May 3, 2019, updated 07 May 2019 7:54am

Critical Vulnerability in Oracle Server Drawing Attack from New Ransomware

Rather than needing to phish, attackers are simply "causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses"

By CBR Staff Writer

Oracle WebLogic Server users need to patch their systems urgently, with a critical remote code execution vulnerability being widely exploited in the wild, including for delivery of a previously unseen ransomware variant, cybersecurity researchers say.

Oracle broke with its normal patch cycle to release an emergency patch on April 26. The vulnerability has a “critical” CVSS score of 9.8, indicating how severe the issue is.

The exploit allows attackers to remotely control victim hosts, execute code, establish persistence and move laterally through the network: “Exploit code has been released into the public domain and we have observed active attacks against our customer base using this vulnerability”, Alert Logic said of the vulnerability, tracked as CNVD-C-2019-48814.

The Oracle WebLogic vulnerability can be exploited over a network without the need for a username and password.

Alert Logic blamed a “flawed implementation in deserializing input information”, meaning an attacker can send a malicious HTTP request to execute commands remotely and without authorisation. Oracle credited “Badcode” of China’s Knownsec 404 Team and eight other Chinese cybersecurity researchers for the find; the severity of the flaw was matched by the ease with which it could be exploited by those seeking to use the zero day.

“Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability”, the Chinese team wrote on Medium, adding: “This vulnerability affects all Weblogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.”
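As an added defensive example (not code from the article, Alert Logic, Talos or Oracle): a small Python pass over WebLogic HTTP access logs that flags POST requests to the context roots of the two components the advisory names, useful for checking exposure while the patch is rolled out. The log lines are constructed, and the servlet paths under /_async/ and /wls-wsat/ are assumed here rather than taken from the article.

```python
import re
from collections import Counter

# Constructed WebLogic HTTP access log lines (common log format), not from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2019:14:02:11 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
198.51.100.7 - - [25/Apr/2019:14:02:12 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 312
10.0.0.5 - - [25/Apr/2019:14:03:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4410
203.0.113.10 - - [25/Apr/2019:14:03:05 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 1203
"""

# Context roots served by wls9_async_response.war and wls-wsat.war.
# The exact paths are an assumption of this example, not stated in the article.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(rec):
    # The deserialization flaw is reached through a POST body; GETs to the same
    # context roots are usually probing or legitimate WSDL fetches, so they are left out.
    return rec["method"] == "POST" and rec["path"].startswith(WATCHED_PREFIXES)


def find_suspect_requests(log_text):
    """Return the parsed records of every POST to a watched context root."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits.append(rec)
    return hits


def summarise(hits):
    """Count suspect requests per (source IP, path) pair for triage."""
    return Counter((h["ip"], h["path"]) for h in hits)


if __name__ == "__main__":
    for (ip, path), n in summarise(find_suspect_requests(SAMPLE_LOG)).items():
        print(f"{ip} -> {path}: {n} POST request(s); confirm patch level on this host")
```

A hit does not prove exploitation, only that the vulnerable components are reachable and being sent requests; the fix remains applying Oracle's April 26 patch.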


Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products too.


Attacks using the recently-disclosed Oracle WebLogic vulnerability include the delivery of a previously unseen ransomware variant dubbed “Sodinokibi”, Cisco Talos security researchers said in a Tuesday analysis of the vulnerability.

Figure: activity on April 25, 2019 preceding the ransomware deployment. Credit: Cisco Talos

Talos said: “Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.”

“For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1”, Oracle said.

It noted that patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of its Lifetime Support Policy.
