Blue Mockingbird Monero
A new group of hackers has been targeting vulnerable enterprise systems and using them to mine the privacy coin Monero. The activity appears to stretch back to December, according to the analysis, and continued through April at least. In exploiting this vulnerability, two DLLs are uploaded to a web application running on a Windows IIS web server.

The earliest Blue Mockingbird tools we’ve observed were created in December 2019. “In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,” said the researchers. The vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. First, the export fackaaxv has been consistently present in the DLLs. In some cases, the actor even created a new service to perform the same actions as the COR_PROFILER payload. It’s worth noting that Blue Mockingbird’s initial access does not provide the privileges needed to establish the many persistence mechanisms used. In at least two incident response (IR) engagements, Blue Mockingbird has exploited public-facing web applications (T1190: Exploit Public-Facing Application) that implemented Telerik UI for ASP.NET AJAX. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success. This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.

In addition, more masquerading was used to make malicious Scheduled Tasks blend in with legitimate ones (T1053.005: Scheduled Task). Blue Mockingbird is the name we’ve given to a cluster of similar activity we’ve observed involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems.

Contact blog@redcanary.com with any observations or questions. From there, the infection propagates laterally through the network.

Consider establishing a baseline of Windows Scheduled Tasks in your environment to know what is normal across your enterprise.

These code 500 entries happened when the w3wp.exe process loaded the uploaded DLLs into memory and temporarily froze.

The malware executes a number of strategies to increase its reach and avoid removal. First, there were multiple references to “xmrig”, including version numbers, in the binary strings. They achieve initial access by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques (check out my colleague Jesse Brown’s new blog for details on Blue Mockingbird’s COR_PROFILER persistence mechanism). “Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” explained researchers at Red Canary, in a Thursday writeup. In one engagement, we observed the adversary using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\SYSTEM account. The group is believed to have been active since December 2019 and infected thousands of systems.

During this engagement, the attacker abused a DCOM class and leveraged the IIS Application Pool Identity’s SeImpersonate privilege to perform the escalation. In another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for logon (T1003.001: LSASS Memory).

Progress Telerik UI is a user-interface component suite for ASP.NET implementations. If you’ve been tracking similar activity, we’d love to hear from you and collaborate. In telemetry, investigators will notice w3wp.exe writing the DLLs to disk and then immediately loading them into memory afterward.

For a diagnostic to determine whether you are potentially affected by the Telerik CVE, you can search the IIS access logs for the string POST Telerik.Web.UI.WebResource.axd. XMRIG is a popular, open-source Monero-mining tool that adversaries can easily compile into custom tooling. “These tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom.” During at least one incident, the adversary used proxying software and experimented with different kinds of reverse shell payloads to connect to external systems. The campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity.

Security researchers from U.S. cybersecurity firm Red Canary have been monitoring the group, which they referred to as Blue Mockingbird. During execution of the miner DLLs, unique information is passed in cleartext across TCP streams. For mitigations, focus on patching web servers, web applications, and dependencies of the applications.


The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to distribute payloads to remote systems. In newer versions, the string is obfuscated. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, CVE-2019-18935, which can allow remote code execution.

“To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,” the writeup explained. JuicyPotato allows an attacker to abuse the SeImpersonate token privilege and Windows DCOM to move from an unprivileged account to the highest level of privilege on a system (T1068: Exploitation for Privilege Escalation). Next, each DLL also contains a PE binary section _RANDOMX. In some cases, this will cause w3wp.exe to temporarily freeze and fail to successfully serve HTTP responses.

The primary payload distributed by Blue Mockingbird is a version of XMRIG packaged as a DLL.

This export seems unique to this actor’s payloads and doesn’t seem to appear elsewhere in the wild. The next use was execution using regsvr32.exe with the /s command-line option (T1218.010: Regsvr32).

