Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG
Jan. 31, 2025, 2:07 p.m.
Description
In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker abused the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection chain began by confirming that the file upload handler was reachable, then exploiting the vulnerability to upload and execute the reverse shell. The reverse shell, a mixed-mode .NET assembly, connected to a command-and-control (C2) server and redirected the standard input and output of cmd.exe to the attacker. Post-exploitation activity included user enumeration and deployment of the JuicyPotatoNG privilege escalation tool. The attack highlights the continued exploitation of older vulnerabilities and underscores the importance of timely patching and robust security controls.
Tags
Date
- Created: Jan. 31, 2025, 11:54 a.m.
- Published: Jan. 31, 2025, 11:54 a.m.
- Modified: Jan. 31, 2025, 2:07 p.m.
Indicators
- e8e15194429c7e6f3c5d4020d659a918e3065ffed4edb7e6953b1b03c826e831
- b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348
- 1fc715d2224ad09ed43d0a21ea36067618cf8c54f3bb76290081185744e09f6c
- 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7
Attack Patterns
- T1505.003
- T1021.001
- T1548.002
- T1059.003
- T1562.001
- T1082
- T1083
- T1190
- CVE-2019-18935