Cyber Incident Victim: Blue Mockingbird
Date: Jun 2022
Location: United States of America
Summary
The Blue Mockingbird threat actor exploited a critical deserialization vulnerability in Telerik UI to deploy Cobalt Strike beacons and XMRig cryptocurrency miners. By leveraging encryption keys and a proof-of-concept exploit, attackers executed remote code to establish persistence through Group Policy Objects and scheduled tasks, evading detection with AMSI bypass techniques. While the primary objective involved hijacking system resources for Monero mining, the deployment of Cobalt Strike facilitated potential lateral movement, data exfiltration, and further payload delivery within compromised networks.
Description
In mid-2022, the threat actor Blue Mockingbird exploited CVE-2019-18935, a critical deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, to compromise servers and deploy malicious payloads. This flaw, first patched in 2019, allowed remote code execution via improper validation of serialized data, requiring attackers to first obtain Telerik UI’s encryption keys through auxiliary vulnerabilities like CVE-2017-11317 or CVE-2017-11357, or via other web application weaknesses. Blue Mockingbird leveraged a publicly available proof-of-concept exploit to automate the compilation and execution of a malicious DLL within the ‘w3wp.exe’ process, targeting outdated or abandoned web applications that embedded vulnerable Telerik UI versions. Upon successful exploitation, the attackers deployed Cobalt Strike beacons—a legitimate penetration testing tool repurposed to execute encoded PowerShell commands—establishing persistence through Active Directory Group Policy Objects. These GPOs created scheduled tasks that wrote base64-encoded PowerShell scripts to registry keys, employing Anti-Malware Scan Interface (AMSI) bypass techniques to evade Windows Defender detection and load the Cobalt Strike DLL directly into memory.

The Cobalt Strike beacon facilitated the delivery of a secondary payload, ‘crby26td.exe’, identified as the XMRig Monero miner, which hijacked system resources for cryptocurrency mining. This objective mirrored Blue Mockingbird’s 2020 campaign tactics, indicating consistent operational goals centered on cryptojacking. The deployment of Cobalt Strike introduced potential secondary risks, including lateral movement, credential theft, data exfiltration, and future ransomware deployment, though Sophos researchers confirmed the group remained exclusively focused on Monero mining as of June 2022. Attacks resulted in unauthorized server access, computational resource theft, and potential system instability due to sustained high CPU usage. Detection relied on behavioral analysis of the GPO modifications, scheduled task creation, and memory-resident Cobalt Strike activity, with no documented containment or remediation actions provided in the source material. The incident underscored the persistent threat of unpatched vulnerabilities in discontinued software components, particularly in enterprise environments using third-party frameworks like Telerik UI.
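The persistence chain described above (a GPO-created scheduled task that launches encoded PowerShell, which reads a base64 script out of the registry and runs it in memory) is the part of this intrusion a defender can catch from host telemetry. Below is an added example, not code from the original report or from Sophos: a small Python detector run over constructed events whose layout only loosely follows Windows Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set). The field names, host name, task name and registry path are assumptions, and the two embedded scripts are inert stand-ins written solely to exercise the indicators; neither bypasses anything.

```python
"""Flag scheduled-task and registry events that carry encoded PowerShell.

Added example, not code from the original report. Event fields are a
constructed simplification of Security 4698 and Sysmon 13 (assumed names).
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts -EncodedCommand and unambiguous short forms; the
# common spellings (-e, -ec, -enc, -EncodedCommand) are covered here.
ENC_SWITCH = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Long base64-looking runs inside a registry value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Indicators checked on the raw command line.
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
}
# Indicators checked on script text (decoded, or raw when nothing is encoded).
SCRIPT_INDICATORS = {
    "amsi_reference": re.compile(r"(?i)amsi"),
    "reflective_load": re.compile(r"(?i)\[?(?:System\.)?Reflection\.Assembly\]?::Load"),
    "nested_base64": re.compile(r"(?i)FromBase64String"),
    "invoke_expression": re.compile(r"(?i)\b(?:Invoke-Expression|IEX)\b"),
    "reads_registry": re.compile(r"(?i)\bGet-ItemProperty\b|\bHK(?:LM|CU):"),
}


def decode_powershell_base64(blob: str) -> Optional[str]:
    """Decode as -EncodedCommand does (UTF-16LE), falling back to UTF-8.
    Returns None when the blob is not valid base64 or is not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for codec in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def _match_names(indicators: Dict[str, "re.Pattern[str]"], text: str) -> List[str]:
    return [name for name, pat in indicators.items() if pat.search(text)]


def analyze_task_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """4698-style event: Command plus Arguments (constructed field names)."""
    args = event.get("Arguments", "")
    cmdline = f"{event.get('Command', '')} {args}"
    indicators = _match_names(CMDLINE_INDICATORS, cmdline)
    decoded = None
    m = ENC_SWITCH.search(cmdline)
    if m:
        indicators.append("encoded_command")
        decoded = decode_powershell_base64(m.group(1))
    # Score the decoded script when there is one, otherwise the raw arguments.
    indicators += _match_names(SCRIPT_INDICATORS, decoded if decoded is not None else args)
    if not indicators:
        return None
    return {"event_id": event["event_id"], "host": event["host"],
            "source": event.get("TaskName", ""), "indicators": sorted(set(indicators)),
            "decoded": decoded}


def analyze_registry_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Sysmon-13-style event: TargetObject plus Details (constructed field names)."""
    indicators: List[str] = []
    decoded_parts: List[str] = []
    for blob in B64_RUN.findall(event.get("Details", "")):
        text = decode_powershell_base64(blob)
        if text is None:
            continue
        indicators.append("base64_script_in_registry")  # weak on its own
        decoded_parts.append(text)
        indicators += _match_names(SCRIPT_INDICATORS, text)
    if not indicators:
        return None
    return {"event_id": event["event_id"], "host": event["host"],
            "source": event.get("TargetObject", ""), "indicators": sorted(set(indicators)),
            "decoded": "\n".join(decoded_parts)}


HANDLERS = {"4698": analyze_task_event, "13": analyze_registry_event}


def analyze_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    findings = []
    for event in events:
        handler = HANDLERS.get(event.get("event_id", ""))
        finding = handler(event) if handler else None
        if finding:
            findings.append(finding)
    return findings


def _ps_b64(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed, inert stand-ins: stage one reads a registry value and runs it in
# memory; stage two merely names the AMSI class and a reflective load.
_STAGE_ONE = ("$p = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\ConstructedSample').Payload; "
              "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))")
_STAGE_TWO = ("# inert sample: names the AMSI class and a reflective-load call, performing neither\n"
              "$cls = 'System.Management.Automation.AmsiUtils'\n"
              "# [System.Reflection.Assembly]::Load($bytes)\nWrite-Output $cls")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "4698", "host": "WEB01", "TaskName": "\\Constructed\\Updater",
     "Command": "powershell.exe", "Arguments": "-NoP -W Hidden -Enc " + _ps_b64(_STAGE_ONE)},
    {"event_id": "13", "host": "WEB01", "TargetObject": "HKLM\\SOFTWARE\\ConstructedSample\\Payload",
     "Details": _ps_b64(_STAGE_TWO)},
    {"event_id": "4698", "host": "WEB01", "TaskName": "\\NightlyBackup",  # benign control
     "Command": "C:\\Windows\\System32\\cmd.exe", "Arguments": "/c robocopy D:\\data E:\\backup /MIR"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['event_id']}] {f['host']} {f['source']}: {', '.join(f['indicators'])}")
```

The decoder tries UTF-16LE first because that is what `-EncodedCommand` consumes; a UTF-8 attempt on UTF-16 bytes yields NUL characters and fails the printable check, so the fallback does not produce false text. On real telemetry the 4698 task body is XML and Sysmon's Details may hold binary or REG_MULTI_SZ data, so the field handling here would need to be adapted to the actual event schema.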
