Enterprise networks are under attack by a criminal group tracked under the code name Blue Mockingbird. The campaign has only just been detected, but it has been active since at least December 2019. The attackers are exploiting a vulnerability in ASP.NET servers that use the Telerik UI component library.
Blue Mockingbird Hackers Take Advantage of The CVE-2019-18935 Exploit To Break Into Enterprise Networks
Enterprise networks are being targeted by a dangerous hacking group known as Blue Mockingbird. The attack campaign they orchestrate has been active since December last year and was only discovered now, which shows how carefully they have evaded security controls. Their approach relies on exploiting a vulnerability in servers running ASP.NET applications, typically public-facing web services or internal company applications. If these are not updated regularly, weaknesses in the components they depend on remain exposed. According to the published research, the weak spot is in Telerik UI for ASP.NET AJAX, a widely used library of web user-interface components.
In this campaign the Blue Mockingbird hackers gain access to company networks through the vulnerability tracked as CVE-2019-18935. The flaw is a .NET deserialization bug in the RadAsyncUpload file-upload handler of Telerik UI for ASP.NET AJAX: an attacker who can reach the handler and knows the application's Telerik encryption keys (often left at well-known default values) can upload a malicious .NET assembly and then trigger its deserialization, which results in remote code execution on the web server. The group then plants a web shell on the compromised server. Because the IIS worker process normally holds the SeImpersonatePrivilege, they use the Juicy Potato technique to escalate from the web application's service account to SYSTEM, after which they can change any setting on the host. Possible malicious actions include the following:
- System Configuration Changes — With SYSTEM privileges the intruders can modify important files, Windows Registry values and service settings, which can cause performance degradation, data loss and errors in applications and services.
- Network Propagation — The hackers can spread malware through network shares, removable media and other reachable hosts on the network.
- Botnet Recruitment — Compromised computers can be enrolled in a worldwide botnet that is rented out or used directly for criminal purposes.
- Malware Infections — The web servers and other compromised hosts can be infected with further malware, including cryptocurrency miners, Trojans and ransomware.
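As an added example, not part of the original article or of any vendor's tooling, the following Python script shows one check a defender would run after reading the above: it parses IIS W3C log lines for POST requests to the Telerik RadAsyncUpload handler, which is reached through Telerik.Web.UI.WebResource.axd with the query parameter type=rau, counts them per client address, and compares an installed Telerik UI for ASP.NET AJAX version against the range given in the NVD description of CVE-2019-18935 (versions through 2019.3.1023). The log excerpt is constructed for the example; the field layout, the helper names and the IP addresses are assumptions.

```python
"""Added example: spot CVE-2019-18935 exploitation attempts in IIS logs and
check a Telerik UI for ASP.NET AJAX version against the affected range.

The log excerpt below is constructed for this example; it is not from a real
incident. The IIS W3C field layout is an assumed (default-style) one.
"""
from collections import Counter
from urllib.parse import parse_qs

# Handler path and query value used by RadAsyncUpload. Legitimate uploads are
# POSTs to this handler, and the exploit's DLL upload goes through it as well.
RAU_HANDLER = "telerik.web.ui.webresource.axd"
RAU_TYPE = "rau"

# NVD describes CVE-2019-18935 as affecting Telerik UI for ASP.NET AJAX
# "through 2019.3.1023"; the comparison below uses that as the cutoff.
LAST_AFFECTED_VERSION = (2019, 3, 1023)

# Constructed sample log (IIS W3C extended format). Addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-05-20 10:01:02 10.0.0.5 GET /Default.aspx - 203.0.113.7 200
2020-05-20 10:01:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 200
2020-05-20 10:01:06 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 200
2020-05-20 10:01:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 200
2020-05-20 10:02:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.9 500
2020-05-20 10:03:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=x 192.168.1.20 200
"""


def parse_iis_log(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name.

    The '#Fields:' directive names the columns; every other '#' line is a
    comment. In W3C format IIS replaces spaces inside a value with '+', so a
    plain whitespace split is safe.
    """
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def is_rau_post(record):
    """True for a POST to the RadAsyncUpload handler (query type=rau)."""
    if record.get("cs-method", "").upper() != "POST":
        return False
    if not record.get("cs-uri-stem", "").lower().endswith(RAU_HANDLER):
        return False
    query = parse_qs(record.get("cs-uri-query", ""))
    return query.get("type", [""])[0].lower() == RAU_TYPE


def find_rau_posts(records):
    """Return the records that are POSTs to the RadAsyncUpload handler."""
    return [r for r in records if is_rau_post(r)]


def posts_per_client(hits):
    """Count handler POSTs per client IP; unexpected sources or bursts are
    what distinguish an exploit attempt from a legitimate upload control."""
    return dict(Counter(r["c-ip"] for r in hits))


def is_affected_telerik_version(version):
    """Compare a 'YYYY.R.BBBB' Telerik version string with the NVD cutoff."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts <= LAST_AFFECTED_VERSION


if __name__ == "__main__":
    hits = find_rau_posts(parse_iis_log(SAMPLE_LOG))
    for r in hits:
        print(f"{r['date']} {r['time']} {r['c-ip']} -> "
              f"{r['cs-uri-stem']}?{r['cs-uri-query']} ({r['sc-status']})")
    print("POSTs per client:", posts_per_client(hits))
    for v in ("2019.3.1023", "2020.1.114"):
        print(v, "affected" if is_affected_telerik_version(v) else "not affected")
```

The handler also serves the application's own upload controls, so a hit is a triage lead rather than proof of compromise: correlate the client addresses and timing with the pages that legitimately use RadAsyncUpload, look for unexpected DLL files in the upload temporary folder (by default ~/App_Data/RadUploadTemp), and, because the Juicy Potato step described above depends on it, run whoami /priv as the application pool identity to see whether SeImpersonatePrivilege is held.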
An analysis of the targeted networks shows that only a small percentage of the monitored organizations have actually been compromised. Details of the campaign, however, show that the individual intrusions are carried out in short bursts, with the next one planned and executed soon after the previous one ends.