Blog

Cybersecurity

Rising malware infections as new Blue Mockingbird malware hits

Blue Mockingbird, a cryptocurrency-mining malware campaign, has infected thousands of systems and is still spreading. It was discovered by analysts at the security firm Red Canary. Blue Mockingbird became prominent in May 2020, but the analysts believe its activity started in December 2019. Its targets are servers running ASP.NET applications that include the Telerik UI for ASP.NET AJAX component. The attackers exploit CVE-2019-18935, a deserialization vulnerability in that component, to plant a web shell on the web server. From there they gain administrator-level access, modify server settings and set up persistence that survives a reboot. Once they have a foothold on a vulnerable system they download and install XMRig, a widely used open-source cryptocurrency miner, and run it in the background.
Some Blue Mockingbird attacks target internal network servers
The Red Canary analysts also say that the attackers use compromised public-facing IIS servers as a foothold to move into a company's internal network. Weakly secured SMB (Server Message Block) and RDP (Remote Desktop Protocol) connections let the infection spread across those internal networks. Red Canary's report notes that, because the campaign is still recent, the analysts do not yet have a complete picture of the group's activity. They have so far observed roughly 1,000 infected systems across victim organizations, accumulated within a short time. These figures may change, since the number of affected companies could be higher and the infections keep spreading by the day.
Telerik negligence
Users of ASP.NET applications that include the Telerik UI component have extra reason to worry, because the versions many of them run are obsolete and the fix for CVE-2019-18935 only exists in newer releases. Some customers are not even aware that the component is part of their applications. Outdated copies of the component, combined with customers who do not know they have it, give attackers the upper hand when exploiting ASP.NET applications. The United States National Security Agency named Telerik UI, a product of Progress Software, among the most commonly exploited web-facing software in its late-April advisory on web shell malware. The Australian Cyber Security Centre also mentioned Telerik UI in its April advisory, stating that most of the attacks it had seen launched against Australian targets were made possible by this vulnerability.
As long as this problem persists, ASP.NET customers, especially those whose applications are built on the Telerik UI component, need to act against exploitation themselves. They should keep their applications and the component upgraded to current releases and use a firewall to block malicious traffic to their servers. Companies operating without a firewall can at least hunt for signs of compromise on their workstations and servers. Red Canary's experts, in their monthly report, have described one way to mitigate the problem.
“Blue Mockingbird malware is smart in technique and can easily bypass most whitelisted technologies. To counter this, companies with vulnerable servers are advised to inhibit the malware’s initial access.”
Also, create a baseline of Windows scheduled tasks so that the normal flow of activity on your systems is known and any task that is added or altered afterwards stands out.
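As an added example of the baseline approach (not code from Red Canary or the original post), the Python script below compares a current snapshot of scheduled tasks with a saved baseline and flags added, removed and changed tasks, then applies a few triage heuristics to the results. Both snapshots are constructed for the example in the CSV shape that `schtasks /query /fo CSV /v` writes, reduced to a handful of its columns; the host name, task names and commands in them are invented, and the heuristics are the example's own, not a published detection rule.

```python
"""Diff a snapshot of Windows scheduled tasks against a saved baseline and
flag what changed. Snapshots are in the CSV shape written by
`schtasks /query /fo CSV /v`, reduced to a subset of its columns."""
import csv
import io

# Fields whose change on an already-known task is worth a look.
WATCH_FIELDS = ("Task To Run", "Run As User", "Author")

# Constructed snapshots (not from a real host). Keeping only these columns is
# an assumption of the example; real verbose output has many more and repeats
# the header line once per task folder, which load_tasks() handles.
BASELINE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WEB01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WEB01","\Backup\NightlySiteBackup","CORP\svc_backup","C:\Scripts\backup.cmd","CORP\svc_backup","Daily"
'''

CURRENT_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WEB01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WEB01","\Backup\NightlySiteBackup","CORP\svc_backup","C:\Scripts\backup.cmd","SYSTEM","Daily"
"WEB01","\Windows Update Check","WEB01\Administrator","rundll32.exe C:\ProgramData\updater.dll,Start","SYSTEM","At system start up"
'''


def load_tasks(text):
    """Map TaskName -> row. Verbose schtasks output repeats the header line
    for every task folder, so rows that are just the header are dropped."""
    tasks = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["TaskName"] == "TaskName":
            continue
        tasks[row["TaskName"]] = row
    return tasks


def diff_tasks(baseline, current):
    """Return (added, removed, changed) task names, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        name for name in set(baseline) & set(current)
        if any(baseline[name][f] != current[name][f] for f in WATCH_FIELDS)
    )
    return added, removed, changed


def risk_notes(task):
    """Cheap heuristics for triaging a new or changed task (example's own)."""
    notes = []
    cmd = task["Task To Run"].lower()
    if any(p in cmd for p in ("\\temp\\", "\\programdata\\", "\\appdata\\", "\\users\\")):
        notes.append("command runs from a user-writable or temp location")
    if task["Run As User"].upper() == "SYSTEM" and not task["Author"].startswith("Microsoft"):
        notes.append("runs as SYSTEM but was not authored by Microsoft")
    if "rundll32" in cmd or "regsvr32" in cmd:
        notes.append("loads a DLL through a living-off-the-land binary")
    return notes


if __name__ == "__main__":
    base, cur = load_tasks(BASELINE_CSV), load_tasks(CURRENT_CSV)
    added, removed, changed = diff_tasks(base, cur)
    for name in added:
        print("ADDED  ", name, risk_notes(cur[name]))
    for name in removed:
        print("REMOVED", name)
    for name in changed:
        print("CHANGED", name, risk_notes(cur[name]))
```

In practice the baseline is captured once on a known-clean host with `schtasks /query /fo CSV /v > baseline.csv`, stored off the host, and the same command is re-run on a schedule to produce the current snapshot; the diff is what gets reviewed, so the reviewer only reads tasks that are new or different rather than the whole list.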