Analysts at Red Canary, a cybersecurity firm have discovered a Monero cryptocurrency-mining campaign that exploits a deserialization vulnerability, CVE-2019-18935 in public-facing web applications built on ASP.NET web framework.
They named it "Blue Mockingbird", it uses the decentralized vulnerability found in Progress Telerik UI front-end offering for ASP.NET AJAX for remote code execution. AJAX (Asynchronous JavaScript and XML) is a tool used for adding the script to a webpage to be processed and executed by the browser.
This particular vulnerability CVE-2019-18935 is found in the RadAsyncUpload function, as stated by National Vulnerability Database. It is exploited by knowing the encryption key (by means of another attack or method).
The analyst traced backed the campaign to December and till April. The cybercriminals are using the unpatched versions of Telerik UI for ASP.NET, where the vulnerability has not been fixed and injecting the XMRig Monero-mining payload through the vulnerability and spreading it through the network.
XMRig is open-source and can be accumulated into custom tooling, as per the investigation by the analyst. Red Canary has discovered three unmistakable execution ways: Execution with rundll32.exe expressly calling the DLL trade fackaaxv; execution utilizing regsvr32.exe utilizing the/s command line choice, and execution with the payload arranged as a Windows Service DLL.
"Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” state researchers at Red Canary, in a writeup. “So far, we’ve identified two wallet addresses used by Blue Mockingbird that are inactive circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.”
To set up persistence, Blue Mockingbird hackers should initially first gain login and hoist their privileges, which they do utilize different strategies; for example, utilizing a JuicyPotato exploit to raise benefits from an IIS Application Pool Personality virtual account to the NT Authority\SYSTEM account. In another case, the Mimikatz apparatus (the authority marked version) was utilized to get login credentials.
After getting these logins and privileges, the Blue Mockingbird used multiple techniques like COR_PROFILER COM to execute DLL.
“To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,” the writeup briefed.
In preventing threats like these that exploit vulnerabilities, patches for web servers, web applications, and dependencies of the applications are the best firewall.
