The Blue Mockingbird malware gang has infected more than 1,000 business systems with the Monero mining malware since December 2019.
The global scale of the hacker group’s operations was revealed by cloud security firm Red Canary on May 26.
The report outlined the group’s methodology: the malware targets servers running ASP.NET applications and exploits a vulnerability to install a web shell on the compromised machine, gaining administrator-level access that lets the attackers change server settings.
The cybercriminals then install the XMRig application to mine Monero using the resources of the infected machines. Most of the infected computers belong to large companies, although Red Canary has not disclosed any names.
Remote Desktop Protocol vulnerability
As with the recent Trojan-horse ransomware attacks, the criminals took advantage of weaknesses in the Windows Remote Desktop Protocol to penetrate systems.
The report notes that although the total number of infections is difficult to quantify, these attacks occurred within a relatively short period of time.
Red Canary also warns that companies that believe they are safe from such attacks are in fact at high risk of having their security breached by this malware.
Speaking with Cointelegraph, Brett Callow, a threat analyst at Emsisoft malware lab, commented on the systems’ current vulnerabilities to such attacks:
“Cybercriminals specifically look for weaknesses in Internet-connected systems and, when they find them, exploit them. Businesses can significantly reduce their risk factor by following established best practices like timely patching, using MFA, disabling PowerShell when not needed, etc. If these best practices are not followed and Internet-facing servers remain vulnerable, a company is significantly more likely to experience crypto-mining, ransomware, data exfiltration, or other security events.”
Recent attacks related to XMRig
Unauthorized crypto-mining with the XMRig app is a recent phenomenon that various hacker groups have adopted.
Cointelegraph reported in November 2019 that malware targeted vulnerable Docker instances to distribute the Monero mining app.
In the same year, reports published by cybersecurity companies Symantec and BlackBerry Cylance warned of the XMRig app being injected into computers via music files.