Oracle WebLogic Vulnerability Used for Cryptomining and Other Attacks
Skybox Blog TeamJul 27, 2018
A critical Oracle WebLogic vulnerability (CVE-2018-2893) is being utilized by attackers three days after the publication of a proof of concept. Since the sample exploit code was released, there has been a rise in its exploitation attempts. The vulnerability has received a “critical” severity level and a score of 9.8 out of 10 on the CVSS v3 severity scale due to potential impact and ease of exploitation and that it can be exploited remotely.
Affected WebLogic versions include 10.3.6.0, 18.104.22.168, 22.214.171.124 and 126.96.36.199.
Oracle Web Logic Vulnerability
The vulnerability affects multiple versions of the Oracle WebLogic server and allows an attacker to gain full control over the entire server. The vulnerability does not require any user interaction, and it can be exploited via the T3 protocol, Oracle’s implementation of the RMI specification used to transport information between WebLogic servers and other types of Java programs.
Initial publication on of the Oracle WebLogic vulnerability was on July 18, part of Oracle’s quarterly scheduled advisory publication. On July 21, the first proof-of-concept code was published. In a matter of hours, the first exploitation attempts began.
Automated Attacks by Iuoxk Group
So far, two separate groups have been observed exploiting the Oracle WebLogic vulnerability by automated means and are conducting these hacks at a large scale.
One group dubbed luoxk — due its campaign’s use of luoxkexp[.]com as its main command and control (C&C) server — have carried out various activities:
- DDoS attack via the use of DSL(Nitol)
- RAT execution via the use of Gh0st
- Cryptomining by using the well-known XMRig cryptominer
- Android malicious APK
- RMI service exploit in a worm style to spread itself through networks
The motive for the attacks seems to be financial. One attack group mined the equivalent of more than $226,000 in Monero cryptocurrency by exploiting a similar flaw (CVE-2017-10271).
Protecting Against the Oracle WebLogic Vulnerability
Server owners are advised to apply the Oracle July 2018 CPU updates, especially the patches for CVE-2018-2893.
Skybox users will be able to detect occurrences of the Oracle WebLogic vulnerability in their environment, as well as prioritize any exposed instances for first-order remediation. Remediation can also be tracked by Skybox to ensure the vulnerability is eliminated from their environment.
Cryptominers Surpass Ransomware as Most Widespread Cybercrime Malware: Report shows malicious cryptominers and ransomware trading places in attack popularity between the last half of 2017 and first half of 2018
Cisco ASA Vulnerabilities See POC and Active Exploits: Cisco confirms limited exploitation in the wild of a recently disclosed Cisco ASA flaw, still cause for concern around EXTRABACON and EPICBANANA
Ransomware Packs a Punch but Malicious Cryptomining Spikes: While ransomware threats have given some ground to malicious cryptomining, the attacks still hit hard