Thousands of enterprise systems are thought to have been infected with a crypto-currency-mining malware operated by a group tracked under Blue Mockingbird’s codename.
Discovered earlier this month by cloud security firm Red Canary malware researchers, it is assumed the Blue Mockingbird community has been operating since December 2019.
Researchers say that Blue Mockingbird attacks servers running ASP.NET apps which use the Telerik framework for their component user interface ( UI).
Hackers exploit the vulnerability of CVE-2019-18935 to plant a web shell on the server which has been targeted. They then use a variant of the Juicy Potato technique to gain access at admin-level and change server settings to obtain persistence (re)boot.
Once they have full access to a system, they will download and install a version of XMRRig, the popular Monero (XMR) cryptocurrency mining app.
Some attacks are crucial against internal networks
Red Canary experts claim that if the public-facing IIS servers are connected to the internal network of a organization, the group often attempts to spread internally through RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections that are weakly secured.
In an email interview earlier this month, Red Canary told ZDNet they don’t have a full view of the activities of this botnet, but they assume the botnet has made at least 1,000 infections so far, only because of the limited visibility they have.
“We have limited visibility in the threat landscape like any security company and no way to reliably know the full scope of this threat,” a spokesperson for Red Canary told us.
“In particular, this threat has affected a relatively limited percentage of organizations whose endpoints we control. However, we have detected about 1,000 infections within these organizations and over a short period of time.”
Red Canary, however, says the number of companies that have been affected could be much higher and even companies that believe they are safe are at risk of attack.
Dangerous vulnerability in the Telerik UI
This is because the vulnerable Telerik UI component may be part of ASP.NET applications running on their new updates, but the Telerik component may be other obsolete versions, often exposing businesses to attacks.
Many companies and developers may not even know whether the aspect of the Telerik UI is even part of their applications, again leaving companies exposed to attacks.
And this uncertainty has been exploited ruthlessly over the past year by attacks, ever since information about the vulnerability became public.
For example, the US National Security Agency ( NSA) listed the Telerik UI vulnerability CVE-2019-18935 as one of the most exploited vulnerabilities used to plant web shells on servers in an advisory published late April.
The Australian Cyber Security Center (ACSC) also identified the Telerik UI vulnerability CVE-2019-18935 as one of the most exploited vulnerabilities to target Australian organizations in 2019 and 2020, in another security advisory released last week.
Organizations may not in certain cases have the option of upgrading their insecure devices. For these situations, several businesses will have to ensure that they at their firewall level block the exploitation attempts for CVE-2019-18935.
If they don’t have a cloud firewall, businesses need to search for server- and workstation-level signs of a compromise. Here, Red Canary has published a report with compromising indications that businesses can use to search servers and networks for signs of a Blue Mockingbird attack.
“As always, our primary aim in releasing information like this is to help security teams establish threat detection techniques that are likely to be used against them. In this way, we believe it is important for security to determine their ability to detect persistence based on COR PROFILER and initial access through Telerik vulnerability exploitation,” Red Canary told.
