Zero-day in Oracle WebLogic exploited for dropping ransomware on servers
Security researchers at Cisco Talos report that a critical zero-day vulnerability has been exploited for more than a week to infect servers running Oracle's WebLogic with two or more strains of ransomware, without end users clicking any link or otherwise interacting.
A report released by Schultz's team states that attackers abused a zero-day vulnerability, CVE-2019-2725, in two components of the widely used WebLogic, WLS-WSAT and WLS9-ASYNC. The vulnerability was discovered by KnownSec 404, a Chinese cyber-security company, which detected the flaw on Sunday, 21 April. Initially the attackers scanned the internet for vulnerable WebLogic servers and merely verified that the zero-day worked. But in the week of April 22, once the related proof-of-concept became more widely available, the attackers began infecting WebLogic servers with real malware.
According to Talos researchers, they first saw one hacking group installing a new ransomware strain called Sodinokibi; in later attacks the same group also loaded the GandCrab ransomware, at times breaking into servers that had been infected with Sodinokibi only a few hours earlier. Schultz says there is no hard data establishing why the attackers did this. Perhaps they realized that the window for exploiting the WebLogic zero-day was closing and sought to profit as much as possible in the limited time remaining, Schultz explains. www.zdnet.com posted this on April 30, 2019.
Exploiting the vulnerability requires nothing more than HTTP access to a vulnerable WebLogic server. The attack then consists of sending a single POST request to the server; the request carries a PowerShell command that downloads an executable named radm.exe and runs it.
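A defender-side check for the traffic pattern described above, written here as an added example (it is not code from Talos, Oracle or the original article). It assumes the WLS-WSAT and WLS9-ASYNC components are reached at their default context paths (/wls-wsat/ and /_async/), that a reverse proxy in front of WebLogic logs requests in Apache combined format, and that internal callers come from the two private ranges listed; the log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Default context paths of the two affected WebLogic components
# (assumption: deployments may mount them elsewhere; adjust as needed).
SUSPECT_PATHS = ("/wls-wsat/", "/_async/")

# Networks whose POSTs to these components are expected (assumption).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """The attack is a single unauthenticated POST, so any POST to the
    affected paths from outside the trusted networks merits a look."""
    if rec is None or rec["method"] != "POST":
        return False
    if not any(rec["path"].startswith(p) for p in SUSPECT_PATHS):
        return False
    return not any(ip_address(rec["ip"]) in net for net in TRUSTED_NETWORKS)

def scan(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2019:10:12:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1384 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [26/Apr/2019:10:12:03 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 20 "-" "python-requests/2.21.0"',
    '10.0.0.5 - - [26/Apr/2019:10:13:44 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 200 512 "-" "Java/1.8.0_191"',
    '198.51.100.9 - - [26/Apr/2019:10:14:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("investigate:", hit)
```

The response status is kept in each hit because a 500 from /wls-wsat/ does not mean the attempt failed; the article notes the exploit needs no interaction beyond the POST itself.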
The attackers' ransom note tells victims to pay $2,500 in Bitcoin within two days to obtain the decryption key for their locked files; if they delay, the ransom doubles to $5,000.
Organizations using WebLogic are urged to install Friday's security patch as a matter of utmost urgency.
» SPAMfighter News - 5/7/2019