Unit 42 experts notified about increasing number of attacks on Oracle WebLogic servers. Criminals exploit CVE-2019-2725 vulnerability and intercept control over attacked systems.Initially, this gap was known at the end of April when virus analysts fixed multiply cases of attacks on Oracle WebLogic servers. As it was revealed, one of program packets in the composition of this solution erroneously processed SOAP-requests with XML- and – tags. This leads to incorrect deserialization of data that threatens to execute third-party code.
Problem is present in Oracle WebLogic 10.3.6.0.0 and 188.8.131.52.0. According to specialists’ assessment, these versions are installed on several thousands hosts. Oracle developers emergently released a patch; however, as demonstrate researchers, threat is still actual.
So, after publication of PoC exploit applied new extortionist Sodinokibi and Botnet Muhstik operators, that are used for cryptojacking and DDoS- attacks. Later vulnerability became a base of GandGrab and PowerShell-downloader campaigns when victims were installed with XMRig miner. In the latter case attackers also switch off Oracle updates service on the impaired machines, and user becomes unable to install saver software version.
“Preliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly”, — Ryan Olson, vice president of threat intelligence for Unit 42 told.
Analysts expect that number of attack will stable increase. As exploit does not demand any manual operations, cybercriminals can automatize search and attacks of new victims. This gives opportunity to participate in malware campaigns for attackers without advanced technical knowledge.
“With this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks”, — said Ryan Olson.
Experts say that corporate networks are under special risk. If criminals find access point to company’s IT-infrastructure, consequences of attack may be disastrous.