Thousands of enterprise systems are believed to have been infected with cryptocurrency-mining malware operated by a group tracked under the codename Blue Mockingbird.
Discovered earlier this month by malware researchers at cloud security firm Red Canary, the Blue Mockingbird group is thought to have been active since December 2019.
Researchers say that Blue Mockingbird attacks servers running ASP.NET apps that use the Telerik framework for their user interface (UI) components.
The attackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the targeted server. They then use a variant of the Juicy Potato technique to gain admin-level access and modify server settings to obtain persistence across reboots.
Once they have full access to a system, they download and install a version of XMRig, the popular Monero (XMR) cryptocurrency mining app.
Some attacks pivot to internal networks
Red Canary experts say that if the public-facing IIS servers are connected to an organization's internal network, the group often attempts to spread internally through weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.
In an email interview earlier this month, Red Canary told ZDNet they don't have a full view of this botnet's activities, but they believe it has made at least 1,000 infections so far, based only on the limited visibility they have.
“We have limited visibility in the threat landscape like any security company and no way to reliably know the full scope of this threat,” a spokesperson for Red Canary told us.
“In particular, this threat has affected a relatively limited percentage of organizations whose endpoints we control. However, we have detected about 1,000 infections within these organizations and over a short period of time.”
Red Canary, however, says the number of affected companies could be much higher, and that even companies that believe they are safe are at risk of attack.
Dangerous vulnerability in the Telerik UI
This is because the vulnerable Telerik UI component may be embedded in ASP.NET applications that are otherwise fully updated, while the bundled Telerik component remains an older, vulnerable version, leaving businesses exposed to attacks.
Many companies and developers may not even know whether the Telerik UI component is part of their applications at all, again leaving companies exposed to attacks.
This uncertainty has been exploited ruthlessly by attackers over the past year, ever since details of the vulnerability became public.
For example, the US National Security Agency (NSA) listed the Telerik UI vulnerability CVE-2019-18935 as one of the most exploited vulnerabilities used to plant web shells on servers, in an advisory published in late April.
The Australian Cyber Security Centre (ACSC) also identified the Telerik UI vulnerability CVE-2019-18935 as one of the most exploited vulnerabilities used to target Australian organizations in 2019 and 2020, in another security advisory released last week.
In some cases, organizations may not have the option of upgrading their vulnerable systems. For these situations, businesses will have to ensure that exploitation attempts for CVE-2019-18935 are blocked at the firewall level.
If they don't have a cloud firewall, businesses need to search for server- and workstation-level signs of a compromise. To help with this, Red Canary has published a report with indicators of compromise (IOCs) that businesses can use to search servers and networks for signs of a Blue Mockingbird attack.
"As always, our primary aim in releasing information like this is to help security teams establish threat detection techniques that are likely to be used against them. In this way, we believe it is important for security to determine their ability to detect persistence based on COR_PROFILER and initial access through Telerik vulnerability exploitation," Red Canary said.
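The Telerik exploitation attempts that Red Canary says teams should be able to detect leave a trace in IIS access logs. The following is an added example, not code from the article or from Red Canary; it assumes the standard RadAsyncUpload handler path (Telerik.Web.UI.WebResource.axd with query type=rau) through which CVE-2019-18935 is reached, and the log lines and threshold are constructed for illustration.

```python
"""Flag abuse of Telerik's RadAsyncUpload (RAU) handler in IIS W3C logs.

Added example, not from the article or Red Canary; the handler path is the
documented one for CVE-2019-18935, the log lines and threshold are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs

RAU_HANDLER = "/telerik.web.ui.webresource.axd"  # compared case-insensitively

# Constructed sample, IIS W3C format; field names come from the #Fields line.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-05-10 09:12:01 GET /Default.aspx - 198.51.100.7 200
2020-05-10 09:12:04 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2020-05-10 09:12:05 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2020-05-10 09:12:05 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2020-05-10 09:12:06 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2020-05-10 09:13:10 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-05-10 09:14:00 GET /Telerik.Web.UI.WebResource.axd type=rca 198.51.100.7 200
"""

def parse_iis(text):
    """Yield one dict per log entry, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def rau_requests(entries):
    """Return {client_ip: (rau_posts, rau_server_errors)} for POSTs to the RAU handler."""
    stats = defaultdict(lambda: [0, 0])
    for e in entries:
        if e["cs-method"] != "POST" or e["cs-uri-stem"].lower() != RAU_HANDLER:
            continue
        query = parse_qs(e["cs-uri-query"]) if e["cs-uri-query"] != "-" else {}
        if query.get("type", [""])[0].lower() != "rau":
            continue
        stats[e["c-ip"]][0] += 1
        if e["sc-status"].startswith("5"):  # failed attempts typically surface as 500s
            stats[e["c-ip"]][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def suspicious_clients(text, min_posts=3):
    """Client IPs with at least min_posts RAU uploads, most server errors first."""
    counts = {ip: c for ip, c in rau_requests(parse_iis(text)).items() if c[0] >= min_posts}
    return sorted(counts, key=lambda ip: counts[ip][1], reverse=True)
```

Legitimate users of the upload control also POST to this handler, so the threshold and the ratio of server errors are what separate a burst of exploitation attempts from ordinary traffic; tune them against a baseline from your own logs.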
Gartner predicts Cloud Security failures
Gartner has issued its latest cloud security report, in which the research organization states that mismanagement of identities, access and privileges will be the number one reason for cloud security failures over the next three years.
Gartner's Managing Privileged Access in Cloud Infrastructure report claims that by the year 2023 over 50% of incidents will revolve around the above-stated problems.
As more and more firms adopt cloud platforms for their workloads, defending cloud infrastructure will become a crucial concern for MSPs in the near future, Gartner said.
"Unless cloud admins deploy proper security and risk management tools, effective management of such cloud platforms is not possible," says Paul Mezzera, the author of Gartner's Managing Privileged Access in Cloud Infrastructure report.
To counter such situations, the only solution left for CSPs is to employ specialized cloud infrastructure management tools that are "identity centric".
In the previous year, four in every five businesses suffered a data breach via cloud platforms, says a report released by Ermetic, a company offering identity security solutions for data hosted on cloud platforms.
Based on the responses of over 300 CISOs, Ermetic concluded in its report that 80% of firms could not identify security vulnerabilities caused by excessive access to critical data on IaaS and PaaS cloud platforms.
Note: Founded in 1979, Gartner is a research company that provides information, advice and tools to companies in IT, finance, HR, customer service and support, communications, legal and compliance, and marketing and sales.
BlockAPT's Success With the London Office for Rapid Cybersecurity Advancement
BlockAPT announces a major accomplishment in being accepted into the London Office for Rapid Cybersecurity Advancement (LORCA) accelerator programme, which is backed by the Department for Digital, Culture, Media & Sport.
LORCA helps scale early-stage cyber companies in the UK and internationally. Reinforcing BlockAPT's mission to proactively safeguard organisations' digital assets against persistent cyber threats today and tomorrow, LORCA chose BlockAPT as a result of our unique centralised security management platform, and the team's commitment and track record in providing one of the most advanced and intelligent cyber defence technologies available.
The success will enable BlockAPT to work with LORCA and grow on a number of fronts, including new customers, technologists, partners and investors.
Zafar Karim, CEO of BlockAPT said: “We are delighted and proud to have got through LORCA’s stringent and competitive assessment process and be chosen as one of the latest cybersecurity innovators globally. This is testament to our mission to help protect the digital security of both organisations and people through sharing our knowledge, passion and expertise with our industry game changing BlockAPT platform. We look forward to working with LORCA to extend our reach in the UK and abroad over the forthcoming year”.
Saj Huq, LORCA’s director, said: “The arrival of our fifth cohort highlights that there is world-leading talent and cutting-edge technology available to address these challenges and enable secure, societal-wide digital transformation”.
Digital Infrastructure Minister Matt Warman said:
“We are committed to helping our innovative cyber security startups thrive and maintain our position as Europe’s leading tech hub.
“This initiative will see some of the brightest minds from across the country benefit from expert advice to turn their creative ideas into practical business tools and develop the cyber security technology of tomorrow.”
To find out more about BlockAPT, please visit: https://www.blockapt.com/
BlockAPT protects customers' digital assets by unifying operational technologies against advanced persistent threats. It brings together automated threat intelligence, vulnerability management, device management and incident response management under one platform to help businesses Monitor, Manage, Automate and Respond (MMAR) to cyberthreats proactively and in a preventative manner.
Created by Founder and CTO Marco Essomba, the advanced platform offers deep integration throughout multiple layers of security. The BlockAPT platform can be deployed within hours, in the cloud or on premise, as a single-pane-of-glass solution working seamlessly and intelligently in the background to safeguard businesses' digital environments.
Command Injection Vulnerabilities Recently Patched by Palo Alto Networks
On Wednesday, Palo Alto Networks told clients that it fixed two high-severity bugs in PAN-OS, the program running on the company’s firewalls.
The more serious of the flaws on the basis of their CVSS score is CVE-2020-2034, which affects the GlobalProtect portal and allows an unauthenticated attacker with network access to the targeted system to execute arbitrary operating system commands with root permissions.
"An attacker would need some level of specific information on an impacted firewall configuration or conduct brute-force attacks to exploit this problem," the vendor said in its advisory.
The vulnerability can only be exploited if the GlobalProtect feature is enabled. Prisma Access services are not affected, the company says, and the PAN-OS versions that patch CVE-2020-2021, a critical vulnerability that was recently disclosed, also address this bug.
The second high-severity vulnerability is tracked as CVE-2020-2030 and enables the execution of arbitrary OS commands with root privileges by an attacker with admin access to the PAN-OS management interface.
Palo Alto Networks claims that both vulnerabilities were recently found, and there is no evidence of malicious exploitation. One study, however, noted that tens of thousands of devices may be vulnerable to attacks.
The company also told customers that two medium-severity vulnerabilities in PAN-OS have been patched: one that can be exploited by an authenticated attacker for denial of service (DoS), and one related to the use of the obsolete TLS 1.0 protocol for some communication between cloud-based services and PAN-OS.
These flaws are not as severe as CVE-2020-2021, which was fixed by Palo Alto Networks in late June and which allows an attacker to bypass authentication. Soon after the patch was published, U.S. Cyber Command warned that foreign APTs would likely attempt to exploit it soon.
Over the last week, hackers have been exploiting a critical vulnerability in F5 Networks' BIG-IP application delivery controller (ADC). Soon after disclosure, proof-of-concept (PoC) exploits were made public and a growing number of attacks were spotted. Attackers have delivered various payloads, including web shells and DDoS malware.