A hacker called ‘Blue Mockingbird’ is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware.
The vulnerability tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), impacts the Telerik UI library for ASP.NET AJAX and is a high-risk deserialization security bug that can lead to remote code execution.
Blue Mockingbird was also identified in May 2020 targeting susceptible Microsoft IIS servers that employed Telerik UI, even though it had been a year after the vendor had published security patches.
Earlier this week, Sophos researchers revealed that Blue Mockingbird is leveraging the same flaw to launch new cyberattacks.
To exploit CVE-2019-18935, the hackers must secure the encryption keys that guard Telerik UI’s serialization on the target. This may be done by using CVE-2017-11317 and CVE-2017-11357 or abusing another vulnerability in the target web app.
Since multiple web apps were used as projects that embedded the Telerik UI framework version at the time of development and later were discontinued, they are still legitimate targets accessible for exploitation.
Once the keys are acquired, the hackers can compile a malicious DLL containing the code to be executed during deserialization and launch it in the context of the ‘w3wp.exe’ process.
According to the researchers, in recent assaults, Blue Mockingbird employed a readily available proof-of-concept (PoC) vulnerability to manage the encryption logic and automate the DLL compilation. The payload used in the recent assaults is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool hacker exploits for executing encoded PowerShell commands.
Persistence is achieved by Active Directory Group Policy Objects (GPOs), which manufacture scheduled tasks in a new registry entry that contains base64-encoded PowerShell. To mitigate Windows Defender detection, the script employs typical AMSI-bypassing methodologies to download and load a Cobalt Strike DLL into memory.
The second-stage program (‘crby26td.exe’) is an XMRig Miner, a common open-source cryptocurrency miner for Monero, one of the least detected cryptocurrencies. Notably, this was the primary goal of the threat actor’s 2020 campaign; therefore, the attack chain, methodologies, and goals haven’t altered significantly.
On the other hand, Cobalt Strike allows for simple lateral movement within an exploited network, data exfiltration, account takeover, and the deployment of more powerful payloads like ransomware. It remains unclear whether Blue Mockingbird is interested in investigating these possibilities; for the time being, or they’re only focused on Monero mining.
