Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there’s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks – especially since the bug is “trivial” to exploit.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle released an out-of-band patch on April 26, 2019 – though exploitation for what was then a zero-day had already begun, researchers said. Quickly thereafter, attacks distributing a never-before-seen ransomware variant called “Sodinokibi” emerged; and then attacks spreading a new variant of the Muhstik botnet, which is used to launch distributed-denial-of-service (DDoS) and cryptojacking attacks.
Now, other attacks are starting to snowball, with no sign of abating.
“Once the vulnerability was made public with the release of the patch, numerous instances of proof-of-concept (PoC) code exploiting the vulnerability were released,” Unit 42 researchers said, in a posting late last week. “Preliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly.”
They added that a scan showed more than 41,000 publicly accessible WebLogic instances in the wild.
“With this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,” according to the researchers.
The critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 126.96.36.199.0 of the product. Palo Alto pointed out that exploitation does not require any interaction from the user – a remote, unauthenticated user can send an HTTP request containing a crafted SOAP payload and obtain remote code execution trivially.
“People are on the lookout for critical vulnerabilities and seek to jump on them quickly so they can exploit them before patches are applied,” Ryan Olson, vice president of threat intelligence for Unit 42 told Threatpost. “As we outline in the blog, this isn’t a difficult vulnerability to exploit, particularly given it’s similarity to a previous vulnerability from 2017.”
That previous vulnerability (CVE-2017-10271) allows a remote, unauthenticated attacker to pass Java-class objects with arbitrary contents, allowing for remote code-execution and in many ways provides a blueprint for the new flaw, according to the researchers.
“This reinforces the importance of good testing for variant vulnerabilities by vendors when patching vulnerabilities,” Olson told Threatpost.
XMRig and GandCrab
Unit 42 researchers have observed a wide variety of payloads in addition to Muhstik and Sodinokibi, such as a PowerShell loader that fetches the open-source Monero cryptominer known as XMRig. In addition to dropping the miner, it terminates any legitimate Oracle update services that would patch the underlying WebLogic vulnerability, and establishes persistence by copying itself and creating a scheduled task that masquerades as the Oracle update service.
Other attacks are pushing ransomware to infected victims, including the infamous GandCrab.
The popularity of WebLogic Server, combined with its tendency to be deployed in business-critical environments, creates an attractive target set for cybercriminals; and exacerbating matters is the fact that there could be “an unknown number of private instances in enterprise environments,” Unit 42 researchers said. There are not directly exposed to the web, but an attacker that’s able to penetrate a corporate network could easily uncover them.
“These would essentially be internal network deployments,” Olson said. “The attacks wouldn’t be different, but the attackers would have to find a means to launch the attack so that it gets into the internal network.”
Businesses should make every effort to patch, and patch quickly, Olson noted.
“This is a reminder that the window for exploitation has narrowed and that enterprises need to be able to deploy critical patches like this in a matter of hours and days, not weeks and months,” he told Threatpost.