Recent Oracle WebLogic zero-day used to infect servers with ransomware


A recently discovered zero-day vulnerability has been abused for over a week to infect Oracle WebLogic servers with at least two strains of ransomware, security researchers from Cisco Talos have told ZDNet.

Crooks have abused this zero-day to install a new strain of ransomware called Sodinokibi, and in some cases also versions of the older and better-known GandCrab ransomware.

Inefficient targeting of WebLogic servers

These ransomware attacks are head-scratching for industry experts.

Oracle WebLogic is a type of web server that sits between the frontend and backend of large-scale web applications and has a very limited and narrow scope: to route web requests to the proper part of a backend and return the results to the frontend.

It is a simple yet powerful middleware tool that is easy to back up and easy to reinstall within minutes. Because of this, installing ransomware on Oracle WebLogic servers is as useless as past ransomware campaigns that targeted Magento or Drupal sites.

Server owners can easily restore from backups or reinstall a server without losing access to sensitive files, since they only have to reinstall a few business logic apps; most user data is stored in a database, out of the ransomware's reach.

“It is like installing ransomware on a web server,” Jaeson Schultz, Technical Leader at Cisco Talos, told ZDNet in an email. “Because of this, the scope of the attack we investigated was severely limited.”

“In this case, the victim had functioning backups, logs, and even packet captures of the offending activity, which greatly aided our analysis.”

WebLogic zero-day has now received a patch

According to a report Schultz’s team published today, attackers exploited CVE-2019-2725, a zero-day in WebLogic’s WLS9_ASYNC and WLS-WSAT components.

The vulnerability was discovered by Chinese cyber-security firm KnownSec 404 on April 21, last Sunday.

At first, attackers scanned the internet for vulnerable WebLogic servers and only tested the zero-day’s effectiveness. However, during last week, as proof-of-concept code became more widely available, attackers also started infecting Oracle WebLogic servers with actual malware.

The attacks dropping ransomware began on April 25, a day before Oracle released a rare out-of-band security update with a patch for WebLogic server owners.

Attackers deployed new Sodinokibi ransomware

Talos said that it initially spotted a hacker group dropping the new Sodinokibi ransomware strain, while in later attacks they also installed the GandCrab ransomware, sometimes targeting servers previously infected with Sodinokibi just hours before.

“Sometimes the minds of the cyber criminals are truly inscrutable,” Schultz told ZDNet.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing GandCrab.

“We don’t have any hard data that would establish the reasoning behind the attack,” Schultz said. “However, one possibility is that the attackers knew the clock was running out on being able to exploit this Oracle WebLogic 0-day, so they were trying to profit as greatly as possible in the limited amount of time they had available.

“It might also explain why the attackers tried to deploy two different ransomware families on the victim’s network.”

Sodinokibi ransom note (Image: Cisco Talos)

Server owners should update ASAP

Oracle WebLogic server owners should be aware that every time a WebLogic vulnerability has been disclosed in the past, it has been heavily abused by cyber-criminal groups, especially those running crypto-mining campaigns.

While ransomware attacks might be useless when aimed at WebLogic servers, server owners should take the time to apply Oracle’s recent patch to prevent other types of attacks, which are sure to come if past attacks on WebLogic servers are any guide.
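Because the victim in the Talos case had logs and packet captures, it is worth showing what a defender can pull out of an ordinary access log while the patch is being rolled out. The script below is an added example, not code from the article, Cisco Talos or Oracle. It assumes the server writes Apache-style common log format, and it assumes that the affected WLS9_ASYNC and WLS-WSAT components are reached under the `/_async/` and `/wls-wsat/` URL prefixes (the paths of the wls9_async_response and wls-wsat web applications); the log lines are constructed samples using documentation IP ranges, not real captures. POST requests to those prefixes are treated as the high-signal events, since the component accepts SOAP bodies by POST; any other method is reported only as evidence that the component is reachable.

```python
"""Flag requests to the WebLogic components affected by CVE-2019-2725 in an access log.

Added example, not from the article or from Cisco Talos/Oracle. Assumes Apache-style
common log format and that the affected components live under the /_async/ and
/wls-wsat/ URL prefixes. The sample lines are constructed, not real traffic.
"""
import re
from collections import Counter

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [25/Apr/2019:10:01:12 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
198.51.100.7 - - [25/Apr/2019:10:01:15 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120
203.0.113.5 - - [25/Apr/2019:10:02:03 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1184
192.0.2.9 - - [25/Apr/2019:10:05:44 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 512
"""

# Common log format: client, identd, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed URL prefixes of the wls9_async_response and wls-wsat web applications.
AFFECTED_PREFIXES = ("/_async/", "/wls-wsat/")


def parse_line(line):
    """Return a dict of the fields we need, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a parsed request; None means it touches nothing we watch.

    POSTs to the affected components are the high-signal events (the components
    accept SOAP bodies by POST). Any other method still tells a defender that the
    component is exposed and should be removed or patched.
    """
    if not rec["path"].startswith(AFFECTED_PREFIXES):
        return None
    if rec["method"] == "POST":
        return "post_to_affected_component"
    return "affected_component_reachable"


def find_events(log_text):
    """Scan a whole log and return the flagged requests with their label."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is not None:
            events.append({**rec, "kind": kind})
    return events


def posts_by_source(events):
    """Count high-signal POSTs per client address, for triage ordering."""
    return Counter(e["ip"] for e in events if e["kind"] == "post_to_affected_component")


if __name__ == "__main__":
    found = find_events(SAMPLE_ACCESS_LOG)
    for e in found:
        print(f'{e["ts"]} {e["ip"]:>14} {e["method"]:4} {e["path"]} -> {e["kind"]}')
    print(dict(posts_by_source(found)))
```

Run against the real access log of a server that was exposed before the patch landed, the POST counts per source give an ordered list of what to check against packet captures and process creation events; a non-empty "reachable" list after patching means the two web applications are still deployed and should be removed if the application does not need them.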
