Thousands of Enterprise Systems Infected by New Blue Mockingbird Malware Gang (zdnet.com)

Thousands of enterprise systems are believed to have been infected with cryptocurrency-mining malware operated by a group tracked under the codename Blue Mockingbird. From a report: Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019. Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) components. The attackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the compromised server. They then use a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence. Once they have full access to a system, they download and install a version of XMRig, a popular cryptocurrency-mining app for the Monero (XMR) cryptocurrency.
  • That's a good thing (Score:3, Informative)

    by Anonymous Coward on Monday May 25, 2020 @03:48PM (#60103464)

    If you're dumb enough to be running windows, there should be some cost involved.

    • by DontBeAMoran ( 4843879 ) on Monday May 25, 2020 @05:34PM (#60103712)

      My house has seven windows, am I at risk?!

    • by vlad30 ( 44644 )
      Question is, they mine cryptocurrency using stolen resources. Technically the crypto is stolen, so if you get paid in this crypto you have received stolen goods. When the authorities come knocking, can you prove the crypto you have isn't this stolen crypto?
      • by Z00L00K ( 682162 )

        And as an extension - those that are behind Monero and other digital currencies - might also be held responsible for the "untraceability" of the transactions.

    • Kids at a lemonade stall are an enterprise. Delivering newspapers or junk mail: an enterprise. Buying a software product that purports to be enterprise is still a primary school level. Back in 1980, banks defined enterprise as bulletproof, and back then had the clout to punish Boeingesque software pushers for being less than 99.9%. MS wheeled out toy OS's with toy (flawed) protocols and never did a belt and braces audit. Now these intruders are a criminal enterprise, but as we say, crooks are dumb, dirt dum
  • by williamyf ( 227051 ) on Monday May 25, 2020 @04:29PM (#60103560)

    ... Maybe the Excalibur could help.

    Upsss

    Sorry, wrong franchise.

  • Really? Monero? How much money are they really making from this? I bet it's less than if they just got programming jobs. The virus has proved remote workers are viable, so there's even less excuse than before.
  • Telerik (Score:5, Insightful)

    by phantomfive ( 622387 ) on Monday May 25, 2020 @04:39PM (#60103588) Journal
    I spent a year working with Telerik. On the surface it seemed nice because there were a lot of nice looking components. It turned out later that integrating them was kind of a pain, and there were a lot of edge cases that were hard to handle. Eventually I told my manager, "I'm going to write this component myself" and it worked so much better that we gave up on Telerik. If you want your components to look good, you're better off hiring a designer than paying them.

    YMMV.
    • Sorry, it's been a day. Originally I thought you worked with (or for) Telerik, but later got the impression you were working with their control product.

      The latter interested me more, we work with Infragistics' Ultra controls, and I couldn't agree with you more.

      Except that I find them unnecessarily heavy, and almost over-polished looking. The software doesn't even remotely resemble anything else on the system, sort of like how a Qt app stands out near a bunch of GTK apps.

    • Re:Telerik (Score:5, Insightful)

      by bobcat7677 ( 561727 ) on Monday May 25, 2020 @09:28PM (#60104194) Homepage
      This story has been repeated literally thousands of times. Step 1: Everyone: Oooh, Telerik! [old guy in the back of the room: "This is not a good idea..."] Step 2: Everyone: Maybe this wasn't such a good idea? Step 3: But Telerik gives us so much, and we already invested a ton of time and money in it, let's see if support will help us bend it to our will! Step 4: There is just no way to do what we need to do given the limitations of Telerik... time to refactor... but we are going to have to live with some partial-Telerik bastardization. Step 5: Much weeping and gnashing of teeth. Step 6: [old guy in the back of the room: "told you so..."] [now] Step 6a: Virus exploits Telerik framework and hijacks your production servers. [old guy in the back of the room: "I REALLY f*cking told you so..."]
      • Re:Telerik (Score:5, Insightful)

        by Tablizer ( 95088 ) on Monday May 25, 2020 @10:07PM (#60104244) Journal

        old guy in the back of the room: "told you so..."

        One of the reasons nobody wants to hire old IT people is because the org can't handle real experience with a critical eye. They want co-conspirators in bullshit and eye-candy. After you've seen several rounds of bullshit, you know what it smells like.

  • by Joe2020 ( 6760092 ) on Monday May 25, 2020 @05:33PM (#60103708)

    I actually got the middle part of the technical explanation: juicy potato.

    • The middle - you mean the space between the two words? Yeah, I get that too.
      • The middle - you mean the space between the two words? Yeah, I get that too.

        No, I do get the juicy potato. I have no fucking idea what the rest tastes like.

    • by vlad30 ( 44644 )
      No wonder there are so many people breaking into systems. It used to be hard to get these exploits, or you had to develop them yourself; now a quick Google will give it to you on GitHub.

      The dilemma is: do you put these up and risk everyone's machine, or lock it away until the fix is applied, or give notice to the company and give them 14 days to fix it?

  • Title (Score:4, Funny)

    by StormReaver ( 59959 ) on Monday May 25, 2020 @08:17PM (#60104096)

    Thousands of Enterprise Systems Infected by New Blue Mockingbird Malware Gang

    Man, Kirk is gonna be pissed.

    • Thousands of Enterprise Systems, I take it in thousands of different Universes?
      • by Bert64 ( 520050 )

        A starship is a very complex machine that has lots of onboard systems, maybe even thousands on a single ship...

      • by Tablizer ( 95088 )

        Thousands of Enterprise Systems, I take it in thousands of different Universes?

        and in none of them do I get a date with that green babe.
