The name refers to a cluster of similar activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems.
“If you have public-facing web servers you should be concerned about this,” said Tony Lambert, intelligence analyst with the Red Canary Cyber Incident Response team.
“The activity observed was not targeted and could occur on any Windows IIS server running a Telerik-supported web app that remains vulnerable to CVE-2019-18935.”
Because of how Telerik is integrated, victims of Blue Mockingbird may not realize they have been attacked.
Lambert said: “Some of the organizations affected by this CVE don’t know they’re vulnerable because Telerik is commonly and inconspicuously built into other web applications, so the best route is to simply check web access logs of IIS web servers for mentions of Telerik.
Red Canary researchers noted that the threat actors achieve initial access “by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques”.
After gaining access, the bird uses the Remote Desktop Protocol to access privileged systems and then Windows Explorer to disseminate its payloads to the highest possible number of remote systems.
On compromised machines, it persists by abusing legitimate and infrequently leveraged Windows feature, COR_PROFILER.
In one incident, whoever gave the malicious bird wings used proxying software and experimented connecting to external systems with different kinds of reverse shell payloads.
Researchers said that the earliest Blue Mockingbird tools they had observed were formed in December last year. Lambert said the threat was spotted causing problems at “a wide array of enterprises ranging from healthcare to IT service providers”.
Based on the numerous techniques observed, Red Canary researchers said that Blue Mockingbird was more likely to create problems for enterprise networks as opposed to individual consumers. Targeted enterprises will see computing resources drained from infected machines and IT or security teams put under extra strain as they remove the threat from affected environments.