reports that web servers are being compromised by the threat actor Blue Mockingbird, which is exploiting a three-year-old security vulnerability in the Telerik UI library for ASP.NET AJAX to deploy Cobalt Strike beacons and mine Monero, two years after the same flaw, tracked as CVE-2019-18935, was used to target unpatched Microsoft IIS servers running Telerik UI.
Sophos security researchers discovered that Blue Mockingbird's new attacks rely on an available proof-of-concept exploit that automates DLL compilation. Blue Mockingbird establishes persistence through Active Directory Group Policy Objects. Windows Defender is bypassed with typical AMSI-evading techniques before the Cobalt Strike DLL is downloaded. An XMRig miner named "crby26td.exe" is then deployed as a second-stage executable for Monero mining. While Blue Mockingbird's new attacks are as financially motivated as its intrusions in 2020, its recent use of Cobalt Strike may hasten data exfiltration and ransomware deployment, according to the researchers.