A critical deserialization remote code execution vulnerability was found in Oracle WebLogic Server that could allow attackers to remotely run arbitrary commands on affected servers just by sending a specially crafted HTTP request—without requiring any authorization. This vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software, was given a severity score of 9.8 out of 10.
The trend of taking advantage of newly disclosed and even already patched vulnerabilities is becoming common among cybercriminals, making it one of the primary attack vectors for everyday threats like crypto-mining, phishing, and ransomware.
According to some cybersecurity researchers, an unknown group of hackers has been exploiting this vulnerability since at least April 25 to infect vulnerable servers using a new piece of ransomware malware.
The ransomware was named Sodinokibi by the researchers. Sodinokibi is a dangerous ransomware variant designed to encrypt files in a user's directory and then delete shadow copy backups from the system to prevent victims from recovering their data without paying a ransom.
Unlike typical ransomware attacks, which rely on a victim opening an attachment or link, attackers are exploiting a remote code execution vulnerability in the WebLogic Server, so deploying the Sodinokibi ransomware requires no user interaction. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.
Once downloaded, the Sodinokibi ransomware encrypts the victim's systems and displays a ransom note demanding up to $2,500 in Bitcoin. The amount doubles to $5,000 if the ransom is not paid within a specified number of days—which may vary from two days to six days.
Over the past few years, attackers have been targeting Oracle WebLogic servers to conduct cryptomining operations.
For example, a hacker group made over $226,000 worth of Monero in late 2017 by exploiting CVE-2017-10271 in Oracle WebLogic servers.
The researchers also noted that roughly eight hours after deploying Sodinokibi on an infected system, the attackers exploited the same WebLogic Server vulnerability to install another piece of ransomware known as GandCrab (v5.2).
In addition, as the servers are often deployed in enterprise settings and connected to other enterprise systems, the WebLogic servers could also be exploited to steal sensitive data.
Organizations that use Oracle WebLogic Server should make sure to update their installations to the latest version of the software as soon as possible.