A new malware gang is exploiting internet-facing servers to gain admin-level access and then using those machines to mine Monero cryptocurrency for the attackers. The group, called Blue Mockingbird, exploits a known vulnerability in servers running the Telerik UI framework. Researchers say it has already compromised at least 1,000 such servers.

For Cryptojacking Purposes

High-end, well-resourced computers are the machines every crypto-miner wants: with more computational power they mint more coins in less time than weaker hardware can. Enterprise servers fit that description, which is why attackers target them for cryptocurrency mining, and why the new malware gang, Blue Mockingbird, went after them.

Blue Mockingbird - Thousands of Enterprise Servers Exploited For Cryptojacking

Researchers from Red Canary discovered this new group exploiting internet-facing servers that run ASP.NET apps using the Telerik UI for ASP.NET AJAX framework as their UI component. The group has been exploiting a known deserialization vulnerability in that component (CVE-2019-18935) since at least December 2019, and researchers say it could have compromised at least 1,000 servers to date. They add that the figure is an estimate based on the limited visibility they have; the actual number of compromised servers could be higher.

Attackers exploiting this vulnerability plant web shells on the servers, use the Juicy Potato technique (which abuses the SeImpersonatePrivilege that IIS application pool accounts typically hold) to escalate to admin-level access, and modify system settings so their tooling survives a reboot. Once a server is compromised, they download and install XMRig, a mining application for the Monero cryptocurrency, which uses the server's computational power to mint coins for the attackers.

Learn and block at the first level

Researchers also said that if a vulnerable server is connected to a company's internal network, the attackers could move laterally into that network too, by exploiting weak RDP or SMB configurations such as weak credentials. Unfortunately, the vulnerability in the Telerik UI component is not widely known. Because Telerik UI ships as a third-party component inside an application, developers and system administrators may not even be aware it is present, which makes the exposure hard to recognise in the middle of an attack.

So the researchers advise learning about the vulnerability, applying Telerik's fix, and blocking exploitation attempts at the firewall level. The Australian Cyber Security Centre and the US National Security Agency have both published advisories in the past listing it as one of the most heavily exploited server vulnerabilities.
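As an added example (not code from Red Canary, Telerik or ZDNet), the script below shows the two first-level checks an administrator can run offline against the exposure described above: whether the deployed Telerik.Web.UI build predates the fixed release, and whether the IIS access logs show requests to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau), which is the endpoint the CVE-2019-18935 exploit posts its serialized payload to. The log lines are constructed for the example, the field layout is read from the IIS W3C #Fields header rather than assumed, and the version cutoff comes from Telerik's own advisory (builds through 2019.3.1023 affected, R1 2020 / 2020.1.114 the first fixed release).

```python
"""Triage helpers for CVE-2019-18935 exposure.

Added example, not code from Red Canary, Telerik or ZDNet. Two offline checks:
  1. is_vulnerable_version(): is the deployed Telerik.Web.UI build older than
     the first fixed release?
  2. find_rau_requests(): do IIS W3C logs show requests to the RadAsyncUpload
     handler (Telerik.Web.UI.WebResource.axd?type=rau), the endpoint the
     deserialization exploit posts its payload to?
The log lines below are constructed for the example; the field order is read
from the #Fields header, not hard-coded.
"""
from collections import Counter

# Telerik's advisory lists builds through 2019.3.1023 as affected and
# R1 2020 (2020.1.114) as the first fixed release.
FIRST_FIXED_VERSION = (2020, 1, 114)

# Constructed sample log in IIS W3C format. IIS writes "-" for an empty
# query and replaces spaces inside fields such as the User-Agent with "+".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-05-20 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-05-20 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.23.0 200
2020-05-20 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.23.0 200
2020-05-20 03:15:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1_TSM 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_version(version):
    """Turn '2019.3.1023' or '2019.3.1023.45' into a comparable tuple."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_vulnerable_version(version):
    """True when the Telerik.Web.UI assembly predates the first fixed release."""
    return parse_version(version) < FIRST_FIXED_VERSION


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed line, or a record before any #Fields header
        yield dict(zip(fields, parts))


def find_rau_requests(lines):
    """Return requests aimed at the RadAsyncUpload handler (type=rau).

    Legitimate uploads use the same handler, so a hit is a lead to triage,
    not proof of exploitation: the serialized rauPostData travels in the
    POST body, which the access log does not record.
    """
    hits = []
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if stem.endswith("/telerik.web.ui.webresource.axd") and "type=rau" in query.split("&"):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "user_agent": rec.get("cs(User-Agent)", "-"),
            })
    return hits


def requests_per_client(hits):
    """Count RAU requests per client IP; a burst from one address stands out."""
    return Counter(hit["client"] for hit in hits)


if __name__ == "__main__":
    for build in ("2019.3.1023", "2020.1.114"):
        print(build, "vulnerable" if is_vulnerable_version(build) else "fixed")
    rau_hits = find_rau_requests(SAMPLE_LOG.splitlines())
    for hit in rau_hits:
        print(hit)
    print(requests_per_client(rau_hits))
```

Two caveats for anyone adapting this. First, the handler is shared with normal RadAsyncUpload traffic, so a match only narrows the search: correlate the client address, user agent and timing with what the application expects, and check the server for newly written .aspx files or unexpected child processes of w3wp.exe before calling it an incident. Second, the version check is a necessary but not sufficient test; a build below the cutoff is exposed only if the attacker can obtain or guess the Telerik encryption keys, which in practice they often can, so treat any affected build on an internet-facing host as something to patch, not something to argue about.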

Via: ZDNet
