
Cryptocurrency-Mining Campaign Hits ‘Thousands’ Of Enterprises

Security researchers have warned of a threat group that has potentially already infected thousands of Windows web servers with cryptocurrency-mining malware.

The malware campaign, which computer security firm Red Canary Intel refers to as Blue Mockingbird, exploits a vulnerability in Telerik UI, a user-interface component library commonly used in web applications.

Many organisations may not even be aware they are running applications that contain the vulnerable code, and as such may have already been infected, Red Canary said.

Red Canary said companies can see if they are potentially vulnerable by checking the web access logs of their Windows IIS servers for mentions of Telerik.


Web apps vulnerable

“Searching the IIS access logs for entries like these is a good idea even if you don’t explicitly know whether you use Telerik UI, as some web applications require the suite as a dependency behind the scenes,” Red Canary said in an advisory.
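The following script is an added example of such a search; it is not code from the article or from Red Canary. It reads an IIS W3C access log (honouring the file's own `#Fields:` header rather than assuming a column order), flags any request whose URI or query string mentions Telerik, and summarises the client addresses involved. The log lines are constructed for illustration.

```python
"""Scan an IIS W3C access log for requests that reference Telerik UI."""
import re

# Constructed sample log for this example (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-05-20 10:01:02 10.0.0.5 GET /index.aspx - 203.0.113.7 200
2020-05-20 10:01:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 200
2020-05-20 10:01:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 200
2020-05-20 10:02:30 10.0.0.5 GET /images/logo.png - 203.0.113.7 304
2020-05-20 10:03:00 10.0.0.5 GET /app/default.aspx - 192.0.2.44 200
"""

TELERIK_RE = re.compile(r"telerik", re.IGNORECASE)


def parse_iis_w3c(lines):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # drop the '#Fields:' token itself
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date headers
        if fields is None:
            raise ValueError("request line seen before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed line; skip it
        yield dict(zip(fields, values))


def find_telerik_requests(lines):
    """Return the request records whose URI stem or query mentions Telerik."""
    hits = []
    for rec in parse_iis_w3c(lines):
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        if TELERIK_RE.search(target):
            hits.append(rec)
    return hits


def summarise(hits):
    """Count the hits and list the distinct client IPs that produced them."""
    return {"requests": len(hits), "clients": sorted({h["c-ip"] for h in hits})}


if __name__ == "__main__":
    found = find_telerik_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"])
    print(summarise(found))
```

To run it against a real server, replace `SAMPLE_LOG.splitlines()` with an open file handle on a log under `%SystemDrive%\inetpub\logs\LogFiles`; a hit only shows that Telerik UI is present or being probed, which is the cue to check the installed version, not proof of compromise.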

All of the Blue Mockingbird attacks use the Telerik vulnerability CVE-2019-18935 as their point of entry, the firm said.

The attackers then primarily install the XMRig tool for mining the Monero cryptocurrency. In this case, XMRig is packaged as two DLL files.

The attackers also use several techniques for ensuring their code remains on the system even in the event of a reboot, Red Canary said.

One common method is to hijack the COR_PROFILER Windows component to execute a malicious DLL and to restore items removed by security systems.

In some cases the attackers seem to be using an exploit called JuicyPotato to obtain the privileges required to set up the persistence methods they are using.

Cryptomining

In addition, the attackers are moving across local networks to infect further systems, Red Canary said.

“As with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and distribute mining payloads across an enterprise,” researchers said.

In some cases, Scheduled Tasks are created remotely to ensure the execution of the attackers’ malicious code.

Red Canary said it had observed about 1,000 infections across the organisations it monitors, meaning that there are potentially thousands more infections at other companies.

The firm said companies should focus on keeping their web servers, web applications and application dependencies up to date to block the Telerik UI vulnerability and other flaws that might be used by attackers.

Red Canary said organisations may also consider establishing a baseline of Windows Scheduled Tasks to make it easier to detect malicious Tasks.

Supercomputers across Europe were recently shut down after a campaign targeted them to install Monero-mining software via hacked logins.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
