Over the past few months, we have seen a large number of hacking attempts against our customer sites using an old Telerik component vulnerability. More specifically, the Telerik Web UI component, widely used in different applications like DotNetNuke, Sitefinity and custom built ASP.NET sites, is being targeted. One codename given to this hack is Blue Mockingbird. Hackers are finding success in compromising sites using this exploit because many site owners never patched their websites. Telerik has even recently blogged about the increase in hacking activity and provides some guidance.
What hackers are doing with compromised sites
There appears to be different individual hackers and hacker groups that are using this exploit and they are doing different things. In our experience, we have seen the following:
- Hacker attempts to compromise the website/database. The hacker
- Creates a webshell file which allows the hacker to do various tasks on the site
- Uploads phishing/malware site which can result in the site getting blocked by anti-virus software and browsers.
- Gains access to the database which could contain sensitive information.
- Installs scripts that attack other systems (e.g., brute force attacks)
- Modifies scripts to skim sensitive information, like credit card numbers.
- Hacker attempts to compromise server in order to
- Install a cryptominer and use the server resources
- Compromise the hosting infrastructure
- Hijack the server and use the server for other attacks
Hacking activity mitigation
Mitigating this vulnerability has proven to be difficult, but we have been observing and learning from all the hacking activities. Now, along with our intrusion prevention detection system, we’ve made security tweaks on our webservers, and trained a diligent team. As a result, we have been able to protect our customers and our infrastructure.
Hacking activity background
We first noticed there was an issue when our intrusion detection system indicated a potentially malicious process being started on one of our servers. Our team immediately investigated and after some work we pinpointed the site that was compromised, determined how the site was compromised, and addressed the hack.
We soon started to notice similar incidents and after further investigation some of the flagged activities turned out to be false positives (legitimate activities), while others were hacking attempts. The attempts started to increase to almost daily at its peak.
Why the hack is nasty
What makes this hack nasty is that it uses built-in functionality of the Telerik control to upload a payload to the compromised site. The control functionality is used by the website so it is extremely difficult to tell which use case is legitimate and which activity is a hacking attempt.
To make things harder to detect, much of the hacking activity uploads a payload that does not interfere with the website and many times the payload appears to do nothing but sit there. Presumably, the payload will “wake up” when the hacker decides to activate it at a future time. Therefore, the website owner would never know they got hacked and the host will never know unless specifically looking for this type of activity.
Another thing we’ve seen recently is a site being compromised but the hacker did not upload anything. The hacker is just probing and logging which sites are “hackable” for some future plan. It’s like if someone breaks into a home using a key, looks around but doesn’t move anything or take anything and leaves. How are you to know someone who should not have access had entered the home?
Windows hosts beware
Windows hosting providers really need to pay attention to this hacking activity going forward. This vulnerability may be old but it’s still very much alive and hackers are exploiting it to compromise Windows servers and leaving virtually no footprint.
What website owners should do
In order to stop this attack from occurring in the first place, website owners must patch the Telerik Web UI component within their application which is typically found within the /bin folder.
You can check the table below on what actions to take depending on the application using the Telerik Web UI Control and where you host your website.
|Application||Website hosted with DiscountASP.NET||Website hosted elsewhere|
|DotNetNuke||Contact our technical support team and we can check if your site is vulnerable and our staff can apply a patch to secure your DNN instance.||You can get more information about DNN and the Telerik vulnerability here and you will need to update your DNN instance.|
|Sitefinity||Contact our technical support team and we can check if your site is vulnerable and our staff can advise you on the next steps.||Check if you are using the insecure Sitefinity versions listed here, If your Sitefinity version is insecure, contact Sitefinity.|
|Custom Application||Contact our technical support team and we can check if your site is vulnerable and provide you with guidance on the next steps.||Check if you are using the insecure Telerik Web UI versions listed here. Check your website files on the server and make sure there are no weird files (that you did not upload). If you own the Telerik license, contact Telerik and patch your site. If your developer owns the Telerik license, have them contact Telerik and patch your site.|
Feedback and Questions
This is a serious security issue and do not hesitate to reach out to provide feedback, comments or ask any questions.