Threat Watch

Blue Mockingbird Malware Infects Thousands of Servers

The cloud security firm Red Canary recently reported a cluster of malware threat activity tracked as Blue Mockingbird that is thought to have been active since December 2019. In that time, Red Canary reports that at least 1,000 servers have been infected with this malware, which consists of a web shell used to gain access to a network along with XMRig, used to mine the Monero cryptocurrency on infected servers. The exploit used by this group to gain a foothold on the systems is none other than the infamous Telerik UI vulnerability (CVE-2019-18935), which has been listed by the US National Security Agency (NSA) and the Australian Cyber Security Centre (ACSC) as one of the most exploited vulnerabilities recently used to plant web shells on servers.

ANALYST NOTES

Because the vulnerable Telerik UI component may still be present in current ASP.NET applications, even ones running on their latest versions, companies are recommended to block all CVE-2019-18935 attempts at the firewall level. If that is not an option, Red Canary has released a list of IOCs to look out for on servers in the event of compromise:
https://redcanary.com/blog/blue-mockingbird-cryptominer/
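For teams that cannot block at the firewall, a quick triage of IIS access logs is a practical first check. The following is an added example, not code from Red Canary or from the bulletin: it parses W3C-format IIS log lines and flags requests to the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the endpoint affected by CVE-2019-18935), counting hits per client IP. The log lines are constructed sample data, and the field layout is assumed to follow the `#Fields:` header IIS writes by default.

```python
"""Triage IIS W3C logs for requests to the Telerik RadAsyncUpload handler.

Added example (not part of the Red Canary report). The handler path below is
the RadAsyncUpload endpoint affected by CVE-2019-18935; the log lines are
constructed for this example and are not real indicators from the bulletin.
"""
from collections import Counter

# Constructed sample IIS log excerpt. Spaces inside fields are '+'-encoded by
# IIS, so a simple whitespace split per line is safe here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-05-20 10:01:02 10.0.0.5 GET /Default.aspx - 203.0.113.10 Mozilla/5.0 200
2020-05-20 10:01:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.10 python-requests/2.23 200
2020-05-20 10:01:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.10 python-requests/2.23 200
2020-05-20 10:02:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 Mozilla/5.0 404
2020-05-20 10:03:15 10.0.0.5 GET /images/logo.png - 203.0.113.10 Mozilla/5.0 200
"""

# Handler name compared case-insensitively: IIS paths are not case-sensitive.
RAU_HANDLER = "telerik.web.ui.webresource.axd"


def parse_iis(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, parts))


def is_rau_request(record):
    """True if the request targets the RadAsyncUpload handler (type=rau)."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "").lower()
    return stem.endswith(RAU_HANDLER) and "type=rau" in query


def find_rau_requests(text):
    """Return every record hitting the RadAsyncUpload handler."""
    return [r for r in parse_iis(text) if is_rau_request(r)]


def rau_hits_per_client(text):
    """Count handler hits per client IP; a burst from one source is a triage lead."""
    return Counter(r["c-ip"] for r in find_rau_requests(text))


if __name__ == "__main__":
    for ip, n in rau_hits_per_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} RadAsyncUpload request(s)")
```

Hits on this handler are a lead, not a verdict: applications that legitimately use RadAsyncUpload will generate the same requests from normal users, so the output should be correlated with the Red Canary IOCs above (new files under the web root, unexpected child processes of the IIS worker, XMRig activity) before concluding a server is compromised.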

https://www.zdnet.com/article/thousands-of-enterprise-systems-infected-by-new-blue-mockingbird-malware-gang/