Cybercriminals are exploiting a chain of three old Telerik UI vulnerabilities to attack servers, install Cobalt Strike beacons and deploy cryptomining malware.
Telerik UI is a popular toolkit for building web application user interfaces, offering more than 120 components.
The main vulnerability leveraged by the hackers in this campaign affects the Telerik UI library for ASP.NET AJAX (CVE-2019-18935). It is a high-risk deserialization flaw that can lead to remote code execution. The vulnerability exists due to insecure input validation when processing serialized data in the "RadAsyncUpload" function. A remote attacker can pass specially crafted data to the application, execute arbitrary code and take full control over the vulnerable system. The flaw was routinely exploited throughout 2020 and 2021 by various threat actors, including the Netwalker ransomware gang.
Two years ago, cybersecurity firm Sophos also observed a series of attacks leveraging this vulnerability conducted by the Blue Mockingbird hackers. While the CVE-2019-18935 bug has since been patched, the Blue Mockingbird gang appears to still be exploiting it in its campaigns.
According to Sophos, in the new campaign the threat actors use this flaw to write a Cobalt Strike beacon (in the form of a DLL payload) to disk. The beacon is then used to execute encoded PowerShell commands that download additional malware, such as a Monero miner, and establish persistence on the target servers.
To exploit CVE-2019-18935, the attackers must first acquire the encryption keys that protect Telerik UI's serialization on the victim's system. This is where the two other, older bugs come in.
«The bug is a little more complex than it first appears, though. Serialization within the upload handler in Telerik UI is protected by encryption keys, and an attacker needs to know them before they can exploit the vulnerability. They can abuse earlier bugs in Telerik UI – CVE-2017-11317 and CVE-2017-11357 – to do just that, although this requires finding a host that’s still vulnerable. Or an attacker could get the keys through some other means – for example, exploiting another vulnerability in a web application,» reads the Sophos report.
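Because every step of the chain above passes through the same RadAsyncUpload handler, a defender's first triage question is which clients are hitting it and whether they do anything else on the site. The following added example (not from the article or from Sophos) summarizes constructed IIS W3C log lines; it assumes Telerik's documented handler path `/Telerik.Web.UI.WebResource.axd?type=rau`, which the article itself does not name.

```python
"""Flag traffic to Telerik's RadAsyncUpload handler in IIS W3C logs.

Added example, not from the article. Assumes the handler path
/Telerik.Web.UI.WebResource.axd?type=rau (Telerik's documented endpoint,
not stated in the article). The log lines are constructed."""
from collections import defaultdict
from urllib.parse import parse_qs

RAU_HANDLER = "/telerik.web.ui.webresource.axd"  # compared case-insensitively

# Constructed IIS W3C sample: one client only hits the handler, another browses normally.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-06-15 10:01:02 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2022-06-15 10:01:03 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2022-06-15 10:05:00 198.51.100.4 GET /Default.aspx - 200
2022-06-15 10:05:09 198.51.100.4 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2022-06-15 10:06:00 198.51.100.4 GET /Upload.aspx - 200""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines rather than guess
                yield dict(zip(fields, parts))

def is_rau_request(rec):
    """True when the request targets the async-upload handler (type=rau)."""
    if rec.get("cs-uri-stem", "").lower() != RAU_HANDLER:
        return False
    params = parse_qs(rec.get("cs-uri-query", "-"))  # IIS writes '-' for no query
    return params.get("type", [""])[0].lower() == "rau"

def summarize(lines):
    """Per client IP: POSTs to the upload handler vs. every other request."""
    stats = defaultdict(lambda: {"rau_posts": 0, "other": 0})
    for rec in parse_w3c(lines):
        key = "rau_posts" if is_rau_request(rec) and rec.get("cs-method") == "POST" else "other"
        stats[rec.get("c-ip", "?")][key] += 1
    return dict(stats)

def suspicious_clients(lines):
    """Clients whose only activity is POSTing to the handler; real users load pages too."""
    return sorted(ip for ip, s in summarize(lines).items() if s["rau_posts"] and not s["other"])
```

On an application that legitimately uses RadAsyncUpload, handler POSTs are normal, so the useful signal is a client that never requests anything else; pair this with confirming the installed Telerik version is patched and that the default encryption keys have been replaced.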