Blue Mockingbird Exploiting Web Apps

A Monero cryptocurrency mining campaign has made the headlines exploiting a known vulnerability in public-facing web apps. These web apps are built on the ASP.NET open-source framework.

What is happening?

The campaign has been named Blue Mockingbird by Red Canary analysts who detected this operation. The threat actors have been found to exploit a deserialization vulnerability, CVE-2019-18935, that permits remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.

What the experts are saying

  • The analysts at Red Canary explained, “Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address.”
  • Two wallet addresses have been identified.
  • It is suspected that Blue Mockingbird maybe experimenting with various tools to create SOCKS proxies for pivoting.

What else

  • Currently, the campaign is revealing unpatched versions of Telerik UI for ASP.NET. 
  • The vulnerability especially lies in RadAsyncUpload function.
  • Although the campaign is making marks, the toolkit is still a developing one.

What you can do

  • Patch web servers and apps.
  • Prevent threats by patching dependencies of apps to evade initial access.