A Monero cryptocurrency-mining campaign is once again making cybersecurity headlines by exploiting a known vulnerability in public-facing web apps built on the open-source ASP.NET framework.

The details

Analysts at Red Canary, who detected this operation, have named it Blue Mockingbird. In this campaign, the attackers exploit a deserialization vulnerability, CVE-2019-18935, that allows code execution. The bug lies in Progress Telerik UI for ASP.NET AJAX, a front-end component library.

What experts say about the campaign

  • Red Canary analysts explain, “Each payload comes combined with a standard list of commonly used Monero-mining domains along with a Monero wallet address.”
  • Blue Mockingbird is also believed to be experimenting with several tools for creating SOCKS proxies, which would let the operators pivot inside a compromised network.
  • Two wallet addresses have been identified.

More information

  • At present, the campaign is targeting unpatched versions of Telerik UI for ASP.NET.
  • The vulnerability lies in the RadAsyncUpload file-upload component.
  • Although the campaign is already effective, its toolkit is still under development.

The remedy

  • Patch web servers and apps.
  • Patch application dependencies, such as Telerik UI, so that attackers are denied their initial access.
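Because the vulnerable code lives in a third-party dependency (the RadAsyncUpload component of Telerik UI) rather than in the application itself, the practical first step of the remedy is finding every site that still ships an old Telerik.Web.UI.dll. The following Python script is an added example, not code from Red Canary or the article: it reads a constructed per-site inventory (the kind an administrator would export from IIS with the file version of each Telerik.Web.UI.dll) and buckets sites as patched, unpatched, lacking Telerik, or needing manual review. The site names, paths and version strings are made up for the demo, and ASSUMED_FIX_CUTOFF is a placeholder; the real first-fixed build must be taken from the Telerik advisory for CVE-2019-18935.

```python
"""Triage an inventory of Telerik UI for ASP.NET AJAX installs (added example).

Flags any Telerik.Web.UI.dll older than a configured fix cutoff so the
"patch your dependencies" remedy can be driven from an actual list of sites.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export (not from the article): one row per IIS site with
# the file version of Telerik.Web.UI.dll under the site's bin folder.
# "-" marks a site where no Telerik DLL was found.
SAMPLE_INVENTORY_CSV = """site,path,version
intranet,C:\\inetpub\\intranet\\bin\\Telerik.Web.UI.dll,2019.3.1023.45
portal,C:\\inetpub\\portal\\bin\\Telerik.Web.UI.dll,2020.1.0.0
legacy-crm,C:\\inetpub\\crm\\bin\\Telerik.Web.UI.dll,2016.2.504.45
static-site,-,-
broken,C:\\inetpub\\broken\\bin\\Telerik.Web.UI.dll,not-a-version
"""

# PLACEHOLDER for this demo only: Telerik builds are numbered YYYY.R.BUILD, and
# the first build that fixes CVE-2019-18935 must come from the vendor advisory.
ASSUMED_FIX_CUTOFF = "2020.1.0"

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """Turn '2019.3.1023' or '2019.3.1023.45' into a comparable int tuple.

    Returns None when the string is not a dotted numeric version, so callers
    can route it to manual review instead of silently treating it as safe.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_unpatched(version: str, cutoff: str = ASSUMED_FIX_CUTOFF) -> bool:
    """True when the installed build is older than the cutoff (still vulnerable)."""
    v = parse_version(version)
    c = parse_version(cutoff)
    if v is None or c is None:
        raise ValueError(f"unparseable version: {version!r} / {cutoff!r}")
    # Compare only year.release.build; a fourth component on file versions is
    # not part of the product build number and must not affect the verdict.
    return v[:3] < c[:3]


def triage_inventory(csv_text: str,
                     cutoff: str = ASSUMED_FIX_CUTOFF) -> Dict[str, List[str]]:
    """Bucket sites into 'unpatched', 'patched', 'no_telerik' and 'unknown'."""
    buckets: Dict[str, List[str]] = {
        "unpatched": [], "patched": [], "no_telerik": [], "unknown": []
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        site, version = row["site"], row["version"]
        if version == "-":
            buckets["no_telerik"].append(site)
            continue
        try:
            bucket = "unpatched" if is_unpatched(version, cutoff) else "patched"
        except ValueError:
            bucket = "unknown"  # needs a human look, never a silent pass
        buckets[bucket].append(site)
    return buckets


if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY_CSV)
    for name, sites in result.items():
        print(f"{name:>11}: {', '.join(sites) or '(none)'}")
```

The script deliberately refuses to classify an unparseable version as patched: an inventory error should surface as work for a human, not disappear into the "safe" column. Sites with no Telerik DLL at all are reported separately so that an asset that simply was not scanned is not confused with one that has been fixed.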