Hackers Exploit Old Telerik Flaws to Deploy Cobalt Strike

‘Blue Mockingbird’, a threat actor, targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.


The attacker leverages CVE-2019-18935, a critical-severity (CVSS v3.1: 9.8) deserialisation flaw in the Telerik UI library for ASP.NET AJAX that leads to remote code execution.


In May 2020, the same threat actor was observed targeting vulnerable Microsoft IIS Servers that used Telerik UI.


Sophos researchers reported this week that, according to their detection data, Blue Mockingbird is still using the same flaw to launch cyberattacks.


To exploit CVE-2019-18935, the attackers require the encryption keys that protect Telerik UI’s serialisation on the target. This information can be obtained by using CVE-2017-11317 and CVE-2017-11357 or by exploiting another vulnerability in the target web app.


Many web apps were projects that embedded the Telerik UI framework version available at time of development and then were forgotten about or discontinued. This means that there are still valid targets available for exploitation.


Once the keys are acquired, the attackers can compile a malicious DLL containing the code to be executed during deserialisation and run it within the context of the ‘w3wp.exe’ process.


Sophos spotted that Blue Mockingbird employs a readily available proof-of-concept (PoC) exploit, which automates the DLL compilation and handles the encryption logic.
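The three CVEs above all pass through the same Telerik upload handler, so a defender's first question is whether the IIS logs show scripted POSTs to it. The following hunt script is an added example written for this article, not Sophos' or Telerik's code; it assumes the handler is served from `Telerik.Web.UI.WebResource.axd` with query string `type=rau` (as documented publicly for RadAsyncUpload, not stated in the article) and that the logs use IIS's default W3C field selection. The log lines are constructed.

```python
"""Hunt IIS W3C logs for scripted POSTs to Telerik's RadAsyncUpload handler."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log; assumption: IIS default W3C field layout.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-05-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2020-05-01 10:00:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 8
2020-05-01 10:00:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.22 - 200 0 0 340
2020-05-01 10:00:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.22 - 500 0 0 1875
2020-05-01 10:00:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 25
"""

# Assumption (public Telerik documentation, not from the article): the
# RadAsyncUpload handler lives at this stem with query type=rau. IIS paths
# are case-insensitive, so compare lower-cased.
RAU_STEM = "/telerik.web.ui.webresource.axd"


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def rau_posts(text):
    """Return entries that POST to the upload handler (cs-uri-query type=rau)."""
    hits = []
    for e in parse_w3c(text):
        query = parse_qs(e.get("cs-uri-query", "").lower())  # "-" parses to {}
        if (e["cs-method"].upper() == "POST"
                and e["cs-uri-stem"].lower() == RAU_STEM
                and "rau" in query.get("type", [])):
            hits.append(e)
    return hits


def clients_over_threshold(text, min_posts=2):
    """Client IPs with at least min_posts POSTs to the handler. Repeated POSTs
    from a scripted user agent, especially followed by a 500, are the point at
    which to pull the w3wp.exe process tree and child processes for review."""
    counts = Counter(e["c-ip"] for e in rau_posts(text))
    return {ip: n for ip, n in counts.items() if n >= min_posts}


if __name__ == "__main__":
    for e in rau_posts(SAMPLE_LOG):
        print(e["date"], e["time"], e["c-ip"], e["sc-status"], e["cs(User-Agent)"])
    print(clients_over_threshold(SAMPLE_LOG))
```

A match only shows traffic to the handler, not a successful exploit; pair it with the patched Telerik version in the application's bin directory and process creation telemetry under w3wp.exe.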


The payload used in the recent attacks is a Cobalt Strike beacon, a legitimate penetration testing tool Blue Mockingbird abuses for executing encoded PowerShell commands.


Persistence is established via Active Directory Group Policy Objects (GPOs), which create scheduled tasks written in a new registry key containing base64-encoded PowerShell.


In order to evade Wind ..
