Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG
Jan. 31, 2025, 2:07 p.m.
Description
In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved confirming the availability of the file upload handler and exploiting the vulnerability to upload and execute a remote shell. The reverse shell, a mixed-mode .NET assembly, connected to a C2 server and redirected cmd.exe input/output to the attacker. Post-exploitation activities included user enumeration and the deployment of the JuicyPotatoNG privilege escalation tool. The attack highlights the continued exploitation of older vulnerabilities and emphasizes the importance of timely patching and robust security measures.
Date
Published: Jan. 31, 2025, 11:54 a.m.
Created: Jan. 31, 2025, 11:54 a.m.
Modified: Jan. 31, 2025, 2:07 p.m.
Indicators
e8e15194429c7e6f3c5d4020d659a918e3065ffed4edb7e6953b1b03c826e831
b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348
1fc715d2224ad09ed43d0a21ea36067618cf8c54f3bb76290081185744e09f6c
602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7
Attack Patterns
T1505.003
T1021.001
T1548.002
T1059.003
T1562.001
T1082
T1083
T1190
CVE-2019-18935