The hacker group code-named Blue Mockingbird has infected thousands of enterprise systems with cryptocurrency-mining malware.
Malware analysts from cloud security firm Red Canary spotted this malware early this month, but the Blue Mockingbird group has been active since December 2019.
According to the researchers, Blue Mockingbird attacks public-facing servers that run ASP.NET apps using the Telerik framework for their user interface (UI) component.
The hackers exploited the vulnerability tracked as CVE-2019-18935 to plant a web shell on the attacked server. A version of the Juicy Potato technique was then used to gain admin-level access and modify server settings to obtain (re)boot persistence.
On attaining complete access to a system, the gang downloaded and installed a version of XMRig, a popular mining app for the Monero (XMR) cryptocurrency.
According to the experts at Red Canary, if the public-facing IIS servers are connected to a company’s internal network, the group also tries to spread internally through weakly-secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.
Even though the researchers do not have full details about the botnet’s operations, they believe that the botnet must have made at least 1,000 infections so far.
They say that the number of companies affected could be much higher, and that even companies considered to be safe are at risk of attack.
The vulnerable Telerik UI component might be part of ASP.NET applications that are themselves running on their latest versions. The Telerik component inside them, however, might be outdated, which puts those companies at risk.
Many companies and developers may not even be aware that the Telerik UI component is part of their applications, which also leaves them exposed to attacks.
The Telerik UI CVE-2019-18935 vulnerability has been listed as one of the most exploited vulnerabilities used to plant web shells on servers.
Organizations that do not have the option to update their vulnerable apps must ensure that they block exploitation attempts for CVE-2019-18935 at the firewall level. If they do not have a web firewall, they must check for signs of compromise at the server and workstation level.
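
Because the Telerik UI component may be bundled into an application without the owner knowing, a first server-level check is to inventory where it is deployed. The following PowerShell is an added example, not code from Red Canary or Telerik. It assumes sites live under `C:\inetpub` (adjust `-Roots`), that the component ships as `Telerik.Web.UI.dll`, and that `-MinimumVersion` is supplied by the operator from the vendor advisory for CVE-2019-18935; `Get-TelerikInventory` is a hypothetical helper name.

```powershell
# Added example: list deployed Telerik UI assemblies and flag ones to review.
# Assumptions: web content is under $Roots; $MinimumVersion is a value the
# operator takes from the vendor advisory (left unset here on purpose).
param(
    [string[]]$Roots = @('C:\inetpub'),
    [version]$MinimumVersion = $null
)

function Get-TelerikInventory {
    param([string[]]$Roots, [version]$MinimumVersion)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Root not found: $root"
            continue
        }
        # Access-denied folders are skipped rather than aborting the scan.
        Get-ChildItem -LiteralPath $root -Recurse -File `
                -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $raw    = $_.VersionInfo.FileVersion
                $parsed = $null
                $ok     = [version]::TryParse($raw, [ref]$parsed)

                # Flag for review when no threshold was given, the version
                # cannot be parsed, or it is below the supplied threshold.
                $review = (-not $MinimumVersion) -or (-not $ok) -or
                          ($parsed -lt $MinimumVersion)

                [pscustomobject]@{
                    Path          = $_.FullName
                    FileVersion   = $raw
                    LastWriteTime = $_.LastWriteTime
                    NeedsReview   = $review
                }
            }
    }
}

Get-TelerikInventory -Roots $Roots -MinimumVersion $MinimumVersion |
    Sort-Object Path |
    Format-Table -AutoSize
```

Run it from an elevated prompt on each IIS host; any row with `NeedsReview` set to `True` identifies an application whose bundled Telerik component should be checked against the vendor's fixed release.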