Security News > 2022 > June > Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike
A threat actor known as 'Blue Mockingbird' targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.
The flaw leveraged by the attacker is CVE-2019-18935, a critical severity deserialization that leads to remote code execution in the Telerik UI library for ASP.NET AJAX. The same threat actor was seen targeting vulnerable Microsoft IIS servers that used Telerik UI in May 2020, by which time a year had passed since security updates were made available by the vendor.
To exploit CVE-2019-18935, the attackers must acquire the encryption keys that protect Telerik UI's serialization on the target.
The payload used in the recent attacks is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool Blue Mockingbird abuses for executing encoded PowerShell commands.
The script uses common AMSI-bypassing techniques to evade Windows Defender detection to download and load a Cobalt Strike DLL onto memory.
The deployment of Cobalt Strike opens the way to easy lateral movement within the compromised network, data exfiltration, account takeover, and deployment of more potent payloads such as ransomware.
News URL
Related news
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised (source)
- Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet (source)
- Hackers exploit OttoKit WordPress plugin flaw to add admin accounts (source)
- Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell (source)
- Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own (source)
- Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics (source)
- Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks (source)
- Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks (source)
- Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-11 | CVE-2019-18935 | Deserialization of Untrusted Data vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. | 9.8 |