A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.
The recently-patched flaw exists in Oracle’s WebLogic server, used for building and deploying enterprise applications. The deserialization vulnerability (CVE-2019-2725) is being exploited to spread what researchers with Cisco Talos in a Tuesday analysis dubbed the “Sodinokibi” ransomware.
“This is the first time we have seen this ransomware being used in the wild,” Jaeson Schultz, technical leader, at Cisco Talos, told Threatpost. “This new ransomware first emerged on April 26. Part of what makes this ransomware stick out is the fact that attackers were using a 0-day vulnerability to install it. Talos is continuing to analyze the ransomware itself. It’s obfuscated and there are several anti-analysis tricks.”
The critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 220.127.116.11.0 of the product. The flaw was patched on April 26 – but researchers said that attackers have been exploiting the flaw since April 21.
“Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,” Eric Maurice, director of security assurance at Oracle, said in a recent post about the vulnerability.
The ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.
While Cisco Talos researchers would not disclose further details to Threatpost regarding the victim of this particular ransomware attack – such as the company size or industry – they said they do think multiple victims are being targeted.
“Attackers were ultimately successful at encrypting a number of customer systems during this incident,” they said.
While typically ransomware variants require some form of user interaction – such as opening an attachment to an email message or clicking on a malicious link, this incident was abnormal as attackers simply leveraged the Oracle WebLogic vulnerability, researchers said.
Once attackers found a vulnerable server, they sent an HTTP POST request to that server. The request contained a PowerShell command, which downloaded a file called “radm.exe.” That then saved the ransomware locally and executed it.
Once downloaded, the ransomware encrypted the victim’s systems and displayed a ransom note to them, directing victims to a page on the Tor network to a domain (decryptor[.]top) the public web, which was registered on March 31 this year.
After victims visited said pages, they were directed to create a Bitcoin wallet and purchase $2500 (USD) worth of Bitcoin. They then were directed to transfer the Bitcoin to an address provided by the attackers. After the transaction is confirmed on the Blockchain, the attackers updates the page with a link to download the decryptor, researchers told Threatpost.
Researchers also noted that, once downloaded, the malicious file executed vssadmin.exe, a legitimate utility bundled with Windows that enables allows administrators to manage the shadow copies that are on the computer. Shadow copies are a technology that enables systems to take automatic backup copies of computer files.
Because attackers executed this feature, it allows them to access and delete the automatic backups – making it harder for victims to recover their data: “This action is a common [tactic] of ransomware to prevent users from easily recovering their data,” researchers said. “It attempts to delete default Windows backup mechanisms, otherwise known as ‘shadow copies,’ to prevent recovery of the original files from these backups.”
While researchers told Threatpost they’re not sure who is behind the attack, they did note that after the ransomware deployment, attackers followed up with an additional exploit attempt (of the CVE-2019-2725 vulnerability) approximately eight hours later.
Interestingly, this attack utilized the infamous Gandcrab ransomware (v5.2), making researchers believe that the attacker is a Gandcrab ransomware affiliate member, Schultz told Threatpost.
“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” researchers said. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”
Looking forward, researchers said that they expect attacks on Oracle’s WebLogic servers to increase, and urge users to update immediately. This flaw was not part of Oracle’s regularly-scheduled quarterly patch earlier in April, where it fixed 53 other critical vulnerabilities in Oracle products.
“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” they said.