Thursday, March 28, 2024

Blue Mockingbird Hacker Group Attacks Windows Machines at Multiple Organizations to Deploy Cryptocurrency-Mining Malware

Security researchers from Red Canary discovered a potential hacker group, Blue Mockingbird, deploying Monero cryptocurrency-mining payloads on Internet-facing Windows machines at multiple organizations.

The group has been active since December 2019 and uses several techniques to bypass security technologies.

Blue Mockingbird Campaign

To gain initial access, the attackers exploit public-facing web applications, specifically those using Telerik UI for ASP.NET AJAX.

Telerik UI is a suite of user interface components used in web development; version 2019.3.1023 is affected by a deserialization vulnerability (CVE-2019-18935).

Blue Mockingbird exploits this vulnerability to gain initial access to the system and then uses the JuicyPotato technique to escalate privileges.

Once they gain full access to the system, they deploy a popular version of the Monero-mining tool XMRig packaged as a DLL.

To maintain persistence, the hacker group uses a novel “COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders.”

With the COR_PROFILER method configured, every process that loads the Microsoft .NET Common Language Runtime would execute the malicious DLL, re-establishing persistence.

“In some cases, the actor even created a new service to perform the same actions as the COR_PROFILER payload,” reads the Red Canary blog post.
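A defender-side check for the persistence mechanism described above, added here as an example and not taken from the article or from Red Canary's report: it reads the documented CLR profiler settings (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH) from the machine and user environment keys in the registry and resolves any COM-registered profiler CLSID to the DLL that every .NET process on the host would load. The "Suspicious" flag is a review heuristic of my own, not something the report defines.

```powershell
# Added example, not from the article or the Red Canary report: hunt for
# COR_PROFILER persistence by reading the CLR profiler environment variables
# from the registry and resolving a COM-registered profiler CLSID to its DLL.
# The variable and key names are the documented CLR profiling settings; the
# "Suspicious" flag is a review heuristic, not a verdict.

$envKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',  # machine-wide
    'HKCU:\Environment'                                                    # current user
)

function Resolve-ProfilerClsid {
    param([string]$Clsid)
    # A COM-registered profiler points CLSID\{guid}\InprocServer32 at its DLL.
    # HKCU is checked first because COM resolves per-user classes before
    # machine-wide ones, which is what a COM hijack relies on.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            return [pscustomobject]@{ Hive = $hive; Key = $key; Dll = $dll }
        }
    }
    return $null
}

$findings = foreach ($key in $envKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Only relevant when profiling is switched on for every CLR process.
    if ($props.COR_ENABLE_PROFILING -ne '1') { continue }
    $clsid = $props.COR_PROFILER
    $path  = $props.COR_PROFILER_PATH   # direct DLL path that skips the COM lookup
    $com   = if ($clsid) { Resolve-ProfilerClsid -Clsid $clsid } else { $null }
    # Heuristic: a profiler registered only per-user, or a DLL outside the
    # usual program directories, deserves a closer look.
    $odd = ($com -and $com.Hive -eq 'HKCU') -or
           ($path -and $path -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
    [pscustomobject]@{
        Scope        = $key
        COR_PROFILER = $clsid
        ProfilerPath = $path
        ComDll       = if ($com) { $com.Dll } else { $null }
        Suspicious   = [bool]$odd
    }
}

if ($findings) { $findings | Format-List } else { 'No CLR profiler configured in the machine or user environment.' }
```

Run it in an elevated session so the HKLM key is readable; it does not cover profiler variables set only in a single service's or process's environment, so pair it with service-creation monitoring as the article's next paragraph suggests.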

Using the JuicyPotato exploit, the hacker group escalates privileges from an IIS Application Pool Identity virtual account to the NT Authority\SYSTEM account.

Blue Mockingbird uses these techniques to move laterally and distribute mining payloads across the enterprise.

Once privileges are escalated to NT Authority\SYSTEM, the attackers use RDP to deploy the payload on remote systems; in some cases, tasks were created remotely.

To mitigate the attacks, it is recommended to patch web servers, web applications, and application dependencies. Red Canary has published a detailed report with indicators of compromise.

Guru baran, https://gbhackers.com

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.