Posted on May 26, 2020 at 10:57 AM
Hackers are infiltrating enterprise systems by exploiting a dangerous and difficult-to-patch vulnerability. A recent report revealed that thousands of these enterprise systems have been breached and infected with cryptocurrency-mining malware.
The report indicated that a hacking group known as Blue Mockingbird is responsible for the attacks.
The campaign was discovered this month by Red Canary, a security company. However, the group is believed to have been active since December last year.
According to the researchers at the security firm, Blue Mockingbird infiltrated public-facing servers running ASP.NET applications that use the Telerik UI for ASP.NET AJAX component library for their user interface (UI).
The hacking group planted a web shell on servers
The group exploited CVE-2019-18935, a deserialization vulnerability in the Telerik UI component, to plant a web shell on the victim's server. From the web shell, they used the JuicyPotato privilege-escalation technique to gain administrator-level privileges, modified server settings, and established persistence so their tooling survived reboots.
With full control of the system, they downloaded and installed a version of XMRig, a well-known open-source mining program for the Monero cryptocurrency.
The Red Canary researchers said the group also tried to move laterally through the network over Server Message Block (SMB) or Remote Desktop Protocol (RDP). This is possible when the public-facing IIS servers are connected to the company's internal network.
The researchers acknowledged that they do not have full insight into the group's operations, but from their limited visibility they estimate the botnet has infected about 1,000 systems.
Number of infected companies could be higher
Red Canary said that, like any other security firm, it does not have complete information about the scale of the threat posed by Blue Mockingbird.
But the firm stated that the threat has affected some of the organizations whose endpoints it monitors.
“This threat has affected a very small percentage of the organizations whose endpoints we monitor,” a spokesperson for the security firm said.
Furthermore, the firm noted that the roughly 1,000 infections it has observed may be an undercount, given its limited visibility into the group's operations.
Many developers and companies may not be aware that the Telerik UI module is part of their application, which leaves them further exposed to attack. Attackers have used this vulnerability to compromise thousands of systems since its details became public.
The vulnerability is one of the most exploited in the USA and Australia
The US National Security Agency (NSA), in an advisory published last month, stressed the danger posed by the Telerik UI vulnerability CVE-2019-18935, listing it among the vulnerabilities most commonly exploited to install web shells on servers.
In a similar publication last week, the Australian Cyber Security Centre (ACSC) also named the Telerik vulnerability as one of the most commonly exploited vulnerabilities used against Australian organizations over the past year.
To prevent attackers from exploiting the vulnerability to infect servers, organizations have been warned to patch their vulnerable applications. Where patching is not immediately possible, they should block exploitation attempts at the firewall level, for example with a web application firewall.
Organizations that do not have a web application firewall should look for indications of compromise at both the server and workstation level.
Companies should scan their systems regularly
Red Canary recently released an advisory organizations can follow to protect their servers against this type of attack. It includes indicators of compromise that organizations can scan their systems and servers for, so they can quickly discover a Blue Mockingbird intrusion and patch immediately.
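As an added example (not the page's or Red Canary's own code, and not the indicators from its advisory), the following Python script shows the kind of server-level checks the recommendations above call for: a triage of IIS access logs for requests to the Telerik upload handler, and a check for command shells started by the IIS worker process, which is how commands issued through a planted web shell typically appear. It assumes the vulnerable RadAsyncUpload handler is reached at Telerik.Web.UI.WebResource.axd?type=rau, which the article does not state, and every log line and process event in it is constructed for the example.

```python
"""Server-side triage for the Blue Mockingbird intrusion chain described in the article.

Added example, not Red Canary's tooling.  Two checks for a public-facing IIS server:
  1. IIS W3C access log: POST requests to the Telerik UI for ASP.NET AJAX
     RadAsyncUpload handler.  Assumption not stated in the article: the handler
     is reached at Telerik.Web.UI.WebResource.axd?type=rau, which is where a
     CVE-2019-18935 payload would be submitted.  Legitimate uploads use the same
     path, so results are grouped per client for an analyst to review.
  2. Process-creation events: a command interpreter whose parent is the IIS
     worker process w3wp.exe, the usual footprint of a web shell running commands.
All log lines and events below are constructed for this example.
"""
from collections import defaultdict

TELERIK_HANDLER = "telerik.web.ui.webresource.axd"   # assumed handler file name
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed IIS W3C log: two scripted POSTs from one client, one browser POST
# from another, plus ordinary traffic.  Column names come from the #Fields header.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-05-20 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 31
2020-05-20 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.23 200 812
2020-05-20 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.23 200 904
2020-05-20 03:16:44 10.0.0.5 GET /img/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200 4
2020-05-20 03:20:15 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0 200 40
"""

# Constructed process-creation events (shape modelled on an EDR/Sysmon record).
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def parse_w3c(text):
    """Yield one dict per data line of an IIS W3C log, keyed by the #Fields header.
    Lines that do not match the header's column count are skipped, not guessed at."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def rau_post_summary(text):
    """Group POSTs to the RadAsyncUpload handler by client IP.  A non-browser
    User-Agent is a heuristic hint of scripted exploitation, not proof of it."""
    per_client = defaultdict(lambda: {"posts": 0, "agents": set()})
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST":
            continue
        if rec["cs-uri-stem"].rsplit("/", 1)[-1].lower() != TELERIK_HANDLER:
            continue
        if "type=rau" not in rec["cs-uri-query"].lower():
            continue
        entry = per_client[rec["c-ip"]]
        entry["posts"] += 1
        entry["agents"].add(rec["cs(User-Agent)"])
    return [
        {"client": ip, "posts": e["posts"], "agents": sorted(e["agents"]),
         "non_browser_agent": any(not ua.startswith("Mozilla/") for ua in e["agents"])}
        for ip, e in sorted(per_client.items())
    ]


def shells_spawned_by_iis(events):
    """Return events where w3wp.exe started a command interpreter."""
    hits = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SHELLS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for finding in rau_post_summary(SAMPLE_IIS_LOG):
        print("RAU POSTs:", finding)
    for hit in shells_spawned_by_iis(SAMPLE_PROCESS_EVENTS):
        print("Shell under IIS worker:", hit["cmdline"])
```

On a real server, replace the constructed strings with the contents of the IIS log directory and an export of process-creation events; the two checks are independent, so a hit in either is worth a look, and both together (scripted POSTs to the handler followed by shells under w3wp.exe) match the chain the article describes.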
Red Canary reiterated that its priority is to help individuals and organizations stay safe against the various attack vectors in use, even while vulnerabilities remain unpatched. The advisory is intended to help security teams build detection strategies for the techniques that may be used against them.
It is therefore vital for security teams to continually evaluate their exposure to such attacks, and their ability to detect related ones that exploit vulnerabilities, the firm said.