The cybersecurity spectrum once again is making headlines with Monero, a cryptocurrency mining campaign, exploiting a known vulnerability in public-facing web apps built on ASP.NET open-source framework.
Analysts at Red Canary who detected this operation have named it Blue Mockingbird. In this campaign, cybercriminals are found manipulating a deserialization vulnerability, CVE-2019-18935, which allows code execution. This bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.
What experts say about the scam
- Red Canary analysts explain, “Each payload comes combined with a standard list of commonly used Monero-mining domains along with a Monero wallet address.”
- It is speculated that the Blue Mockingbird operation might be experimenting with several tools to create SOCKS proxies for pivoting.
- Two wallet addresses have been identified.
- At present, the campaign is exposing unpatched versions of Telerik UI for ASP.NET.
- It is essential to understand that the vulnerability lies in the RadAsyncUpload function.
- Even though the campaign is making a difference, the toolkit is still a developing one.
- Patch web servers and apps.
- Avoid threats by patching dependencies of apps to evade initial access.