"Hackers Exploit Three-Year-Old Telerik Flaws to Deploy Cobalt Strike"

A threat actor tracked as 'Blue Mockingbird' is exploiting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero with the hijacked system resources. The attacker exploited CVE-2019-18935, a critical-severity (CVSS v3.1: 9.8) deserialization flaw in the Telerik UI library for ASP.NET AJAX that leads to Remote Code Execution (RCE).

To exploit CVE-2019-18935, attackers must first obtain the encryption keys that protect Telerik UI's serialization on the target. This can be done by exploiting another vulnerability in the target web app or by using CVE-2017-11317 and CVE-2017-11357. Valid targets remain available because many web apps were projects that embedded the Telerik UI framework version current at the time of their development and were then discontinued or forgotten. Once the keys have been obtained, the attackers can compile a malicious DLL containing the deserialization payload and run it in the context of the 'w3wp.exe' process. In the recent attacks, Blue Mockingbird employed a readily available proof-of-concept (PoC) exploit that handles the encryption logic and automates the DLL compilation.

This article continues to discuss findings surrounding the exploitation of Telerik UI vulnerabilities by Blue Mockingbird.
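An inventory check a defender can run on an IIS host to surface the forgotten applications the article describes, added here as an example (it is not code from the article, Bleeping Computer, Blue Mockingbird research or Telerik); it assumes administrator rights, the optional WebAdministration module, and a -MinimumSafeVersion taken from the vendor advisory for CVE-2019-18935.

```powershell
# Inventory Telerik UI for ASP.NET AJAX assemblies under IIS web roots so that
# abandoned applications still embedding an old Telerik.Web.UI.dll can be found.
# Added example for this page; not code from the article, Blue Mockingbird
# research or Telerik. Assumptions: run as an administrator on the IIS host;
# -MinimumSafeVersion is the first fixed build taken from the vendor advisory.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumSafeVersion,
    [string[]]$WebRoots = @("$env:SystemDrive\inetpub")
)

# If the WebAdministration module is present, add every IIS site's physical
# path to the search roots so applications outside inetpub are not missed.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $WebRoots += Get-Website | ForEach-Object {
        [System.Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
    }
}

$findings = foreach ($root in ($WebRoots | Sort-Object -Unique)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Telerik file versions look like 2019.3.1023.45 and cast cleanly to [version].
            $fileVersion = [version]$_.VersionInfo.FileVersion
            [pscustomobject]@{
                Path          = $_.FullName
                FileVersion   = $fileVersion
                LastWriteTime = $_.LastWriteTime
                Vulnerable    = ($fileVersion -lt $MinimumSafeVersion)
            }
        }
}

# Vulnerable builds first; an old LastWriteTime is a hint that the project was abandoned.
$findings |
    Sort-Object -Property @{ Expression = 'Vulnerable'; Descending = $true }, 'FileVersion' |
    Format-Table -AutoSize
```

Every hit with Vulnerable = True is an application that should be upgraded or decommissioned, and its web.config reviewed for the Telerik key settings the attackers need to obtain.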

Bleeping Computer reports "Hackers Exploit Three-Year-Old Telerik Flaws to Deploy Cobalt Strike"
