A recently discovered zero-day vulnerability has been abused for over a week to infect Oracle WebLogic servers with at least two strands of ransomware, security researchers from Cisco Talos have told ZDNet.
Crooks have abused this zero-day to install a new strand of ransomware called Sodinokibi, but also versions of the older and more well-known GandCrab ransomware, in some cases.
Inefficient targeting of WebLogic servers
These ransomware attacks are head-scratching for industry experts.
Oracle WebLogic is a type of web server that sits between the frontend and backend of large-scale web applications and has a very limited and narrow scope –to reroute web requests to the proper part of a backend and return results to the frontend.
It is a very simple, yet powerful, middleware tool, is easy to back up, and easy to reinstall within minutes. Because of this, installing ransomware on Oracle WebLogic servers is as useless as past ransomware campaigns that have targeted Magento or Drupal sites.
Server owners can easily restore from backups or reinstall a server without losing access to sensitive files since they only have to reinstall a few business logic apps, as most of the user data is saved somewhere inside a database, and safe from ransomware.
“It is like installing ransomware on a web server,” Jaeson Schultz, Technical Leader at Cisco Talos told ZDNet in an email. “Because of this, the scope of the attack we investigated was severely limited.”
“In this case, the victim had functioning backups, logs, and even packet captures of the offending activity, which greatly aided our analysis.”
WebLogic zero-day has now received a patch
According to a report Schultz’s team published today, attackers exploited CVE-2019-2725, a zero-day in WebLogic’s WLS9_ASYNC and WLS-WSAT components.
The vulnerability was discovered by Chinese cyber-security firm KnownSec 404 on April 21, last Sunday.
At first, attackers scanned the internet for vulnerable WebLogic servers and only tested the zero-day’s effectiveness. However, during last week, as proof-of-concept code became more widely available, attackers also started infecting Oracle WebLogic servers with actual malware.
The attacks dropping ransomware began on April 25, a day before Oracle released a rare out-of-band security update with a patch for WebLogic server owners.
Attackers deployed new Sodinokibi ransomware
Talos said that it initially spotted a hacker group dropping the new Sodinokibi ransomware strain, while in later attacks they also installed the GandCrab ransomware, sometimes targeting servers previously infected with Sodinokibi just hours before.
“Sometimes the minds of the cyber criminals are truly inscrutable,” Schultz told ZDNet.
“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.
“We don’t have any hard data that would establish the reasoning behind the attack,” Schultz said. “However one possibility is that the attackers knew the clock was running out on being able to exploit this Oracle WebLogic 0-day, so they were trying to profit as greatly as possible in the limited amount of time they had available.
“It might also explain why the attackers tried to deploy two different ransomware families on the victim’s network.”
Server owners should update ASAP
Oracle WebLogic server owners should be aware that every time that a WebLogic vulnerability has been disclosed in the past, it has been heavily abused by cyber-criminal groups, and especially by those involved in crypto-mining campaigns.
While ransomware attacks might be useless when aimed at WebLogic servers, server owners should take the time to apply Oracle’s recent patch to prevent other types of attacks, which are sure to come, if we’re to learn anything from past attacks on WebLogic servers.