Hands up who DIDN'T exploit this years-old flaw to ransack a US govt web server...
2023-03-15 23:00

Multiple criminals, potentially including at least one nation-state group, broke into a US federal government agency's Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution.

"Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX, located in the agency's Microsoft Internet Information Services web server," the joint advisory said.

Deserialization vulnerabilities affect multiple programming languages and applications, and, as Mandiant explains, are essentially the "result of applications placing too much trust in data that a user can tamper with."

The latest security alert follows a series of high-profile US government break-ins and data theft.

In late February, the US Marshals Service admitted a "major" breach of its information security defenses led to a ransomware infection and exfiltration of "law-enforcement sensitive information."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/15/cisa_us_microsoft_hacked/