A Monero cryptocurrency mining campaign has made the headlines exploiting a known vulnerability in public-facing web apps. These web apps are built on the ASP.NET open-source framework.
What is happening?
The campaign has been named Blue Mockingbird by Red Canary analysts who detected this operation. The threat actors have been found to exploit a deserialization vulnerability, CVE-2019-18935, that permits remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.
What the experts are saying
- The analysts at Red Canary explained, “Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address.”
- Two wallet addresses have been identified.
- It is suspected that Blue Mockingbird maybe experimenting with various tools to create SOCKS proxies for pivoting.
- Currently, the campaign is revealing unpatched versions of Telerik UI for ASP.NET.
- The vulnerability especially lies in RadAsyncUpload function.
- Although the campaign is making marks, the toolkit is still a developing one.
What you can do
- Patch web servers and apps.
- Prevent threats by patching dependencies of apps to evade initial access.