New Oracle WebLogic exploit is gaining popularity among attackers

Unit 42 researchers report a growing number of attacks on Oracle WebLogic servers. Criminals are exploiting the CVE-2019-2725 vulnerability to take control of the targeted systems.

The flaw first came to light at the end of April, when malware analysts recorded multiple attacks on Oracle WebLogic servers. It turned out that one of the components shipped with the product mishandled SOAP requests containing certain XML tags, which led to unsafe deserialization of the request data and, in turn, to execution of attacker-supplied code.

The problem is present in Oracle WebLogic Server versions that, by the specialists' estimate, are installed on several thousand hosts. Oracle released an emergency out-of-band patch; however, as the researchers show, the threat is still very much alive.

Soon after a proof-of-concept exploit was published, it was picked up by the new Sodinokibi ransomware and by the operators of the Muhstik botnet, which is used for cryptojacking and DDoS attacks. Later the vulnerability became the entry point for GandCrab campaigns and for a PowerShell downloader campaign that installed the XMRig miner on victims' machines. In the latter case the attackers also disabled the Oracle update service on the compromised hosts, leaving users unable to install a newer, fixed version of the software.


“Preliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly,” said Ryan Olson, vice president of threat intelligence for Unit 42.

Analysts expect the number of attacks to keep growing. Because the exploit requires no manual steps, cybercriminals can automate both the search for new victims and the attacks themselves, which lets attackers without advanced technical skills take part in malware campaigns.

“With this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,” Ryan Olson said.

Experts say corporate networks are at particular risk: if criminals find an entry point into a company's IT infrastructure, the consequences of an attack can be devastating.

Specialists urge IT departments not to delay installing the patch or, at the very least, to take interim precautions: remove the wls9_async_response.war package and block access to URLs under /_async/* and /wls-wsat/*.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
