Cyber Incident Victim: Vulnerable Telerik UI systems
Date:
Jun 2022
Location:
United States of America
Summary
A threat actor exploited CVE-2019-18935, a critical insecure-deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, to gain remote code execution on Microsoft IIS servers and deploy Cobalt Strike beacons for command execution and lateral movement. Because the exploit only works with the application's Telerik encryption keys, the attackers first obtained those keys through other weaknesses in the target web application or through older Telerik UI flaws, then used a public proof-of-concept exploit to compile a malicious DLL and have the IIS worker process (w3wp.exe) load it. Persistence came from Group Policy Objects that created scheduled tasks running base64-encoded PowerShell, which bypassed AMSI and loaded the Cobalt Strike payload in memory. The operation culminated in deploying a cryptocurrency miner to hijack the compromised hosts for Monero mining, matching earlier campaigns by the same group. Although the observed objective was cryptojacking, the Cobalt Strike foothold would have allowed broader compromise, including data exfiltration or ransomware deployment.
Description
In June 2022, Sophos researchers observed the threat actor Blue Mockingbird exploiting CVE-2019-18935, a critical remote code execution vulnerability (CVSS v3.1: 9.8) in Progress Telerik UI for ASP.NET AJAX, to compromise Microsoft IIS servers. The vulnerability was patched in 2019 but persists in outdated or abandoned web applications that still ship the old Telerik assemblies. It is an insecure deserialization flaw in the RadAsyncUpload file handler: the handler accepts an encrypted, attacker-supplied object and deserializes it using a type name the attacker chooses, which lets the attacker load and run a DLL of their own inside the web server. The handler's encryption is the only barrier, so the exploit requires the application's Telerik encryption keys. Blue Mockingbird acquired those keys either by exploiting other vulnerabilities in the target web application or through older Telerik UI flaws in the same handler (CVE-2017-11317 and CVE-2017-11357). With the keys in hand, the attackers used a publicly available proof-of-concept exploit, which automates the encryption and compiles the DLL, to upload a malicious DLL and have the IIS worker process (‘w3wp.exe’) load and execute it. The initial payload was a Cobalt Strike beacon, a legitimate penetration-testing tool repurposed here to run encoded PowerShell commands. Persistence was established through Active Directory Group Policy Objects (GPOs) that created scheduled tasks; each task launched PowerShell with a base64-encoded script stored in a newly created registry key. The scripts used Anti-Malware Scan Interface (AMSI) bypass techniques to evade Windows Defender and then loaded the Cobalt Strike DLL directly into memory.
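The exploitation and persistence described above leave two distinct traces a defender can hunt for: POST requests to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau) in the IIS logs, and scheduled tasks that launch PowerShell with an encoded command which pulls its payload out of the registry and disables AMSI before loading it. The Python below is an added example, not code from the Sophos report or from Blue Mockingbird's tooling; it runs both checks over constructed sample data (a few made-up IIS W3C log lines and a made-up process command line). The log field order, the IP addresses, the registry path and the sample script are assumptions chosen for illustration.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Assumed IIS W3C field order; check the '#Fields:' directive of a real log.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# Constructed sample log (documentation IP ranges, not real hosts): a normal browser session
# plus two rapid POSTs to the RadAsyncUpload handler from a scripted client (upload, then trigger).
SAMPLE_IIS_LOG = """\
2022-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2022-06-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 200 0 0 412
2022-06-01 10:00:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 500 0 0 2034
2022-06-01 10:00:30 10.0.0.5 GET /Scripts/app.js - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 3
"""

def parse_iis_log(text):
    """W3C log text -> list of dicts keyed by IIS_FIELDS (directive lines skipped)."""
    rows = [l.split() for l in text.splitlines() if l and not l.startswith("#")]
    return [dict(zip(IIS_FIELDS, r)) for r in rows if len(r) == len(IIS_FIELDS)]

def is_rau_request(rec):
    """POST to Telerik.Web.UI.WebResource.axd?type=rau, the RadAsyncUpload handler targeted by
    CVE-2019-18935 and the 2017 flaws. Legitimate uploads hit it too: a triage signal, not a verdict."""
    if rec["cs-method"].upper() != "POST":
        return False
    if not rec["cs-uri-stem"].lower().endswith("telerik.web.ui.webresource.axd"):
        return False
    return "rau" in parse_qs(rec["cs-uri-query"].lower()).get("type", [])

def rau_bursts(records, window=timedelta(seconds=60), min_count=2):
    """{client ip: largest number of RadAsyncUpload POSTs seen within `window`}."""
    times = defaultdict(list)
    for rec in records:
        if is_rau_request(rec):
            times[rec["c-ip"]].append(datetime.fromisoformat(f"{rec['date']} {rec['time']}"))
    bursts = {}
    for ip, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= min_count:
                bursts[ip] = max(bursts.get(ip, 0), n)
    return bursts

# Substrings checked in the decoded script (lower-cased). AMSI set: the class/field the common
# reflection bypass touches. Loader set: what a registry-to-memory .NET loader needs.
AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer")
LOADER_MARKERS = ("get-itemproperty", "hklm:", "hkcu:", "frombase64string", "assembly]::load")

def encode_powershell(script):
    """-EncodedCommand takes Base64 of UTF-16LE text, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Script behind -e/-ec/-enc/-EncodedCommand (any prefix PowerShell accepts), else None."""
    for m in re.finditer(r"\s-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # -ExecutionPolicy, -ep, -File etc. are not the switch we want
        try:
            return base64.b64decode(blob).decode("utf-16-le")
        except ValueError:  # bad padding / not UTF-16: not a usable encoded command
            return None
    return None

def classify_powershell(cmdline):
    """Is this encoded PowerShell, and does the decoded script tamper with AMSI / load from the registry?"""
    low = cmdline.lower()
    decoded = decode_encoded_command(cmdline) if ("powershell" in low or "pwsh" in low) else None
    text = (decoded or "").lower()
    return {"encoded": decoded is not None,
            "amsi_bypass": any(m in text for m in AMSI_MARKERS),
            "registry_loader": sum(m in text for m in LOADER_MARKERS) >= 3,
            "decoded": decoded}

# Constructed script of the shape the page describes (the registry path is made up).
SAMPLE_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Example\\Settings').Data\n"
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
    "[Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)\n"
)
SAMPLE_CMDLINES = [
    "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
    "powershell.exe -NoP -NonI -W Hidden -ExecutionPolicy Bypass -enc " + encode_powershell(SAMPLE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
]

if __name__ == "__main__":
    for ip, n in rau_bursts(parse_iis_log(SAMPLE_IIS_LOG)).items():
        print(f"[iis] {n} RadAsyncUpload POSTs from {ip} within 60s: check for CVE-2019-18935 exploitation")
    for cmd in SAMPLE_CMDLINES:
        v = classify_powershell(cmd)
        if v["encoded"]:
            print(f"[ps] encoded command, amsi_bypass={v['amsi_bypass']}, registry_loader={v['registry_loader']}")
```

Run as a script it reports one IIS burst and one suspicious encoded command. In practice the same functions would be fed from the real IIS log directory and from process-creation telemetry with command-line logging enabled (Sysmon event 1 or Security event 4688); the scheduled task itself also leaves a Security event 4698 on the host, which is a second place to anchor the same check. The burst heuristic is deliberately loose because a real RadAsyncUpload user also POSTs to that handler; the decoded-script markers are the higher-confidence signal.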

The second-stage payload, an executable named ‘crby26td.exe’, was identified as XMRig, an open-source Monero cryptocurrency miner. This matches Blue Mockingbird’s 2020 campaign and indicates a continued focus on hijacking system resources for cryptojacking. Cobalt Strike gave the actor the means for lateral movement, data exfiltration and ransomware deployment, but Sophos observed only Monero mining in these incidents. The attack affected organizations running unpatched Telerik UI versions, particularly those still hosting discontinued or unmaintained web applications that nobody was updating. Consequences included unauthorized CPU consumption for mining, degraded system performance, and exposure to follow-on compromise through the persistent Cobalt Strike foothold. The reporting named no specific victim organizations or containment actions, but the campaign underscores the risk of unpatched third-party components, especially ones bundled into applications that are no longer maintained.
