News

New Oracle WebLogic exploit is gaining popularity among attackers

Photo of Daniel Zimmermann Daniel ZimmermannMay 10, 2019
0 80 1 minute read

Unit 42 experts notified about increasing number of attacks on Oracle WebLogic servers. Criminals exploit CVE-2019-2725 vulnerability and intercept control over attacked systems.

Initially, this gap was known at the end of April when virus analysts fixed multiply cases of attacks on Oracle WebLogic servers. As it was revealed, one of program packets in the composition of this solution erroneously processed SOAP-requests with XML- and tags. This leads to incorrect deserialization of data that threatens to execute third-party code.

Problem is present in Oracle WebLogic 10.3.6.0.0 and 12.1.3.0.0. According to specialists’ assessment, these versions are installed on several thousands hosts. Oracle developers emergently released a patch; however, as demonstrate researchers, threat is still actual.

So, after publication of PoC exploit applied new extortionist Sodinokibi and Botnet Muhstik operators, that are used for cryptojacking and DDoS- attacks. Later vulnerability became a base of GandGrab and PowerShell-downloader campaigns when victims were installed with XMRig miner. In the latter case attackers also switch off Oracle updates service on the impaired machines, and user becomes unable to install saver software version.

Ryan Olson, Unit 42

“Preliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly”, — Ryan Olson, vice president of threat intelligence for Unit 42 told.

Analysts expect that number of attack will stable increase. As exploit does not demand any manual operations, cybercriminals can automatize search and attacks of new victims. This gives opportunity to participate in malware campaigns for attackers without advanced technical knowledge.

“With this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks”, — said Ryan Olson.

Experts say that corporate networks are under special risk. If criminals find access point to company’s IT-infrastructure, consequences of attack may be disastrous.

Specialists call IT-services not to delay patch installation or, at least, take precaution measures – delete wls9_async_response.war packet and prohibit access to Internet addresses that contain /_async/* and /wls-wsat/*.

Source: https://threatpost.com

Related Posts

Tags
Photo of Daniel Zimmermann Daniel ZimmermannMay 10, 2019
0 80 1 minute read
Photo of Daniel Zimmermann

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

OnePlus update slows apps

OnePlus recent update deliberately slows down 300 apps

July 8, 2021
censorship in Xiaomi smartphones

Lithuanian authorities discovered censorship in Xiaomi smartphones

September 23, 2021

Bitdefender Disables Anti-Exploit Monitoring in Chrome After Google Policy Change

August 27, 2018
Apple holds as hostages

ProtonMail developers say Apple is holding us all as hostages

August 4, 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | Adware.Guru;
Back to top button