Original Release Date: 6/2/2020
Researchers from cloud security firm Red Canary discovered a cyber threat group dubbed Blue Mockingbird that recently infected thousands of enterprise systems. The group conducted a cryptocurrency-mining campaign by targeting public-facing servers running ASP.NET apps using the Telerik framework. By exploiting CVE-2019-18935, the group was able to install a web shell on the compromised server and then used a privilege escalation tool to gain the access needed to modify server settings and maintain persistence. Once the group had full system access, they downloaded and installed the XMRig cryptocurrency-mining program. Additionally, if a public-facing Microsoft IIS server was connected to the company’s internal network, Blue Mockingbird also attempted to spread internally on the network via RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.
The NJCCIC recommends administrators ensure the Telerik UI (user interface) component used in any ASP.NET apps is patched against the CVE-2019-18935 vulnerability. This vulnerability is one of the most commonly exploited vulnerabilities, as recently noted by the NSA and the ACSC. For more information, review the report by Red Canary, which includes indicators of compromise related to this activity, and the ZDNet article.
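The first step in acting on the recommendation above is knowing which Telerik UI builds are actually deployed on each IIS host. The following PowerShell inventory script is an added example, not part of the NJCCIC advisory or the Red Canary report. It assumes the IIS WebAdministration module is present, enumerates every site's physical root, locates copies of Telerik.Web.UI.dll, and compares each file version against a minimum the administrator supplies; the default value of $MinimumPatchedVersion is a placeholder and must be replaced with the fixed build named in Telerik's own CVE-2019-18935 advisory.

```powershell
# Added example (not from the NJCCIC advisory): inventory Telerik UI for
# ASP.NET AJAX assemblies on an IIS host and flag builds below a minimum.
# Assumptions: the WebAdministration module is available, and the admin sets
# $MinimumPatchedVersion from Telerik's CVE-2019-18935 advisory. The default
# "0.0.0.0" is a PLACEHOLDER so the script runs; it flags nothing by itself.
param(
    [version]$MinimumPatchedVersion = [version]"0.0.0.0",  # PLACEHOLDER: replace with the fixed build
    [string[]]$ExtraRoots = @()                            # optional extra folders to scan (deployment shares etc.)
)

Import-Module WebAdministration -ErrorAction Stop

# Physical root of every IIS site, with %SystemDrive% and similar expanded.
# @() keeps the result an array even when there is only one site.
$roots = @(foreach ($site in Get-Website) {
    [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
})
$roots += $ExtraRoots

$findings = foreach ($root in ($roots | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fileVersion = $_.VersionInfo.FileVersion
            $parsed = $null
            $status = 'UNKNOWN'   # version string missing or not parseable; inspect manually
            if ([version]::TryParse($fileVersion, [ref]$parsed)) {
                $status = if ($parsed -lt $MinimumPatchedVersion) { 'BELOW_MINIMUM' } else { 'OK' }
            }
            [pscustomobject]@{
                SiteRoot    = $root
                Path        = $_.FullName
                FileVersion = $fileVersion
                Status      = $status
            }
        }
}

$findings | Format-Table -AutoSize

# Summary line so the script is useful when run unattended across many hosts.
$below = @($findings | Where-Object Status -eq 'BELOW_MINIMUM').Count
Write-Host ("Telerik.Web.UI.dll copies found: {0}; below minimum: {1}" -f @($findings).Count, $below)
```

Run it elevated on each public-facing IIS server, passing the fixed build from Telerik's advisory as -MinimumPatchedVersion. A build at or above the minimum only tells you the assembly was updated; entries marked UNKNOWN, and any application that loads the control from a location outside the site root, still need a manual look.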