
Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird.

Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019.

Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component.

Hackers exploit the CVE-2019-18935 vulnerability[1] to plant a web shell on the attacked server. They then use a version of the Juicy Potato technique[2] to gain admin-level access and modify server settings to obtain (re)boot persistence.

Once they gain full access to a system, they download and install a version of XMRig, a popular cryptocurrency-mining app for the Monero (XMR) cryptocurrency.

Some attacks pivot to internal networks

Red Canary experts say that if the public-facing IIS servers are connected to a company's internal network, the group also attempts to spread internally via weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.

In an email interview earlier this month, Red Canary told ZDNet that they don't have a full view of this botnet's operations, but they believe the botnet has made at least 1,000 infections so far, based on the limited visibility they had.

"Like any security company, we have limited visibility into the threat landscape and no way of accurately knowing the full scope of this threat," a Red Canary spokesperson told us.

"This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organizations, and over a short amount of time."

However, Red Canary says the number of companies impacted could be much

Read more from our friends at ZDNet