InstantASP Support

Help & Support

Security Advisory for InstantKB 2018-2 and below

Known Issues

Over the last few days the Blue Mockingbird miner has been leveraging an exploit within the Telerik UI for ASP.NET Ajax library to install a cryptocurrency miner on vulnerable systems.

InstantKB version 2018-2 and below leverage a vulnerable version of Telerik UI for ASP.NET Ajax and so any customer running InstantKB 2018-2 or below is vulnerable.

We would strongly advise our customers to take immediate steps to either disable the vulnerable Telerik functionality within InstantKB as detailed below or to upgrade to the latest version of InstantKB to resolve the issue.

How do i know if I'm infected?

As blue mockingbird is a cryptocurrency miner you will typically see 99% CPU utilization.

You will also likely see DLLs with random names within your c:\windows\system32 folder. At the time of writing this post the random DLLs we found where 3,773 kb in size. They will have a recent last modified date.

How to mitigate the attack

All InstantKB 2018-2 and below customers should make the following change to mitigate Blue Mockingbird. Open your InstantKB 2018-2 or below web.config file and ensure the following lines are commented out or removed...

<add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />

Also comment out the line below...

<add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />

After both lines have been commented out they should look like so...

  <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />


  <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />

The asynchronous upload functionality is not used by InstantKB so it's safe to comment out these lines. This will ensure the vulnerable Telerik.Web.UI.WebResource.axd endpoint is not available within your InstantKB installation.

Removing Blue Mockingbird

We would advise using an AV solution to proactively detect and remove threats. At the time of writing this post there are no simple manual steps to follow to remove Blue Mockingbird. We've tested with Kaspersky and this will detect and remove Blue Mockingbird.

Can we help?

If you've been affected by this issue please don't hesitate to contact us and we'll always assist as quickly as possible. We apologize for any inconvenience this may cause.

Optionally provide private feedback to help us improve this article...

Thank you for your feedback!

Comments require login or registration.


Product: InstantKB
Type: INFO
Rated 5 stars based on 1 vote
Article has been viewed 2.1K times.
Last Modified: 2 Years Ago
Last Modified By: Ryan Healey


Similar Articles