Oracle WebLogic Vulnerability Used for Cryptomining and Other Attacks

Skybox Blog TeamJul 27, 2018

A critical Oracle WebLogic vulnerability (CVE-2018-2893) is being utilized by attackers three days after the publication of a proof of concept. Since the sample exploit code was released, there has been a rise in its exploitation attempts. The vulnerability has received a “critical” severity level and a score of 9.8 out of 10 on the CVSS v3 severity scale due to potential impact and ease of exploitation and that it can be exploited remotely.

Affected WebLogic versions include,, and

  • Oracle Web Logic Vulnerability

The vulnerability affects multiple versions of the Oracle WebLogic server and allows an attacker to gain full control over the entire server. The vulnerability does not require any user interaction, and it can be exploited via the T3 protocol, Oracle’s implementation of the RMI specification used to transport information between WebLogic servers and other types of Java programs.

Initial publication on of the Oracle WebLogic vulnerability was on July 18, part of Oracle’s quarterly scheduled advisory publication. On July 21, the first proof-of-concept code was published. In a matter of hours, the first exploitation attempts began.

  • Automated Attacks by Iuoxk Group

So far, two separate groups have been observed exploiting the Oracle WebLogic vulnerability by automated means and are conducting these hacks at a large scale.

One group dubbed luoxk — due its campaign’s use of luoxkexp[.]com as its main command and control (C&C) server — have carried out various activities:

  • DDoS attack via the use of DSL(Nitol)
  • RAT execution via the use of Gh0st
  • Cryptomining by using the well-known XMRig cryptominer
  • Android malicious APK
  • RMI service exploit in a worm style to spread itself through networks

The motive for the attacks seems to be financial. One attack group mined the equivalent of more than $226,000 in Monero cryptocurrency by exploiting a similar flaw (CVE-2017-10271).

  • Protecting Against the Oracle WebLogic Vulnerability

Server owners are advised to apply the Oracle July 2018 CPU updates, especially the patches for CVE-2018-2893.

Skybox users will be able to detect occurrences of the Oracle WebLogic vulnerability in their environment, as well as prioritize any exposed instances for first-order remediation. Remediation can also be tracked by Skybox to ensure the vulnerability is eliminated from their environment.

Related Posts

Cryptominers Surpass Ransomware as Most Widespread Cybercrime Malware: Report shows malicious cryptominers and ransomware trading places in attack popularity between the last half of 2017 and first half of 2018

Cisco ASA Vulnerabilities See POC and Active Exploits: Cisco confirms limited exploitation in the wild of a recently disclosed Cisco ASA flaw, still cause for concern around EXTRABACON and EPICBANANA

Ransomware Packs a Punch but Malicious Cryptomining Spikes: While ransomware threats have given some ground to malicious cryptomining, the attacks still hit hard

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.

Recent Posts

Skybox 2021 Vulnerability and Threat Trends Report reveals emerging security challenges and growing need for exposure analysis
Read More
Biden Cybersecurity Executive Order
Read More
CISA Alert – Top routinely exploited vulnerabilities
Read More
3 trends shaping security posture management for 2021
Read More
Skybox Q&A: CRO Rob Rosiello identifies today’s and tomorrow’s top cybersecurity issues as the world reopens
Read More
Post-pandemic cyber threats
Read More