Thousands of enterprise systems have been found infected by cryptocurrency-mining malware operated by a group tracked as Blue Mockingbird.
The malware was discovered by security analysts from cloud security firm Red Canary a month ago and is believed to be active since December 2019.
Cryptocurrency-mining malware is typically very stealthy: it hides on systems, servers, supercomputers and other electronic devices and consumes their resources to mine cryptocurrency such as Bitcoin or Monero for the cybercriminals controlling it.
Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component.
Researchers said the attackers exploited CVE-2019-18935 to plant a web shell on the server, then used the Juicy Potato technique to gain administrative privileges and modified services to maintain persistent access.
After gaining full control of the system, the attackers install XMRig, a cryptocurrency miner, to mine Monero.
Attack on Internal Network
According to the researchers, if the public-facing IIS servers are connected to the company's internal network, the group tries to spread across it via weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block).
The number of infected organizations observed so far is small relative to the attack's reach: around 1,000 were infected in a very short time, and the true number of affected companies may be much higher.
Telerik UI Vulnerability
The Telerik UI flaw, CVE-2019-18935, is exploitable when the encryption keys are known, whether through CVE-2017-11317, CVE-2017-11357 or other means. Successful exploitation leads to remote code execution on the affected server.
The Telerik UI vulnerability CVE-2019-18935 is also listed among the most commonly exploited vulnerabilities in Australian organizations.
Red Canary has also released a report that companies can use to determine whether their systems are infected by Blue Mockingbird and to scan for signs of an attack.
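One place to start such a scan is the IIS access log: exploitation of CVE-2019-18935 goes through Telerik's RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd with type=rau), a known fact about the bug that the article does not spell out. The following is an added example, not code from Red Canary or from the article; it parses W3C-format IIS log lines (constructed sample data) and flags clients that repeatedly POST to that handler.

```python
import re
from collections import Counter

# Constructed sample IIS W3C log (not real data). The #Fields header names the columns.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-05-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 200
2020-05-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 200
2020-05-01 10:00:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 500
2020-05-01 10:00:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 200
2020-05-01 10:01:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 192.0.2.10 200
"""

# Handler name used by Telerik UI for ASP.NET AJAX; matched case-insensitively.
RAU_HANDLER = "telerik.web.ui.webresource.axd"


def parse_iis(text):
    """Yield one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_rau_posts(text, threshold=2):
    """Return {client_ip: count} for clients that POSTed to the RadAsyncUpload
    handler at least `threshold` times. GETs to the handler are normal resource
    loads and are ignored; only upload-style POSTs with type=rau are counted."""
    counts = Counter()
    for rec in parse_iis(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if (rec.get("cs-method") == "POST"
                and stem.endswith(RAU_HANDLER)
                and re.search(r"(^|&)type=rau(&|$)", query)):
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_rau_posts(SAMPLE_LOG))  # {'198.51.100.23': 3}
```

Applications that genuinely use RadAsyncUpload also POST to this handler, so treat a hit as a triage lead to compare against the application's normal upload traffic, and correlate it with new w3wp.exe child processes or unexpected services on the host.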