silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,057
A novel threat that delivers cryptocurrency-mining payloads has been detected by researchers at a US cybersecurity firm.
Red Canary Intel is monitoring a fresh threat which they have dubbed Blue Mockingbird after seeing it carry out opportunistic attacks at multiple organizations.
The name refers to a cluster of similar activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems.
“If you have public-facing web servers you should be concerned about this," said Tony Lambert, intelligence analyst with the Red Canary Cyber Incident Response team.
"The activity observed was not targeted and could occur on any Windows IIS server running a Telerik-supported web app that remains vulnerable to CVE-2019-18935."
Because of how Telerik is integrated, victims of Blue Mockingbird may not realize they have been attacked.
Lambert said: "Some of the organizations affected by this CVE don’t know they’re vulnerable because Telerik is commonly and inconspicuously built into other web applications, so the best route is to simply check web access logs of IIS web servers for mentions of Telerik.
Red Canary researchers noted that the threat actors achieve initial access "by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques".