CVE-2019-18935: Blue Mockingbird Hackers Attack Enterprise Networks

Enterprise company networks are under attack by a criminal collective tracked under the code name Blue Mockingbird. The campaign has only just been detected, but it has been active since at least December 2019. The hackers are exploiting a weakness in servers running ASP.NET applications built with the Telerik framework.




Blue Mockingbird Hackers Take Advantage of The CVE-2019-18935 Exploit To Break Into Enterprise Networks

Enterprise company networks are being targeted by a dangerous hacking group known as Blue Mockingbird. The attack campaign they orchestrate has been active since December last year and was discovered only now, which shows that they have used a complex approach to subverting security systems. Their approach relies on exploiting a vulnerability found in servers running on the ASP.NET technology. These are usually online web services or internal company programs, and if they are not regularly updated, weaknesses in the services they support can arise. According to the research conducted, the weak spot was identified in software created with the Telerik framework, a popular tool used to build graphical user interfaces.


In this particular case the Blue Mockingbird hackers have focused on gaining access to company networks through the security weakness documented in the CVE-2019-18935 advisory. The actual flaw sits in one of the functions that is invoked while the affected applications are running. When criminals target this weakness, the resulting code leads to remote code execution. The hacking group then implants shell access on the servers. Using a technique known as Juicy Potato they gain administrative privileges and are able to change important settings on the systems. Possible malicious actions that can be run include the following:

  • System Configuration Changes — The settings that can be modified may include important files, Windows Registry values and preferences. This can lead to performance issues, data loss and errors when using applications and services.
  • Network Propagation — The hackers can spread various malware through connected network shares, removable devices and other connected computers.
  • Botnet Recruitment — The contaminated computers can be recruited to a worldwide botnet network which can be used for criminal purposes.
  • Malware Infections — The web servers and other contaminated computers and devices can be infected with different types of viruses. This can include cryptocurrency miners, Trojans and ransomware.
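The chain described above (exploitation of the Telerik component, a web shell on the IIS server, then Juicy Potato for privilege escalation) leaves two traces a defender can hunt for: POST requests to the Telerik RadAsyncUpload handler, the component affected by CVE-2019-18935, and child processes spawned by the IIS worker process w3wp.exe. The script below is an added example, not code from the article or from the researchers who reported the campaign. The handler path and the type=rau query parameter come from Telerik's RadAsyncUpload component rather than from the article; the log lines and process events are constructed, and the allowlist of benign w3wp.exe children is an assumption to be tuned per environment.

```python
# Added example (not from the article): hunting for the Blue Mockingbird
# attack chain on the defender's side. It correlates two constructed data
# sources: IIS W3C web logs (POSTs to the Telerik RadAsyncUpload handler,
# the component behind CVE-2019-18935) and process-creation events in which
# the IIS worker process w3wp.exe spawns a child, which is how a web shell
# or a Juicy Potato launcher typically shows up.

# Constructed IIS W3C log excerpt (not real traffic).
IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2019-12-14 09:12:01 GET /Default.aspx - 200
2019-12-14 09:12:07 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2019-12-14 09:12:08 POST /Telerik.Web.UI.WebResource.axd type=rau 500
2019-12-14 09:13:10 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 200
"""

# Constructed process-creation events in a Sysmon-like shape:
# parent image | child image | child command line.
PROC_EVENTS = r"""
C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -enc QQBB
C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /noconfig
"""

TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"

# Children that ASP.NET itself starts under w3wp.exe (dynamic compilation).
# Assumption: tune this allowlist to what your own sites legitimately spawn.
BENIGN_W3WP_CHILDREN = {"csc.exe", "cvtres.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_w3c(text):
    """Yield one dict per record, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, values))


def flag_rau_uploads(text):
    """Return (timestamp, status) for POSTs to the RadAsyncUpload handler.

    Legitimate uploads use the same handler, so this is a hunting lead, not
    proof of exploitation; the request body is not in the log.
    """
    hits = []
    for rec in parse_w3c(text):
        if (rec["cs-method"] == "POST"
                and rec["cs-uri-stem"].lower() == TELERIK_HANDLER
                and "type=rau" in rec["cs-uri-query"].lower()):
            hits.append((f"{rec['date']} {rec['time']}", int(rec["sc-status"])))
    return hits


def flag_w3wp_children(text):
    """Return (child, cmdline, severity) for non-allowlisted children of w3wp.exe."""
    hits = []
    for line in text.splitlines():
        if not line:
            continue
        parent, child, cmdline = line.split("|", 2)
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        child_name = child.rsplit("\\", 1)[-1].lower()
        if parent_name != "w3wp.exe" or child_name in BENIGN_W3WP_CHILDREN:
            continue
        severity = "high" if child_name in SHELLS else "medium"
        hits.append((child_name, cmdline, severity))
    return hits


def correlate(log_text, events_text):
    """Combine both signals: handler POSTs plus a shell under w3wp.exe escalates."""
    rau = flag_rau_uploads(log_text)
    children = flag_w3wp_children(events_text)
    return {
        "rau_posts": len(rau),
        "suspicious_children": len(children),
        "escalate": bool(rau) and any(sev == "high" for _, _, sev in children),
    }


if __name__ == "__main__":
    for hit in flag_rau_uploads(IIS_LOG):
        print("RadAsyncUpload POST:", hit)
    for hit in flag_w3wp_children(PROC_EVENTS):
        print("w3wp.exe child:", hit)
    print(correlate(IIS_LOG, PROC_EVENTS))
```

Neither signal is conclusive on its own: file uploads hit the same handler, and an allowlisted compiler child is normal for ASP.NET, so the correlation in `correlate()` is what turns two weak leads into something worth escalating. Patching Telerik UI to a version that closes CVE-2019-18935 removes the initial foothold regardless of what the logs show.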

An analysis of the targeted networks reveals that only a small percentage of the organizations have actually been affected. However, details about the attack campaign reveal that each individual campaign is run for a short period of time before the next one is planned and executed.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
