Published on May 2nd, 2019

Vulnerability in Oracle WebLogic Server being actively exploited by hackers



A security vulnerability in Oracle Corp.’s WebLogic Server is actively being exploited by hackers.

The vulnerability, CVE-2019-2725, is a remote code execution vulnerability that gives hackers access to a WebLogic server without the need for authentication.

While Oracle released a patch for the vulnerability on April 26, many WebLogic Server installations have yet to receive it, leaving the door open for hackers to run riot.

The current widespread attack is utilizing a variant of the Muhstik botnet to install a new form of ransomware dubbed “Sodinokibi.” The ransomware itself shares typical traits with other forms of ransomware in that it encrypts files and demands a payment to release them but comes with a number of additional traits.

The extra functionality in Sodinokibi includes code that attempts to destroy backups so victims cannot restore lost data, and it also disables the default Windows backup mechanism, making recovery harder still.

To make matters worse, those behind the attack are reported to follow up with a double strike, deploying a second form of malware called Gandcrab on the targeted systems.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” security researchers at Cisco Talos note. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”

The origin of the attackers is unknown at this stage, but the vulnerability and exploits were first detected by security researchers in China and Taiwan on April 17.

An IP trace of the origin of the attacks leads back to a number of servers in Chile, but that does not necessarily indicate where those behind the hacking are located, as those servers may themselves be compromised.

Those running a Cisco WebLogic Server are being advised to urgently apply the patch, with Cisco itself giving the vulnerability a 9.8 out of 10 rating for severity.

That said, the patch is only available to those who have subscribed to the Premium Support or Extended Support phases of Oracle’s Lifetime Support Policy.

“Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running,” the company says in its security advisory.

Image: Cisco Talos
