In early January 2025, eSentire’s Threat Response Unit (TRU) identified a threat actor exploiting the CVE-2019-18935 vulnerability in Progress Telerik UI for ASP.NET AJAX. The attack involved using a reverse shell to execute commands for reconnaissance. The incident emphasizes the importance of patching vulnerabilities, even those that are years old. Affected: Progress Telerik UI for ASP.NET AJAX
Key points:
- eSentire operates 24/7 Security Operations Centers (SOCs) with elite threat hunters and cyber analysts.
- TRU provides summaries of threat investigations, including responses and future recommendations.
- The CVE-2019-18935 vulnerability in Progress Telerik UI for ASP.NET AJAX was exploited by an unknown threat actor.
- Threat actors used w3wp.exe to load a reverse shell and execute reconnaissance commands through cmd.exe.
- Reverse-shell payloads were dropped in the C:\Windows\Temp directory under the naming convention described in the full article.
- eSentire’s SOC team isolated the affected host to contain the infection promptly.
- Recommendations include the importance of patching systems exposed to the internet.
MITRE Techniques:
- T1190 – Exploit Public-Facing Application: The threat actor exploited CVE-2019-18935 in the internet-exposed Telerik UI for ASP.NET AJAX component to execute code in the IIS worker process (w3wp.exe). (T1203, Exploitation for Client Execution, covers client-side software such as browsers and document readers; exploitation of a server-side web component maps to T1190.)
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell: The threat actor ran reconnaissance commands through cmd.exe spawned from w3wp.exe.
- T1071.001 – Application Layer Protocol: Web Protocols: The reverse shell used HTTP to communicate with the C2 server.
- T1068 – Exploitation for Privilege Escalation: JuicyPotatoNG, listed among the indicators below, is a local privilege escalation tool dropped on the host.
Indicators of Compromise:
- [file name] C:\Users\Public\PingCaler.exe
- [file name] C:\Users\Public\JuicyPotatoNG.exe
- [file name] C:\Users\Public\rdp.bat
- [file name] C:\Users\Public\user.bat
- [file name] C:\Users\Public\All.bat
- Check the article for all found IoCs.
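The key points above describe three observable behaviours: w3wp.exe spawning cmd.exe, w3wp.exe writing executable payloads into C:\Windows\Temp, and the named files under C:\Users\Public. The following is an added detection example, not code from eSentire or from the article; it runs over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records embedded inline, and the field names, the sample events and the hypothetical payload name `sample-reverse-shell.dll` are assumptions for illustration.

```python
import ntpath

# Paths reproduced from the IoC list on this page (the article lists more).
KNOWN_IOC_PATHS = {
    r"C:\Users\Public\PingCaler.exe",
    r"C:\Users\Public\JuicyPotatoNG.exe",
    r"C:\Users\Public\rdp.bat",
    r"C:\Users\Public\user.bat",
    r"C:\Users\Public\All.bat",
}
_KNOWN_IOC_LOWER = {p.lower() for p in KNOWN_IOC_PATHS}

# Interpreters an IIS worker process should not normally launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Executable extensions worth flagging when written by w3wp.exe into Windows\Temp.
EXEC_EXT = {".exe", ".dll", ".bat", ".ps1"}
TEMP_PREFIX = "c:\\windows\\temp\\"


def _base(path):
    """Case-folded file name of a Windows path (handles both slash styles)."""
    return ntpath.basename(path or "").lower()


def is_iis_spawning_shell(ev):
    """Sysmon EID 1: w3wp.exe as parent of a command interpreter (T1059.003)."""
    if ev.get("EventID") != 1:
        return False
    return _base(ev.get("ParentImage")) == "w3wp.exe" and _base(ev.get("Image")) in SHELLS


def is_w3wp_temp_drop(ev):
    """Sysmon EID 11: w3wp.exe writing an executable payload into C:\\Windows\\Temp."""
    if ev.get("EventID") != 11 or _base(ev.get("Image")) != "w3wp.exe":
        return False
    target = (ev.get("TargetFilename") or "").lower()
    return target.startswith(TEMP_PREFIX) and ntpath.splitext(target)[1] in EXEC_EXT


def matches_known_ioc(ev):
    """Exact (case-insensitive) match against the file-name IoCs listed above."""
    candidates = (ev.get("Image"), ev.get("TargetFilename"))
    return any(c and c.lower() in _KNOWN_IOC_LOWER for c in candidates)


def triage(events):
    """Return (rule, detail) findings for every event that trips a rule."""
    findings = []
    for ev in events:
        if is_iis_spawning_shell(ev):
            findings.append(("w3wp_spawns_shell", ev.get("CommandLine", "")))
        if is_w3wp_temp_drop(ev):
            findings.append(("w3wp_temp_executable_drop", ev["TargetFilename"]))
        if matches_known_ioc(ev):
            findings.append(("known_ioc_path", ev.get("Image") or ev.get("TargetFilename")))
    return findings


# Constructed sample telemetry (not real log data from the incident).
SAMPLE_EVENTS = [
    # Benign: IIS starting its worker process.
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    # Suspicious: worker process writes a DLL into Windows\Temp (hypothetical file name).
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\sample-reverse-shell.dll"},
    # Benign: worker process writes a non-executable temp file.
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\cache.tmp"},
    # Suspicious: reconnaissance via cmd.exe spawned from w3wp.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    # Known IoC: privilege escalation tool executed from C:\Users\Public.
    {"EventID": 1, "Image": r"C:\Users\Public\JuicyPotatoNG.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "JuicyPotatoNG.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The parent/child rule is the most durable of the three: it does not depend on file names an attacker can change, but some applications legitimately shell out from w3wp.exe, so tune it per application pool before alerting. The IoC match is exact-path only; treat it as a confirmation check, not as primary detection.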
Full Research: https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool