Dubbed ‘Blue Mockingbird’, the group is believed to have been active since December 2019
According to Verizon’s 2020 Data Breach Investigations Report, ransomware attacks are growing at an alarming rate. Verizon analyzed a record total of 157,525 incidents, of which 32,002 met its quality standards and 3,950 were confirmed data breaches. The report states that ransomware accounted for 80% of all cyberattacks suffered, with the data suggesting that 92% of these incidents were financially motivated.
The privacy-focused cryptocurrency Monero was in the spotlight last year, with multiple mining malware families infecting computers across the globe — Beapy, Smominru and Norman. All of these were employed by nefarious players to make the infected machines mine the crypto for them.
Earlier this month, cloud security firm Red Canary revealed that the Blue Mockingbird group has been actively conducting malware attacks on corporate servers since December 2019. Malware analysts from the firm say that Blue Mockingbird targets public-facing servers running ASP.NET applications, specifically ones that use the Telerik framework for their user interface (UI) components.
“This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organizations, and over a short amount of time.” ~ Red Canary Spokesperson
As reported by ZDNet, the attackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the targeted server. They then use a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence. Once an infected machine restarts, the attackers download and install a version of XMRig, a popular mining application for the Monero (XMR) cryptocurrency.
Threat analysts at Red Canary point out that if the external IIS servers being attacked are connected to the company’s internal network, that network becomes vulnerable as well: the malware attempts to spread through weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.
Red Canary says there is no way of accurately knowing the number of infections because of its limited visibility into the threat landscape. The actual number of affected companies might be much higher, and companies that presume they are safe from this malware might be at risk too.
Keep in mind that two security advisories published in the past few weeks, one by the US National Security Agency (NSA) and the other by the Australian Cyber Security Centre (ACSC), listed the Telerik UI vulnerability CVE-2019-18935 as one of the most exploited vulnerabilities.
ZDNet suggests that companies block exploitation attempts for CVE-2019-18935 at the firewall level. Where no such firewall is in place, signs of compromise need to be looked for at the workstation level. Red Canary has published a useful guide on how organizations can scan their servers for a possible Blue Mockingbird attack.
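One concrete way to look for the signs of compromise mentioned above is to check IIS access logs for requests to the Telerik handler through which CVE-2019-18935 is reached: `Telerik.Web.UI.WebResource.axd` with `type=rau` (the RadAsyncUpload handler). The script below is an added example for this article, not code from ZDNet, Red Canary or their guide. It parses IIS W3C extended log lines, flags requests to that handler, and ranks client IPs that repeatedly POST to it. The log excerpt, the IP addresses and the POST-count threshold are constructed for the example.

```python
"""Scan IIS W3C extended logs for requests to the Telerik RadAsyncUpload handler.

CVE-2019-18935 is reached through Telerik.Web.UI.WebResource.axd with type=rau.
A server that does not legitimately use async uploads should see no such
traffic, so repeated POSTs to that handler are a triage signal for defenders.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real traffic). The #Fields: directive
# defines the column order exactly as IIS writes it; spaces inside a field
# value (e.g. the user agent) are encoded as '+' by IIS, so whitespace splits.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-05-20 10:01:02 10.0.0.5 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2020-05-20 10:01:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.44 python-requests/2.23 200
2020-05-20 10:01:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.44 python-requests/2.23 200
2020-05-20 10:02:30 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rca&_TSM_CombinedScripts_=abc 198.51.100.7 Mozilla/5.0 200
2020-05-20 10:03:00 10.0.0.5 POST /app/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.44 python-requests/2.23 500
"""

HANDLER = "telerik.web.ui.webresource.axd"


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_rau_request(rec):
    """True when the request targets the RadAsyncUpload handler (type=rau)."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(HANDLER):
        return False
    query = rec.get("cs-uri-query", "")
    if query == "-":  # IIS writes '-' for an empty query string
        return False
    params = parse_qs(query)
    return "rau" in [v.lower() for v in params.get("type", [])]


def find_rau_requests(text):
    """Return every record that hit the async-upload handler."""
    return [r for r in parse_iis_log(text) if is_rau_request(r)]


def suspicious_clients(text, threshold=2):
    """Client IPs with at least `threshold` POSTs to the handler.

    The threshold is an assumption for the example; tune it to the baseline
    of a server that legitimately uses RadAsyncUpload.
    """
    counts = Counter(
        r["c-ip"] for r in find_rau_requests(text) if r["cs-method"].upper() == "POST"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def main():
    hits = find_rau_requests(SAMPLE_LOG)
    print(f"{len(hits)} request(s) to the RadAsyncUpload handler")
    for r in hits:
        print(f"  {r['date']} {r['time']} {r['c-ip']} {r['cs-method']} "
              f"{r['cs-uri-stem']}?{r['cs-uri-query']} -> {r['sc-status']}")
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"triage: {ip} made {n} POST(s) to the handler")


if __name__ == "__main__":
    main()
```

Run it against a real log by reading the file contents into `find_rau_requests`; the `#Fields:` handling means it copes with whatever column order the server was configured to write. Requests using `type=rca` or other handler modes are deliberately not flagged, since those are routine resource fetches.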
Originally Published on Medium
