UPDATE
A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.
The newfound samples of Muhstik are targeting the recently-patched CVE-2019-2725 in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.
“From the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,” Cong Zheng and Yanhui Jia, researchers with Palo Alto Network’s Unit 42 team, said in a Tuesday analysis. “This makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.”
Oracle WebLogic is a popular server used for building and deploying enterprise applications. The server’s flaw (CVE-2019-2725), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.
However, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.
They saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.
Interestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots – but now, the IP address appears to also be used as a payload host server.
The discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. The botnet had previously targeted an earlier WebLogic vulnerability (CVE-2017-10271), as well as WordPress and Drupal vulnerabilities.
Unit 42 researchers told Threatpost that they didn’t have further information on the number of servers impacted.
Oracle WebLogic
The latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.
The flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to an remote code-execution attack.
Oracle for its part is urging users to update as soon as possible. “Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,” Eric Maurice, director of security assurance at Oracle, said in a recent post about the vulnerability.
Oracle didn’t respond to a request for further comment from Threatpost.
However, servers that haven’t yet updated are being targeted by several other bad actors, including ones spreading a new ransomware variant uncovered this week called “Sodinokibi.” That ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.
Researchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.
https://twitter.com/bad_packets/status/1122356384849248258
When it comes to Muhstik, Unit 42 researchers said that adding this latest exploit to the botnet’s toolkit will increase the number of systems it can infect.
“The Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,” they said. “Under the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.”
This article was updated on May 2 at 8 am ET to reflect Unit 42 comments.
