Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

Jan. 31, 2025, 2:07 p.m.

Description

In early January 2025, a threat actor was observed exploiting CVE-2019-18935, an insecure .NET deserialization flaw in the RadAsyncUpload handler of Progress Telerik UI for ASP.NET AJAX. The chain began with a probe that confirmed the file upload handler was reachable, followed by exploitation of the vulnerability to upload a DLL and have the IIS worker process (w3wp.exe) load it. That DLL, a mixed-mode .NET assembly acting as a reverse shell, connected to a C2 server and spawned cmd.exe with its input and output redirected over the connection, giving the attacker a command prompt running as the application pool identity, which was then used for reconnaissance. Post-exploitation activity included user enumeration and deployment of JuicyPotatoNG, a privilege escalation tool that abuses SeImpersonatePrivilege (held by IIS application pool identities by default) to obtain SYSTEM. The attack highlights the continued exploitation of older vulnerabilities: a fix for CVE-2019-18935 has been available since 2019, and exploitation also depends on the attacker knowing the upload handler's encryption keys, so upgrading Telerik UI, replacing any default keys with unique ones, and monitoring for unexpected child processes of w3wp.exe remain the practical defenses.
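As an added hunting example (not code from the original report, and not the actor's tooling), the script below checks for the two most observable steps of the chain above: requests to the RadAsyncUpload handler, which Telerik serves from Telerik.Web.UI.WebResource.axd with the query type=rau, and shells or reconnaissance binaries whose process ancestry leads back to w3wp.exe. The IIS log lines, the Sysmon-style process records, the W3C field order and the "handler-only client" heuristic are all constructed assumptions for the demonstration.

```python
"""Hunting helpers for the CVE-2019-18935 chain described above.

Added example, not code from the original report or from the threat actor.
The log lines and process records are constructed; the IIS field order and
the Sysmon-style field names are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# CVE-2019-18935 is reached through the RadAsyncUpload handler of
# Telerik UI for ASP.NET AJAX, served from this .axd resource with ?type=rau.
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"
RAU_QUERY = "type=rau"

# Constructed W3C extended IIS log (not from the report). 203.0.113.9 probes
# the handler with a GET, then POSTs twice (upload, then deserialization
# trigger) without ever loading a page; 198.51.100.20 behaves like a real user.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-06 03:14:07 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 12
2025-01-06 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 231
2025-01-06 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 187
2025-01-06 03:15:02 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 8
2025-01-06 03:15:30 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text, taking column names from #Fields:."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_rau_request(rec: Dict[str, str]) -> bool:
    """True when the request targets the RadAsyncUpload handler."""
    return (rec.get("cs-uri-stem", "").lower().endswith(TELERIK_HANDLER)
            and RAU_QUERY in rec.get("cs-uri-query", "").lower())


def hunt_rau_clients(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Heuristic (assumption): a browser loads a page before it uploads through
    the handler, whereas an exploit script talks to the handler only. Return
    client IPs that POSTed to the handler and requested nothing else."""
    per_ip: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"probe": 0, "post": 0, "other": 0})
    for rec in records:
        counts = per_ip[rec["c-ip"]]
        if not is_rau_request(rec):
            counts["other"] += 1
        elif rec["cs-method"].upper() == "POST":
            counts["post"] += 1
        else:
            counts["probe"] += 1
    return {ip: c for ip, c in per_ip.items() if c["post"] and not c["other"]}


# Constructed Sysmon-style process-creation records (Event ID 1 field names).
def _ev(pid: int, ppid: int, image: str) -> Dict[str, object]:
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image}


SAMPLE_PROCESS_EVENTS = [
    _ev(1234, 800, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    _ev(2200, 1234, r"C:\Windows\System32\cmd.exe"),        # reverse shell
    _ev(2210, 2200, r"C:\Windows\System32\whoami.exe"),     # recon
    _ev(2220, 2200, r"C:\Windows\System32\net.exe"),        # user enumeration
    _ev(4000, 500, r"C:\Windows\explorer.exe"),
    _ev(3000, 4000, r"C:\Windows\System32\cmd.exe"),        # benign admin shell
]
SUSPICIOUS = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
              "net.exe", "net1.exe", "systeminfo.exe", "tasklist.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def descended_from_worker(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Walk each process's ancestry; flag suspicious images with w3wp.exe above
    them. Catches grandchildren (w3wp -> cmd -> whoami), not just direct children."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits: List[Tuple[str, str]] = []
    for ev in events:
        chain, seen, cur = [], set(), ev
        while cur is not None and cur["ProcessId"] not in seen:
            seen.add(cur["ProcessId"])
            chain.append(_basename(str(cur["Image"])))
            cur = by_pid.get(cur["ParentProcessId"])
        if "w3wp.exe" in chain[1:] and chain[0] in SUSPICIOUS:
            hits.append((chain[0], " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for ip, counts in hunt_rau_clients(parse_w3c(SAMPLE_IIS_LOG.splitlines())).items():
        print(f"handler-only client {ip}: {counts}")
    for image, chain in descended_from_worker(SAMPLE_PROCESS_EVENTS):
        print(f"{image} descended from IIS worker: {chain}")
```

The handler-only heuristic will miss an attacker who first browses the site and will flag a legitimate API client that uploads through RadAsyncUpload directly, so treat its output as a triage list; the process-ancestry check is the higher-confidence signal, since w3wp.exe has no business spawning cmd.exe or whoami.exe on a production server.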

Date

  • Created: Jan. 31, 2025, 11:54 a.m.
  • Published: Jan. 31, 2025, 11:54 a.m.
  • Modified: Jan. 31, 2025, 2:07 p.m.

Indicators

  • e8e15194429c7e6f3c5d4020d659a918e3065ffed4edb7e6953b1b03c826e831
  • b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348
  • 1fc715d2224ad09ed43d0a21ea36067618cf8c54f3bb76290081185744e09f6c
  • 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7

Attack Patterns

  • T1505.003 (Server Software Component: Web Shell)
  • T1021.001 (Remote Services: Remote Desktop Protocol)
  • T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1562.001 (Impair Defenses: Disable or Modify Tools)
  • T1082 (System Information Discovery)
  • T1083 (File and Directory Discovery)
  • T1190 (Exploit Public-Facing Application)
  • CVE-2019-18935 (Progress Telerik UI for ASP.NET AJAX, RadAsyncUpload .NET deserialization)