Thousands of enterprise systems infected by new Blue Mockingbird malware gang


Thousands of enterprise systems are believed to have been infected with cryptocurrency-mining malware operated by a group tracked under the codename Blue Mockingbird.

Discovered earlier this month by malware analysts at security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019.

Researchers say Blue Mockingbird targets public-facing IIS servers hosting ASP.NET applications that include Telerik UI for ASP.NET AJAX as their user interface (UI) component.

The attackers exploit CVE-2019-18935, a .NET deserialization vulnerability in that component's RadAsyncUpload handler, to run code on the server and plant a web shell. From the web shell they use a variant of the Juicy Potato technique, which abuses the SeImpersonatePrivilege that IIS worker process accounts normally hold, to escalate to SYSTEM, and then modify server settings so that their payload is relaunched after a reboot.


Once they have full control of a system, they download and install a build of XMRig, the open-source miner for the Monero (XMR) cryptocurrency.

Some attacks pivot to internal networks

Red Canary says that when a compromised public-facing IIS server also has a path into the company's internal network, the group tries to spread further over weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.

In an email interview earlier this month, Red Canary told ZDNet that it does not have a full view of this botnet's operations, but that even with its limited visibility it believes the botnet has accounted for at least 1,000 infections so far.

“Like any security company, we have limited visibility into the threat landscape and no way of accurately knowing the full scope of this threat,” a Red Canary spokesperson told us.

“This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organizations, and over a short amount of time.”

Red Canary says the number of affected companies could be much higher, and that even companies that believe they are safe remain at risk.

The dangerous Telerik UI vulnerability

This is because the Telerik UI component ships as a referenced assembly inside the ASP.NET application (typically Telerik.Web.UI.dll in the application's bin folder) and is only updated when the developer updates it. An application can therefore be on its latest release while the Telerik build it bundles is many versions out of date and still exploitable.

Many companies and developers may not even know whether the Telerik UI component is part of their applications at all, which again leaves them exposed.
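Answering that question is a file inventory job. The script below is an added example written for this article, not Red Canary's or Telerik's code: it walks every IIS site and application root on a server, finds each Telerik.Web.UI.dll and flags file versions older than 2020.1.114, the R1 2020 build that carries the fix for CVE-2019-18935. That version threshold is the one assumption in the script; older builds are reported as exposed regardless of whether custom encryption keys were configured.

```powershell
# Added example, not Red Canary's or the article's code. Inventory Telerik.Web.UI.dll
# under every IIS site and application root and flag builds older than the fix.
# Assumption: 2020.1.114 (R1 2020) is the first build that fixes CVE-2019-18935.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration -ErrorAction Stop

$FixedVersion = [version]'2020.1.114'

$results = foreach ($site in Get-Website) {
    # Applications under a site can live outside the site root, so collect both.
    $roots = @($site.PhysicalPath) +
             @(Get-WebApplication -Site $site.Name -ErrorAction SilentlyContinue | ForEach-Object { $_.PhysicalPath })
    # Physical paths may contain %SystemDrive%-style variables; expand and de-duplicate.
    $roots = $roots | Where-Object { $_ } |
             ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Telerik file versions look like 2019.3.1023.45; tolerate missing or odd strings.
            $fileVersion = $_.VersionInfo.FileVersion
            $parsed = $null
            $known = [version]::TryParse($fileVersion, [ref]$parsed)
            if (-not $known)                    { $status = 'unknown version' }
            elseif ($parsed -lt $FixedVersion)  { $status = 'VULNERABLE (pre-2020.1.114)' }
            else                                { $status = 'patched build' }
            [pscustomobject]@{
                Site        = $site.Name
                Path        = $_.FullName
                FileVersion = $fileVersion
                LastWrite   = $_.LastWriteTime
                Status      = $status
            }
        }
    }
}

if ($results) { $results | Sort-Object Status | Format-Table -AutoSize }
else { Write-Host 'No Telerik.Web.UI.dll found under any IIS site or application root.' }
```

The script only looks under IIS-registered roots; a copy of the assembly deployed elsewhere (a self-hosted application, a backup of an old site that is still reachable) will not show up, so treat an empty result as a starting point rather than a clean bill of health.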

Attackers have exploited this confusion relentlessly over the past year, ever since details of the vulnerability became public.

For example, in an advisory published in late April, the US National Security Agency (NSA) listed CVE-2019-18935 among the vulnerabilities most commonly exploited to plant web shells on servers.

In another advisory published last week, the Australian Cyber Security Centre (ACSC) also listed CVE-2019-18935 among the vulnerabilities most exploited against Australian organizations in 2019 and 2020.

In many cases, organizations may not be able to update the vulnerable application (the fix shipped in Telerik UI for ASP.NET AJAX R1 2020, build 2020.1.114). Those companies need to block exploitation attempts for CVE-2019-18935 in front of the server, typically with a web application firewall rule on POST requests to the component's RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau); if the application genuinely uses RadAsyncUpload, the rule has to be narrower than an outright block. A working exploit also needs the component's encryption keys, which out-of-date builds either ship with known defaults or expose through the earlier key-disclosure weaknesses CVE-2017-11317 and CVE-2017-9248, which is part of why old builds are such practical targets.

Companies that have no such filtering in place, and any that were exposed before it was added, need to look for signs of compromise at the server and workstation level. Red Canary has published a report with indicators of compromise that companies can use to scan servers and systems for signs of a Blue Mockingbird attack.
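One server-side check is the web server's own logs. The script below is an added example constructed for this article, not from Red Canary's report: it reads the #Fields header of an IIS W3C log and flags POST requests to the RadAsyncUpload handler, the request shape a CVE-2019-18935 exploit uses. The log lines are constructed (RFC 5737 documentation addresses, made-up timestamps); for a real hunt, replace them with the contents of a u_ex*.log file. Two caveats: IIS does not log POST bodies, so the serialized payload itself is never visible, and an application that legitimately uses RadAsyncUpload produces the same requests, so the output is a lead to be judged by source address, user agent, volume and status codes, not a verdict.

```powershell
# Added example, not Red Canary's or the article's code. Flag POST requests to the Telerik
# RadAsyncUpload handler in IIS W3C logs, the request shape a CVE-2019-18935 exploit uses.
# The log text below is constructed for the demo; for a real hunt use something like
#   $Lines = Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200520.log'
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-05-20 09:14:02 10.0.0.5 GET /Default.aspx - 443 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2020-05-20 09:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23.0 200
2020-05-20 09:14:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23.0 500
2020-05-20 09:20:31 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd - 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2020-05-20 09:21:40 10.0.0.5 POST /app/telerik.web.ui.webresource.axd type=rau 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
'@

function Get-TelerikRauPosts {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # Field order is declared in the log itself; read it rather than assuming the default layout.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '            # W3C values never contain spaces (encoded as +)
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # -match is case-insensitive; the handler can sit under an application path prefix.
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match 'Telerik\.Web\.UI\.WebResource\.axd$' -and
            $row['cs-uri-query'] -match '(^|&)type=rau(&|$)') {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                UserAgent = $row['cs(User-Agent)']
                Status    = $row['sc-status']
                Uri       = $row['cs-uri-stem']
            }
        }
    }
}

$hits = Get-TelerikRauPosts -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
# Summarize by source: a scripted user agent repeatedly hitting the handler, or unusual
# status codes, stands out against the browser traffic of a normal upload control.
$hits | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count,
                  @{ n = 'Statuses'; e = { ($_.Group.Status | Sort-Object -Unique) -join ',' } }
```

On the constructed sample this reports three handler POSTs, two from 198.51.100.23 with a python-requests user agent (statuses 200 and 500) and one from 203.0.113.9 under an /app prefix; the plain GET requests to the same handler are ignored, since only the POST path carries the RadAsyncUpload payload.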

“As always, our primary purpose in publishing information like this is to help security teams develop detection strategies for threat techniques that are likely to be used against them. In this way, we think that it’s important for security to evaluate their ability to detect things like COR_PROFILER-based persistence and initial access via Telerik vulnerability exploitation,” Red Canary told ZDNet.
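As an added example for that point (written for this article, not Red Canary's code), the following audits the settings through which COR_PROFILER-based persistence is planted. The mechanism is a documented CLR feature: when COR_ENABLE_PROFILING=1 is set together with COR_PROFILER (a COM CLSID, resolved through HKCR\CLSID\{guid}\InprocServer32) or COR_PROFILER_PATH (a DLL path that needs no registration), every .NET process that starts in that environment loads the named DLL. The script checks the machine-wide and per-user environment keys, per-service Environment values, and the current process environment, then resolves any CLSID to its DLL. Legitimate APM agents use the same hook, so a hit is a lead, not a verdict: check the DLL's path and signature.

```powershell
# Added example, not Red Canary's or the article's code. Audit the settings through which
# a COR_PROFILER-based persistence is planted. The CLR loads the profiler DLL into every
# .NET process started with COR_ENABLE_PROFILING=1 plus COR_PROFILER (a CLSID, resolved via
# HKCR\CLSID\{guid}\InprocServer32) or COR_PROFILER_PATH (a DLL path, no registration needed).
# Run elevated so HKLM, the Services tree and other users' hives are readable.
$ProfilerNames = @('COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                   'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64')

function Get-EnvironmentKeyHits {
    # Machine-wide and per-user environment variables live in registry keys like these.
    param([string]$KeyPath, [string]$Scope)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($ProfilerNames -contains $name) {
            [pscustomobject]@{ Scope = $Scope; Location = $KeyPath; Name = $name; Value = [string]$key.GetValue($name) }
        }
    }
}

function Get-ServiceEnvironmentHits {
    # A service can carry its own Environment value (REG_MULTI_SZ of NAME=VALUE strings)
    # that applies only to that service's process.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        foreach ($entry in @($svc.GetValue('Environment'))) {
            if (-not $entry) { continue }
            $name, $value = $entry -split '=', 2
            if ($ProfilerNames -contains $name) {
                [pscustomobject]@{ Scope = "service:$($svc.PSChildName)"; Location = $svc.Name; Name = $name; Value = $value }
            }
        }
    }
}

function Resolve-ProfilerClsid {
    # Map a COR_PROFILER CLSID to the DLL that would be loaded (64-bit, 32-bit and per-user views).
    param([string]$Clsid)
    $guid = '{' + $Clsid.Trim('{}') + '}'
    foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node', 'HKCU:\Software\Classes') {
        $p = "$classes\CLSID\$guid\InprocServer32"
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Clsid = $guid; Key = $p; Dll = (Get-ItemProperty -LiteralPath $p).'(default)' }
        }
    }
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$hits = @(
    Get-EnvironmentKeyHits 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' 'machine'
    # Every loaded user hive, including .DEFAULT and service account SIDs.
    foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
        Get-EnvironmentKeyHits "HKU:\$($hive.PSChildName)\Environment" "user:$($hive.PSChildName)"
    }
    Get-ServiceEnvironmentHits
    # Whatever is already set in this session is inherited by every process it starts.
    Get-ChildItem Env: | Where-Object { $ProfilerNames -contains $_.Name } |
        ForEach-Object { [pscustomobject]@{ Scope = 'process'; Location = 'Env:'; Name = $_.Name; Value = $_.Value } }
)

if (-not $hits) { Write-Host 'No COR_PROFILER-related settings found.' }
else {
    $hits | Format-Table -AutoSize
    # For CLSID-style values, show the DLL behind them. A profiler DLL in a user-writable or
    # unusual directory, or one that is unsigned, is what to look at next.
    $hits | Where-Object { $_.Name -eq 'COR_PROFILER' -and $_.Value -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
        ForEach-Object { Resolve-ProfilerClsid $_.Value } | Format-Table -AutoSize
}
```

On a clean server the expected output is the single "No COR_PROFILER-related settings found." line. Where a monitoring agent is deployed, one or two entries pointing at that vendor's signed DLL are normal; an entry that appeared at the time of the suspected intrusion, or that resolves to a DLL next to the web root or in a temp directory, is the one to pull for analysis.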
