNG on the host under various file names:\n\n    C:\\Users\\Public\\PingCaler.exe\n    C:\\Users\\Public\\JuicyPotatoNG.exe\n\nThe following batch files were also dropped on the host, but their purpose is not known at this time:\n\n    C:\\Users\\Public\\rdp.bat\n    C:\\Users\\Public\\user.bat\n    C:\\Users\\Public\\All.bat\n\nThe following diagram provided by Telerik can be used to determine if your specific version of Telerik UI for ASP.NET AJAX is vulnerable.\n\nFigure 4 \u2013 Vulnerable version decision tree diagram, source.\n\nWhat did we do?\n\n    Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer\u2019s behalf.\n    We communicated what happened with the customer and helped them with incident remediation efforts.\n\nWhat can you learn from this TRU Positive?\n\n    While the vulnerability in Progress Telerik UI for 
ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors.\n    This highlights the importance of patching systems, especially if they are going to be exposed to the internet.\n\nRecommendations from the Threat Response Unit (TRU):\n\n    Implement a comprehensive vulnerability management service with a robust patch management solution and process to ensure systems are up to date with the latest security patches before exposing them to the Internet.\n    Use an Endpoint Detection and Response (EDR) solution and ensure it is deployed across all workstations and servers.\n\nIndicators of Compromise\n\nYou can access the Indicators of Compromise here.\n\nReferences\n\n    https://www.esentire.com/security-advisories/active-exploitation-of-cve-2019-18935\n    https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui\n    https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/common-allows-javascriptserializer-deserialization\n    https://github.com/noperator/CVE-2019-18935\n    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a\n    https://github.com/antonioCoco/JuicyPotatoNG\n\n", "creation_timestamp": "2025-02-03T13:12:08.204190+00:00", "timestamp": "2025-02-03T13:12:08.204190+00:00", "related_vulnerabilities": ["CVE-2019-18935"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
