Posted on October 30, 2020 at 3:43 PM
Security researchers at Cisco Talos recently discovered that Oracle WebLogic Servers have a zero-day vulnerability that makes them prone to ransomware attacks. Attackers are exploiting the vulnerability to install a new strain of ransomware known as Sodinokibi, as well as versions of the GandCrab ransomware.
However, the most notable aspect of the recent discovery is that these Oracle servers offer limited opportunity for traffic interception, as they often sit between frontend and backend applications.
The servers act as middleware, relaying web traffic from back-end applications to front-end applications.
The researchers noted that the vulnerability, tracked as CVE-2020-14882, is found in the console component of the WebLogic server and carries a CVSS score of 9.8 out of 10.
They also warned organizations to update their Oracle WebLogic servers as soon as possible to prevent them from getting compromised.
Oracle also says the attack is not highly complex, as it requires no user interaction or privileges. Attackers with HTTP access to the server are capable of launching it, the announcement reads.
The Oracle WebLogic server is widely known for its use in building and deploying enterprise Java EE applications.
The vulnerability was fixed during Oracle's October Critical Patch Update, which delivered 402 patches across a family of products. While many have updated their installations, Oracle reports that some users have still not done so, leaving them exposed to exploitation.
Johannes Ullrich, dean of research at the SANS Technology Institute, revealed that although the vulnerability was fixed on October 21, attackers are actively targeting the flaw, based on honeypot observations.
“At this point, we are seeing the scans slow down a bit, but they have reached saturation,” he said in a post yesterday. He further added that users who have still not applied the patch should assume their server has been breached.
Ullrich also stated that a blog post published by Jang in Vietnam could have incited the exploits. The post gave details on how to achieve remote code execution using a single GET request by leveraging the vulnerability.
Ullrich also cited four IP addresses used by hackers to exploit the honeypots.
The security researchers have advised users to update their Oracle WebLogic servers by visiting the Oracle security page provided.
Ullrich and others are urging Oracle WebLogic Server users to update their systems as soon as possible.
One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. https://t.co/y6huXWUuS0 — Kevin Beaumont (@GossiTheDog) October 28, 2020
Users can find a patch availability document for WebLogic and other vulnerable Oracle products, available here.
The researchers also pointed out that the hacking campaign has a close resemblance to the campaign that targeted Drupal and Magento websites last year.
They added that this type of attack does not persist for long, as the servers can have packet captures, logs, and backups that enable cybersecurity teams to analyze them. This limits the severity of the attack, the researchers claim.
The Cisco researchers believed that the Sodinokibi ransomware was newly developed, but that the severity of its attack is not yet known. As a result, the attackers also distributed the GandCrab ransomware to raise the threat severity.
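The article notes that the flaw sits in the WebLogic console component, that anyone with HTTP access can reach it, and that access logs and packet captures are what let defenders reconstruct what happened. The following Python script is an added example written for this page, not code from the article, Cisco Talos, SANS or Oracle. It triages Apache/NCSA-style access log lines and flags admin-console requests that warrant a closer look. Assumptions not taken from the article: the console is served under the default /console/ path, expected administrative access comes from an internal network (10.0.0.0/8 here), and the log lines, IP addresses and request paths are constructed for the example. The two heuristics (console requests from outside the admin network, and URL-encoded or double-encoded path traversal inside a console request) are general triage rules rather than signatures of the specific exploit, which the article does not describe.

```python
"""Triage WebLogic admin-console requests found in HTTP access logs.

Added example, not part of the original article. Assumes NCSA combined
log format and the default /console/ path; admin network and sample
lines are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import unquote

# NCSA combined format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Networks from which console use is expected (assumption for this example).
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Traversal tokens that should never appear inside a console request path.
TRAVERSAL = re.compile(r"(\.\./|\.\.;|\.\.\\)")


def decode_fully(path, rounds=3):
    """Undo repeated percent-encoding; stop once decoding no longer changes it."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a finding dict for a suspicious console request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real tool would count these
    rec = m.groupdict()
    path = rec["path"].split("?", 1)[0]  # drop the query string
    if not path.lower().startswith("/console/"):
        return None  # only the admin console is of interest here

    reasons = []
    try:
        src = ipaddress.ip_address(rec["ip"])
        trusted = any(src in net for net in ADMIN_NETS)
    except ValueError:
        trusted = False  # malformed address: treat as untrusted
    if not trusted:
        reasons.append("console request from non-admin network")

    decoded = decode_fully(path)
    if decoded != unquote(path):
        reasons.append("double-encoded path")  # needed more than one pass
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal in console path")

    if not reasons:
        return None
    return {
        "ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
        "path": rec["path"], "status": rec["status"], "reasons": reasons,
    }


def triage(lines):
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2020:15:43:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Oct/2020:15:44:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
    '203.0.113.9 - - [30/Oct/2020:15:44:12 +0000] "POST /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Oct/2020:15:44:15 +0000] "GET /console/help/%252e%252e%252fexample.portal?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.24"',
    '10.0.0.5 - - [30/Oct/2020:15:45:00 +0000] "GET /console/%2e%2e/x HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} '
              f'-> {", ".join(hit["reasons"])}')
```

Feed it a real access log with something like `triage(open("access.log"))` and review the findings alongside the server's packet captures and backups, as the article suggests. A console request from an external address is worth investigating even when no traversal token is present, since the article's point is that the console should not be reachable by arbitrary HTTP clients at all.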
More hits on the Oracle WebLogic servers
This is not the first time Oracle WebLogic servers have been exploited. In May last year, Oracle researchers said vulnerable WebLogic servers were being targeted by attackers attempting to exploit the CVE-2019-2725 vulnerability.
Earlier in May this year, the company told clients to quickly apply an update for a vulnerability in its WebLogic server. The company said it had received multiple reports and proofs that its web servers were the subject of hacking attempts by ransomware groups.
There was another use of the Sodinokibi ransomware in June this year. The Oracle team has continually warned users to regularly apply the updates from its security page to avoid becoming a victim of ransomware attacks on its servers.