Telerik UI Vulnerability Exploit Detection: Blue Mockingbird Leverages CVE-2019-18935
Table of contents:
Blue Mockingbird cybercrime group has been on the cybersecurity radar for about two years now. In the current campaign, the threat actor exploits the vulnerabilities discovered in 2019 in a popular Telerik UI suite for ASP.NET AJAX that includes around 120 components. The major vulnerability, tracked as CVE-2019-18935 with a critical severity level of 9.8, is a .NET deserialization flaw. It leads to remote code execution, allowing an attacker to perform a number of malicious actions on the compromised server.
Blue Mockingbird opted for planting Cobalt Strike as the first stage executable to run encoded PowerShell commands. The second stage executable is an XMRig Miner; adversaries used the same payload in their financially-motivated Monero cryptocurrency-mining campaign launched in 2020.
Detect Telerik UI Vulnerability Exploitation Attempts
A Sigma rule developed by a talented member of the SOC Prime developers community Onur Atali helps security professionals to expose suspicious Cobalt Strike or crypto-malware commands executed in the system:
Suspicious Cryptominer / Cobalt Strike Malware Execution by Telerik UI Exploitation (via_filevent)
The rule is aligned with the MITRE ATT&CK® framework v.10. addressing the Execution and Collection tactics with the Command and Scripting Interpreter (T1059) and Data from Local System (T1005) techniques.
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Microsoft APT, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Qualys, Apache Kafka ksqlDB, Open Distro, and AWS OpenSearch.
To detect other possible security holes within your environment, registered users can access the full list of detection algorithms available in the Threat Detection Marketplace repository of the SOC Prime Platform. The Detect & Hunt button will provide you access to 185,000+ unique hunting queries, parsers, SOC-ready dashboards, Sigma, YARA, Snort curated rules, and Incident Response Playbooks tailored to 25 market-leading SIEM, EDR, and XDR technologies.
Security practitioners without an account can navigate the collection of Sigma rules available via the Cyber Threat Search Engine. Press the Explore Threat Context button to access a one-stop shop for free SOC content.
Detect & Hunt Explore Threat Context
Crafting your own content? Join forces with the world’s largest cyber defense community of 23,000+ experts powered by the Threat Bounty Program to get professional guidance and earn a stable income by sharing your detection content.
Telerik UI Library Exploit Analysis
In 2019 Telerik UI web application framework became a wanted target for adversaries, when it was proved susceptible to a number of vulnerabilities. The most severe one was a deserialization bug tagged as CVE-2019-18935. The vendor has fixed it, but there were reports of exploits throughout 2020 and 2021, with more documented attacks resurfacing in May 2022.
In the current attack campaign, a threat agent known under the moniker Blue Mockingbird is launching cyberattacks, leveraging a known CVE for a Monero cryptocurrency mining. Once the target is breached, hackers move laterally, dropping mining payloads across an organization. However, security researchers warn of other malicious vectors these attacks can take since, this time, adversaries are also infecting targets with a Cobalt Strike beacon.
The bug lies in Telerik UI’s RadAsyncUpload function, which is used to handle file upload requests, affecting Windows servers.
Sign up for free at SOC Prime’s Detection as Code platform for a safer future crafted with the industry’s best practices and shared expertise. The platform enables security practitioners to boost their cyber defense operations by participating in top-tier initiatives, sharing detection content of their creation, and monetizing the input.
