Critical vulnerability in Oracle WebLogic is already under attack

Earlier this month, Oracle patched over 400 vulnerabilities across its products, including a critical vulnerability in Oracle WebLogic tracked as CVE-2020-14882, which scored 9.8 out of 10 on the CVSS vulnerability rating scale.

The vulnerability affects Oracle WebLogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0 and, in effect, allows an attacker to compromise a vulnerable system with a single HTTP GET request. Because the flaw is so easy to exploit, security researchers expected attackers to adopt it quickly. That is exactly what has happened.

Honeypots (decoy systems set up as traps) run by the SANS Institute have already recorded the first attacks against the vulnerability, which began shortly after a proof-of-concept exploit for CVE-2020-14882 was published.

“Just about a week ago, as part of a massive quarterly ‘Critical Patch Update’ (aka ‘CPU’), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypot after PoC exploits had been published,” the SANS Institute researchers wrote.

According to the researchers, the attacks come from the following IP addresses:

  • 114.243.211.182 (China Unicom, China);
  • 139.162.33.228 (Linode, USA);
  • 185.225.19.240 (MivoCloud, Moldova);
  • 84.17.37.239 (DataCamp Ltd, Hong Kong).

So far, most of the activity consists of simple probes of potential targets and scans for vulnerable systems, although the attackers operating from the MivoCloud IP address have already attempted to execute a cmd /c command.

SANS cannot provide more detail about any follow-up requests, however, because the honeypots are configured not to return the response a real WebLogic server would, so the attackers do not proceed further.

The exploit used in these attacks appears to be based on the work of a Vietnamese cybersecurity researcher who published a lengthy blog post on the issue this week.

According to Spyse, there are over 3,000 Oracle WebLogic servers currently reachable on the Internet that are potentially vulnerable to CVE-2020-14882.

As a reminder, an exploit for another Oracle WebLogic vulnerability was also popular among attackers last year.

We also wrote that Sophos specialists found that Ragnar Locker malware operators use Oracle VirtualBox to hide their presence in an infected system and launch the ransomware in a “safe” environment.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
