December 1, 2023

Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird.

Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019.

Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component.

Hackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the attacked server. They then use a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence.

Once they gain full access to a system, they download and install a version of XMRRig, a popular cryptocurrency mining app for the Monero (XMR) cryptocurrency.

Some attacks pivot to internal networks
if the public-facing IIS servers are connected to a company’s internal network, the group also attempts to spread internally via weakly-secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.

Crypto Mining

The dangerous Telerik UI vulnerability

This is because the vulnerable Telerik UI component might be part of ASP.NET applications that are running on their latest versions, yet, the Telerik component might be many versions out of date, still exposing companies to attacks.

Many companies and developers may not even know if the Telerik UI component is even part of their applications, which, again, leaves companies exposed to attacks.

And this confusion has been ruthlessly exploited by attacks over the past year, ever since details about the vulnerability became public.

For example, in an advisory published in late April, the US National Security Agency (NSA) listed the Telerik UI CVE-2019-18935 vulnerability as one of the most exploited vulnerabilities used to plant web shells on servers.

In many cases, organizations may not have an option to update their vulnerable apps. In these cases, many companies would need to ensure that they block exploitation attempts for CVE-2019-18935 at their firewall level.

In case they don’t have a web firewall, companies need to look for signs of a compromise at the server and workstation level.

“As always, our primary purpose in publishing information like this is to help security teams develop detection strategies for threat techniques that are likely to be used against them. In this way, we think that it’s important for security to evaluate their ability to detect things like COR_PROFILER-based persistence and initial access via Telerik vulnerability exploitation,”.

Leave a Reply

%d bloggers like this: