Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Zero-day in Oracle WebLogic exploited for dropping ransomware on servers


Cisco Talos' security researchers report about critical zero-day vulnerability discovered and exploited more than a week for contaminating servers having Oracle's WebLogic, using two-or more strains of ransomware. This was devoid of end-users either clicking on any given link or making any other interaction.


A team from Schultz released a report stating that attackers abused zero-day vulnerability namely CVE-2019-2725 existing within two components -WLS-WSAT and WLS9-ASYNC of the widely used WebLogic. The discoverer of the vulnerability is KnownSec 404 a cyber-security company in China which detected the security flaw on Sunday 21st April. Initially the attackers searched online to find flawed WebLogic servers after which they merely verified the efficacy of 0-day. Nevertheless, in the week of April 22, when the related proof-of-concept was much widely obtainable, the attackers even began contaminating servers having Oracle's WebLogic using real malicious software.


According to Talos researchers, they first identified one hackers' group installing one fresh ransomware strand called Sodinokibi, whilst within subsequent assaults, they as well loaded the GandCrab ransom software, at times hacking into servers earlier contaminated with Sodinokibi merely a few hours before. Schultz says there is no hard data available for establishing why the attackers carried out the hack. Perhaps they realized that time was getting shorter for allowing the exploitation of the zero-day in Oracle WebLogic, therefore they sought for profiting to the maximum extent possible within the said limited period, Schultz explains. www.zdnet.com posted this, April 30, 2019.


Now for exploitation of the vulnerability all that is necessary is acquiring admission into HTTP of one flawed WebLogic server. Subsequently for executing the attack one POST command must be sent to the flawed server, the command which carries one PowerShell command initiating the download of an executable file named radm.exe and then running it.


The hackers issued a ransom note to victims stating they have to pay Bitcoins valuing $2,500 in 2 days if they want the decryption code for releasing their locked data-files. If delayed the ransom amount would be doubled to $5,000.


Organizations utilizing WebLogic are recommended towards loading Friday's security patch as per most urgent.


» SPAMfighter News - 5/7/2019

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page