The “Blue Mockingbird” group has targeted Telerik UI vulnerabilities to compromise servers. The threat actor installed the Cobalt Strike beacon and mined Monero.
The flaw leveraged by the attacker is CVE-2019-18935, a critical-severity vulnerability that leads to remote code execution in the Telerik UI library for ASP.NET AJAX.
The attackers must first acquire the encryption keys that protect Telerik UI’s serialization on the target. This is possible either by exploiting another vulnerability in the target web app or by using CVE-2017-11317 and CVE-2017-11357.
Telerik UI is a popular web application graphical interface development tool. The vulnerability exists due to insecure input validation when processing serialized data in the “RadAsyncUpload” function. A remote attacker can pass specially crafted data to the application, execute arbitrary code and take full control of the system. The flaw was routinely exploited throughout 2020 and 2021 by various threat actors, including the Netwalker ransomware gang.
To exploit CVE-2019-18935, the attackers must acquire the encryption keys that protect Telerik UI’s serialization on the victim’s system. This is where the two older bugs come in handy.
Once the keys have been obtained, the attackers can assemble a malicious DLL containing the deserialization code, which is then launched in the context of the ‘w3wp.exe’ process.
However, in the recent attacks discovered by Sophos, Blue Mockingbird uses a proof-of-concept (PoC) exploit to handle the encryption logic and automate DLL compilation.
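A defender-side check for the RadAsyncUpload traffic described above, added here as an example (not code from the article, Sophos, or Telerik): it parses constructed IIS W3C log lines and counts, per client, POSTs to the Telerik.Web.UI.WebResource.axd?type=rau handler that RadAsyncUpload serves. The sample log, the handler path and the burst threshold are assumptions for illustration.

```python
from collections import Counter

# Constructed sample IIS W3C log excerpt (not from the article or any real server).
# RadAsyncUpload is reached through Telerik.Web.UI.WebResource.axd?type=rau, so POSTs
# to that handler are the traffic worth reviewing on a site that ships Telerik UI.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-05-10 10:00:01 GET /Default.aspx - 203.0.113.7 200
2022-05-10 10:00:05 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.9 200
2022-05-10 10:00:06 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.9 200
2022-05-10 10:00:06 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.9 500
2022-05-10 10:00:07 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.9 200
2022-05-10 10:01:00 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 200
2022-05-10 10:02:00 GET /Telerik.Web.UI.WebResource.axd type=rau 192.0.2.4 405
"""

RAU_HANDLER = "/telerik.web.ui.webresource.axd"  # assumed handler path (lower-cased)

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def rau_posts(text):
    """Return the records that POST to the RadAsyncUpload handler."""
    return [r for r in parse_w3c(text)
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower() == RAU_HANDLER
            and "type=rau" in r["cs-uri-query"].lower()]

def flag_sources(text, threshold=3):
    """Map client IP -> number of rau POSTs, keeping only sources at or above
    threshold; a burst of such POSTs from one client is the pattern to triage."""
    counts = Counter(r["c-ip"] for r in rau_posts(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to the RadAsyncUpload handler")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the #Fields directive in the file drives the column mapping, so extra columns are tolerated.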
Once installed, Cobalt Strike allows for simple lateral movement within a compromised network, data exfiltration, account takeover, and the deployment of more powerful payloads such as ransomware.