May 26, 2020
Severity
High
Analysis Summary
Thousands of enterprise systems are believed to have been infected with cryptocurrency-mining malware operated by a group tracked under the codename Blue Mockingbird. Discovered earlier this month by malware analysts from cloud security firm Red Canary, the group is believed to have been active since December 2019. Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET applications that use the Telerik UI framework for their user interface (UI) components. The attackers exploit CVE-2019-18935 to plant a web shell on the server, which runs with the privileges of the IIS worker process (w3wp.exe). They then use a variant of the Juicy Potato technique to escalate from that service account to SYSTEM-level privileges, and modify the server's configuration so that the miner is started again after a reboot.
CVE-2019-18935
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. It is exploitable when the RadAsyncUpload encryption keys are known, for example through CVE-2017-11317 or CVE-2017-11357, or by other means. Exploiting the .NET JavaScriptSerializer deserialization issue through RadAsyncUpload can lead to execution of malicious code on the server in the context of the w3wp.exe process. As of 2020.1.114, a default setting prevents the exploit; in 2019.3.1023, but not in earlier versions, a non-default setting can prevent exploitation.
Blue Mockingbird is the name given to a cluster of similar activity involving Monero cryptocurrency-mining payloads delivered as dynamic-link libraries (DLLs) on Windows systems. The actors achieve initial access by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques. During at least one incident, the adversary used proxying software and experimented with different kinds of reverse shell payloads to connect to external systems.
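The two places where this intrusion chain leaves traces on the server itself are the IIS request log (the exploit is delivered as POST requests to the RadAsyncUpload handler) and process creation (the web shell and the Juicy Potato step both appear as w3wp.exe spawning processes it normally never spawns). The following hunt script is an added example written for this advisory, not tooling from Rewterz or Red Canary; the IIS W3C log lines and the Sysmon-style process records it runs over are constructed, and the threshold of three POSTs is an assumption to tune per site.

```python
"""Hunt for CVE-2019-18935 exploitation and its follow-on activity on an IIS host.

Added example: the IIS W3C log excerpt and the Sysmon Event ID 1 records below
are constructed for illustration, not taken from a real incident.
"""
from collections import Counter
from urllib.parse import parse_qs
import ntpath

# Constructed IIS W3C log excerpt (IIS encodes spaces in the User-Agent as '+').
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-05-20 10:00:01 10.0.0.5 GET /Default.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-05-20 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.23.0 200
2020-05-20 10:00:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.23.0 200
2020-05-20 10:00:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.23.0 500
2020-05-20 10:01:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Constructed process-creation records reduced to the fields the check uses.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\Temp\jp.exe -l 1337 -p cmd.exe -t *"'},   # web shell running a Juicy Potato-style binary
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\csc.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\abc.cmdline"},    # normal ASP.NET dynamic compilation
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\inetpub\wwwroot\uploads\x.exe",
     "CommandLine": r"x.exe"},                                                          # binary dropped under the web root
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},                                                        # unrelated interactive shell
]

RAU_HANDLER = "telerik.web.ui.webresource.axd"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# ASP.NET compiles pages on demand, so these children of w3wp.exe are expected and excluded.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "vbc.exe"}


def parse_iis_log(text):
    """Yield one dict per request, using the '#Fields:' directive to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def is_rau_request(entry):
    """True when the request targets the RadAsyncUpload handler (WebResource.axd?type=rau)."""
    if not entry.get("cs-uri-stem", "").lower().endswith(RAU_HANDLER):
        return False
    query = entry.get("cs-uri-query", "-")
    params = parse_qs("" if query == "-" else query)
    return "rau" in [v.lower() for v in params.get("type", [])]


def find_rau_clients(text, min_posts=3):
    """Clients POSTing to RadAsyncUpload: flag bursts, or any non-browser User-Agent."""
    posts, user_agents = Counter(), {}
    for entry in parse_iis_log(text):
        if entry.get("cs-method") == "POST" and is_rau_request(entry):
            ip = entry["c-ip"]
            posts[ip] += 1
            user_agents.setdefault(ip, set()).add(entry.get("cs(User-Agent)", "-"))
    report = {}
    for ip, count in posts.items():
        non_browser = sorted(ua for ua in user_agents[ip] if not ua.lower().startswith("mozilla"))
        if count >= min_posts or non_browser:
            report[ip] = {"posts": count, "non_browser_user_agents": non_browser}
    return report


def suspicious_w3wp_children(events):
    """w3wp.exe spawning a shell/LOLBin, or any image outside C:\\Windows, is web-shell or Juicy Potato activity."""
    hits = []
    for event in events:
        if ntpath.basename(event.get("ParentImage", "")).lower() != "w3wp.exe":
            continue
        image = event.get("Image", "")
        name = ntpath.basename(image).lower()
        if name in EXPECTED_W3WP_CHILDREN:
            continue
        if name in SHELL_IMAGES or not image.lower().startswith("c:\\windows\\"):
            hits.append(event)
    return hits


if __name__ == "__main__":
    print(find_rau_clients(SAMPLE_IIS_LOG))
    for hit in suspicious_w3wp_children(SAMPLE_PROCESS_EVENTS):
        print("w3wp.exe spawned:", hit["Image"], "|", hit["CommandLine"])
```

Legitimate file uploads hit the same handler, so the request-log check is a hunting query rather than an alert: the signal is a burst of POSTs from one client, a scripting User-Agent, or 500 responses mixed in as the attacker iterates on the payload. The process check is closer to a true-positive detection, because an IIS worker process has no business launching cmd.exe or anything from the web root.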
Affected Products
Progress Telerik UI for ASP.NET AJAX, versions up to and including 2019.3.1023, and ASP.NET applications that embed it
Indicators of Compromise
SHA-256
- d388c309a540d4619169a07a4b64707f4c44953511875b57ad7cfa3e097115af
- 14e3c16ca940244bea9b6080fa02384ebb4818572cef7092f90d72ae210b330d
- 5377c69c05817a0e18f7b0ebbeed420f9ab8d1e81b439f439b42917fbe772dfb
- c957d007824ee8173c67122a1843c979c818614eeed7db03dea3ba7fede43eba
- 5d7116f04e10e968de64c4201fc7374fa84b364e90f8e4eba0fbc41afeaf468c
- 909495884627e2e74d07d729b5e046f3ae01cabd9f0a5a99c74d46046a677f7c
- ab698a35dc5263f0ca460f09dcbc9f8a4aeb7643365a1e7fa122581ef72c34b6
- 60504228b3fc524287bf2a260db933a408639b2f1a29af7538c61b00c4a44c86
- 1d30d3cafdcc43b2f9a593983ad096c2c3941025fb4e91257e2dcf0919ed24ba
- 968b324be2b89f1a8ee4743d946723c1ffdca16ccfbbbbb68e5b9f60e0bff4c9
- 018a02fd0dbc63e54656b8915d71cd8a2ce4409608ae4dff6ec196ffa8743ba1
- b31f7152a547fa41c31f9c96177b2cd7131a93f7c328bf6da360dc1586ba18dc
- 9a432ea16e74b36c55ec5faa790937fe752ff2561cef83e44856fd1e72398309
- de6c061aafc5d86e692bec45f69b2ea18639abd540b59c2c281717a054a48dd5
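A hash list is only useful once it is actually swept across the hosts that expose Telerik; the following script is an added example (not Rewterz tooling) that parses the indicator list above and matches it against files on disk, streaming large binaries rather than reading them whole. The file contents used in the self-check are constructed.

```python
"""Match files on a host against the SHA-256 indicators published in this advisory.

Added example, not tooling from the advisory. IOC_TEXT reproduces the hash list
above; any sample file contents used with scan_blobs are constructed.
"""
import hashlib
import os
import re

IOC_TEXT = """
- d388c309a540d4619169a07a4b64707f4c44953511875b57ad7cfa3e097115af
- 14e3c16ca940244bea9b6080fa02384ebb4818572cef7092f90d72ae210b330d
- 5377c69c05817a0e18f7b0ebbeed420f9ab8d1e81b439f439b42917fbe772dfb
- c957d007824ee8173c67122a1843c979c818614eeed7db03dea3ba7fede43eba
- 5d7116f04e10e968de64c4201fc7374fa84b364e90f8e4eba0fbc41afeaf468c
- 909495884627e2e74d07d729b5e046f3ae01cabd9f0a5a99c74d46046a677f7c
- ab698a35dc5263f0ca460f09dcbc9f8a4aeb7643365a1e7fa122581ef72c34b6
- 60504228b3fc524287bf2a260db933a408639b2f1a29af7538c61b00c4a44c86
- 1d30d3cafdcc43b2f9a593983ad096c2c3941025fb4e91257e2dcf0919ed24ba
- 968b324be2b89f1a8ee4743d946723c1ffdca16ccfbbbbb68e5b9f60e0bff4c9
- 018a02fd0dbc63e54656b8915d71cd8a2ce4409608ae4dff6ec196ffa8743ba1
- b31f7152a547fa41c31f9c96177b2cd7131a93f7c328bf6da360dc1586ba18dc
- 9a432ea16e74b36c55ec5faa790937fe752ff2561cef83e44856fd1e72398309
- de6c061aafc5d86e692bec45f69b2ea18639abd540b59c2c281717a054a48dd5
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text):
    """Parse '- <sha256>' lines; lower-cases and drops anything that is not 64 hex digits."""
    iocs = set()
    for line in text.splitlines():
        candidate = line.strip().lstrip("-").strip().lower()
        if SHA256_RE.match(candidate):
            iocs.add(candidate)
    return iocs


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large DLLs and dumps are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_blobs(named_blobs, iocs):
    """Match in-memory {name: bytes} pairs; scan_tree applies the same logic to files on disk."""
    hits = []
    for name, data in named_blobs.items():
        digest = sha256_bytes(data)
        if digest in iocs:
            hits.append((name, digest))
    return hits


def scan_tree(root, iocs):
    """Walk a directory (e.g. the IIS web root or C:\\Windows\\Temp) and report files whose hash is an IoC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys
    for path, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", load_iocs(IOC_TEXT)):
        print(f"MATCH {digest} {path}")
```

Hash matching only catches the exact payloads that were analysed; a recompiled miner DLL has a different SHA-256, so a clean sweep is not proof of absence and should be paired with the behavioural checks (RadAsyncUpload request bursts, unexpected children of w3wp.exe) rather than relied on alone.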
Remediation
Block the threat indicators listed above at your respective security controls.
To remediate CVE-2019-18935, follow the vendor's instructions at the link below. Upgrade Telerik UI for ASP.NET AJAX to 2020.1.114 or later, where the exploit is prevented by a default setting; installations that must remain on 2019.3.1023 should enable the non-default setting that blocks it, and earlier versions have no mitigation other than upgrading. Because the deserialization is only reachable with known RadAsyncUpload keys, treat keys exposed through CVE-2017-11317 or CVE-2017-11357 as compromised and rotate them, and review affected servers for web shells and unexpected persistence before returning them to service.
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
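To confirm which of the three states an application is in (patched at 2020.1.114 or later, mitigated on 2019.3.1023 with the non-default setting, or vulnerable), the Telerik version and appSettings can be read straight out of web.config. The checker below is an added example written for this advisory, not Telerik's or Rewterz's tooling; the web.config it parses is constructed, and the appSettings key names it looks for (the 2019.3.1023 type allow-list and the RadAsyncUpload encryption/hash keys) are assumptions about Telerik's configuration rather than facts stated in the advisory.

```python
"""Assess a web.config for the CVE-2019-18935 fix and mitigation state.

Added example; the web.config below is constructed. ALLOWLIST_KEY and
ASYNC_UPLOAD_KEYS are assumed Telerik appSettings names, not taken from the advisory.
"""
import re
import xml.etree.ElementTree as ET

FIXED = (2020, 1, 114)          # exploit blocked by a default setting from this build
MITIGATABLE = (2019, 3, 1023)   # non-default blocking setting exists from this build
ALLOWLIST_KEY = "Telerik.Upload.AllowedCustomMetaDataTypes"          # assumed name
ASYNC_UPLOAD_KEYS = ("Telerik.AsyncUpload.ConfigurationEncryptionKey",
                     "Telerik.Upload.ConfigurationHashKey")          # assumed names
RAU_HANDLER = "telerik.web.ui.webresource.axd"

# Constructed web.config: 2019.3.1023, handler registered, allow-list not set, only one custom key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="REPLACE-WITH-RANDOM-KEY" />
  </appSettings>
  <system.web>
    <compilation targetFramework="4.5">
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />
      </assemblies>
    </compilation>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" />
    </handlers>
  </system.webServer>
</configuration>
"""


def telerik_version(config_xml):
    """Major.minor.build of the referenced Telerik.Web.UI assembly; the 4th component is the .NET variant."""
    match = re.search(r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)", config_xml)
    return tuple(int(part) for part in match.groups()) if match else None


def app_settings(config_xml):
    root = ET.fromstring(config_xml)
    return {add.get("key"): add.get("value") for add in root.iterfind("./appSettings/add")}


def rau_handler_registered(config_xml):
    """True if the RadAsyncUpload handler is mapped (classic httpHandlers or integrated handlers)."""
    root = ET.fromstring(config_xml)
    return any((add.get("path") or "").lower() == RAU_HANDLER for add in root.iter("add"))


def assess(config_xml):
    version = telerik_version(config_xml)
    settings = app_settings(config_xml)
    result = {
        "version": version,
        "handler_registered": rau_handler_registered(config_xml),
        # Without custom keys the library's built-in ones apply, which is how CVE-2017-11317 made them "known".
        "custom_keys_configured": all(key in settings for key in ASYNC_UPLOAD_KEYS),
    }
    if version is None:
        result["status"] = "unknown"
    elif version >= FIXED:
        result["status"] = "patched"
    elif version >= MITIGATABLE and ALLOWLIST_KEY in settings:
        result["status"] = "mitigated"
    else:
        result["status"] = "vulnerable"
    return result


if __name__ == "__main__":
    import sys
    config = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    print(assess(config))
```

Run it against every web.config under the IIS sites directory; a "vulnerable" result with the handler registered is exactly the exposure Blue Mockingbird targets, and "mitigated" still warrants an upgrade because the protection depends on one setting staying in place.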