Blue Mockingbird hackers cracked thousands of corporate systems

According to Red Canary analysts, recently has been discovered a new hack group, operating under a name Blue Mockingbird. It has been active since the end of 2019 and hackers from the Blue Mockingbird group have already hacked thousands of corporate systems.

Researchers write that Blue Mockingbird attacks Internet-accessible servers running ASP.NET applications that use vulnerable versions of the Telerik framework.

Against such servers hackers exploit the vulnerability CVE-2019-18935 and install web shells on them.

“Next, attackers use Juicy Potato to gain administrator privileges, change server settings and ensure a constant presence in the system. Ultimately, hackers install XMRRig miner on hacked machines to mine Monero (XMR) cryptocurrency”, — say Red Canary researchers.

Red Canary experts note that if publicly accessible IIS servers are connected to the company’s internal network, hackers will try to spread their attack to internal systems using weakly protected RDP and SMB.

Experts admit that currently they cannot make a complete picture of the activity of this botnet, but they believe that the Blue Mockingbird group has already infected at least 1000 systems. As this conclusion is based on the limited data that is available to analysts, the actual number of infections is likely to exceed this forecast.

“Like any information security company, we see only a limited area of the threat landscape, and we cannot know the exact scale of this threat. In particular, this threat has affected only a small percentage of organizations, whose endpoints we are tracking. However, we recorded about 1000 cases of infecting in these organizations during a short period of time”, — write in Red Canary.

The main danger of this malicious campaign is that the vulnerable UI Telerik can be part of ASP.NET applications that work with the latest and current software versions, but the Telerik component itself can be seriously “expired”, thereby putting the company at risk of attacks. Unfortunately, many companies and developers may not be aware that UI Telerik is present in their applications, which again puts them at risk.

Hacker groups may be very inventive, for example, Ragnar Locker ransomware even uses virtual machines to hide their actions.

Let me remind you that the U.S. National Security Agency recently warned about the danger of vulnerability in UI Telerik (CVE-2019-18935), calling it one of the most used problems for installing web shells. Also in May 2020, the Australian Cybersecurity Center included this vulnerability in the list of the most exploited bugs that were used to attack Australian organizations in 2019 and 2020.

Since companies often do not have the ability to update vulnerable applications, they are advised to protect themselves from attempts to operate CVE-2019-18935 at the firewall level.

Recall that recently, hacker groups attacked thousands of Israeli sites.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

Check Also

Web skimmers hide in metadata

Hackers hide web skimmers in image metadata

Malwarebytes experts discovered that MageCart hackers use a kind of steganography and hide web skimmers …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.