A Monero cryptocurrency mining campaign has made headlines by exploiting a known vulnerability in public-facing web apps built on the open-source ASP.NET framework.
What is happening?
Red Canary analysts, who detected the operation, have named the campaign Blue Mockingbird. The threat actors have been found to exploit CVE-2019-18935, a deserialization vulnerability that permits remote code execution. The bug is in the Progress Telerik UI front-end offering for ASP.NET AJAX.